Industrial networks were originally designed to maximize functionality, with little attention paid to cyber security. As a result, the performance, reliability and flexibility of SCADA systems are robust while their security controls are weak, leaving these networks potentially vulnerable to service interruption, process redirection or manipulation of operational data, which can result in serious production outages for companies.
Risk analysis is the primary way to understand cyber security threats and the controls that are needed. It is usually performed with a focus on a specific installation, since the physical environment is analyzed in addition to the logical one. Risk analysis can be conducted in plants already in operation (brownfield) or in the design phase (greenfield). When risks and threats are identified early, controls are adopted at lower cost and with maximum effectiveness.
The risk analysis of automation networks consists of the following steps:
Static Risk Analysis
- At this stage of the risk analysis, the network diagrams, the operational environment (datacenter) and the physical and logical security audit questionnaires of the automation network are checked against the best practices of ANSI/ISA-99, ISA/IEC 62443, NIST 800-82 and ISO 27001/27002. Visits to the customer's premises allow our consultants to identify the physical and logical security controls or countermeasures already in place on the networks, assessing, as far as possible, the conditions under which those controls are installed and in use, and whether they are suitable. The evaluation is carried out by completing forms containing the list of controls that make up the risk knowledge bases of the standards listed above.
Dynamic Risk Analysis
- In this step, automated data collection from the automation network is performed at the application level in TAP mode (non-intrusive). At the start of the dynamic analysis, the architecture of each client automation network is analyzed and a plan is drawn up to obtain visibility of Internet traffic and threats, as well as of other perimeters such as the borders with corporate networks, control systems (for the automation network), the datacenter and the process network, and the links to third parties, external VPN connections and regulatory entities.
Risk Analysis Report
- The data collected by the static analysis will be processed according to qualitative criteria, using qualitative probability and impact scales. Each threat/vulnerability pair will be assigned, from information collected in interviews with the local team, a probability of occurrence and an impact (depending on the consequences). Complementarily, the data from the dynamic analysis will verify, and provide evidence for, the information obtained in the static risk analysis. The combined results of the static and dynamic analyses will be consolidated in the Risk Analysis Report delivered to the client. The report will be delivered in Portuguese and will serve as the basis for preparing the Industrial Cyber Security Plan (PSCI).
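As an added example (not part of TI Safe's methodology or tooling), the following Python sketch shows how the qualitative scoring described above can be carried out: each static finding receives a probability and an impact on constructed five-point scales, flows captured during the dynamic (TAP) analysis are attached as evidence that verifies the finding, and the findings are ranked for the report. The scales, band thresholds, zone names, protocols and findings are all assumptions constructed for the illustration.

```python
"""Added example (not TI Safe's tooling): qualitative risk scoring that
joins static-analysis findings with dynamic (TAP) evidence and ranks them."""
from dataclasses import dataclass, field, replace

# Five-point qualitative scales (assumption; any ordinal scale works the same way).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    """One threat/vulnerability pair from the static analysis."""
    threat: str
    vulnerability: str
    probability: str        # from interviews with the local team
    impact: str             # from the consequences of the threat
    expected_flow: tuple    # (src_zone, dst_zone, protocol) the weakness would allow
    evidence: list = field(default_factory=list)  # matching flows seen on the TAP


def risk_band(score: int) -> str:
    """Map probability x impact (1..25) to a band; thresholds are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def attach_evidence(findings, observed_flows):
    """Dynamic-analysis step: a captured flow that matches a finding's expected
    flow is evidence that the weakness reported in the questionnaire is real.
    Returns new Finding objects so the static inputs are not mutated."""
    result = []
    for f in findings:
        matches = [flow for flow in observed_flows
                   if (flow["src_zone"], flow["dst_zone"], flow["protocol"]) == f.expected_flow]
        result.append(replace(f, evidence=matches))
    return result


def score(f: Finding) -> dict:
    s = PROBABILITY[f.probability] * IMPACT[f.impact]
    return {"threat": f.threat, "vulnerability": f.vulnerability, "score": s,
            "band": risk_band(s), "verified": bool(f.evidence)}


def rank(findings):
    """Verified findings first, then by score, so the report leads with
    what was both claimed in interviews and confirmed on the wire."""
    return sorted((score(f) for f in findings),
                  key=lambda r: (r["verified"], r["score"]), reverse=True)


# Constructed static findings and constructed TAP observations (not real data).
STATIC_FINDINGS = [
    Finding("Unauthorized write to PLC setpoints",
            "No firewall between corporate and control zones",
            "likely", "severe", ("corporate", "control", "modbus")),
    Finding("Malware introduced via engineering workstation",
            "USB ports enabled on engineering workstations",
            "possible", "major", ("engineering", "control", "smb")),
    Finding("Loss of historian data",
            "Single historian with no backup",
            "unlikely", "moderate", ("dmz", "control", "opc")),
]
OBSERVED_FLOWS = [
    {"src_zone": "corporate", "dst_zone": "control", "protocol": "modbus", "src": "10.1.5.23"},
    {"src_zone": "corporate", "dst_zone": "dmz", "protocol": "https", "src": "10.1.5.9"},
]


def build_report():
    """Static scoring + dynamic verification, ranked for the Risk Analysis Report."""
    return rank(attach_evidence(STATIC_FINDINGS, OBSERVED_FLOWS))


if __name__ == "__main__":
    for row in build_report():
        print(f"{row['band']:6} {row['score']:2} verified={row['verified']}  {row['threat']}")
```

The ranking deliberately puts a verified finding ahead of an unverified one with the same score: a questionnaire answer that the TAP capture confirms deserves more weight than one that rests on interviews alone.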
The Industrial Cyber Security Plan (PSCI) is the tool developed to guide, and to define objectives and deadlines for, the implementation of cyber security controls for the industrial networks of the analyzed automation plant.
Taking the client's reality into account, the plan describes the technological and process solutions and the implementation steps needed to meet the security needs of the analyzed scope. The time horizon of the PSCI is 3 years, and it correlates all the data collected in the static and dynamic analyses into a coherent plan so that the client increases its degree of conformity with the standards considered for the project.
Industrial governance should be implemented in accordance with the best practices of the IEC 62443 standard. The first step in establishing governance is the development and implementation of a security policy specific to the automation area. The Automation Security Policy is an instrument designed to establish rules for the proper use, control and protection of the automation environment and the assets that make up that environment, preserving their availability, integrity and confidentiality and ensuring the continuity and competitiveness of the business.
Composed of a set of documents containing standards and technical guidelines for industrial automation security, which address the strategic aspects of the organization and its position on the key issues of governance, the policy details security controls for key items such as edge security, industrial network protection, data security, malware defense and user education on cyber security. The policy should be aligned with the company's strategic planning and comply with current standards and best practices such as IEC 62443 and NIST 800-82. TI Safe consultants understand that each customer has its own needs and unique characteristics, so each policy is developed together with those responsible for the automation plant in order to keep it in line with the company's vision.
TI Safe is a provider of managed security services proven in industrial environments, with current contracts with major Brazilian critical infrastructure companies.
These services are provided through the ICS-SOC (Critical Infrastructure Cyber Security Operations Center), which operates 24x7x365 and has state-of-the-art facilities, technology and processes for managing, preventing, detecting and responding to incidents on networks that cannot stop.
Photo: ICS-SOC TI Safe
The TI Safe ICS-SOC provides five levels of managed services with cumulative capabilities, divided into two main categories: Monitoring and Management (levels 1 and 2) and Industrial Intelligence (levels 3, 4 and 5).
Figure: Levels of services offered by TI Safe ICS-SOC
MONITORING & MANAGEMENT
Level 1: Equipment Management and Security Reports
- Management of the security equipment (firewalls, IPS and others) located in the client's plant.
- Monitoring of the equipment's operating state and correction of problems that prevent it from operating correctly.
- Ongoing parameterization of the equipment.
- Registration of VPN access for new authorized users.
- Updates of software, operating systems, patches, etc.
- RMA of equipment (on-site replacement, with the replacement unit shipped by the manufacturer according to the contract terms).
- Provision of daily and weekly reports on cyber threats detected and blocked by the equipment. Other customized reports can be developed on customer demand.
Level 2: (Level 1 services) + Policy Collection and Occurrence Monitoring
- Requests handled according to tickets opened via the support service control system (SCAS) and approved according to the client's change management routines.
- Handling of changes to security settings (ports, segments, security zones, etc.).
- Handling of security policies (adding, changing or removing policies).
- Optimization of existing rules and policies.
- Active monitoring of security solutions (attacks, malware, APTs, zero-days, vulnerabilities, etc.).
- Investigation and reporting of events detected by security solutions (e.g., malware presence report, suspicious traffic).
Level 3: (Level 2 services) + Event Correlation and Industrial Monitoring
- Use of a SIEM tool with real-time log analysis for threat detection.
- Correlation of events so that possible relationships between them are identified, indicating the potential occurrence of incidents.
- Centralized management of cyber security information.
- Use of an industrial IPS to monitor critical control variables of the operational network in real time.
- Generation of compliance reports.
- Management of incident cases and issuance of customer service tickets.
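As an added example, not code from TI Safe's ICS-SOC or from any SIEM or industrial IPS product, the following Python script shows the kind of correlation the Level 3 service describes, run over a handful of constructed log lines from a firewall's VPN module and an industrial IPS: a burst of failed VPN logins followed by a success, a Modbus register write from the resulting VPN address shortly afterwards, and a written setpoint outside its allowed range. The log format, thresholds, time windows, addresses, register number and safe range are all constructed assumptions.

```python
"""Added example (not ICS-SOC or SIEM code): correlating firewall VPN events
with industrial IPS events to turn isolated log lines into incidents."""
from datetime import datetime, timedelta

# Constructed log lines (not from any real system). Format is an assumption:
# <timestamp> <device> <subsystem> <action> key=value ...
RAW_LOGS = """\
2024-03-04T02:10:01 fw vpn auth_fail user=oper3 src=203.0.113.45
2024-03-04T02:10:07 fw vpn auth_fail user=oper3 src=203.0.113.45
2024-03-04T02:10:12 fw vpn auth_fail user=oper3 src=203.0.113.45
2024-03-04T02:10:19 fw vpn auth_ok user=oper3 src=203.0.113.45 assigned=10.20.0.77
2024-03-04T02:14:40 ips modbus write_register unit=1 reg=40010 value=950 src=10.20.0.77 dst=10.30.1.5
2024-03-04T09:00:02 fw vpn auth_ok user=eng1 src=198.51.100.8 assigned=10.20.0.12
2024-03-04T09:05:10 ips modbus write_register unit=1 reg=40010 value=600 src=10.20.0.12 dst=10.30.1.5
"""

# Tunables (assumptions): failures that make a later success suspicious, and
# how long after such a login a process write is still tied to it.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)
WRITE_WINDOW = timedelta(minutes=15)
# Allowed range for a critical setpoint register, as an industrial IPS would
# be configured by the plant's engineers (constructed values).
SAFE_RANGE = {"40010": (500, 800)}


def parse(line: str) -> dict:
    """Split one log line into a flat event dict."""
    parts = line.split()
    event = {"ts": datetime.fromisoformat(parts[0]), "device": parts[1],
             "subsystem": parts[2], "action": parts[3]}
    event.update(p.split("=", 1) for p in parts[4:])
    return event


def correlate(lines):
    """Single pass over time-ordered events, keeping just enough state to
    relate a VPN login to the Modbus writes that follow it."""
    incidents = []
    failures = {}      # (user, src) -> timestamps of recent auth failures
    suspect_ips = {}   # assigned VPN address -> time of the suspicious login
    for ev in (parse(l) for l in lines if l.strip()):
        if ev["subsystem"] == "vpn":
            key = (ev["user"], ev["src"])
            recent = [t for t in failures.get(key, []) if ev["ts"] - t <= FAIL_WINDOW]
            if ev["action"] == "auth_fail":
                recent.append(ev["ts"])
            elif ev["action"] == "auth_ok" and len(recent) >= FAIL_THRESHOLD:
                suspect_ips[ev["assigned"]] = ev["ts"]
                incidents.append({"rule": "brute-force-then-success",
                                  "user": ev["user"], "ts": ev["ts"]})
            failures[key] = recent
        elif ev["subsystem"] == "modbus" and ev["action"] == "write_register":
            login_ts = suspect_ips.get(ev["src"])
            if login_ts is not None and ev["ts"] - login_ts <= WRITE_WINDOW:
                incidents.append({"rule": "write-after-suspicious-login",
                                  "src": ev["src"], "reg": ev["reg"], "ts": ev["ts"]})
            lo, hi = SAFE_RANGE.get(ev["reg"], (None, None))
            value = int(ev["value"])
            if lo is not None and not lo <= value <= hi:
                incidents.append({"rule": "setpoint-out-of-range",
                                  "reg": ev["reg"], "value": value, "ts": ev["ts"]})
    return incidents


def run():
    """Correlate the constructed log sample and return the incidents found."""
    return correlate(RAW_LOGS.splitlines())


if __name__ == "__main__":
    for inc in run():
        print(inc["ts"].isoformat(), inc["rule"], {k: v for k, v in inc.items() if k not in ("ts", "rule")})
```

Neither log source raises an alarm on its own: a few failed logins are routine, and a register write from a VPN address is what operators do. Only the combination, plus the out-of-range value the industrial IPS can judge, produces the incident cases that Level 3 tracks and tickets.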
Level 4: (Level 3 services) + Incident Response and Vulnerability Management
- Vulnerability Management: use of an industry-leading automated tool to conduct controlled scans of previously selected equipment on the TA network at scheduled intervals. Once a vulnerability is detected, its impact is assessed, corrective measures are identified and, when authorized, executed. Its status is tracked and reported until closure.
- Generation of periodic vulnerability reports.
- Controlled response to incidents of industrial cyber security, in partnership with the client's team.
Level 5: (Level 4 services) + Artificial Intelligence and Digital Research
- Big Data security analysis: analysis of large amounts of data to discover threats, followed by presentation and visualization of the results.
- Integration between local event databases and threat intelligence on global attacks.
- Enrichment of data through the use of sources such as geographic data, DNS data, network access control integration and IP and domain reputation services.
- Forensics and identification of security gaps in the automation network.