Industrial Control System Cybersecurity Practices

Industrial Control System Cybersecurity

Guidance for Industrial Control System (ICS) Cybersecurity was released on May 22, 2020.  This two-page infographic is a joint release from the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), and the UK’s National Cyber Security Centre (NCSC).  This release addresses the urgent need for owners and operators to adopt new technologies and improve operational efficiencies to secure critical infrastructure.

Manufacturing and Infrastructure Highly Vulnerable

A number of recent cyberattacks on industrial targets illustrate the degree of vulnerability and the costs of breached security.  In February 2020 a natural gas compression facility was attacked.  This led to a two-day shutdown of the vital facility.  On May 10, 2020 Iran’s port, Shahid Rajaee, was the victim of an attack.  Subsequently the port was inoperable for days.

Most industrial sites are comprised of legacy IT systems that predate cybersecurity requirements.  Additionally, many facility managers or maintenance personnel have insufficient expertise in IT and requisite cybersecurity protocols.  Therefore many complex systems have high vulnerabilities that are extremely difficult to secure. 

Most Prevalent ICS Weaknesses and Risks

CISA has identified the following weaknesses and risks to Information Technologies (IT) and Operational Technologies (OT):

Boundary Protection

Unauthorized activity in critical systems is often undetected.  Additionally, there is often insufficient boundary protection between a facility's Industrial Control Systems (ICS) and its enterprise systems.

Principle of Least Functionality

Because of the complexities of industrial sites, there are ever increasing vectors for malicious access to critical systems.  This provides opportunities for rogue internal access.

Insufficient Identification and Authentication

The report cites a lack of traceability and accountability of personnel who have access to large facilities and has special concern for those with administrator access.

Physical Access Control

Inadequate controls on physical access to large facilities are a major problem.  Unauthorized personnel can modify, copy, or delete device programs and firmware.  They can tap into networks, vandalize assets, and add rogue devices to retransmit network traffic.

Recommended Industrial Control System Cybersecurity Measures

A number of recommendations were made in this report.   These recommendations include the following:

Risk Management

The first action taken should be to develop an effective Information Security Management System (ISMS) to identify potential threats.  This process would include compiling and maintaining an inventory of all ICS assets.  Once this has been accomplished policies and procedures can be created.  These procedures should include adequate training of all personnel and provide practice incident responses.  These policies and procedures should establish rules of cybersecurity behavior and promote a culture of information exchange for constant improvement.

Physical Security

Control of physical access is crucial.  Lock downs of electronics, multi-factor authentication, and establishment of controlled spaces are important measures. 

ICS Network Architecture, Perimeter Security, and Security Monitoring

Recommendations include:

  • Network segmentation
  • Multiple layer topologies that prioritize security to most critical communications
  • Configuration of firewalls to control traffic between ICS and corporate IT
  • Restrict persistent remote connection to networks
  • Catalog and monitor all remote connections
  • Measuring baseline network traffic
  • Creation of alarms for network Intruder Detection Systems (IDS)
  • Set up Security Incident and Event Monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
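
As an added illustration of the segmentation, baselining, and alarm items above (example code written for this page, not part of the CISA guidance), the Python sketch below learns a baseline of ICS flows and raises alarms for unapproved traffic across the IT/ICS boundary and for ICS flows never seen before. The address ranges, the approved conduit, and all flow records are constructed assumptions.

```python
import ipaddress

# Assumed address plan, chosen for illustration only.
ICS_NET = ipaddress.ip_network("10.10.0.0/16")    # control network
CORP_NET = ipaddress.ip_network("10.20.0.0/16")   # corporate IT network

# Assumed firewall conduits across the IT/ICS boundary: (src, dst, dst_port).
ALLOWED_CONDUITS = {("10.20.5.10", "10.10.1.50", 443)}

# Constructed flow records captured during a known-good period.
BASELINE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 502),   # HMI to PLC, Modbus/TCP
    ("10.10.1.30", "10.10.2.5", 502),   # engineering workstation to PLC
]

# Constructed flow records from later monitoring.
OBSERVED_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 502),      # present in the baseline
    ("10.20.5.10", "10.10.1.50", 443),     # approved conduit
    ("10.20.7.44", "10.10.2.5", 502),      # corporate host straight to a PLC
    ("10.10.1.99", "10.10.2.5", 502),      # device never seen in the baseline
    ("10.20.7.44", "10.20.1.1", 53),       # corporate-only traffic, out of scope
    ("198.51.100.9", "10.10.1.20", 3389),  # remote connection from outside
]


def zone(addr):
    """Classify an address as 'ics', 'corp', or 'external'."""
    ip = ipaddress.ip_address(addr)
    if ip in ICS_NET:
        return "ics"
    if ip in CORP_NET:
        return "corp"
    return "external"


def evaluate(flows, baseline):
    """Return (reason, flow) alarms for flows that touch the ICS network."""
    baseline = set(baseline)
    alarms = []
    for flow in flows:
        src_zone, dst_zone = zone(flow[0]), zone(flow[1])
        if "ics" not in (src_zone, dst_zone):
            continue  # traffic that never touches the control network
        if src_zone != dst_zone:
            # Crossing the boundary is acceptable only through a listed conduit.
            if flow not in ALLOWED_CONDUITS:
                alarms.append(("boundary-violation", flow))
        elif flow not in baseline:
            # Inside the ICS network, anything outside the baseline is new.
            alarms.append(("new-ics-flow", flow))
    return alarms


if __name__ == "__main__":
    for reason, flow in evaluate(OBSERVED_FLOWS, BASELINE_FLOWS):
        print(reason, flow)
```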

Host Security

  • Test all patches in off-line test environments before implementation.
  • Implement application whitelisting on human machine interfaces.
  • Harden field devices, including tablets and smartphones.
  • Replace out-of-date software and hardware devices.
  • Disable unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
  • Implement and test system backups and recovery processes.
  • Configure encryption and security for ICS protocols.

CVG Strategy

CVG Strategy is committed to assisting manufacturers in establishing effective cybersecurity systems.  Our Cyber Security consulting and training programs give you the necessary knowledge to ensure that safeguards are consistently applied to protect valuable information and production assets.  We can help your business develop an effective ISO 27001 ISMS.  We also have expertise in NIST 800-171 and can help with CMMC Certification.  Contact Us today to see how we can help.

Product Test Management Services Help During Pandemic

CVG Strategy Offers Product Test Management Services

Product Test Management Services can assist in keeping product development schedules on track during the Covid-19 pandemic.  Many product developers are already behind schedule due to lock downs.  Sending engineering staff to travel to laboratories may not be a desirable option at this time.  CVG Strategy can help by providing a number of services to ensure that your product test and evaluation are performed properly.

Solutions for Product Testing

The CVG Strategy test and evaluation team have decades of experience in product test management.  We can provide everything from defining test requirements to creating final test report summaries.  We have expertise in climatic, dynamic, ingress, product safety, EMI/EMC, and electrical test methods.  Services we provide include:

  • Test Standard Research
  • Life Cycle Environmental Profile for Reliability Analysis
  • Susceptibility Analysis
  • Test Requirement Analysis
  • Design of Required Simulation and Monitoring Equipment
  • Vibration Test Fixture Design
  • Test Plan Development
  • Test Scheduling
  • On Site Test Witnessing
  • Subject Matter Expertise for Pre and Post Test Evaluation

Third Party Advocate for Your Product

Product Test Laboratories, by definition, are limited in their ability to act as an advocate for your product.  Additionally, because of their customer load, they are unable to provide in depth attention to details such as product modes of operation.  Testing is complicated, expensive, and important for product verification and validation.  Attention to details can catch intermittent susceptibilities and vulnerabilities that can lead to product recalls and liabilities.  They can also prevent under or over test conditions that would invalidate test results. 

The collection of pertinent data is very important in testing.  It is essential for post test analysis of failures.  It is also necessary for test replication where sensor placements and device under test set up are critical.  CVG Strategy can provide through all of its services an attention to detail that is borne out of experience in hundreds of test programs.

Sectors of Product Test Management Service Experience

CVG Strategy has experience in the test and evaluation of many product sectors.  These include:

  • Defense
  • Commercial
  • Automotive
  • Aerospace
  • Ingress Protection
  • HALT and HASS

We can provide Subject Matter Expertise to assist in design analysis and troubleshooting for these sectors that can prevent recurrent test failures.

See How We Can Help

Contact Us today to see how we can help keep your product development on schedule.  We also offer EZ-Test Plan Templates for a number of test standards. 

 

Cyberspace Solarium Commission Report Urges Action

Cyberspace Solarium Commission Report – March 2020

The Cyberspace Solarium Commission Report, released in March 2020, paints a grim picture of the level of cyber vulnerability in the United States.  It stresses the need for immediate action from both the public and private sectors to deter looming catastrophe.  The report focuses on strategic approaches to defend the United States against cyberattacks and the necessary policies and legislation to implement them.

A Layered Approach to Deterrence Recommended

To achieve a reduced probability of critical cyberattacks the report recommends three necessary layers of deterrence.  To achieve this deterrence the United States must:

  1. Work with allies and partners to promote responsible cyber behavior.
  2. Deny benefits to adversaries who exploit cyberspace by securing critical networks.
  3. Impose costs by maintaining a credible capacity and capability to retaliate against cyber actors.

This approach to deterrence should incorporate a “defend forward” concept to disrupt and defeat adversaries.  This would be accomplished by actively observing and pursuing adversarial operations and imposing costs for those actions.  These costs as defined should be “short of armed conflict”.

Six Policy Pillars for Implementation

To implement an effective national cybersecurity strategy six pillars have been defined for implementation of the three layered approach.

Reform the U.S. Government’s Structure and Organization for Cyberspace

Proposed governmental reforms include rapid and comprehensive improvements at all levels.  This would begin with an updated National Cyber Strategy from the executive branch.  Along with this, cyber oversight committees should be created in the House and Senate.  A Senate-confirmed “National Cyber Director” is also advised.  Along with these actions, the strengthening of the Cybersecurity and Infrastructure Security Agency (CISA) is recommended.

Strengthen Norms and Non-military Tools

While significant international norms have been established for responsible cyberspace behavior, little if any enforcement action is taken against cyberthreat actors.  To mitigate this the report urges the Department of State to work with allies to employ law enforcement, information sharing, diplomacy, and sanctions to support a “rules-based international order.”

Promote National Resilience

Resilience to cyberthreats in both the public and private sector is required to deny adversaries a benefit from their actions and reduce actors' confidence in achieving their strategic ends.  This resilience could be addressed through:

  • Strengthening CISA.
  • Develop a planning mechanism in consultation with the private sector to develop contingent planning for significant cyber disruptions.
  • Codifying Cyber States of Distress tied to Response and Recovery Agencies and Funds.
  • Improvement of the Election Assistance Commission.
  • Governmental promotion of digital literacy through advancement of public awareness.

Reshape the Cyber Ecosystem Towards Greater Security

These efforts would include raising the baseline level of security by providing a National Cybersecurity Certification and Labeling Authority.  They would also involve creating laws making hardware, firmware, and software final goods assemblers liable for damages from known unpatched vulnerabilities.  Mention is also made of the creation of national standardizing requirements for the collection, retention, and sharing of user data.

Operationalize Cybersecurity Collaboration with the Private Sector

Private sector entities must have primary responsibility for creating and maintaining viable Information Security Management Systems (ISMS), but the government can greatly assist these entities.  This could be accomplished by using government resources and intelligence capabilities to support businesses.

Preserve and Employ the Military Instrument of Power – and All Other Options to Deter Cyberattacks at Any Level

Efforts in this regard include comprehensive assessment of the Cyber Mission Force, a vulnerability assessment of weapon systems, and a sharing between governmental agencies and the Defense Industrial Base of potential threats.

CVG Strategy and Cybersecurity

CVG Strategy is committed to helping the private sector develop and adapt viable solutions to rapidly changing cyberspace threats and requirements.  Contact Us today with your questions.

U.S. Restricts Huawei Semiconductor Technology Usage

The U.S. Restricts Huawei’s Semiconductor Manufacturing Capabilities

The U.S. will restrict Huawei's semiconductor manufacturing by limiting the use of technologies for design and manufacture.  This planned action was announced by the Bureau of Industry and Science (BIS) on May 15, 2020.  The BIS is implementing this action to protect national interests by preventing Huawei from acquiring semiconductors that are the direct product of certain U.S. software and technologies.

Huawei on Entity List Since 2019

The Department of Commerce placed Huawei and its foreign affiliates on the Entity List in 2019.   The Entity List is a list of individuals or entities subject to specific export license requirements.  Since being placed on this list Huawei has skirted regulations by commissioning the production of semiconductors abroad.  Secretary of Commerce Wilbur Ross stated “This is not how a responsible global corporate citizen behaves.  We must amend our rules exploited by Huawei and HiSilicon and prevent U.S. technologies from enabling malign activities contrary to U.S. national security and foreign policy interests.”

EAR Rule Changes

The Export Administration Regulations (EAR) will make targeted changes to regulations to address the issue.  The following foreign-produced  items will now be subject to EAR export control:

  • Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology.
  • Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States.  Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.

Changes Urged by Lawmakers

The Department of Commerce’s actions come after lawmakers encouraged the Trump administration to place restrictions on the exports of emerging technologies.  Many have felt that the U.S. has been too passive in protecting U.S. interests in the worldwide semiconductor market.  Sen. Ben Sasse, R-Neb., applauded the rule, calling it “long overdue.” On May 15 the senator was quoted as saying “Modern wars are fought with semiconductors, and we were letting Huawei use our American designs.”

China Reacts to Restrictions

In response to these restrictions, China’s Commerce Ministry is considering placing U.S. companies on its so-called unreliable entity list and stopping purchases of aircraft from Boeing.  China views these actions as a “serious threat” to its semiconductor industry.  These comments were made on May 17, 2020.

On May 18, 2020, Huawei chairman Guo Ping said that U.S. restrictions “ignore the concerns of many companies and industry associations.” Huawei also said the rule will “undermine” the global semiconductor industry. “The U.S. is leveraging its own technological strengths to crush companies outside its own borders,” the company said. “This will only serve to undermine the trust international companies place in U.S. technology and supply chains.”

Cybersecurity Alert for Healthcare and Essential Services

Cybersecurity Alert Issued by United States and United Kingdom

A cybersecurity alert for healthcare and essential services was filed jointly by the United States and the United Kingdom.   The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) issued the alert on May 5, 2020.  These agencies have detected Advanced Persistent Attacks (APT) against organizations involved in Covid-19 responses.  Targeted entities include healthcare, pharmaceutical, academia, and research organizations.  Local governmental agencies are also being attacked.

System Vulnerabilities Being Exploited

CISA and NCSC have reported numerous incidents of APT actors scanning pharmaceutical and medical research organization external websites for vulnerabilities.  These actors are exploiting a Citrix vulnerability known as Citrix CVE-2019-19781.  They are also gaining access through vulnerabilities in Virtual Private Network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.

Healthcare Organizations Subjected to Password Spraying

Healthcare organizations in a number of countries are being subjected to large-scale password spraying campaigns.  Password spraying is a brute force style of attack.  The cyber actor tries a single, commonly used password against many accounts and then attempts another.  Because of the time between attempts at a single site, rapid or frequent account lockouts are not triggered.
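
Because each account sees only a few failures, a per-account lockout counter misses this pattern; counting distinct accounts per source does not. The Python sketch below is an added detection example, not code from the CISA/NCSC alert: the log format, thresholds, and every log line are constructed assumptions, and it keys on source address since authentication logs normally do not record the password tried.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (timestamp, source IP, account, result).
# Addresses come from documentation ranges; this is not real data.
SAMPLE_LOG = """\
2020-05-05T08:00:00 203.0.113.7 alice FAIL
2020-05-05T08:02:00 203.0.113.7 bob FAIL
2020-05-05T08:04:00 203.0.113.7 carol FAIL
2020-05-05T08:06:00 203.0.113.7 dave FAIL
2020-05-05T08:08:00 203.0.113.7 erin FAIL
2020-05-05T08:09:00 198.51.100.20 frank FAIL
2020-05-05T08:09:05 198.51.100.20 frank FAIL
2020-05-05T08:09:10 198.51.100.20 frank FAIL
2020-05-05T08:09:15 198.51.100.20 frank FAIL
2020-05-05T08:10:00 192.0.2.15 grace FAIL
2020-05-05T08:10:20 192.0.2.15 grace OK
2020-05-05T09:30:00 203.0.113.7 alice FAIL
2020-05-05T09:32:00 203.0.113.7 bob FAIL
"""


def parse_failures(text):
    """Return {source_ip: [(time, account), ...]} for failed logins only."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip malformed lines and successful logins
        by_source[parts[1]].append((datetime.fromisoformat(parts[0]), parts[2]))
    return by_source


def detect_spray(text, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts but only a few times each.

    A lockout policy counts failures per account, so it sees at most
    max_per_account failures here; counting distinct accounts per source
    inside a sliding window exposes the pattern.
    """
    alerts = {}
    for src, events in parse_failures(text).items():
        events.sort()
        counts = Counter()
        start = 0
        for when, account in events:
            counts[account] += 1
            # Slide the window start forward, dropping expired failures.
            while when - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = sorted(counts)
                break
    return alerts


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts")
```

In the sample, the source hammering one account and the user who mistypes once are not flagged; only the source touching five accounts once each is.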

Recommended Forms of Mitigation

In its cybersecurity alert for healthcare CISA recommends risk based holistic approaches to organizational cybersecurity consistent with the National Institute of Standards and Technology (NIST). 

CISA's other recommendations for mitigation in this alert included:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Protect the management interfaces of your critical operational systems.
  • Set up a security monitoring capability.
  • Review and refresh your incident management processes.
  • Use modern systems and software.

CVG Strategy

According to recent studies, organizations are unprepared to meet the challenges of modern cybersecurity.  CVG Strategy can help by implementing Information Security Management Systems (ISMS) that will protect your organization’s vital data and information systems.  Our Subject Matter Experts can guide your business through a variety of solutions including NIST 800-171.  Contact Us to learn more.

FEMA Ruling on Medical Resources for Domestic Use

FEMA Temporary Ruling on Allocation of Personal Protective Equipment (PPE)

A Federal Emergency Management Agency (FEMA) ruling on medical resources will be effective until August 10, 2020. This action has been taken in response to the immediate need for Personal Protective Equipment (PPE) caused by the COVID-19 epidemic.  Recent studies have shown that COVID-19 is possibly transmitted through contact with respiratory droplets or contact with surfaces that have the virus on them.  Because the virus may be spread by people not showing symptoms, PPE is urgently required to protect health workers and people with underlying health conditions.

Action Taken in Response to Executive Orders

FEMA’s ruling is part of a response to a series of executive orders given by President Donald Trump.  These orders include:

Provisions of FEMA Ruling on Medical Resources

Banning of Exports

The ruling provides that scarce or threatened materials shall not be exported without explicit approval of FEMA.  Because of this, any items covered under this ruling will be held by the U.S. Customs and Border Patrol (CBP) until FEMA determines whether to allow export or return for domestic usage.  In making these determinations FEMA will consider:

  • Domestic requirements for the item,
  • Overall effect on the supply chain,
  • Any hoarding or price gouging circumstances,
  • Quantity and quality of items,
  • Humanitarian considerations,
  • International considerations.

Exception for Continuous Export Agreements

FEMA will not purchase these items from shipments made by or on behalf of U.S. manufacturers with continuous export agreements with foreign customers.  This would pertain to orders in effect since at least January 1, 2020, so long as at least 80 percent of such manufacturer’s domestic production of covered materials, on a per item basis, was distributed in the United States in the preceding 12 months.

Investigations and Requests for Information

FEMA has been empowered to undertake investigations and issue requests for information to enforce these rulings.  Failure to comply fully with these rulings may result in a fine of not more than $10,000 or imprisonment for not more than one year, or both.

Documentation of Changes

Due to the nature of the ongoing situation FEMA may also determine that additional items will fall under these rules.  This may occur if the item is crucial to national defense requirements and will not cause significant disruption to the domestic markets.  As required by the Administrative Procedure Act (APA), FEMA must publish notice of any changes in requirements on the Federal Register.  Therefore persons or parties with interest in these changes will then be able to submit data, views or arguments prior to final execution.

CVG Strategy

CVG Strategy is committed to helping businesses maintain compliance to U.S. export laws.  We have decades of experience and expertise in Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR).  Contact Us to see how our experts can help.