February 16, 2016 | Security and Risk | Alex Leemon
In December 2015, the Department of Homeland Security, the Federal Bureau of Investigation and the National Security Agency (NSA) jointly released a report, “Seven Steps to Effectively Defend Industrial Control Systems” recommending ways to safeguard from cyber-attacks. The release of this report highlights the increased frequency of attempted attacks against Industrial Control Systems and the companies where they are used, specifically in the United States Critical Infrastructure sectors. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) noted that 295 incidents were reported in Fiscal Year (FY) 2015.
The recommendations should be taken seriously and implemented promptly. The report warns:
“If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response.”
With CyberArk solutions, you can address six of the seven recommended steps:
- Implement Application Whitelisting (AWL)
Implementing Application Whitelisting in critical, top-hierarchy control computers such as Human Machine Interfaces (HMIs) represents one of the first steps in locking down an Industrial Control System network. CyberArk Viewfinity removes local administrator rights from the HMI, and it seamlessly elevates privileges, based on policy, as required by trusted (whitelisted) applications. This measure helps to mitigate the risk of malware-based attacks.
- Reduce Your Attack Surface Area
The isolation of the ICS networks from any untrusted networks is one of the most important steps in safeguarding ICSs given the risks associated with direct connectivity of untrusted end points to ICS assets as well as the potentially devastating impact of an intrusion. Regulations, standards and security experts have advocated this measure as part of a defense-in-depth architecture for many years. The CyberArk Privileged Session Manager secure jump server can isolate sessions connecting to ICS networks, effectively separating users and devices from critical systems, as well as establishing an isolated network segment without the use of a VPN.
- Build a Defendable Environment
Network segmentation in ICS helps contain potential damage from a network breach by limiting access to other ICS network segments while allowing authorized communications to continue. The CyberArk Privileged Session Manager secure jump server provides the necessary access control and isolation between network segments and provides an added level of security not available through home-grown or commercially available jump servers. Security measures include individual accountability, access control to target systems, command- level monitoring and keystroke logging, video recording and playback as well as enforcement of established workflow processes.
- Manage Authentication (Secure Privileged Accounts)
Privileged credentials allow users to access the organization’s critical systems, including the industrial control system’s computers. When left unsecured, these credentials can be lost, stolen or shared with unauthorized users. The CyberArk Privileged Account Security solution allows customers to secure privileged credentials in a vault and implement controls that prevent the misuse of privileged credentials and alert on suspicious behavior. Additionally, the CyberArk solution allows organizations to add an additional layer of authentication to existing password authentication solutions. It supports various authentication technologies such as LDAP, RSA, SecurID, RADIUS, PKI, smart cards and more.
- Implement Secure Remote Access
Remote access allows third-parties (vendors, contractors, consultants, remote employees, etc.) to access the ICS system and other critical assets from outside of the ICS networks. The CyberArk Privileged Session Manager secure jump server provides a central point of control for protecting the ICS networks through the isolation of all sessions originating outside of the ICS network and from unmanaged devices. The jump server protects the ICS target assets in several ways: it blocks the spread of desktop malware, mitigates the risk of credential theft and monitors and records every session.
- Monitor and Respond
Monitoring and analytics solutions help organizations to detect malicious activity, while implementing additional measures to quickly respond and mitigate any potential damage or compromise of the asset. CyberArk Privileged Threat Analytics provides both of these capabilities. It helps to detect account and user misuse or compromise and allows incident response or security operations teams to quickly respond to in-progress attacks.
CyberArk is uniquely qualified to help secure Industrial Control Systems from cyber-attacks related to the misuse of privileged accounts. Download “NIST-800-82 Rev 2: Guide to Industrial Control System (ICS) Security” to learn more about how CyberArk can help your organization meet the unique security requirements of Industrial Control Systems.
Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.