ICS Information Security Assurance Framework 19

March 6, 2020 | Adeline Zhang

Government Affairs

  • SCADA System Architecture Used in Water Affairs

The SCADA system used in water affairs mainly consists of the operator workstation, engineering workstation, SCADA system of the water intake pump room, SCADA system of the drug dosing room, SCADA system of the backwashing system, SCADA system of the water supply pump room, and SCADA system of the dewatering pump room. Figure 4.13 shows the architecture.

  • Security Requirement Analysis

1. Portal website security analysis

Since the portal website of water affairs can be directly visited via the Internet, it has different kinds of visitors from both within and outside of China and can easily draw hackers’ attention. Main security threats are:

① By launching an SQL injection or cross-site scripting (XSS) attack, a hacker can easily obtain administrative privileges of the portal website and then tamper with its web page code. The hacker can replace the portal website with a phishing website or pornographic website, or publish sensitive remarks on the web page, causing an extremely adverse impact on the enterprise.

② After successfully obtaining control privileges of the web server, the attacker can use the server as a springboard to penetrate and scan the intranet or even launch an attack against the intranet, posing threats to the enterprise’s sensitive data. According to the security assessment result of the current host, after a hacker enters the intranet, he/she can easily compromise other servers.

Traditional border protection devices such as firewalls and intrusion prevention systems, though taken as indispensable modules to implement overall security policies, are unable to provide satisfactory protection against web application attacks due to their own product positioning and protection depth. Therefore, it is necessary to adopt a professional web protection system to effectively prevent various attacks and reduce website security risks.

2. Network border security analysis

The computer network itself is so vulnerable that it may suffer different attacks and damage at any time, some of which are even destructive. Main factors that damage network security are as follows:

① Network protocols are, by nature, insecure. The network is an open information system, which can connect to the Internet and communicate with any computer on the network. The network is at risk due to the vulnerability of the TCP/IP protocol.

② Viruses and worms spread rapidly. Once the intranet of water affairs is infected with viruses or worms, the infection will degrade the processing performance of the network and system, seriously threaten sensitive data, and even congest the network and cause service interruption.

③ Weaknesses of current firewall solutions. With network applications and new threats springing up like mushrooms, neither traditional firewalls, nor unified threat management (UTM) devices, nor next-generation firewalls (NGFW) can meet users’ requirements for network security protection any longer. Specifically, traditional firewalls cannot effectively identify and control network applications and users, and current IP address-based access control is no longer reliable.

3. Business system security analysis

The security analysis of the business system evolves with the development of network environments. Work such as order management and file distribution in the water affairs system is now done by computers, and information is stored and provided digitally. Main factors that damage the security of business systems are as follows:

① System vulnerabilities impose serious threats to the business system. Malicious attackers could exploit system vulnerabilities to enter the system background by conducting malicious scanning or launching remote overflow attacks, so as to obtain, tamper with, and even destroy sensitive data, influencing the proper running of the entire network.

② Network security auditing is an especially serious issue. Traditional network security means, such as firewalls and intrusion detection systems, can manage and monitor abnormal network behaviors (such as controlling the validity of network connection and access and monitoring network attack events), but they cannot monitor network content access and authorized internal network access. Therefore, they are unable to detect information disclosure events and network resource abuse caused via legitimate network access (such as instant messaging, forums, online videos, P2P downloads, and online games). Also, it is difficult to effectively monitor and manage content and behavior and trace the source of security events. Therefore, a new security method is urgently needed to address the preceding issues. Audit forensics is essential in any security system.

③ Human errors and service privilege management problems, for example, weak passwords, incorrect sharing, misuse of application systems, internal personnel’s unauthorized access to business application systems, unauthorized operations, or the operator’s incorrect inputs that lead to system breakdown.

  • Security Solutions

1. Portal website protection

Use a web application protection system to ensure the security of web application systems. The web application protection system is an overall solution that features pre-event prevention, in-process protection, and post-event remediation. As a middleman between the web client and the server, the web application protection system can protect the web server from being directly exposed on the Internet, monitor bidirectional HTTP/HTTPS traffic, and detect and protect bidirectional data at the network layer and web server/application layer, thereby reducing the security risk of websites and preventing all kinds of bandwidth consumption and resource consumption DoS attacks.

2. Network border protection

Use a network intrusion prevention system to ensure the security of network borders. The security protection system of network borders can intelligently identify and analyze protocols, detect protocol anomalies, and detect abnormal traffic, and therefore can effectively discover various Trojans and backdoors bound to any ports, detect unknown overflow attacks, zero-day attacks, and DoS attacks, and effectively defend against DDoS attacks, unknown worms, and rogue traffic attacks.

3. Network security audit

A security audit device should be deployed in the system of water affairs to fulfill the following functions:

① Content audit. It has in-depth content audit functions, so as to provide comprehensive content detection and information restoration for website access, mail receiving and sending, remote terminal access, database access, data transmission, and file sharing. It can also customize the keyword database for fine-grained audit tracking.

② Behavior audit. It has a comprehensive network behavior audit function. According to the configured behavior audit policy, it monitors network application behaviors (such as website access, mail receiving and sending, database access, remote terminal access, file upload and download, instant messaging, forum, mobile application, online video, P2P download, and network game), generates alerts, and records events matching the policy in real time.

③ Traffic audit. It analyzes traffic based on protocol identification, collects statistics of various packet traffic in the network in real time, and comprehensively analyzes the traffic, so as to provide reliable support for making traffic management policies.

  • Security Protection Solution

Border Security Protection Solution

An ICS security gateway can be deployed between each station control system PLC/RTU and the industrial switch, in a bid to prevent malicious traffic or attacks from entering field stations through a city gate station.

In front of the SCADA server, engineering workstation, and operator workstation, an industrial firewall can be deployed to conduct in-depth analysis of all data destined for the server, protecting this server from unauthorized operations, malicious control of illegitimate commands, and virus attacks.

Comprehensive Security Protection Solution

  • Divide security zones. The entire gas network system is divided into different security zones, with the purpose of conducting permission control for mutual access between the service system zone, accessing users, Internet egress, and core switch zone. The SCADA industrial control system zone is also divided.
  • Improve the reliability of network security protection. Design a redundant architecture of key node devices in the core switch zone, mobile user access zone, and sensitive data access zone to form a hot backup, thereby ensuring the high reliability of the whole security protection system devices.
  • Deploy a database audit system and clearly define data access permissions. By deploying a database audit system in the sensitive data zone, we can audit users’ database operations in real time, including the creation, deletion, and modification of tables.
  • Strengthen data protection. Deploy a data disclosure prevention system to ensure that confidential data will not be leaked in the production, transmission, and storage links, and that even if the data is duplicated, it cannot be accessed.
  • Deploy a unified security management zone. After security protection measures are taken for the entire network system, effective management and O&M should follow. We can deploy the threat analysis system, vulnerability scanning system, and operation security management system (OSMS), which are effective for unified security management, and deploy an ICS vulnerability scanning system, ICS security audit system, and ICS intrusion detection system in the central SCADA zone for security management of the entire SCADA industrial control system.
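
The database audit item above, sketched as an added example that is not part of the original article or of any vendor product: an audit pass over SQL records that flags table creation, modification, and deletion and checks each operation against a per-account permission table. The account names, table names, permission table, and sample records are assumptions constructed for illustration.

```python
import re

# Assumption: table DDL each account may run (names constructed for this example).
PERMISSIONS = {
    "dba_admin": {"CREATE", "ALTER", "DROP"},
    "scada_hist": set(),          # historian service account: no DDL at all
    "billing_app": {"CREATE"},    # may create tables, never alter or drop
}

COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
# Table-level DDL: creation, modification, deletion (TRUNCATE/RENAME included).
DDL_RE = re.compile(
    r"^\s*(CREATE|ALTER|DROP|TRUNCATE|RENAME)\s+"
    r"(?:(?:GLOBAL\s+|LOCAL\s+)?(?:TEMPORARY\s+|TEMP\s+))?TABLE\s+"
    r'(?:IF\s+(?:NOT\s+)?EXISTS\s+)?([`"\[]?[\w.]+[`"\]]?)',
    re.IGNORECASE,
)

def classify(statement):
    """Return (operation, table) for table DDL, or None for any other SQL."""
    m = DDL_RE.match(COMMENT_RE.sub(" ", statement))  # comments must not hide DDL
    if not m:
        return None
    return m.group(1).upper(), m.group(2).strip('`"[]').lower()

def audit(records):
    """records: iterable of (timestamp, user, sql). Returns audit events for DDL."""
    events = []
    for ts, user, sql in records:
        hit = classify(sql)
        if hit is None:
            continue
        op, table = hit
        allowed = op in PERMISSIONS.get(user, set())  # unknown accounts get nothing
        events.append({"time": ts, "user": user, "op": op, "table": table,
                       "verdict": "permitted" if allowed else "ALERT"})
    return events

# Constructed sample audit records (not from a real system).
SAMPLE = [
    ("2020-03-06T09:00:01", "dba_admin", "CREATE TABLE IF NOT EXISTS pump_log (id INT)"),
    ("2020-03-06T09:02:17", "scada_hist", "SELECT * FROM pump_log"),
    ("2020-03-06T09:05:40", "scada_hist", "/* maint */ drop table pump_log"),
    ("2020-03-06T09:07:12", "billing_app", "ALTER TABLE `orders` ADD COLUMN note TEXT"),
    ("2020-03-06T09:08:55", "unknown_user", "TRUNCATE TABLE orders"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Every table operation is recorded, permitted or not, so the log supports later tracing; only operations outside the account's defined permissions raise an alert.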

To be continued.