This last part of the four-part series presents best practices for implementing digital security schemes in industrial settings. At the onset of the planning phase for deploying new security measures, gaining visibility into and managing production-centric endpoints, in addition to IT-centric endpoints, is crucial.

Understanding the device inventory, configurations, patch status, and known vulnerabilities is also an important step: it establishes a baseline to build on and to measure improvement against. In addition, backing up the configurations of the various devices is an essential element of any strategy to protect industrial endpoints.

  • Restricting physical access to the industrial network and devices: Physical access to the devices in an industrial facility is as important as the cybersecurity and network access controls. Monitoring access and tracing which personnel have been in which facility areas are basic steps that need to be in place. Additionally, video surveillance of access points to critical infrastructure is essential for quickly understanding access issues when security problems occur. Policies, procedures, and employee training are also crucial to implement a zero-trust environment and create a security culture.
  • Protecting individual ICS components from exploitation: As mentioned often in this blog series, endpoint security is the linchpin of modern industrial control security. Trust listing (application allowlisting) and lockdown capabilities are invaluable in ensuring that only approved software runs on an endpoint and that only authorized personnel and devices can access it. Disabling unused ports and services, restricting user privileges, and tracking and monitoring audit trails are good practices that can prevent, deter, detect, and mitigate malware.
  • Restricting unauthorized data modification: Capturing baseline configurations and recording every subsequent change to industrial settings ensures that all changes are authorized. Implementing digital and business processes/protocols to manage changes essential for operations can help identify both mistakes and deliberate modifications that could harm the operation or people.
  • Detecting security events and incidents: A systematic threat identification system integrated into one comprehensive view can help stakeholders get a complete picture of all the dimensions of modern security threats. Rule-based alarms and alerts triggered on anomalous data patterns help in the early identification of threats; such patterns could also indicate a compromise and require heightened awareness and constant monitoring. Once deviations or a possible compromise appear, incident workflows should automatically drive remediation efforts to contain the damage and restore normal operation.
  • Maintaining functionality during adverse conditions: Once a breach happens, a threat mitigation plan needs to be activated. Building a threat mitigation plan that is in sync with the architectural details of the security implementation can help contain threats and limit their spread. The ability to isolate sections of the operation or network to contain breaches is essential. Similarly, ensuring that operations can continue while dealing with a breach requires the capability to run devices and controls even when network access is disrupted.
  • Restoring the system after an incident: A post-incident triage of the specific exploited vulnerabilities must occur to eliminate future recurrences. Restoring the system to its original state post-incident requires a good backup and restore facility in the security scheme, with backups that are known to predate the compromise and have been tested to restore cleanly. Additionally, a thorough review of the security procedures is needed to ensure the same vulnerabilities are not exploited again.
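The following Python script is an added example, not code from this blog series or from Arrow. It shows a minimal form of the baseline and change-control practice described under "Restricting unauthorized data modification" and the rule-based alerting described under "Detecting security events and incidents": device configuration exports are hashed into a baseline, any drift without a matching approved change record is reported as unauthorized, and historian samples are checked against an expected operating band and a maximum plausible rate of change. The device names, configuration fields, change tickets, tag names, thresholds and readings are all constructed for this illustration.

```python
"""Added example (not from the blog series or Arrow): a minimal config-baseline,
drift-detection and rule-based alerting script for OT endpoints.
Device names, config fields, change tickets, tags, thresholds and readings
are constructed for this illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed exports of device configurations (as an engineering tool might
# dump them), keyed by hypothetical device name.
BASELINE_CONFIGS: Dict[str, str] = {
    "plc-line1": "firmware=2.14\nprogram_crc=0x5a3f\nport_80=disabled\nport_502=enabled\n",
    "plc-line2": "firmware=2.14\nprogram_crc=0x91c0\nport_80=disabled\nport_502=enabled\n",
}
# A later snapshot: plc-line1 had its web port re-enabled with no change record,
# plc-line2 got a firmware update under an approved ticket, plc-line3 is new.
CURRENT_CONFIGS: Dict[str, str] = {
    "plc-line1": "firmware=2.14\nprogram_crc=0x5a3f\nport_80=enabled\nport_502=enabled\n",
    "plc-line2": "firmware=2.15\nprogram_crc=0x91c0\nport_80=disabled\nport_502=enabled\n",
    "plc-line3": "firmware=2.14\nprogram_crc=0x0000\nport_80=disabled\nport_502=enabled\n",
}
APPROVED_CHANGES: Dict[str, str] = {"plc-line2": "CHG-0042"}  # device -> change ticket


def fingerprint(config_text: str) -> str:
    """SHA-256 over a whitespace-normalized config, so the baseline stores a
    compact, tamper-evident digest rather than the full (possibly sensitive) export."""
    normalized = "\n".join(line.strip() for line in config_text.strip().splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_baseline(configs: Dict[str, str]) -> Dict[str, str]:
    """Golden fingerprints to keep (ideally signed and offline) next to the backups."""
    return {name: fingerprint(text) for name, text in configs.items()}


def detect_drift(baseline: Dict[str, str], current: Dict[str, str],
                 approved: Dict[str, str]) -> List[str]:
    """Compare a fresh snapshot against the baseline. A difference without an
    approved change record is unauthorized; an approved change is reported so the
    baseline can be updated; missing and unknown devices are flagged as well."""
    alerts: List[str] = []
    for name, expected in baseline.items():
        if name not in current:
            alerts.append(f"{name}: device missing from current inventory")
        elif fingerprint(current[name]) != expected:
            if name in approved:
                alerts.append(f"{name}: changed under approved ticket {approved[name]}; re-baseline")
            else:
                alerts.append(f"{name}: UNAUTHORIZED configuration change")
    for name in current:
        if name not in baseline:
            alerts.append(f"{name}: unknown device not in baseline")
    return alerts


@dataclass
class Rule:
    """Expected operating band and maximum per-sample change for one process tag."""
    tag: str
    low: float
    high: float
    max_step: float


RULES = [Rule("tank1.level_pct", 10.0, 90.0, 5.0), Rule("pump1.rpm", 0.0, 1800.0, 200.0)]

# Constructed, time-ordered historian samples; the last level reading jumps far
# outside its band, which the physical process could not do in ten seconds.
SAMPLES = [
    {"ts": "10:00:00", "tag": "tank1.level_pct", "value": 50.0},
    {"ts": "10:00:00", "tag": "pump1.rpm", "value": 1200.0},
    {"ts": "10:00:10", "tag": "tank1.level_pct", "value": 52.0},
    {"ts": "10:00:10", "tag": "pump1.rpm", "value": 1250.0},
    {"ts": "10:00:20", "tag": "tank1.level_pct", "value": 95.0},
]


def evaluate_rules(samples: List[dict], rules: List[Rule]) -> List[str]:
    """Rule-based alerting: flag values outside the band, steps larger than the
    plausible rate of change, and tags for which no rule has been written."""
    by_tag = {r.tag: r for r in rules}
    last: Dict[str, float] = {}
    alerts: List[str] = []
    for s in samples:
        rule = by_tag.get(s["tag"])
        if rule is None:
            alerts.append(f'{s["ts"]} {s["tag"]}: no rule defined for this tag')
            continue
        value = float(s["value"])
        if not rule.low <= value <= rule.high:
            alerts.append(f'{s["ts"]} {s["tag"]}={value}: outside band [{rule.low}, {rule.high}]')
        prev = last.get(rule.tag)
        if prev is not None and abs(value - prev) > rule.max_step:
            alerts.append(f'{s["ts"]} {s["tag"]}: step {value - prev:+.1f} exceeds {rule.max_step}')
        last[rule.tag] = value
    return alerts


if __name__ == "__main__":
    for line in detect_drift(build_baseline(BASELINE_CONFIGS), CURRENT_CONFIGS, APPROVED_CHANGES):
        print("DRIFT", line)
    for line in evaluate_rules(SAMPLES, RULES):
        print("ALERT", line)
```

Run as a script, it reports the re-enabled port on plc-line1 as unauthorized, the approved firmware update on plc-line2 as a change that needs re-baselining, the unknown plc-line3, and two alerts for the implausible level reading. In production the baseline digests and change records would be stored where an attacker on the OT network cannot rewrite them, and the band and step thresholds would come from the process engineers rather than from a script constant.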

Securing industrial facilities and networks requires a systematic approach that considers all of the above aspects. Weighing costs, process complexity, and the impact of a critical infrastructure security breach upfront is an essential step for stakeholders to stay a step ahead of the numerous threats confronting industrial networks.

Roland Ducote

Director, Sales Intelligent Solutions, OT + Emerging Accounts

Roland has over 20 years of diverse sales, technical marketing, and alliances experience. He began his career with Arrow in 2000 and has covered a wide range of product lines including FPGAs, embedded computing, wireless, and storage technologies. Now focused on Arrow’s Operational Technology (OT) Program, he is responsible for developing and operating the Americas program, including sales, business development, and the partner ecosystem.

In addition, he oversees Arrow’s Intel Solutions Aggregator Program which aims to simplify the complexities of the intelligent edge and speed digital transformation projects. Roland holds a B.A. from Macalester College in St. Paul, MN, along with an M.B.A. and M.S. in Marketing from the University of Colorado at Denver.

Arrow Intelligent Solutions Blog