Most manufacturing organizations understand the importance of implementing cybersecurity protections for their OT network. But frequently, the network is where the cybersecurity strategy stops. While network security is an important layer of defense from cyber threats, no single protective measure or security control can provide complete cybersecurity protection. Much like a moat is just one of the many defenses in place for a castle, an effective cybersecurity strategy requires a defense-in-depth approach. Including system- and application-level security controls to harden new cyber assets installed on the floor as part of this approach is one of the important layers of defense.
As a result, PCs deployed in the OT space should be a key target when developing a hardening strategy. This is because engineering workstations, maintenance laptops, panel PC HMIs, and front-end servers often use COTS operating systems (OSs) developed for general use. These OSs ship with a wide variety of software and services included whether the PC was purchased for use in gaming, an office environment, or on the factory floor. To be effective and secure, PCs require configuration for the specific environment and purpose for which they will be deployed. Having a plan in place to support the hardening of new OT PCs is critical to minimizing the opportunities for an exploitable vulnerability, also known as the attack surface.
Let’s look at six strategies you should consider developing to harden the security of your OT PCs before ever connecting the new equipment to your network.
Strategy 1: Keeping or Allowing Only Necessary Services and Software
Each unneeded feature active on the PC increases the attack surface. One of the easiest and most critical steps to reduce the attack surface is to eliminate unnecessary software and services from the PC. By removing software and services such as games, messaging applications, app store integrations, and Cortana or other voice search features, you are inherently reducing the access points into the PC. This also should include removing or carefully controlling default features that are usually not needed for OT operations such as printer discovery and file sharing.
Another useful technique is to implement allow-listing (whitelisting). This practice uses application blockers to prevent applications other than those that are approved, or on the “allow list,” from operating on the PC. However, this type of denial/allow-by-exception approach involves explicitly understanding what you do and do not need for your operations.
Strategy 2: Implementing PC-Level Firewalls
For the purpose of this post, we are only referring to the strategy needed for a software firewall implemented on the PC and not the network as a whole. Many OT networks have a firewall at critical points such as a business-network crossover that provides protection between these two networks, but many of these same OT networks are flat on the OT side. While this practice is a discussion for a different post, the result is that the network firewall often does not provide protection within the OT network.
Most PCs now come with firewalls configured to block inbound traffic by default. This is the right starting place, but many OT PCs utilize software that requires inbound connections. It is a common, but incorrect, practice to disable OT PC firewalls to fix a problem with inbound connections to OT PCs. Instead, required inbound connections should be identified, and explicit allowance made beforehand only for those known cases. Users should not have to accept application-generated requests on the floor.
While the importance of inbound firewalls is usually clearly understood, it is also critical to implement outbound firewall rules too. Doing this mitigates issues such as reverse tunnels and limits the paths for malware to propagate. Much like the practice of application allow-listing, firewalls should only allow for defined communication flows. Therefore, it is important to know what you need and to only allow access to the PC for these items.
Strategy 3: Developing a Proactive Plan for Patching
Just because your OT PC is new does not mean the software is up to date. Before you ever connect the PC to the OT network, you should put a patching plan in place. This plan should include a responsible party for patching and a schedule that will ensure your PC stays up to date with software updates. You also need to develop a back-up plan or test environment that will allow you to roll back to a prior version if something does not go to plan during an update. By having a plan in place, you can also avoid the common conversation about not having time for downtime that usually occurs when it is time to perform updates. Finally, use your plan to bring your new OT PC up to date before connecting it.
Strategy 4: Logging and Synching Network Data
As part of your OT PC guidelines, it is critical to put a plan in place for collecting the necessary log data to detect or respond to an undesirable event. This could be a malicious attack but could also be an inadvertent misconfiguration that negatively impacts your systems. Thus, logging needs to be enabled before you need it, otherwise the information may be irretrievable after the fact. Networking-related processes and access attempts, as well as OS and software installation changes may all be relevant events to log.
Effective logging needs appropriate supporting systems as well. This means logs should be collected in a central location to facilitate review and preservation and time synchronization should be provided for OT PCs. This way, if an event does occur, it is easy to access the data and correlate events between multiple cyber assets and human interventions.
Strategy 5: Creating Access Control
An access control strategy should involve both role-based security and user authentication. All users should be given individual access, typically through unique log-on credentials, and that access should have limitations that correspond with the functions required for their job. This also means that if the system is rebooted for any reason, it should not automatically provide interactive access without authentication. Default local admin accounts should be disabled or renamed and only used in special circumstances.
Strategy 6: Being Consistent with Physical Security
While you may train operators to never plug-in an unauthorized device to a USB port, you cannot rely on the honor system alone. Your software configuration should match expectations set during user training, which may mean you should install and configure port blocker software to prevent unauthorized devices from accessing the PC. Physical port blockers will help reinforce expectations and prevent inadvertent connections. Additionally, you should disable automatic mounting or execution of software on any OT PC. Therefore, if training is violated, negative consequences can still be mitigated.
Eliminate Holes in Your Cybersecurity Strategy by Hardening Your OT PCs
There is no silver bullet to cybersecurity. As with safety, cybersecurity requires multiple layers of protection so that an unforeseen, accidental, or newly developed hole in one layer does not create a direct path to failure. Malicious actors are constantly uncovering new vulnerabilities even in cybersecurity-conscious systems, and are often motivated by the ability to extract lucrative crypto-currency “ransoms.” Hardening new OT PCs is an important cybersecurity layer you should include as part of your defense-in-depth strategy when building your cybersecurity program.
Global Industrial Cyber Security Professional, Tim Mullen
ACE would like to congratulate Tim Mullen for becoming certified as a Global Industrial Cyber...
Understanding Your Organization’s Cyber Posture
As the plant floor becomes more connected, ensuring proper cyber protections for industrial control...