Get highly relevant, immediately applicable cyber security training in Seattle - Mar. 23-28.

SANS Security Insights

6 Tips for ICS Trips - guest blog by Dean Parsons

6 Tips for ICS Trips

By Dean Parsons, ICS515 Instructor

You can't defend what you don't know you have.

Whether your industrial control system (ICS) is an electric power utility, an oil & gas installation, or a cookie factory — asset identification is a crucial prerequisite for efficient network security monitoring. The most time-consuming method of asset identification is taking those trips to your ICS facilities, physically walking through the sites, and taking inventory. But I can tell you first hand that it's totally worth it!
Here are six tips for effective cybersecurity ICS trips that will maximize your time spent during on-site visits for accurate asset identification, effective cybersecurity awareness that fosters IT and OT relationships for smooth ICS incident response, and highlights new ways to ethically hack your physical security perimeter.

1. Coordinate with Safety Department

Prior to getting to the site, coordinate with stakeholders, including the site Safety Department. They'll need to be aware of your arrival and will conduct safety training when you arrive. This team knows the sites well and will be your guide, connecting you with plant operators. On-site operators and engineers live and breathe safety every day.
Stay alert and don't forget your proper personal protective equipment (PPE). Wear the right gear as per your site's policy. Learn to leverage the physical safety culture by drawing parallels between physical safety and cyber-safety.

2. Ethically Hack Your Physical Security Perimeter

Approach each site with the objective to evaluate defenses against physical intrusions. See how far you can get into the facility by challenging authentication at each level, starting with the front gate. Wait to show a badge until its requested, look for areas you could tailgate, look for unlocked doors, fences with holes or gaps, etc., all while keeping safety as the highest priority.

3. Cybersecurity Discussions on the Plant Floor

The ultimate place for a cybersecurity discussion is right on the plant floor with your operators. Cybersecurity teams need to understand how the physical ICS process and plant works, which systems are likely to be targeted by the adversary, and which are critical to the process that, if unavailable, would cause disruption to the process or a safety concern to people in the plant.
Cybersecurity teams need to communicate that security fully supports the safety and reliability of operations as their prime concern (always preferring IDS over IPS, for example). This goes a long way for the efforts of IT and OT convergence.

4. Spreadsheet App, Laptop Stand, and Network Diagrams

We all know there is a difference in what's on paper and what's in production — but let's start with what's on paper. Network diagrams will kick-start your asset identification efforts. If/when gaps are found on diagrams document them and keep moving.
Laptop tripod stands speed up inventory and data gathering efforts when a desk is not accessible.
Your spreadsheet to capture asset inventory should contain at least:

- Asset Name
- Description of Function
- IP Address
- MAC Address
- Model/Manufacturer
- Serial Number
- Means of connectivity to the network
- Ports and protocol(s) used
- Firmware, operating system version

5. Follow Up with Traffic Analysis

Some items from plant inspections can be missed when doing asset identification. For example, when there is scheduled maintenance or upgrades, there may be inaccessible areas.
To close these gaps and get information on other assets when the process is fully up and running, traffic analysis can be used. This method is safer and less time consuming since no site visit is required, but will require a SPAN port and a hard drive to store the PCAPs.
You may want to capture traffic for 24-72 hours depending on the ICS process and how the process functions. Using free tools such as Wireshark, and its built-in features, can help you further identify assets. Of course, you will not get the discussions on the plant floor or the chance to strengthen relationships (face-to-face), which is why physical inspection is my recommended first method for asset ID efforts.

6. Storing Asset Inventory Back at the Office

Your inventory is incredibly valuable to you and the team. It is also of value and sought after by the adversary. Dump data gathered from your spreadsheet into a database that's scalable, searchable, secure via strong authentication, and segmented off from user land.

Learn more about Dean Parsons, Information Security Officer at Nalcor Energy.
Dean will be teaching ICS515: ICS Active Defense and Incident Response in Dallas this November.


Posted September 5, 2018 at 6:21 PM | Permalink | Reply

Ernie Hayden

One pre-visit activity that is non-intrusive and usually reveals valuable insight is to run a SHODAN check for the IP addresses for the site/company being visited.

Post a Comment


* Indicates a required field.