——————- This post is dedicated to control DMZ security controls, not a comprehensive OT CS strategy! ——————-

As per a recent CISA report, Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. As per a recent SANS report, IT is the largest attack entry point to OT.

What can you do?

1. Protection
▪️ Establish a Control DMZ
▪️ All inbound and outbound traffic to and from OT must stop at the DMZ
▪️ Every traffic flow is inspected twice
▪️ Use segmentation inside the DMZ
▪️ If possible, use two pairs of firewalls: north firewall under IT, south firewall under OT control
▪️ ISA/IEC 62443 island mode control
▪️ Separate IT operations from OT operations, especially AD, SIEM, Patch Management

2. Monitoring
▪️ Deploy NIDS at choke points
▪️ Monitor boundary firewall logs
▪️ Deploy honeypots

3. Other things to keep in mind:
▪️ No silver bullet
▪️ The control is as strong as its user and configuration
▪️ Beware of dual-homed devices
▪️ Periodic audit and tuning
▪️ Beware of transient assets
▪️ Take care of USB devices
▪️ Keep your incident response plan near and ready

What else? You tell me!

#icscybersecurity #otcybersecurity #cybersecuritybitsandbytes
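The "all traffic stops at the DMZ, inspected twice, north firewall under IT and south under OT" pattern can be checked against a zone-based policy. The following is an added example, not code from the post's author: it models rules on a hypothetical north/south firewall pair with zones `it`, `dmz` and `ot`, flags allow rules that bypass the DMZ or land on the wrong firewall, and lists the services that really do take two inspected hops. The rule set is constructed for illustration.

```python
"""Audit a two-firewall control DMZ policy for DMZ-bypass and misplaced rules."""
from dataclasses import dataclass

IT, DMZ, OT = "it", "dmz", "ot"


@dataclass(frozen=True)
class Rule:
    firewall: str  # "north" (IT-managed) or "south" (OT-managed), hypothetical names
    src: str       # source zone
    dst: str       # destination zone
    service: str   # e.g. "tcp/443"; "any" means unrestricted
    action: str    # "allow" or "deny"


def audit(rules):
    """Return human-readable findings for allow rules that break the DMZ model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if {r.src, r.dst} == {IT, OT}:
            findings.append(f"{r.firewall}: {r.src}->{r.dst} {r.service} bypasses the DMZ")
        elif r.firewall == "north" and OT in (r.src, r.dst):
            findings.append(f"north: IT-managed firewall touches OT ({r.src}->{r.dst} {r.service})")
        elif r.firewall == "south" and IT in (r.src, r.dst):
            findings.append(f"south: OT-managed firewall touches IT ({r.src}->{r.dst} {r.service})")
        if r.service == "any":
            findings.append(f"{r.firewall}: {r.src}->{r.dst} allows any service (no inspection)")
    return findings


def twice_inspected(rules):
    """Services allowed IT->DMZ on the north firewall AND DMZ->OT on the south one."""
    north = {r.service for r in rules
             if r.firewall == "north" and r.action == "allow" and (r.src, r.dst) == (IT, DMZ)}
    south = {r.service for r in rules
             if r.firewall == "south" and r.action == "allow" and (r.src, r.dst) == (DMZ, OT)}
    return (north & south) - {"any"}


# Constructed sample policy: one proper two-hop flow plus three common mistakes.
SAMPLE_RULES = [
    Rule("north", IT, DMZ, "tcp/443", "allow"),   # historian front-end in the DMZ
    Rule("south", DMZ, OT, "tcp/443", "allow"),   # DMZ host to OT historian
    Rule("north", IT, OT, "tcp/3389", "allow"),   # direct RDP into OT: bypass
    Rule("south", DMZ, OT, "any", "allow"),       # unrestricted service
    Rule("south", IT, DMZ, "tcp/22", "allow"),    # IT zone on the OT firewall
    Rule("north", IT, DMZ, "tcp/22", "deny"),     # deny rules are ignored
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)))
    print("twice inspected:", sorted(twice_inspected(SAMPLE_RULES)))
```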
Is there any documentation that explains remote access to the IO network while observing IEC-62443?
Controls and traffic control flow need to happen also inside the plant network, not just at the DMZ, so you mitigate the impact in case something happens.
For anyone who’s worked in DoD this concept isn’t new and I’m glad to see civilian adoption in OT environments
Really interesting post Mohamed Atta. What about the use of data diodes, SOAR, EDRs and improving the SOC with threat intelligence information? Which of these technologies do you think can be deployed and integrated easily in an OT environment?
Well said!
Well said Mohamed Atta, it is really a great article. However, I have one concern related to layers 0 and 1 of the Purdue model: is it possible to use security access control devices like Cisco ISE or Aruba ClearPass at the industrial access switch layer? An insider intruder can connect easily to any free port of the industrial switches, and as you know in OT environments many Ethernet field devices use the default VLAN 1, so they will be easily accessible. Using security access control will prevent unwanted access, whether intended or unintended. Is there any success story for that in an OT environment?
Enterprise Security Architect at Air Traffic Control the Netherlands
Before you buy and apply any OT security technology, throw all your (security) money at establishing professional BASIC OT systems management processes, under OT leadership. This means separate from IT management: 1. Systems ownership, 2. Change management (including asset management, life cycle management, vulnerability management), 3. Incident management, 4. Backup & restore management, 5. Identity & access management (including network/operations segmentation and proper OT DMZ management), 6. Third party management. If you have these processes implemented and running, in any basic, professional manner, you have made major advances in the reduction of your OT risk levels. Establish ownership, responsibilities and sound management processes before throwing (away) any money on tech. Do proper systems management and get security for free.