Loading ...
Loading ...
Loading ...
Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module – 161
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Existing (traditional) IT standards and policies may not apply (or have not been considered) for control systems. A gap analysis
should be performed to determine which components are not covered (or not adequately covered) by existing policies.
Relationships with existing policies and standards should be explicitly identified and new or supporting policies should be
developed. It is important that industrial control system administrators have proper authorizations and full support of their
management to implement policies that will help secure the ICS network.
5.1.7.4 ICS hardening
The goal for system hardening is to reduce as many security risks as possible by securely configuring ICS networks. The idea is to
establish configurations based on what is required and eliminate unnecessary services and applications that could potentially
provide another possible entry point to an intruder.
Minimum security baselines should be established for the various platforms and products deployed (operating system, application,
and infrastructure elements such as drives, meters, HMI devices). The following actions should be implemented where applicable:
Disable unnecessary services
Disable anonymous FTP
Do not use clear text protocols (e.g., use SSH v2 instead of Telnet)
Install only required packages/applications/features
Deploy antivirus solutions (where possible)
Disable or otherwise control use of USB devices
Establish a warning banner
Change default passwords (e.g., SNMP)
It may be easier to implement these actions on devices for which you control the base operating system platform. However,
several
of the items listed above can be configured from the product specific configuration options.
Changes such as these could potentially impact the functionality of a control system device. Extensive testing needs to be
conducted before deployment to minimize this impact.
5.1.7.5 Continuous assessment and security training
It is critical that ICS network administrators and regular users be properly trained to ensure the security of the ICS and the safety of
the people who operate and depend on it.
Ongoing vulnerability assessments are critical to identify issues and understand the effectiveness of other defensible network
elements.
Assessments should include testing and validating the following:
Monitoring capabilities and alerts are triggered and responded to as expected
Device configuration of services and applications
Expected connectivity within and between zones
Existence of previously unknown vulnerabilities in the environment
Effectiveness of patching
A program should be established for performing assessments.
The actual assessment should be performed by a qualified resource, which can be an in-house or third-party organization.
Regardless of who performs the assessments, in-house resources need to be involved in the planning, scoping, and supporting of
assessment activities and must be appropriately trained to do so.
Assessments should be conducted according to a methodology that is clearly defined to address:
Physical security
People and processes
Network security
Host security
Applications security (both internally developed and commercially off-the-shelf (COTS))
5.1.7.6 Patch management planning and procedures
A patching and vulnerability management process should be established based on the timely awareness of issues and appropriate
action. This process should take all of the elements that make up the control system environment into consideration.
Information resources should be identified for vulnerability and advisory information for the various components in the environment.
These should include vendor-specific sources as well as other public or commercial services that provide vulnerability advisory
information. For example, the National Vulnerability Database (NVD) provides information related to vulnerabilities identified in
Loading ...
Loading ...
Loading ...