ENISA Offers Incident Response AdviceTips for Industrial Control System Breach Investigations
Industrial control systems, used in a variety of sectors, including financial services, healthcare, public utilities and manufacturing, are increasingly vulnerable to cyber-attacks. Security professionals can follow recommendations outlined in a new white paper from the European Union's cybersecurity agency to help secure these systems and prepare incident response plans.
The document from the European Union Agency for Network and Information Security outlines the process responders should follow after a breach to analyze the incident and specifies the type of information that should be collected and analyzed.
"The ability to respond to critical incidents and be able to analyze and learn from what happened is crucial," the white paper states.
J.D. Sherry, a vice president of technology and solutions at Trend Micro, a security software company, notes: "Incident response planning is critical in ICS because it documents what kind of information the investigator will need."
Industrial control systems are designed to perform repetitive automated tasks, such as opening and closing valves, collecting data from sensors and monitoring the environment to issue an alarm when necessary. They're widely used in manufacturing; water and electric grids; medical devices and automated systems in healthcare; banking systems; and transportation systems, among others.
Systems Under Attack
The systems frequently have software vulnerabilities and have little built-in security, lacking code signing or basic authentication, making them highly vulnerable to attack, says Billy Rios, managing director of global consulting at ICS security company Cylance. Targeting these systems could disrupt critical operations, such as cause a water pump at a treatment plant to fail, or destroy centrifuges as the Stuxnet malware did in Iran's Natanz nuclear facility.
Since the industrial control systems are often used in sectors that are part of a nation's critical infrastructure, they are an attractive potential target for cyber-attacks from disgruntled insiders, dissident groups and nation-states, says Udo Helmbrecht, the executive director of ENISA.
ENISA's white paper focuses on attacks against embedded systems, supervisory control and data acquisition (SCADA) devices, programmable logic controllers (PLC), and distributed control systems (DCS) that may be deployed within the organization.
These systems should be "operated in a manner which allows for the collection and analysis of digital evidence to identify what happened during a security breach," Helmbrecht says.
Planning Before Deployment
The ENISA report emphasizes breach prevention and response planning when deploying industrial control systems. For example, those implementing the systems should make sure they're collecting all the data that would be needed to conduct an investigation in case of an attack.
Many network monitoring tools, such as log management and intrusion detection systems, can be used in the ICS environment to monitor the management and support systems that are connected to the actual embedded systems and components, Rios says.
But monitoring the SCADA and PLC devices is challenging because they generally have their own firmware, specifications and custom protocols, Rios says. The documentation for these devices may be incomplete, and the vendors generally do not offer any tools to provide an easy way to view what is actually on the device, Rios says.
"If you haven't done your homework beforehand, you won't survive the attack," Rios says.
When deploying new systems, controllers and sensors into an ICS environment, organizations have to make sure all the logic, specifications and programs loaded onto the hardware is backed up and securely stored somewhere else, Rios says.
As part of deployment, the organization needs to consider what kind of built-in logging the industrial control system has; identify other ways to collect more evidence, such as deploying a network monitoring agent; and document how to extract each type of data during the investigation, ENISA writes in its paper.
"The cornerstone of effective security management is the implementation of appropriate and well-measured controls able to balance the risk and provide mechanisms to counter and follow-up incidents," the paper says.
The ENISA report highlights the importance of in-depth ex-post incident analysis to learn from the attack. The forensics analysis should focus on identifying the target of the attack, inferring the attacker's intended goal and target, itemizing the vulnerabilities on that system and discovering the source of the attack, according to the white paper. With this information, the organization can take steps to defend against similar attacks.
The first step in incident response within the ICS infrastructure is to examine the system and identify all the impacted components, according to the paper. This way, the investigator will understand which firmware version the device had, how it was deployed and how it fit in within the overall network architecture. If industrial control systems are deployed with proper planning, the investigator will know where to find the necessary forensics data, such as network traffic data and operating system and transaction logs.
Because industrial control systems are highly customized and have their own unique firmware, an analysis after a breach is time-consuming, Rios says. A thorough understanding of what each process does, and knowing where to find forensics data, can help with post-incident investigation, he says.
ENISA says improving the quality and amount of data collected to analyze incidents will help organizations understand how to prevent similar attacks. The insights gained from investigations can also be used to deploy similar systems in a far more secure manner. More important, the information can be shared with others globally to strengthen overall defenses as well as develop a comprehensive and up-to-date view of what attacks on ICS infrastructure look like, according to the paper.
"Enabling inter-state collaboration is critical, as attacks may be targeted across a number of sites, from a number of foreign jurisdictions," ENISA writes in the paper.