Using ICS network architecture to strengthen cybersecurity across critical infrastructure installations

Critical infrastructure installations face a rising number of threats, from criminal groups to state-sponsored actors. A sound design, built on an ICS (industrial control system) network architecture that places firewalls between the corporate and ICS networks, prevents network traffic from passing directly between the two. The architecture can also provide separate authentication mechanisms and credentials for users of the corporate and ICS networks, so that a compromised corporate account does not by itself grant access to the ICS network. 

When designing ICS network architecture, the usual recommendation is to separate the ICS network from the corporate network. The nature of the traffic on the two networks is different: Internet access, FTP, email, and remote access are generally allowed on the corporate network but should be blocked on the ICS network. In addition, the rigorous change control procedures that the ICS network needs for network equipment, configuration, and software changes are rarely practical on the corporate network. 

Additionally, when ICS network traffic is carried on the corporate network, it can be intercepted or subjected to DoS (denial of service) or man-in-the-middle attacks. With a separate ICS network architecture, security and performance problems on the corporate network should not affect the ICS network.
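The design described above, expressed as a zone policy, as an added example that is not from the article or any vendor: it assumes three zones with made-up address ranges (corporate 10.1.0.0/16, an ICS DMZ 10.2.0.0/24 holding a historian at 10.2.0.10, and the ICS network 10.3.0.0/16), a default-deny perimeter, and a lint pass that rejects any rule that would carry traffic directly between corporate and ICS, let the ICS network reach the Internet, or admit FTP, email, web or RDP into the ICS zone. The hosts and ports are assumptions for illustration.

```python
"""Zone-to-zone flow policy for a segmented ICS network.

Added example, not from the article. All address ranges, hosts and ports are
assumptions: corporate 10.1.0.0/16, ICS DMZ 10.2.0.0/24 (historian at
10.2.0.10), ICS 10.3.0.0/16. Anything else is treated as the Internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ZONES = {
    "corporate": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "ics": ip_network("10.3.0.0/16"),
}
INTERNET = "internet"

# Services the article says belong on the corporate side: never into ICS.
CORPORATE_ONLY_PORTS = {21: "ftp", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_host: Optional[str] = None  # pin the rule to a single host where possible


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def lint(rules: List[Rule]) -> List[str]:
    """Return the architectural violations in a ruleset (an empty list means clean)."""
    problems = []
    for r in rules:
        if {r.src_zone, r.dst_zone} == {"corporate", "ics"}:
            problems.append(f"direct corporate<->ics flow: {r}")
        if r.src_zone == "ics" and r.dst_zone == INTERNET:
            problems.append(f"ics egress to the Internet: {r}")
        if r.dst_zone == "ics" and r.dport in CORPORATE_ONLY_PORTS:
            problems.append(f"{CORPORATE_ONLY_PORTS[r.dport]} admitted into ics: {r}")
    return problems


def allowed(flow: Flow, rules: List[Rule]) -> bool:
    """Would the perimeter forward this inter-zone flow? Default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (src_zone, dst_zone, flow.proto, flow.dport):
            continue
        if r.dst_host is not None and r.dst_host != flow.dst:
            continue
        return True
    return False


# The only flows this design permits (assumed hosts and ports).
RULES = [
    Rule("corporate", "dmz", "tcp", 443, dst_host="10.2.0.10"),  # corporate users read the historian over HTTPS
    Rule("dmz", "ics", "tcp", 502),                              # historian collector polls PLCs over Modbus/TCP
]

if __name__ == "__main__":
    assert lint(RULES) == []
    for f in [Flow("10.1.5.5", "10.2.0.10", "tcp", 443),    # corporate -> historian: allowed
              Flow("10.1.5.5", "10.3.0.7", "tcp", 502),     # corporate straight to a PLC: denied
              Flow("10.3.0.7", "203.0.113.9", "tcp", 80)]:  # ICS host browsing the Internet: denied
        print(f, "->", "ALLOW" if allowed(f, RULES) else "DENY")
    # A rule that would bridge the zones is caught before it is ever deployed.
    print(lint(RULES + [Rule("corporate", "ics", "tcp", 502)]))
```

The lint pass is the part worth keeping: the rule table will change as the plant does, and a check that runs on every proposed change is what keeps the "no direct corporate-to-ICS path" property from eroding one exception at a time.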

Network segmentation and segregation are among the most effective architectural controls an organization can implement to protect its ICS network. They aim to restrict access to sensitive systems and information to the systems and people who need it, while ensuring that the organization can continue to operate effectively. This can be achieved with several techniques and technologies depending on the network's architecture and configuration.

Another essential tool available to the critical infrastructure sector is zero trust, in which no network is implicitly trusted. Zero trust is less a product than a maturity model: a continuous journey grounded in a mindset, design principles, and processes, and driven by risk. In the definition used by NIST SP 800-207, no implicit trust is granted to assets or user accounts based solely on their physical or network location (a local area network versus the Internet) or on asset ownership (enterprise or personally owned). Authentication and authorization, of both the subject and the device, are discrete functions performed before a session to an enterprise resource is established.

The zero trust framework focuses on protecting resources such as assets, services, workflows, and network accounts rather than network segments, because network location is no longer seen as the prime component of a resource's security posture. 
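An access decision in that style, as an added example that is not from the article and not any product's code: authentication of the subject, a device check, and authorization to the named resource are three discrete gates, all evaluated before a short-lived session scoped to that one resource is issued, and the requester's source address is deliberately never consulted. The resource names, roles and device attributes are assumptions.

```python
"""Per-session access decision in the zero trust style described above.

Added example, not from the article or any product. Resources, roles and the
device attributes are assumptions; the request's source address is carried
only to show that it plays no part in the decision.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SESSION_TTL_SECONDS = 900  # short-lived; every gate runs again on renewal

# Which roles may reach which resource (assumed).
RESOURCE_POLICY: Dict[str, FrozenSet[str]] = {
    "historian-api": frozenset({"ot-engineer", "process-analyst"}),
    "plc-engineering-ws": frozenset({"ot-engineer"}),
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool       # a password alone is not enough


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the organization's inventory
    attested: bool           # passed its integrity check (assumed mechanism)


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    src_ip: str              # recorded for audit, never used for trust


def authenticate(subject: Subject) -> Optional[str]:
    """Gate 1: who is asking? Returns a failure reason, or None when the gate passes."""
    if not subject.mfa_verified:
        return "subject: MFA not verified"
    return None


def check_device(device: Device) -> Optional[str]:
    """Gate 2: what are they asking from?"""
    if not device.managed:
        return "device: not managed"
    if not device.attested:
        return "device: integrity check failed"
    return None


def authorize(subject: Subject, resource: str) -> Optional[str]:
    """Gate 3: may this subject reach this one resource?"""
    allowed_roles = RESOURCE_POLICY.get(resource)
    if allowed_roles is None:
        return f"resource: {resource} is not a known resource"
    if not (subject.roles & allowed_roles):
        return f"resource: no role of {subject.user} grants {resource}"
    return None


def decide(req: Request, now: int) -> Tuple[Optional[dict], List[str]]:
    """Run every gate; issue a session for one resource only if all of them pass."""
    reasons = [r for r in (authenticate(req.subject),
                           check_device(req.device),
                           authorize(req.subject, req.resource)) if r]
    if reasons:
        return None, reasons
    session = {
        "user": req.subject.user,
        "device": req.device.device_id,
        "resource": req.resource,      # not "the ICS network": one resource
        "expires_at": now + SESSION_TTL_SECONDS,
    }
    return session, []


if __name__ == "__main__":
    eng = Subject("alice", frozenset({"ot-engineer"}), mfa_verified=True)
    laptop = Device("lt-0042", managed=True, attested=True)
    # From the plant LAN but without MFA: denied, location buys nothing.
    inside = Request(Subject("bob", frozenset({"ot-engineer"}), False),
                     laptop, "plc-engineering-ws", "10.3.0.50")
    print(decide(inside, now=1_700_000_000))
    # From the Internet with every gate passed: allowed, for this resource only.
    outside = Request(eng, laptop, "plc-engineering-ws", "203.0.113.9")
    print(decide(outside, now=1_700_000_000))
```

Note that `decide` collects every failing gate rather than stopping at the first one: the reasons go to the audit log, and an operator looking at a denied request wants to see all of them at once.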

Industrial Cyber reached out to experts in the ICS sector to determine the challenges critical infrastructure organizations face when working on their ICS network architecture. 

Tom Gilbert, CTO & SVP engineering at Blue Ridge Networks

“The ongoing consolidation of OT networks creates implicit cyber vulnerabilities,” Tom Gilbert, CTO & SVP engineering at Blue Ridge Networks, told Industrial Cyber. “Unfortunately, connectivity enables unintended addressability by would-be attackers. They gain a stealth presence in corporate business networks intending to mount lateral attacks into the ICS infrastructure,” he added.

A common challenge for ICS owners and operators is the difficulty of maintaining the plethora of existing tools, systems, and vendors, Brian Tuck, vice president of sales Americas at DriveLock, told Industrial Cyber. “Another challenge is implementing new security features and controls retrospectively across an ICS architecture that may have been initially deployed many years prior and with limited security in the initial design. It can be like trying to install new fire sprinklers in a twenty-year-old skyscraper.”

“Although this security may have seemed adequate for the time, the volume of threats we now face, and the sheer speed and delta of the attack used by adversaries continue to evolve at an alarming rate,” according to Tuck. “Once simple tasks, such as configuration management, vulnerability scanning, OS and applications patching of existing systems have now become an administrative nightmare.”

Brian Tuck, vice president of sales Americas at DriveLock

When talking about challenges and solutions, ICS owners must think in terms of speed and automation as well as security, Tuck said. “As an example, ultra-successful ‘born in the cloud’ companies like Uber, eBay, Airbnb, and Salesforce were all established with virtually no infrastructure, risk, or capital, compared to traditional ICS operations usually costing billions of dollars. Cybercriminals are very similar, quickly established, often trading tools, experience, and even professional services for hire on the Dark Web,” he added.

“In order to protect ICS architectures effectively, owners must adapt to these new norms; security must become just as agile, and critical data and operational systems must be encrypted, period,” Tuck pointed out. “Protective features and controls must be automated, where detection and remediation must be allowed to operate at machine speeds, at the ‘speed of the adversary,’ delivered via integrated, cloud-based services, utilizing robotic process automation (RPA) techniques.”

Asked what steps critical infrastructure installations must take to shore up the weaknesses brought about by improper ICS network architecture, Gilbert said that many of these networks grew from the bottom up as disparate standalone segments. “And, they were ‘managed’ locally by plant personnel and/or the vendors whose products used them. Over the last few years, these networks have been consolidated using high-speed Ethernet switches/routers. This provides remote manageability by IT personnel. It also lays the groundwork for data collection and movement towards cloud infrastructure,” he added.

While ICS system owners and operators often apply common design principles and standards such as PLC and SCADA to build ICS architectures, they also share other common attributes, such as Windows or Linux-based operating systems, cloud, hybrid, or on-premise models, Tuck said. “That said, every ICS architecture is, by its operational design, functionality, and requirements, unique.”

“In order to mitigate any common vulnerabilities and lower risk, many ICS system owners are adopting National Cyber Security standards, recommendations, and platforms such as NIST 800, CMMC, and the International Security Standard ISO 27001 across their ICS architectures,” Tuck said. Steps include implementing less complex yet integrated measures that strengthen the architecture such as device and application controls, predictive whitelisting that hardens endpoints from both internal and external attacks, multi-factor authentication (MFA), privileged access management (PAM) for system users, and regular updates to Microsoft macro setting configurations and patching, he added.

Tuck also added that many ICS owners and operators already run highly sophisticated security operations centers with specialist incident response teams, utilizing the latest integrated cyber intelligence feeds and advanced software tools. These teams are constantly monitoring for vulnerabilities and external and internal threats. 

“However, these operations centers are starting to focus more on the human element, often called the ‘human firewall,’” according to Tuck. “Attributes here include user education programs, phishing and/or social engineering awareness campaigns, and/or direct intervention to help mitigate common mistakes, inappropriate access, and/or simple misconfigurations, which often account for a large percentage of problems, data breaches, or system failures,” he added.

As part of zero trust models, Tuck said that continuous automated authentication and behavioral analytics solutions play an ever more significant role in protecting ICS architectures. “The ‘Trust no one, verify everything,’ always on, always watching, is now becoming a common goal or practice for many ICS system owners,” he added.

Looking into the effect that the rising number of cybersecurity attacks and vulnerabilities has on ICS network architecture within the critical infrastructure sector, Gilbert said that no one wishes to lose the benefits of OT network connectivity. “Also, the best IT cybersecurity tools are often ineffective for ICS systems. What is needed is connectivity without addressability from unauthorized users. Network segmentation is being widely adopted to resolve this conundrum,” he added.

Tuck said every attack and new vulnerability found on any ICS architecture adds to a cumulative effect in terms of risk, workload, and stress on all the others. “Even if your ICS installation has not yet been attacked, you cannot ignore the potential of any newly identified or published threat, actual attack, or vulnerability such as a zero-day to damage your critical infrastructure; every threat must be prioritized and acted upon,” he added.

“When discussing ICS architectures, we often consider existing hardware, systems, and software as existing collateral,” according to Tuck. “However, even if your existing architecture is older, you can’t simply solve the problem by throwing out $100m worth of equipment; you have to think about your return on equity (ROE) and maximizing the commercial value of your architecture while balancing and mitigating the associated risks of an operation.”

However, one often overlooked factor in this equation is the ‘human’ collateral or equity, Tuck said. “ICS owners and operators often spend just as many millions on hiring, building, and training specialist security teams. Constant patching of vulnerabilities and unrelenting cyber-attacks puts a huge strain on the Security Team itself.”

“We know that automation of mundane yet critical security tasks, such as vulnerability scanning, patching, and code inspection, can have a tremendously positive impact on security teams,” Tuck said. “However, automated and active defenses, such as predictive whitelisting, behavioral analysis, automated device and applications controls, and ‘active’ (constant) authentication solutions even more so.”

He added that the cyber security skills crisis is real, with absenteeism and staff turnover significantly impacting operations. “If we accept this trend may continue for some time yet, ICS owners need to consider automated security solutions with ‘active defensive capabilities’ rather than just ‘reporting features,’” Tuck said.

Analyzing the role that zero trust network and endpoint protection solutions play in bolstering ICS network architecture, Gilbert said that network segmentation is only effective if it can carefully control access to each segment. “This is what zero trust is about. But, even if an authorized user is correctly authenticated, their PC or mobile device is the most dangerous element in any network. The productivity applications we all use are complex and readily exploited by malware. The objective of the malware is often to steal legitimate users’ credentials to enable remote attackers into the protected networks,” he added.

“Unfortunately, the detection lag time by anti-malware products has left high-value targets vulnerable,” Gilbert said. “Another essential component of zero trust is multifactor authentication which makes credential theft highly difficult or impossible.”

The adoption of Zero Trust ‘trust nothing and no-one’ methodologies and the resulting endpoint hardening are having a significant impact on bolstering the security of ICS network architectures, Tuck said. However, he added that speed and action are critical factors in any incident response.

According to Tuck, any system or control measure can be automated and preconfigured to actively search for, detect, deny, and block threats, prevent human error, and close an open vulnerability, stopping an attack before it starts. “This is far more valuable than a solution or technique that simply alerts an operator for human intervention or clean up and analysis after the fact. Prevention is always better than cure,” he added.

“Given the scale and criticality of enterprise ICS architectures, adding another complex point solution that in the end requires manual interpretation and intervention to an already complex and fast-paced environment will only add stress on the security team, potentially leading to further delays and an escalation rather than de-escalation of risk factors,” Tuck said. “I believe Zero Trust solutions that can be automated, are aligned with, and enable security platforms like NIST, CMMC and SCADA will bring the most benefits and security for ICS owners and operators. Security professionals must ensure the availability and continuity of services. Our job is to make the complex simple and the simple compelling,” he concluded.
