Loading ...
Loading ...
Loading ...
Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module – 160
•
•
•
•
•
•
•
•
5.1.6.3 Intrusion detection and prevention systems (IDPS)
These are systems that are primarily focused on identifying possible incidents in an ICS network, logging the information about
them, attempting to stop them, and reporting them to ICS security administrators.
Because these systems are critical in an ICS network, they are regular targets for attacks and securing them is extremely important.
The type of IDPS technology deployed will vary with the type of events that need to be monitored.
There are four classes of IDPS technology:
Network-based IDPS monitors network traffic for particular ICS network segments or devices and analyzes the network and
application protocol activity to identify suspicious activity
Wireless IDPS monitors and analyzes wireless network traffic to identify suspicious activity involving the ICS wireless
network protocol
Network behavior analysis IDPS examines ICS network traffic to identify threats that generate unusual traffic flows such as
DOS attacks
Host-based IDPS monitors the characteristics and the events occurring within a single ICS network host for suspicious
activity
5.1.7 Policies, procedures, standards, and guidelines
For the defense in depth strategy to succeed, there must be well-documented and continuously reviewed policies, procedures,
standards, and guidelines.
Policies provide procedures or actions that must be carried out to meet objectives and to address the who, what, and why
Procedures provide detailed steps to follow for operations and to address the how, where, and when
Standards typically refer to specific hardware and software, and specify uniform use and implementation of specific
technologies or parameters
Guidelines provide recommendations on a method to implement the policies, procedures, and standards
5.1.7.1 Understanding an ICS network
Creating an inventory of all the devices, applications, and services that are hosted in a network can establish an initial baseline for
what to monitor. Once those components are identified and understood, control, ownership, and operational consideration can be
developed.
5.1.7.2 Log and event management
It is important to understand what is happening within the network from both a performance and security perspective. This is
especially true in a control systems environment.
Log and event management entails monitoring infrastructure components such as routers, firewalls, and IDS/IPS, as well as
host assets. Security Information and Event Management (SIEM) systems can collect events from various sources and provide
correlation and alerts.
Generating and collecting events, or even implementing a SIEM is not sufficient by itself. Many organizations have SIEM solutions,
but alerts go unwatched or unnoticed.
Monitoring includes both the capability to monitor environments and the capacity to perform the monitoring. Capability relates to
the
design and the architecture of the environment. Has it been built in a manner that takes into consideration the ability to monitor?
Capacity speaks to the resources (personnel, tools, expertise) needed to perform meaningful interpretation of the information and
initiate timely and appropriate action.
Through monitoring, the organization can identify issues such as suspicious or malicious activities. Awareness can be raised when
new (potentially unauthorized) devices appear in the environment. Careful consideration should be taken into account to ensure that
log and event management does not adversely impact the functionality or the reliability of the control system devices.
5.1.7.3 Security policy and procedures
It is important to identify “asset owners,” and to develop policies and procedures for a cybersecurity program. These policies need
to be practical and enforceable in order to be effective. Policies should also address access related issues, such as physical access,
contractors, and vendors.
Loading ...
Loading ...
Loading ...