Security in ICS and OT digitalization: comprehensive cyber resilience for Industrial Control Systems
As OT and IT converge, it is time for an all-encompassing approach to securing mission-critical digital assets.
So how do you prevent a cyber-attack on your mission-critical ICS devices when the barriers between OT and IT are blurred by wireless sensor networks or by the use of cloud-based applications at shop level?
Start with the essential controls recommended by NERC CIP or IEC 62443, and start with full visibility into connected devices and the changes happening on them.
Many models have been derived to describe the requirements for cyber security in the world of Industrial Operational Technology, the world of cyber-physical systems where an attack has the potential for severe real-life damage (see our infographic 'A History of ICS Cyber Incidents & Attacks'). Common to all is that essential controls are needed at intersections and on assets to detect malicious changes, whether they modify a system's configuration settings, alter critical data, or drop malicious files. Malicious change, as the root cause of almost all cyber incidents, needs to be detected and controlled to safeguard the availability of assets and the processes they enable. This is exactly what NNT's ChangeTracker Gen7 R2, with its unique feature set for Industrial Control Systems, is designed for.
How to Converge OT and IT Networks and Protect Industry Digitalization
discover and highlight any dangerous behaviour
Both standards, NERC CIP and IEC 62443, mandate the ability to monitor the digital infrastructure in order to:
- develop and maintain a baseline configuration of assets
- authorize and document any change to a baseline
- continuously monitor and alert about any malicious change
- apply hardened configuration settings to any new asset added to the infrastructure
Our ICS feature set will not only help you automate these tasks but also help you document your security measures for audit purposes. Because it is part of the larger functionality of ChangeTracker Gen7 R2, you gain visibility across the domains of Operational Technology and Information Technology. As the demarcation between the two fades away, this is what is needed to stay ahead of the technological changes that come with the digitalization labeled Industry 4.0, which makes use of wireless sensor networks, cloud and container applications, or factory virtualization (Digital Twin, Virtual Power Plant).
In an ever-connected, highly automated environment, every asset needs serious care and attention in terms of cyber security and resilience. Secure configuration baselines, change control, and vulnerability management are non-negotiable.
NNT make the entire process of creating a baseline configuration as easy as possible.
NERC CIP requires a baseline to encompass operating systems, firmware, applications, custom software and many more.
Change Tracker's simple Wizard UI walks you through the process so anyone can create their own Baselines within minutes!
In addition, to further simplify that process, there is an unlimited supply of published hardened build standards, such as the Center for Internet Security (CIS) Benchmarks or the DISA Security Technical Implementation Guides (STIG), ready to be used and amended where needed.
Simple, UX-driven workflows make the maintenance of a configuration baseline straightforward, providing all the flexibility needed to promote changes to the baseline as they are required. It works to keep everything secure in Industrial Control, starting with systems like PLCs, HMIs and Historians and including advanced cloud and container infrastructures.
For example, following routine patching where not just product versions may change, but also the associated open ports and underlying filesystem, registry and configuration settings, you decide if you want to ‘promote changes to the baseline’. You can also assign basic logic to the promoted changes to either replace or extend the Baseline.
A number of security frameworks reference the need for change control, integrity monitoring and an established configuration standard or hardened build standard. You’ll find the need for such a baseline or Gold Build Standard in all compliance frameworks (for example, NIST 800-53 CM-2 and CM-3, CIS Control 5.2, PCI DSS Requirement 2) but especially NERC CIP 007-3 and 010-3 as a means of guaranteeing security.
Without a consistent build, how can you expect security to be maximized?
The NERC CIP 010 process is shown in the diagram, and the NNT Baseline Configuration management process allows you to follow this cycle.
An actuator is the other basic element in industrial control. Actuators are the 'response' to monitoring and control: they effect changes on valves, motors, and pumps.
Accessing the control network to manipulate actuators can lead to catastrophic events in a cyber attack.
13 April 2021
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SoMachine Basic software.
13 April 2021
This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in Advantech WebAccess/SCADA browser-based software.
13 April 2021
This advisory contains mitigations for an Improper Resource Shutdown or Release vulnerability in JTEKT TOYOPUC programmable logic controller products.
13 April 2021
This advisory contains mitigations for Out-of-bounds Write and Use of Out-of-Range Pointer Offset vulnerabilities in Siemens Nucleus DNS products.
13 April 2021
This advisory contains mitigations for Infinite Loop vulnerabilities in Siemens Nucleus real-time industrial software products.
Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.
Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.