14. Industrial Control Systems (ICS) and Internet of Things (IoT) – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. HaberPrivileged Attack Vectorshttps://doi.org/10.1007/978-1-4842-5914-6_14

14. Industrial Control Systems (ICS) and Internet of Things (IoT)

Morey J. Haber1 
(1)
Heathrow, FL, USA
 

Industrial Control Systems (ICS)

Critical infrastructure systems that span manufacturing, transportation, water supply, and energy all depend heavily on information systems for their monitoring and control. Historically, Industrial Control Systems (ICS) relied on physical separation (segmentation) as the primary means for security. However, modern control system architectures, management processes, and cost control measures have resulted in increased integration of corporate and ICS environments. While these interconnections increase operational visibility and flexible control, it can also increase risks that previously did not occur with isolated ICS. Through an interconnected network, the ICS system can be exposed to threat actors that have already exploited and compromised the Internet and corporate networking, or by insiders misusing their privileges. ICS-CERT1 (Industrial Control Systems Cyber Emergency Response Team) provides ICS-CERT alerts2 to assist owners and operators in monitoring these threats and provides actionable guidance to mitigate threats to ICS systems.

ICS-CERT encourages sound security practices using “defense-in-depth” principles, including, but not limited to, the following measures displayed in Table 14-1 mapped to PAM.
Table 14-1

ICS Risk Matrix Mapped to Privileged Access Management

Risk Vector

ICS-CERT Recommendation

Privileged Access Management (PAM)

Secure Passwords

Remove, disable, or rename any default system accounts wherever possible.

Implementing a privileged password management solution that supports enterprise password management, password rotation, active session management, and session recording is an effective method to eliminate many of these common challenges.

Implement an automated password and privileged session management solution offering secure access control, auditing, alerting, and recording for any privileged account. PAM strengthens the security of ICS and interconnected environments by:

1. Ensuring no device has a default password

2. Guaranteeing each device has a unique, complex password

3. Automatically rotating passwords based on age and usage

4. Limiting administrative access and communications

Strong Password Management

Establish and implement policies requiring the use of strong passwords.

Reduce Risks of Brute Force Attacks

Implement account lockout policies to reduce the risk from brute force attempts.

Minimize Network Exposure

This activity includes the implementation of firewalls and network segmentation. This can reduce the attack surface for bad actors and reduce the risks of lateral movement within a compromised environment.

Implement a PAM solution that can also be deployed as a secured enclave model to ensure all privileged accounts (employees, contractors, and third parties) do not have direct access to manage these devices. This model ensures that only approved devices and restricted network paths can be used to communicate with secured resources, which would include control system HMI computers (human-machine interfaces).

Using this best practice model for securing sensitive servers and networking devices ensures that all administrative activities are proxied through the management server to ensure that each session is approved, tied to a specific individual, and is properly audited and that passwords are automatically rotated after each session is complete.

Secure Remote Access

This activity includes deployment and appropriately updating remote access solutions, such as VPN, if required.

ICS-CERT recognizes that remote access solutions such as a VPN are only as secure as the connected devices. Secure remote access via a PAM solution is a better approach since there is no protocol tunneling.

PAM solutions can bulletproof your remote access infrastructure with complete control and audit access to privileged accounts, such as shared administrative accounts, application accounts, local administrative accounts, service accounts, database accounts, cloud and social media accounts, devices, and SSH keys.

Enabling Secure Remote Management:

1. Vendors should access ICS resources using PAM and existing remote access facilities.

2. Vendors authenticate via PAM and request a session to managed resources, which can include a system running ICS control software. Note that this session be restricted to a specific device as well as to a specific control system application, further reducing the risks of compromise and lateral movement.

Third-Party Vendors

Monitor the creation of administrator-level accounts by third-party vendors.

  

3. Vendor uses a native remote desktop tool (tool (MSTSC/PuTTY, etc.) or an RDP/SSH session, which is proxied through PAM for session monitoring.

4. All vendor activities are logged and optionally recorded to comply with security and compliance policies.

Vulnerability Management

Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.

A vulnerability management process can proactively identify security exposures, analyze business impact, and plan to conduct remediation across network, Web, mobile, cloud, virtual, and IoT infrastructure.

1. Discover network, Web, mobile, cloud, virtual, IoT infrastructure.

2. Profile asset configuration and risk potential.

3. Pinpoint vulnerabilities, malware, and attacks.

4. Analyze threat potential, return on remediation, and more.

5. Isolate high-risk assets through advanced threat analytics.

6. Remediate vulnerabilities including default and weak passwords.

  

7. Report on vulnerabilities, compliance, benchmarks, etc.

8. Protect approved and shadow IT devices from attack.

Threat Detection

ICS-CERT recommends that organizations monitor for suspect activities and to report their findings to ICS-CERT for incident response support and correlation with other similar incidents.

User behavior and risk analysis enable information technology and security professionals to identify the potential breaches and the indicators of compromise from specific incidents.

Security information and event managers (SIEMs) and threat analytic solutions can set baselines for normal behavior, observe changes, and identify anomalies that signal critical threats via the following steps:

1. Aggregate users and asset data to centrally baseline and track behavior.

2. Correlate diverse asset, user, and threat activity to reveal critical risks.

3. Measure normal behavior in asset and user changes to flag in-progress threats.

4. Isolate users and assets exhibiting deviant behavior.

5. Generate reports to inform and align security decisions.

Any threat detection deployed by an organization must consider all the available security data and correlate the results. Threat detection should not rely on only one event and source.

While ICS represents a specific vertical targeted by PAM technology, the benefits for any implementation are easy to recognize:
  • Discover all managed and unmanaged assets across your interconnected corporate and ICS infrastructure.

  • Automatically discover and inventory privileged accounts used by third-party vendors.

  • Provide central control by securely storing all credentials and SSH keys in a secure database.

  • Reduce the risk of lost or stolen vendor credentials by systematically rotating passwords for all managed systems.

  • Implement secure vendor enclaves to isolate ICS and vendor devices to reduce the risks of malware and attack.

  • Verify that no default passwords exist on any managed system or device.

  • Manage all managed devices automatically using smart rules and store a unique password per each device.

  • Automatically rotate each device’s password based on age or after each remote vendor session.

  • Provide a complete workflow for device access, including an approval process for when remote vendor access is required.

  • Record all or select remote sessions with playback to document and review what occurs when a device is accessed.

  • Provide detailed reporting of all credentials used and requested when remote activity occurs.

Based on these recommendations, and the security guidance provided by ICS-CERT, ICS devices can be securely managed against privileged attack vectors.

Internet of Things (IoT)

The Internet of Things (IoT) introduces a unique set of threats based on privileges and asset attack vectors. By definition, IoT devices are single-purpose assets with embedded operating systems to perform a specific function. They possess unique characteristics, including the capability to interact with a physical environment, localized role-based access, and potentially a web server to provide the specified functionality. IoT devices include everything from network-based cameras, digital video recorders, thermostats, and lighting to digital personal assistants. The list of network-based IoT devices is growing every single day. In addition, these devices can be categorized for commercial use, like biometric door locks, to home use, like Bluetooth door lock keypads and thermostats. While these types of devices have existed for years, they have only recently been grouped and labeled IoT based on their mass adoption and, more importantly, their mass identification of security risks and privileged attack vectors. Therefore, as IoT devices become more commonplace, there is a need to ensure that they do not represent an unnecessary security risk to standard business operations. Unfortunately, it has already been proven that many of these devices are insecure by design, have unresolvable flaws, and can be leveraged to compromise an entire organization with something as simple as a default credential or faulty embedded operating system. These represent an easy target for a threat actor. Therefore, for any IoT deployment, consider these seven recommendations to mitigate privilege security risks:
  1. 1.

    Segment Networks

    Using basic capabilities in modern network routers and switches, all IoT devices should be networked using separate wireless networks and VLANs. All communications from IoT networks should be explicitly blocked from critical servers, databases, and workstations that should not communicate directly with the devices. This helps ensure that, even if an IoT device is compromised, it cannot directly be leveraged to steal critical information. If possible, all IoT network communications should be monitored to the Internet and other trusted networks to identify any anomalous behavior.

     
  2. 2.

    Manage All Credentials

    Almost all IoT devices ship with default passwords for initial configuration. We understand, based on previous chapters, how much of a risk these can be. End users should change all usernames and passwords on these devices to complex passwords and unique usernames and consider changing at least the passwords periodically. This is where a password management solution can assist in mitigating any threats and keep the passwords on every device unique to avoid password reuse.

     
  3. 3.

    Limit Connectivity

    Never place IoT devices of any type directly on the Internet with public IP addresses. It is just a matter of time before they will be compromised or subject to a DDoS attack. IoT devices are based on very simple networking technology and not robust enough to thwart all the potential IP traffic that contains malicious code on the net.

     
  4. 4.

    Identify Shadow IT

    Shadow IT is another buzzword for rogue devices and unsanctioned assets. Make sure any IoT devices placed on your network are approved and adhere to the security considerations outlined previously. Shadow IT based on IoT could easily violate many of your security policies and introduce a threat. Standard network discovery tools can find these rogue devices and help place them under proper management.

     
  5. 5.

    Demand a Vulnerability Service-Level Agreement (SLA)

    Request from the manufacturer a service-level agreement for patching critical vulnerabilities once they are identified. This will help you ensure IoT devices selected for your organization will stand up to regulatory scrutiny and patch compliance initiatives. Also, make sure these questions are asked during an RFP or procurement process to ensure the vendor has the proper maturity for managing risks.

     
  6. 6.

    Remediate Security Flaws

    Document a process and ensure all IoT devices can be patched promptly if a flaw is found, and without extensive disruption to the business. Some devices are very difficult to remediate and may have hidden labor costs to manage one at a time. This includes making sure that you maintain the latest firmware on all IoT devices to mitigate any emerging threats that could be leveraged against the devices.

     
  7. 7.

    Role- and Attribute-Based Access

    Any security model present within these devices is flexible enough to be integrated into an Active Directory or a Radius server. As a longer-term goal, all credentialed access to these devices should be centrally managed and properly organized within existing identity and access management solutions. If it cannot be managed in this way, it may present a new risk via rogue accounts and an easy target for a threat actor due to the limited management capabilities. Finally, if managed devices lack a role-based access model, or if they are not feasible to manage in this capacity due to operational reasons, consider a least privilege solution for IoT and network devices.

     

IoT devices are just another piece of technology that businesses are enabling for convenience. They are not mature compared to their server and desktop counterparts, and everything from default credentials to backdoors presents a real privileged risk to an IoT environment. As immature as IoT devices are, they should be treated as young children. They need restrictions, governance, and should be monitored.