Regulatory compliance in industrial environments poses unique challenges not found in traditional IT settings. A leading source of this complexity stems from the pre-Internet, largely proprietary nature of industrial control system (ICS) networks, specifically their lack of open computing standards, which are taken for granted in IT networks. These closed ICS networks are extremely hard to update, and even harder to maintain in compliance with state, federal, and industry regulations.
In addition, most ICS networks lack built-in security components, notably automated asset management, proactive security monitoring, and real-time threat analysis and prevention. Plus, most of the applicable regulations and guidelines apply specifically to verticals such as healthcare and energy, and cover ICS only either indirectly or at a very high level. Consequently, the responsibility for security and incident response (IR) falls primarily on those who implement and utilize ICS, namely operational technology personnel, not the security team.
5 Core Elements of ICS Compliance
Although specific regulations and standards vary, there are five key elements to consider when developing an ICS compliance program:
Asset management: Identifying and classifying ICS assets and the data they contain.
Identity and access management: Using role-based access control (RBAC) and authentication, authorization, and accounting (AAA) to manage ICS assets.
Risk assessments, vulnerability management, and change management: All of these functions involve identifying risks and vulnerabilities, and patching ICS assets, which can be challenging because different vendors provide varying levels of support and maintenance.
Security controls: Isolating the ICS network from the rest of the organization's networks. The key tool is encryption — of data at rest and in transit — to ensure the integrity of applications as well as data. Other important tools are monitoring and logging network activity.
Physical security: Mostly, this means restricting physical access to the ICS devices. Because internal security capabilities of most ICS devices are often very limited, organizations must ensure that proper external controls are in place to fill gaps.
ICS Compliance Frameworks
US ICS-CERT has some of the most detailed recommendations for security and compliance specific to ICS, specifically, Recommended Practice: Creating Cyber Forensics Plans for Control Systems (2008) and Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (2009).
Another good source of information for all organizations is the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems. It provides recommendations and best practices.
Most verticals have specific guidelines for what organizations should do in incident response. Generally, organizations should familiarize themselves with all existing frameworks, laws, and regulatory and compliance standards so they can use them to create effective plans, policies, and procedures.
Incident Response & ICS Compliance
Because meeting ICS regulatory compliance requirements involves documenting processes and procedures, the data-driven nature of IR provides many of the reporting elements to comply with the strictest regulations regarding finance, safety, consumer privacy, customer notifications, and so on.
For example, the foundation of ICS compliance is built on auditing of assets. Without proper auditing, an organization is forced to assume the worst when a breach or attack occurs — that everything has been infected.
Detection, also a central element IR, is tightly aligned with compliance. Being able to detect and respond to a breach when it occurs, instead of weeks or months later, enables organizations to limit or avoid regulatory sanctions, as well as public relations nightmares.
IR investigation and threat hunting, meanwhile, provide the audit trail for satisfying compliance mandates. If an organization suffers a breach it must be able to quickly determine when it happened, what damage was caused, and whether it has been remediated or not.
Finally, IR's ability to document workflows and findings can play a central role in complying with disclosure requirements and help meet the short deadlines for notifying all internal and external stakeholders.
Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.