Sunday, December 4, 2022

Defence in Depth: Four essential layers of ICS Security

Security is not a one-size-fits-all solution. That is true not only because of the seemingly infinite variety of equipment found in any business, but also because of the many different ways each company views security. Some organizations devote a great deal of attention to security; this is especially true of those that run industrial control systems (ICS). Smaller companies may be more concerned with the theft of personal data. Everything in between these viewpoints is possible.

The end goal is the same for every organization, so the differences usually come down to a misunderstanding of terminology or industry-specific language.

A good example is someone from the ICS world referring to their log management solution as "the historian," whereas someone in the commercial vertical would call it a SIEM. The basic idea is the same: collect the data and activity from devices so that they can be stored and forensically analyzed later.

What can be done to bridge the industry jargon and show which products are, and are not, synonymous with one another? Time-tested analogies may be the best approach.

While there are many areas of information security that can matter, these are the four most critical security concerns every ICS company should address.

1. Asset Management

Asset management is the consistent monitoring of, and awareness of, every device in an organization, whether software, hardware or PCs. Any of them could become a point of compromise. Not knowing what you have is no less dangerous than leaving it unprotected. Ignorance is not bliss.

In the past, many devices were not considered potential targets for hackers or a serious threat. However, network attacks have been witnessed through seemingly innocent devices such as a cellular phone, a vending machine and an aquarium thermometer.

A common analogy: Imagine that someone walks past your door and says he wants to get into your house. You don't know who he is or what he is after. Your first thought is whether he could actually get in.

When you get home, you should perform an asset analysis. Where are your physical weaknesses? Maybe the windows or the doors; maybe the burglar has a Santa Claus obsession and plans to come down the chimney. Even if you are diligent about security, have you forgotten anything or been distracted? Inconsistent monitoring creates potential vulnerabilities.

The same method applies to the items inside the home. Have you ever taken inventory of everything in your household, not just the high-value items? You would be surprised how often a Rolex watch goes missing and its owner cannot work out when it disappeared.

Security takeaway: Although it may not be practical to inventory every object in your house, maintaining a detailed network inventory is feasible. Make sure every device that could be compromised or misused to access sensitive information is properly documented and kept up to date. The most common mistake organizations make is not knowing what devices are on their network. This is not only a matter of the physical location of hardware: outdated or unpatched software on a known device can be a security hole just as easily.

The difference between continually monitoring your household belongings and monitoring an enterprise's assets is that an organization has automated tools to help.
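As an added illustration of what such a tool does (this is example code written for this page, not Tripwire's product or anything from the original post), the script below reconciles an authoritative inventory against devices actually observed on the network and flags the three findings the section warns about: devices nobody knew about, inventoried devices that were not seen, and known devices running software below an acceptable version. All MAC addresses, hostnames, package names and version numbers are constructed placeholders.

```python
"""Added example (not from the article): reconcile an asset inventory against observed devices."""

# Constructed sample inventory: what the organization believes it owns.
# MAC addresses, hostnames, package names and versions are made-up placeholders.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "eng-ws-01", "type": "workstation",
                          "software": {"vendor-hmi": "3.2"}},
    "00:11:22:33:44:02": {"name": "plc-line-1", "type": "plc",
                          "software": {"plc-firmware": "1.8"}},
    "00:11:22:33:44:03": {"name": "historian", "type": "server",
                          "software": {"historian-svc": "5.0"}},
}

# Minimum acceptable versions (constructed); anything older is flagged as unpatched.
MIN_VERSIONS = {"vendor-hmi": "3.4", "plc-firmware": "1.8", "historian-svc": "5.0"}

# Constructed observation log, as a passive listener or DHCP lease table might produce:
# one "mac ip hostname" record per line.
OBSERVED = """\
00:11:22:33:44:01 10.0.1.10 eng-ws-01
00:11:22:33:44:02 10.0.2.20 plc-line-1
aa:bb:cc:dd:ee:ff 10.0.1.77 android-phone
"""


def version_tuple(version):
    """'3.10' -> (3, 10) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_observed(text):
    """Parse the observation log into {mac: {"ip": ..., "hostname": ...}}."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, hostname = line.split()
        seen[mac.lower()] = {"ip": ip, "hostname": hostname}
    return seen


def reconcile(inventory, observed, min_versions):
    """Return three findings:
    unknown  - devices seen on the wire that the inventory does not know about
    missing  - inventoried devices that were not seen (offline, moved, or stale records)
    outdated - inventoried software below the minimum acceptable version
    """
    unknown = {mac: info for mac, info in observed.items() if mac not in inventory}
    missing = {mac: asset for mac, asset in inventory.items() if mac not in observed}
    outdated = []
    for asset in inventory.values():
        for package, version in asset["software"].items():
            floor = min_versions.get(package)
            if floor and version_tuple(version) < version_tuple(floor):
                outdated.append((asset["name"], package, version, floor))
    return {"unknown": unknown, "missing": missing, "outdated": outdated}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_observed(OBSERVED), MIN_VERSIONS)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

Run against the constructed data, the phone is reported as unknown, the historian as missing (it was in the inventory but never seen, so either it is offline or the record is stale), and the engineering workstation's HMI software as outdated. A real deployment would feed `parse_observed` from a passive network sensor or switch tables rather than an embedded string, but the reconciliation logic is the same.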

2. Network Segmentation

Network segmentation, the separation of internal networks from one another, is essential to good security hygiene. It limits access to a given area or zone of your network and so prevents unauthorized access.

The benefits of this control may seem obvious, yet many organizations, commercial and industrial alike, still run "flat" network topologies, often as a by-product of organizational growth. This is especially true of ICS companies. Security has been a primary concern of industrial facilities, and as IoT devices become more common on these networks, this has become an attack surface that must be dealt with.

A common analogy: Picture your family coming to stay over the winter holidays. At some point during their stay, they will ask for your Wi-Fi password.

Since you trust your family, you will probably hand it over. If you have no guest network enabled, their devices then join the same network on which you do your own business, and those guest devices will also store your Wi-Fi password. If one of them has been compromised, it has the same access to the entire network, including the computer you use for your banking.

It is no longer enough to assume that your security measures are adequate; the weakest link in a network could well be a member of your family. Your options are to say no to the family, to change your Wi-Fi password when they leave, or to enable segmentation (a guest network with limited access) so that they never touch your private network. That way a compromised guest device cannot reach the internal, confidential network.

Security takeaway: Segment as many devices as you can. Installing firewalls and other protective technology obviously costs money, but not doing so could prove more costly in the end.
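The guest-network analogy maps directly onto zone-based firewall policy, and the check below makes the point concrete: it is an added example for this page (not code from the original post or from any vendor) that models a flat network and a segmented one as rule sets, then audits each for zone pairs that policy says must never be reachable. Zone names and the forbidden pairs are assumptions; the probe ports are common service ports (SSH, HTTP, HTTPS, Modbus/TCP on 502, EtherNet/IP on 44818) chosen only so that the audit has something to evaluate.

```python
"""Added example (not from the article): a zone-level segmentation policy checker."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, or "any"
    dst: str             # destination zone, or "any"
    port: Optional[int]  # TCP port, or None for any port
    action: str          # "allow" or "deny"


def evaluate(rules, src, dst, port, default="deny"):
    """First matching rule wins; the default applies when nothing matches."""
    for rule in rules:
        if (rule.src in (src, "any") and rule.dst in (dst, "any")
                and rule.port in (port, None)):
            return rule.action
    return default


# Constructed "flat" network: a single rule that lets everything reach everything.
FLAT = [Rule("any", "any", None, "allow")]

# Constructed segmented network with a default-deny posture. Zone names are assumed.
# Guests and corporate users get the internet; only engineering workstations reach the
# control zone, and only on Modbus/TCP (502) and the historian's HTTPS port (443).
SEGMENTED = [
    Rule("guest", "internet", None, "allow"),
    Rule("corporate", "internet", None, "allow"),
    Rule("engineering", "control", 502, "allow"),
    Rule("engineering", "historian", 443, "allow"),
]

# Zone pairs that policy says must never be reachable on any port (constructed intent).
FORBIDDEN = [("guest", "control"), ("guest", "corporate"), ("corporate", "control")]

# Ports worth probing in an audit: SSH, HTTP, HTTPS, Modbus/TCP, EtherNet/IP.
PROBE_PORTS = (22, 80, 443, 502, 44818)


def audit(rules, forbidden=FORBIDDEN, probe_ports=PROBE_PORTS):
    """Return every (src, dst, port) that the rules allow but policy says to block."""
    violations = []
    for src, dst in forbidden:
        for port in probe_ports:
            if evaluate(rules, src, dst, port) == "allow":
                violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    print("flat network violations:", len(audit(FLAT)))
    print("segmented network violations:", audit(SEGMENTED))
```

The flat rule set fails every probe (15 violations for three forbidden pairs times five ports), while the segmented rule set produces none because anything not explicitly allowed falls through to the deny default. The same default-deny structure is what a guest Wi-Fi network gives a household: the guest zone gets the internet and nothing else.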

3. Vulnerability Assessment

A vulnerability assessment examines an organization's systems to identify known vulnerabilities. Knowing where the potential weaknesses in your organization are is essential both for preventing attacks and for maintaining operational efficiency.

While vulnerability assessment is primarily a way to detect security gaps, an aggressive scan can also knock a device offline by sending it too many requests. This happens more often in ICS environments; in some cases it can take a PLC offline while a production line is running.

Organizations benefit from being able to see the possible security holes on a device, along with the applications and services currently running on it.

A common analogy: You own a convenience store and are closing it for the night. A walk-through would confirm that the store's access points are locked and secured, including any basement and roof access. It would also include locking the safe and leaving the cash drawer open. The final step is to turn on the motion detectors or alarm system and lock the store.

What would you do if you realized that part of your security system was failing? Would you take immediate action to fix it before leaving the store unattended? Conducting this impromptu risk assessment before you leave the store is simply part of running the business.

Security takeaway: Every business should carry out vulnerability assessments. No single solution is a panacea for security, and you need more than a tool that merely alerts you. Think how much more efficient your business could be if every vulnerability were identified and presented alongside remediation recommendations, including which patch is required to fix it.

That saves your team hours of research. Another important point is that the vulnerability assessment tool should be separate from the patch management system. Never assume a security problem is fixed simply because the patch was installed: a patch may appear to have applied successfully and still leave vulnerabilities behind when the system is scanned again.

A good arrangement is to use the vulnerability solution to detect the issue and then have it instruct the patch management system to apply the suggested patch. The vulnerability solution then launches a rescan to confirm that everything has been remedied. The two systems double-check each other's work.
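The scan, patch, rescan loop above is easy to get wrong when the patch system's "success" is taken at face value. The script below is an added example written for this page (not code from the original post or from any vendor product) that turns scanner findings into patch requests, then compares the rescan against what the patch system claimed, so that a "successfully" patched host that still shows the vulnerability is reported as unverified rather than silently closed. Hosts, vulnerability ids, package names and versions are constructed placeholders, not real advisories.

```python
"""Added example (not from the article): cross-check patch-system claims against a rescan."""

# Constructed scanner findings: (host, vulnerability id, package, fixed-in version).
# Vulnerability ids, hosts, package names and versions are placeholders, not real advisories.
SCAN_BEFORE = [
    ("hmi-01", "VULN-A", "vendor-hmi", "3.4"),
    ("hmi-01", "VULN-B", "tls-lib", "1.1.1"),
    ("eng-ws-02", "VULN-A", "vendor-hmi", "3.4"),
]

# Constructed patch-management report: (host, package, version installed, status).
PATCH_REPORT = [
    ("hmi-01", "vendor-hmi", "3.4", "success"),
    ("hmi-01", "tls-lib", "1.1.1", "success"),
    ("eng-ws-02", "vendor-hmi", "3.4", "reboot pending"),
]

# Constructed rescan: VULN-B is still reported on hmi-01 even though the patch system
# says the library was updated (for instance, the old copy is still loaded in memory).
SCAN_AFTER = [
    ("hmi-01", "VULN-B", "tls-lib", "1.1.1"),
    ("eng-ws-02", "VULN-A", "vendor-hmi", "3.4"),
]


def remediation_plan(findings):
    """Turn scanner findings into de-duplicated patch requests (host, package, target)."""
    return sorted({(host, package, fix) for host, _, package, fix in findings})


def verify(before, patch_report, after):
    """Compare the original findings, the patch system's claims and the rescan.

    resolved   - findings that no longer appear after patching
    unverified - the patch system claimed success, but the rescan still finds the issue
    pending    - still present, and the patch system never claimed success
    """
    claimed_fixed = {(host, package) for host, package, _, status in patch_report
                     if status == "success"}
    still_present = {(host, vuln, package) for host, vuln, package, _ in after}
    resolved = sorted((host, vuln) for host, vuln, package, _ in before
                      if (host, vuln, package) not in still_present)
    unverified = sorted((host, vuln) for host, vuln, package in still_present
                        if (host, package) in claimed_fixed)
    pending = sorted((host, vuln) for host, vuln, package in still_present
                     if (host, package) not in claimed_fixed)
    return {"resolved": resolved, "unverified": unverified, "pending": pending}


if __name__ == "__main__":
    print("patch requests:", remediation_plan(SCAN_BEFORE))
    for status, items in verify(SCAN_BEFORE, PATCH_REPORT, SCAN_AFTER).items():
        print(f"{status}: {items}")
```

On the constructed data, VULN-A on hmi-01 is resolved, VULN-B on hmi-01 is unverified (the patch system said "success" but the scanner disagrees, which is exactly the case the text warns about), and VULN-A on eng-ws-02 is pending because the patch is still waiting on a reboot. The point is that the rescan, not the patch system's status field, is the source of truth for closure.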

4. Continuous Monitoring

Continuous monitoring is a must for good security hygiene. People often don't know where to start and are usually pointed to frameworks that can help. Every such framework emphasizes asset discovery as the first step. Once that is achieved, continuous monitoring, and in particular configuration management, integrity monitoring and security monitoring, must be implemented for every device.

Integrity monitoring is commonly referred to as File Integrity Monitoring (FIM), but the "file" part is not strictly accurate: monitoring should cover every element in the organization, not just files. If you can see the moment a crucial configuration changes and react immediately, damage can be avoided.
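To show what "integrity monitoring beyond files" means in practice, here is an added example (written for this page; it is not Tripwire's implementation or code from the original post) that baselines both file contents and non-file elements, represented here as configuration key/value pairs, by hashing them, and then reports every addition, removal or modification on the next comparison. The file names, configuration keys and the simulated unauthorized change are all constructed.

```python
"""Added example (not from the article): baseline-and-compare integrity monitoring
for files and for non-file elements (here, configuration key/value pairs)."""
import hashlib
import json
import os
import tempfile


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def build_baseline(paths, config):
    """Snapshot: a hash per file, plus a hash of each config value in canonical JSON form
    so that non-file settings (PLC mode, alarm limits, remote access) are covered too."""
    return {
        "files": {path: hash_file(path) for path in paths},
        "config": {key: hash_bytes(json.dumps(value, sort_keys=True).encode())
                   for key, value in config.items()},
    }


def compare(baseline, current):
    """Return (kind, key, change) for every element that was added, removed or modified."""
    changes = []
    for kind in ("files", "config"):
        old, new = baseline[kind], current[kind]
        for key in sorted(set(old) | set(new)):
            if key not in new:
                changes.append((kind, key, "removed"))
            elif key not in old:
                changes.append((kind, key, "added"))
            elif old[key] != new[key]:
                changes.append((kind, key, "modified"))
    return changes


def demo():
    """Create constructed files and settings, baseline them, tamper, then compare."""
    workdir = tempfile.mkdtemp()
    ladder = os.path.join(workdir, "ladder_logic.bin")   # constructed program image
    recipe = os.path.join(workdir, "recipe.cfg")         # constructed recipe file
    with open(ladder, "wb") as fh:
        fh.write(b"\x00\x01\x02 constructed program image")
    with open(recipe, "w") as fh:
        fh.write("setpoint=75\n")
    # Constructed non-file settings that a monitor should watch just as closely as files.
    config = {"plc.mode": "run", "alarm.high_temp": 80, "remote_programming": False}
    baseline = build_baseline([ladder, recipe], config)

    # Simulated unauthorized change: the recipe setpoint is edited and remote
    # programming is switched on. The ladder logic is left untouched.
    with open(recipe, "w") as fh:
        fh.write("setpoint=95\n")
    config["remote_programming"] = True
    return compare(baseline, build_baseline([ladder, recipe], config))


if __name__ == "__main__":
    for kind, key, change in demo():
        print(f"{change:9s} {kind:6s} {key}")
```

The comparison reports exactly two changes, the recipe file and the `remote_programming` setting, and stays silent about the untouched ladder logic. In a real deployment the baseline would be stored outside the monitored host and the comparison run on a schedule or on change events; the hash-and-diff core is what lets you see the moment a crucial configuration changes, which is the point of the section.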

A common analogy: Imagine that you own a tiny sweet shop in the center of town. You decide not to spend money on security devices such as CCTV cameras. The school bus pulls up and a whole group of children walks into the shop. Your attention is pulled in every direction and there is a lot going on. When everyone has left, you notice that a jar of your most expensive sweets is half empty, and you don't recall selling a single one that day. Time to review your receipts and see whether something was overlooked in the rush. This is the equivalent of looking at your log data to see if you have missed certain transactions.

You were right: there were no sales of that sweet. Like many organizations, you sweep it under the rug and vow to be more careful next time. Now imagine you had installed a CCTV camera. It would be easy to determine who opened the jar and took from it.

A large supermarket employs people to watch the CCTV cameras. If someone tries to walk past the point of sale without paying, security can respond and stop them.

Security takeaway: Although the example above seems intuitive, we also know that many organizations handle security in just this way. That makes configuration and integrity management all the more important and necessary alongside vulnerability management. When an individual makes a real change and it is seen as it happens, there is not likely to be much damage to the network.


While the notion of change management might seem controversial, it is essential to emphasize that every type of security precaution should be implemented. Each has its own benefits, and they have the most value when used together. To achieve a comprehensive security picture, all four of them must be implemented in tandem: FIM and configuration management, log management, vulnerability assessment, and network segmentation to limit damage.

Leave any of these out and you give malicious actors an easy opening.

Tripwire ICS Security Suite covers all of the layers mentioned in my previous post. With Tripwire Log Center and Tripwire Enterprise with Tripwire Data Collector, you have the assurance of interconnected, automated and highly visible ICS security best practices. When your OT environment's security is running smoothly, you can put your focus where you want it: on safety, quality and productivity.
