ICS Information Security Assurance Framework 4

ICS Information Security Assurance Framework 4

January 18, 2020 | Mina Hao

Technical Trend of ICS Information Security

1.3.1 General Introduction

As the application of IT technologies in industrial fields is expanding in breadth and depth, ICSs are facing an increasing number of security risks. ICSs’ original security protection systems which
feature border separation and protection tend to be associated and integrated with business. With the emergence of new application forms such as industrial clouds and industrial big data, ICS security products need to surpass the existing products in terms of functions and application form, so as to better adapt to new applications.

1.3.2 Introduction to Major ICS Information Security Products

Currently, ICSs adopt the following categories of information security technologies: protection, isolation, monitoring, detection, and O&M management.

Protection

  • Network protection: Unlike traditional IT firewalls, industrial firewalls make an in-depth analysis (from the IP layer to the application layer) of packets reaching industrial networks, using the whitelist mechanism to restrict access to resources such as IP addresses and protocol function code, as well as restrict operation behavior.
  • Host protection: A host whitelist mechanism or a trusted system for host application software is built to check whether related software or applications can run in the current system and prevent the execution of the software/applications outside of the whitelist and launch of the related processes.

Isolation

  • GAP: In a 2+1 or 3+1 manner, two hosts communicate with each other through a Network Security Separated Card. Alternatively, another host is used to dispatch policies to both hosts
    to implement limited communication between them. Currently, GAPs are extensively used in the petroleum and petrochemical and metallurgy sectors.
  • Forward and reverse isolation devices: Internal and external hosts communicate with each other via a single-byte response mechanism as no TCP/IP connections are set up between
    the intranet and extranet. Such devices still need to perform verification based on digital certificates, and therefore limited communication needs to be established between the intranet and extranet. Currently, this kind of devices is widely used in the electric power sector.
  • Industrial isolation gateway: Currently, this kind of product adopts the 2+1 isolation method or alternatively two firewalls are directly interconnected to effectively filter and handle packets
    using OPC (OLE for Process Control), Modbus, and S9 protocols. This system is especially useful for fine-grained control of such operations as reading and modifying OPC’s point tables.

Monitoring

  • Industrial control audit: With a communication behavior baseline built through customization or automatic learning, this kind of product can identify abnormal communication behavior, alert for operations involving such behavior, and provide relevant handling suggestions.
  • IDS for ICSs: Through in-depth packet parsing, such products can perform signature analysis and anomaly detection to identify attack behavior of malware that gets into or hides in ICSs, in a bid to effectively perceive and spot attack behavior.
  • Industrial monitoring and alerting platform: Through management and correlative analysis of security logs, network logs, and host logs, this kind of platform identifies and reproduces
    potential malicious behavior in industrial fields, by taking account of characteristics of industrial field operations.

Detection

  • Scanning for Industrial control vulnerabilities: This kind of product probes IT operating systems, databases, application software, and devices (such as industrial controllers like PLC and DCS) which are commonly seen on industrial fields, in order to identify security vulnerabilities in them.
  • Discovery of industrial control vulnerabilities: This kind of product tests the protocol robustness via technical means like fuzz testing. By sending a malformed packet of a designated protocol
    to a device under detection, such a product checks whether this device can properly handle such packet, as demonstrated by discovery of vulnerabilities in systems through a denial of service (DoS).

O&M Management

  • Industrial jump server: implementing security audit and identity management of the O&M process. Currently, if industrial software cannot be installed on the master device in industrial
    fields, an interface for connection to software like SCADA is integrated and configured to implement communication with the master device and monitor the O&M process.
  • Mobile industrial O&M auditing: This kind of product monitors operations of external onsite O&M personnel to spot potential malicious behaviors mingled with O&M operations, as well as record and block such behavior.

1.3.3 Issues and Difficulties Facing ICS Information Security Technologies

Currently, ICS information security enters a new epoch of converging information security and ICS security. ICS security products are still in the age of version 1.0 and lag far behind IT information security and IT systems in terms of adaptation, even though ICS security products are strongly associated with business application. Besides, due to inadequate integration with business and the lack of innovative security detection ideas, ICS security products fail to perform adequate in-depth detection of attack behavior potentially existing in business, and thus cannot deliver security protection that truly works.

On the other hand, with the popularization of new applications (including industrial clouds and industrial big data) in industrial sectors, there are bound to be changes to industrial control forms. Information security technologies, when adapted to these new forms, definitely need to be integrated with business. However, integration of ICS information security technologies does not fully unfold until a breakthrough is made in the technological direction and applications.

 

To be continued.