OT/ICS Secure by Design
The pros don’t bother with vulnerabilities; they use features to compromise the ICS
I found this quote on Dale Peterson’s blog. I strongly agree with it, because many ICS/OT devices still suffer from insecure-by-design features. However, that doesn’t mean that NIST vulnerabilities and CVEs don’t matter! They do matter, and they can sometimes lead to serious harm. The goal in OT/ICS security is not to focus on the NIST database only; design issues must also be made a huge priority and acted on. Asset owners and vendors should focus on both types of vulnerabilities. Relying on NIST CVEs for OT/ICS is only scratching the surface. We security professionals should look for documented OT/ICS features that allow us to manipulate the system, and try to change or hide those features that lead to an impact or a security incident.
There are other types of vulnerabilities, of course, not just design issues and CVEs. In fact, NIST classifies them into 6 types in its document 800-82:
- Policy and Procedure Vulnerabilities
- Architecture and Design Vulnerabilities
- Configuration and Maintenance Vulnerabilities
- Physical Vulnerabilities
- Software Development Vulnerabilities
- Communication and Network Configuration Vulnerabilities
In this article, I focus on the design type. Why? Recently I saw some OT/ICS vendors trying to develop secure-by-design features in their products. Also, I don’t want to forget the excellent project “Top 20 Secure PLC Coding Practices”, which was a product of OT/ICS community cooperation; many thanks to them. So, back to the vendors: big vendors such as Honeywell, with its implementation of secure boot and a built-in firewall in its PLCs, and Siemens, with its application of communication encryption, as well as other vendors, have started to add security features; please go there and have a look. I think they are working to overcome the most critical issue, “insecure design”, and to prepare a more secure future for their customers. Also, I saw a good white paper by Bedrock Automation, where they apply their concept of “intrinsic security”, in other words “secure by design”, to their products. They list their secure components as:
- Metal (For protection)
- Ports (remove or close unnecessary ports, otherwise authentication is required)
- Pins and Electromagnetic Interference (EMI)
- Electromagnetic Pulse and Cyber Defense (EMP)
- Cryptography and Strong Encryption
- Secure boot
- True Random Numbers
- Security Hardened Operating Systems
- Evaluation Assurance Level
- Anti-Tamper for Cyber Defense
- Secure Supply Chain and Key Management System
- Public Key Infrastructure (PKI)
- Hardware Root of Trust
As we can see, their specs range across design, network, software and physical security. I’m not advertising any OT/ICS vendor; I mention them because it’s part of what I do and related to my area of research. I’m not going to rank or analyze these security features. Maybe I will do it in another article. The point of this article is that many OT/ICS professionals in the past lost hope of seeing “secure by design” come to the surface; see this 2013 blog post for example. This is over! We are finally seeing efforts by OT/ICS vendors in this direction, and that is excellent.
The security features mentioned above are implemented deep at level 0–1 of the ICS Purdue model. Other vendors, such as Siga, Mission Secure and Fortiphyd, have also started to monitor this level, which could help those that don’t have the new-generation hardware described above. I haven’t covered all vendors, by the way. Those vendors have developed solutions that identify process variable anomalies. It’s like what our friends Nozomi, Claroty and others do, but at a lower level. Level 0–1 security has been a topic for many OT/ICS experts, such as Joe Weiss, who has been shouting about securing level 0–1 for a long time.
Finally, I leave you with MITRE ATT&CK for ICS. It’s a great database of the techniques and tools that adversaries use to attack OT/ICS. It lays out many types of OT/ICS devices and how they get compromised. Go there, learn it and find out what applies to you. Maybe you don’t have a “secure by design” OT/ICS system yet. This database can guide you on how to protect your assets from adversaries.