ICS/OT Cybersecurity Self Analysis – Physical Security
Originally posted on the Cutaway Security LinkedIn page on March 22, 2023.
Let's consider some practical steps for an ICS/OT Cybersecurity Self Analysis. Today, let's cover physical security at your substation, pumping station, or compressor station. We feel this checklist is a good start. Do you have items to add? Let us know in the comments on LinkedIn.
- Verify all cameras are working and that their fields of view cover each gate and each building door.
- Identify whether each camera is connected via coaxial cable, Ethernet, or wireless. For Ethernet, check whether the cable can be unplugged and the live port used to connect an unauthorized device to the network. For wireless, confirm the camera uses a secured network that is separate from the process network.
- Confirm camera recordings can be exported and saved for later review.
- Walk the fence line and confirm gates are locked. Check for low points where erosion makes it easy to crawl under the fence. Check for exterior objects (e.g. trees, walls, stacked material) that make it easy to climb over the fence.
- Check whether gate exit mechanisms can be reached and operated from outside the fence line (e.g. through or over the gate) to unlock it.
- Review each external control cabinet (watch out for bees / wasps nests) and confirm each cabinet is locked.
- Review each external control cabinet for tamper tape or sensors that indicate the door has been opened.
- Review each external cabinet for network and process documentation (these should not be in external cabinets).
- Review the devices in external cabinets to ensure their physical security mechanisms are enabled (e.g. PLC key switches set to the run position rather than a program or remote position).
- Check each door into a building to ensure it closes and locks.
- Check each door frame to ensure the latch bolt (the throw) is protected by the frame and strike plate (shifted foundations can open gaps that expose the bolt to shimming) and that the gaps under and over the door are small enough to block under-the-door and over-the-door tools used to reach the interior handle.
- Check doors for tamper tape or sensors that indicate the door has been opened.
- Check buildings for ladders or hatches that lead to roof access. Verify these access points are locked and determine whether tamper tape or sensors are used to indicate the door / hatch has been opened.
- Review buildings for unexpected wireless antennas (e.g. cellular modems on generators for vendor / integrator maintenance).
- Check control cabinets, network racks, and server racks inside each building to ensure doors are present, locks are available and actually used, and tamper tape or sensors are in place to indicate the door has been opened.
- Review the site personnel's and physical security team's unauthorized-access response checklists to confirm the cybersecurity team is notified when such events occur.
- For critical cabinets or closets, determine if cameras are used to monitor and record access.
- Determine if physical walkthroughs are regularly conducted to review site, control cabinets, network racks, and server racks for unauthorized devices and network connections.
The information gathered in this review feeds the risk analysis. Not every finding needs to be "fixed." For instance, lack of tamper detection is a vulnerability, but the team and leadership may accept the risk because of cost or because other compensating controls (e.g. camera coverage and regular walkthroughs) reduce it.
Go forth and do good things,
Don C. Weber
#otcybersecurity #itcybersecurity #industrialcybersecurity #physicalsecurity #criticalinfrastructure