If you’ve seen Jurassic Park you probably know this line. If you haven’t, the scene goes like this… A goat is tied to a stake on a platform, with a cage around it, and the platform is raised up from the ground inside the T-Rex enclosure. The goat is tied to the stake, and of course the T-Rex eats the goat.
So what in the world does this have to do with control systems?
I have had the good fortune of speaking at different events over the past couple of years, and in an effort to explain to IT and OT staff how to protect control systems I used the Jurassic Park goat in this context… The control system is the goat. It has to be there and it has to be tied to the stake. It is vulnerable and cannot protect itself. We have to put a cage around it to keep the T-Rex out.
Some manufacturers are making strides to harden their systems and that helps, but as I have said time and time again… hardening alone will never fully protect the system. When designing the system, thought must be given to several aspects, such as:
- If the system does not need to be accessed by anyone other than the building engineering staff, and there is 24/7 staff on site, don’t expose it. Keep it air gapped. What is an air gap? The system is not connected to the corporate network or the internet.
- If the system needs to be accessed by others on the corporate network and/or by remote engineering staff, segment the network so that it does not “touch” the corporate network, route it specifically to those who have a need to access it, and use a secure remote access solution that only specific people can use.
- Every user must have a unique user account and a means of password expiration, no greater than 90 days.
- NOTE: Older systems do not have the ability to enforce password expiration. More manufacturers are adding this feature today, but not all.
- NOTE: For systems that cannot be set up to expire passwords automatically, a manual process will need to be implemented.
- Vendors should only have access on an as-needed basis; this includes the integrator during installation.
- Vendor and integrator employees must have unique user accounts and a means of password expiration, no greater than 90 days.
- Remove the manufacturer’s default username and password from the new devices you are installing, and instruct the customer on how to change these accounts so that they can take ownership of their system.
- Audit existing field devices and remove default usernames and passwords. Instruct the customer on how to do this as well; they own the system, so they should own the user management.
- If the system is not air gapped and will be exposed to the internet, use commercial-grade IT devices to interconnect. If you are not qualified to install and configure these devices, and there is no customer IT department that can and will take ownership of them, contract a licensed and bonded IT firm to do the work. This is a layer of liability you must decide whether or not to assume, because if there is ever a breach and forensics trace it to these devices, you could be liable.
- When possible, integrate with AD or LDAP.
- When possible, use secure connection options.
- When possible, use certificates.
- Change default ports of equipment.
- Design physical security into the system.
- The front-end PC/server needs to be located in a locked cabinet, not on or under someone’s desk, even if the room has a lock or card access.
- Remove the keyboard, mouse, and monitor from the PC/Server.
- Secure field devices, switches, routers, etc. in lockable panels with unique keys that must be checked out to be used.
- Incorporate intrusion detection into panels.
- If audit and access logs are available, activate and configure them to retain historical data so that evidence is available for forensics in the event of a breach.
There are more steps that need to be considered and implemented; this is a starting point. Ultimately, integrators decide what their best practices are to be, and part of that decision includes determining what their appetite for liability is.
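The account items in the list above (unique accounts, 90-day password expiration, removing default usernames, vendor access only as needed) are easy to state and hard to keep up with by hand, especially on older systems that cannot expire passwords themselves. The script below is an added example, not code from the original post or from any manufacturer: it takes a user export from the control system and produces the findings a manual expiry process needs. The CSV layout (user, org, role, last_password_change), the list of default usernames and the sample rows are all assumptions constructed for illustration.

```python
"""Account-hygiene audit for a building control system user export.

Added example, not code from the original post. It implements the manual
expiry process the post calls for on systems that cannot expire passwords
themselves: flag passwords older than 90 days, default or shared usernames,
vendor/integrator accounts that should be reviewed, and accounts with no
recorded change date. The CSV layout is an assumption for illustration.
"""
import csv
import io
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90  # the post's limit: expiration no greater than 90 days

# Generic default/shared usernames often shipped on devices. Assumed list for
# illustration; replace it with the real defaults of the installed products.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "guest", "operator", "service"}

# Organisations whose accounts should exist only on an as-needed basis.
THIRD_PARTY_ORGS = {"vendor", "integrator"}

# Constructed sample export; none of these are real accounts.
SAMPLE_EXPORT = """user,org,role,last_password_change
jdoe,Building Engineering,engineer,2024-01-15
admin,Building Engineering,admin,2022-06-01
vendor_svc,Vendor,remote,2023-11-20
integrator_tom,Integrator,engineer,2024-02-10
legacy_op,Building Engineering,operator,
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def next_rotation_due(last_change):
    """Date by which a password last changed on `last_change` must be rotated."""
    return last_change + timedelta(days=MAX_PASSWORD_AGE_DAYS)


def audit_accounts(rows, today):
    """Return (user, finding) pairs for every policy deviation in `rows`.

    Findings:
      default_username    - account uses a manufacturer default / shared name
      third_party_account - vendor or integrator account; confirm still needed
      no_change_date      - no recorded change date, so expiry cannot be tracked
      stale_password      - last change is more than MAX_PASSWORD_AGE_DAYS ago
    """
    findings = []
    for row in rows:
        user = row["user"].strip()
        org = row["org"].strip().lower()
        raw_date = (row.get("last_password_change") or "").strip()

        if user.lower() in DEFAULT_USERNAMES:
            findings.append((user, "default_username"))
        if org in THIRD_PARTY_ORGS:
            findings.append((user, "third_party_account"))
        if not raw_date:
            # Without a date the 90-day rule cannot be checked: treat as a finding.
            findings.append((user, "no_change_date"))
            continue
        age_days = (today - date.fromisoformat(raw_date)).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "stale_password"))
    return findings


def audit_export(text, today_iso):
    """Convenience wrapper: audit a CSV export as of an ISO date string."""
    return audit_accounts(parse_export(text), date.fromisoformat(today_iso))


def rotation_schedule(rows):
    """Map each user with a recorded change date to its next rotation due date (ISO)."""
    schedule = {}
    for row in rows:
        raw_date = (row.get("last_password_change") or "").strip()
        if raw_date:
            due = next_rotation_due(date.fromisoformat(raw_date))
            schedule[row["user"].strip()] = due.isoformat()
    return schedule


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for user, finding in audit_accounts(rows, date.today()):
        print(f"{user:16} {finding}")
    for user, due in sorted(rotation_schedule(rows).items()):
        print(f"{user:16} rotate by {due}")
```

Run it against the real export on a schedule (weekly is a reasonable cadence for a manual process) and hand the `rotate by` list to whoever owns user management on the customer side; the findings list is also a useful artifact to keep alongside the audit logs, since it documents that the accounts were reviewed.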