JAN-FEB 2018

Issue link:

Contents of this Issue


Page 34 of 53

INTECH JANUARY/FEBRUARY 2018 35 SPECIAL SECTION and intrusion prevention systems. Also, check if a demilitarized zone (DMZ) is used between the plant network and ICS net - work security devices. The DMZ is an interme- diary/buffer zone between the plant network and the ICS that prevents direct communica - tions between the two. Vital sign #4 Are network access controls in place to prevent unapproved devices from being connected to the ICS? Vital sign #3 protects against unwanted traffic entering or leaving the ICS, while this vi - tal sign lets you determine if someone can walk up and connect a device to your ICS network. For this vital sign, check if (1) network devices (e.g., switches, routers, and patch panels) are in locked cabinets, (2) unused ports of network devices are locked down, (3) the network is periodically monitored or scanned to look for newly added devices, and (4) network device ports are configured to limit the devices able to communicate through them to specific devices and to a specific number of devices. The first two capabilities protect against plug- ging a device into an open port on a network device, such as an Ethernet switch, and then listening or transmitting. The third capability is used to find unauthorized devices, but network scanning should be done with care because it FAST FORWARD l Know the difference between a cybersecurity self-check and a full security assessment of your ICS. l The vital signs represent top-level diagnostics that you can use for a self-check of your ICS's cybersecurity. l This self-check can be performed periodically and supplemented with occasional in-depth assessments. what is practical for you, because it is not the actual score that is important; it is the insights you gain when answering the questions. Once complete, you should have a good feel for the strengths and weaknesses of your ICS cyber - security readiness. Vital sign #1 Is cybersecurity ingrained into your organi- zation's culture and day-to-day operations? The answer to this question can be found in the work practices and behavior of per - sonnel involved in the operation of the ICS, from management to operators. Are they se - curity aware? Is the organization committed to keeping the ICS secure? Has it provided training and guidance for security best prac - tices? Are there disciplinary measures for failing to observe them? And, for the more security-conscious, does the organization have security-certified personnel? This vital sign should be easy to assess. Just look around. The way USB memory sticks are handled is a good place to start. Are there rules, formal practices, or polices defined for their use? Does ignoring or violating them go against the culture of the organization? Vital sign #2 Do you maintain an inventory of all hardware and software in the ICS, and do you follow a formal process for controlling changes to them? For this vital sign, look for documentation that describes hardware and software components, when they were installed, and what changes have been made to them, including who ap- proved the changes and who made them. It is important that all components and their change histories are documented. This vital sign makes it easy to determine if a device and its software are authorized, and if their updates (patches and upgrades) are current. Vital sign #3 Are only necessary inbound and outbound com- munications between your ICS and other plant systems allowed? Unnecessary traffic has the potential to flood the network, attack internal ICS software, and otherwise disrupt operations of the ICS. Here, you are trying to identify all connections of the ICS to the plant network and beyond, and then determine if each is pro - tected by a properly configured network secu- rity device. Typical network security devices that can be configured to control network ac - cess are firewalls, intrusion detection systems,

Articles in this issue

Archives of this issue

view archives of InTech - JAN-FEB 2018