
Starting Cybersecurity Program for Small ICS / OT Teams

This morning I was thinking about completing an article I was writing about KPIs and OKRs. The more I wrote, the more I realized I was just regurgitating research and making pithy comments. Which means it was crap. So, I refocused and turned to AI to help me. I asked Google’s Gemini the following question.

Considering the 5 ICS Cybersecurity Critical Controls, outline a quick win plan to achieve and measure success. The plan should be for a team that is leading a small administrative and operations team of 5 people. Each of the 5 areas should have three things to understand within the first month and set up timelines for the next four months to address the top issue in each.

Feel free to check out Gemini’s response [Edited: link removed since it leaked other Gemini queries in addition to the original content.]

After reading the results, I do not think it hit the mark. But I do think it is usable with modifications. Here are my modifications. Jump on LinkedIn and tell me what your team would change about this approach.

Alright, let’s craft a quick win plan for a small ICS cybersecurity team (5 people) focusing on the SANS 5 ICS Cybersecurity Critical Controls. We’ll prioritize understanding within the first month, which the team can then use to outline a four-month timeline of milestones for addressing the top issue in each control.

The 5 ICS Cybersecurity Critical Controls:

As usual, I will re-order these into the order I feel will provide the ICS / OT team with the best methods for ensuring availability and reliability of operations. For security assessments I typically start with remote access, but for a program, the ICS IR plan is more important as it goes to being prepared for recovery.

  1. ICS Incident Response Plan
  2. Secure Remote Access
  3. Defensible Architecture
  4. ICS Network Visibility and Monitoring
  5. Risk-based Vulnerability Management

SANS ICS Whitepaper on The Five ICS Cybersecurity Critical Controls: https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/

Month 1: Understanding and Assessment

During the first month, the team will focus on understanding the current state of each control within their environment. This is crucial for identifying quick wins. The team should gather information but only spend a limited amount of time. Team members should not be required to update documentation or make it more complete at this stage. Some of this effort might be discovering what the parent organization is requiring or getting a better understanding of current regulatory requirements.

ICS Incident Response Plan

  • Understand:
    • Contact list for key personnel to include team, vendors, and leadership.
    • The team’s roles and responsibilities during an incident.
    • Existing incident response plans (if any) and their relevance to ICS.
    • The communication channels for reporting and responding to incidents.
  • Top Issue: Team does not understand roles during events and incidents.
  • Measurement: Contact list with primary and secondary contacts and offline contact information. Initial table-top session with action items for next steps.
  • CutSec Comment: Gemini recommended documenting an IR plan first. I recommend focusing on generating a contact list for key personnel. Then, sit those key personnel down to discuss what THEIR understanding of the process is. Let the team pick and drive next steps that benefit operations. Cybersecurity SMEs can help fill the gaps for the team when they do not understand a topic or requirement.

Secure Remote Access

  • Understand:
    • Document all physical, wired, and wireless remote access to the operational environment.
    • Document the current method for managing authorized access to each method of remote access.
    • Review the process for managing and auditing access to distinguish between authorized and unauthorized access.
  • Top Issue: No method for business unit owners, responsible for operations, to review access to their area of responsibility.
  • Measurement: Inventory of all remote access techniques and documentation of how and who reviews access to determine authorized and unauthorized access.
  • CutSec Comment: Gemini recommended improving authentication. That is actually a rookie mistake when it comes to protecting ICS/OT operations. The key is understanding ALL the methods for remote access, first. Then start looking at how these remote access methods are managed.

Defensible Architecture

  • Understand:
    • The current network architecture and segmentation of the ICS environment.
    • The placement and configuration of firewalls and other security devices.
    • The physical security measures in place to protect ICS assets.
  • Top Issue: Flat network architecture with minimal segmentation.
  • Measurement: Network diagram documentation, and a list of all installed firewalls and other security devices.
  • CutSec Comment: Gemini’s recommendations are not bad here. We’ll leave it alone for brevity. When considering ISA/IEC 62443 security programs, the requirement here would be to conduct a high-level risk assessment, which is just gathering ALL of the documentation for the part of the operations being reviewed.

ICS Network Visibility and Monitoring

  • Understand:
    • The current monitoring tools and techniques used to detect security events.
    • The types of logs and alerts that are generated by ICS devices.
    • The process for analyzing and responding to security alerts.
  • Top Issue: Limited or no real-time monitoring of ICS network traffic.
  • Measurement: Documentation of current monitoring tools and logs, and a list of all security alerts currently generated.
  • CutSec Comment: Gemini’s assessment here is correct. Logging and monitoring are still issues that plague ICS/OT organizations. Understanding what is currently being done is key. No need to buy products; configure and use what you currently have correctly.

Risk-based Vulnerability Management

  • Understand:
    • Review the CISA KEV to familiarize the team with the concept and the resource.
    • Review the current state of the inventory of all ICS hardware and software and determine if operational criticality has been assigned.
    • Determine if inventory information can support CISA KEV process.
  • Top Issue: Ineffective vulnerability management program focused on operations.
  • Measurement: Documentation of the current state of the ICS asset inventory and a list of hardware and software that are currently included on the CISA KEV list.
  • CutSec Comment: A mixed bag from Gemini on this one. Asset management is important, but vulnerability scanning is NOT the way to start a program. Many organizations have used the CISA Known Exploited Vulnerabilities Catalog to help focus their efforts. If they are saying it has protected their operations, perhaps the team should investigate what that process looks like.
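The inventory-versus-KEV check described above, as an added example that is not part of the original post. It assumes the JSON layout CISA publishes for the KEV catalog (a top-level "vulnerabilities" list with "cveID", "vendorProject", "product" and "dueDate" fields); the catalog entries, the inventory rows and the CVE IDs below are constructed placeholders, not real identifiers. It produces both measurements the passage asks for: which inventoried assets appear on the KEV list, and which inventory rows lack the vendor, product or criticality data the KEV process needs.

```python
"""Cross-check an ICS asset inventory against a CISA KEV catalog download."""
import json
import re

# Constructed stand-in for the KEV feed (real feed: https://www.cisa.gov/sites/default/
# files/feeds/known_exploited_vulnerabilities.json). CVE IDs are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Example PLC Co",
     "product": "PLC Firmware", "dueDate": "2024-01-01"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Example HMI Inc.",
     "product": "HMI Studio", "dueDate": "2024-02-01"},
]})

# Constructed inventory; some rows lack the fields the KEV process depends on.
INVENTORY = [
    {"asset": "PLC-01", "vendor": "Example PLC Co.", "product": "PLC firmware", "criticality": "high"},
    {"asset": "HMI-03", "vendor": "Example HMI Inc", "product": "HMI Studio", "criticality": ""},
    {"asset": "SW-07", "vendor": "", "product": "", "criticality": "low"},
]

CRITICALITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def normalize(text):
    """Lowercase and collapse punctuation so 'Example PLC Co.' matches 'Example PLC Co'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def kev_index(kev_json):
    """Build a (vendor, product) -> [KEV entries] lookup from the catalog JSON."""
    index = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def check_inventory(inventory, kev_json):
    """Return (hits, gaps): KEV matches per asset, and rows that cannot support the KEV process."""
    index = kev_index(kev_json)
    hits, gaps = [], []
    for row in inventory:
        missing = [f for f in ("vendor", "product", "criticality") if not row.get(f)]
        if missing:  # incomplete rows are reported even when they still match
            gaps.append({"asset": row["asset"], "missing": missing})
        if row.get("vendor") and row.get("product"):
            for entry in index.get((normalize(row["vendor"]), normalize(row["product"])), []):
                hits.append({"asset": row["asset"], "cveID": entry["cveID"],
                             "criticality": row.get("criticality") or "unassigned",
                             "dueDate": entry["dueDate"]})
    # Most critical operational assets first, then by CISA due date.
    hits.sort(key=lambda h: (CRITICALITY_ORDER.get(h["criticality"], 3), h["dueDate"]))
    return hits, gaps
```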

Months 2-5: Implementation and Improvement

After the first month of results, the team and leadership should now have a clear understanding of the current state. The team should set the direction for the next five months and express this to leadership. Leadership should accept this with simple modifications to help prioritize efforts and provide help through assistance from corporate teams, vendors, integrators, and third-party cybersecurity teams.

The following is an example of possible, achievable follow-on efforts over the next month. Wash, rinse, repeat to achieve steady improvements and protections for operations.

Month 2

  • ICS Incident Response Plan: Conduct a table-top exercise that reviews unauthorized access to the most likely avenue a threat actor will gain access to operational assets.
  • Secure Remote Access: Implement a stronger password policy.
  • Defensible Architecture: Create a plan to improve access, segmentation, and data flow to critical ICS operational assets.
  • ICS Network Visibility and Monitoring: Configure basic network traffic monitoring.
  • Risk-based Vulnerability Management: Perform an initial vulnerability scan.

Measuring Success

Measuring success is different from organization to organization. Individual leadership should be guiding teams to what are effective measures of success. I am not going to lay those out here. After these initial successes the team should be able to set up milestones that are focused on preserving operations. Leadership’s inputs should help the team remain focused on prevention, detection, response, and recovery. The 5 ICS cybersecurity critical controls can help drive this direction, with more granular detail coming from industry standards, such as the guidance in the updated ISA/IEC 62443-2-1 standard.

Go forth and do good things,

Don C. Weber