In 2015, the DHS Interagency Security Committee released the “Securing Government Assets through Combined Traditional Security and Information Technology White Paper”. This document outlines the risk-management framework process that can be applied to physical security systems, such as closed-circuit video equipment or video systems, intrusion detection systems and electronic PACS. Key to these recommendations is bringing physical security specialists, facility engineers and managers, IT, system integrators and property owners to the table to conduct assessments and develop an SSP. Another consideration in the procurement process is to initiate the converged systems’ baseline risk assessment in planning and design phases and conduct factory acceptance testing in the construction phase and full-site acceptance testing (including penetration testing) for system turnover.
An underlying fundamental concept of the NIST SP 800-82 R2 “Industrial Control Systems Security Guide” is the concept of “inbound protection and outbound detection.” All control systems should be on a separate network with multiple levels of demilitarized zones (DMZs) and sub-networks. [In computer security, a DMZ is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.]
Control systems behave in very predictable ways with data frequency, packet size and other attributes fairly constant and amenable to white listing. New OT firewalls able to perform deep packet inspection and OT passive monitoring tools that identify anomalous traffic provide inbound protection. Continuous monitoring provides an outbound detection capability. Control systems generally do not send megabit or gigabit files to remote servers, either in an organization’s known network or connected vendors. Exfiltration of data and covert command and control channels to unrecognized IP addresses are key signs of compromise. NIST SP 800-82 R2 also has new controls for acquisition, life-cycle software development and penetration testing. New continuous monitoring tools have been created specifically to evaluate and manage control-system protocols.
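The whitelisting and outbound-detection idea above, as an added example that is not from the article or from NIST SP 800-82: a Python check that flags a flow record when its destination is outside the known networks, its tuple is absent from the baseline, or its size is far above what that tuple normally carries. The subnets, baseline tuples and sample flows are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed: the OT subnet and one vendor support range (the only known destinations).
ALLOWED_NETS = [ip_network("10.20.1.0/24"), ip_network("192.0.2.0/24")]

# Constructed baseline from a quiet-period capture: typical bytes per flow
# for each (src, dst, proto, dport) tuple the control network is expected to produce.
BASELINE = {
    ("10.20.1.11", "10.20.1.5", "tcp", 502): 300,     # PLC -> HMI, Modbus/TCP replies
    ("10.20.1.5", "10.20.1.11", "tcp", 502): 120,     # HMI -> PLC polls
    ("10.20.1.5", "192.0.2.10", "tcp", 443): 4_000,   # HMI -> vendor update check
}


def check_flow(flow, baseline=BASELINE, allowed=ALLOWED_NETS, size_factor=10):
    """Return the reasons this flow departs from the baseline (empty list = normal)."""
    reasons = []
    if not any(ip_address(flow.dst) in net for net in allowed):
        reasons.append("destination outside known networks")
    typical = baseline.get((flow.src, flow.dst, flow.proto, flow.dport))
    if typical is None:
        reasons.append("flow tuple not in whitelist baseline")
    elif flow.nbytes > size_factor * typical:
        reasons.append(f"transfer {flow.nbytes} B exceeds {size_factor}x baseline of {typical} B")
    return reasons


def audit(flows, **kw):
    """Map each anomalous flow to its reasons; normal flows are omitted."""
    findings = {}
    for flow in flows:
        reasons = check_flow(flow, **kw)
        if reasons:
            findings[flow] = reasons
    return findings


# Constructed NetFlow-style sample records for a stand-alone run.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.1.5", "tcp", 502, 280),
    Flow("10.20.1.5", "10.20.1.11", "tcp", 502, 130),
    Flow("10.20.1.5", "192.0.2.10", "tcp", 443, 41_000_000),   # gigabit-scale push to the vendor
    Flow("10.20.1.5", "203.0.113.77", "tcp", 443, 5_200),      # unknown external address
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(reasons))
```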
Facility owners and operators also will need to add penetration testing tools to their tool bag. Traditional hacking tools now have add-on packages with OT exploits. Other tools can expose any IP device and provide a wealth of information about the device, system, organization and other data.
Security Auditing
The security team should perform a monthly security audit, including documentation. Such an audit verifies that an organization’s software and hardware are functioning as intended, reviews event and audit logs, identifies and addresses potential vulnerabilities, confirms patch management is current, notes whether continuous monitoring is functional, identifies indicators of compromise or exploitation, and ensures appropriate action is taken in a timely manner.
When conducted on a monthly basis, a security audit process compares baseline and previous configurations to identify any systemic changes. This document is used in conjunction with IT policies and procedures, ITCP and ICP documents.
The security team, consisting of members listed within the ITCP, should include, at a minimum, the information system security officer, system administrator and security coordinator(s). Among the tasks are the following:
- Situate all building-control systems into a DMZ and properly configure them so the human machine interface and building controllers cannot be found on Shodan.
- Register the team with ICS-CERT to receive alerts and advisories.
- Exercise the ITCP at least annually.
With the number of hacks on the rise, it is no longer a question of if a building-control system will be exploited. It is only a question of when.
This article was first written for and published in the October 2015 issue of the Journal of the National Institute of Building Sciences (JNIBS), a publication of the Washington, D.C.-based National Institute of Building Sciences. It has been reproduced here with permission from the institute.