Improving cyber resiliency in Industrial Control Systems (ICS) environments requires a comprehensive, multi-tiered approach that can address both standalone and networked systems. We’ve found the following approach can support government agencies in augmenting their cybersecurity postures to ensure operations aren’t impacted in the face of attacks.
Develop a Foundation
As with any design, start by completing a comprehensive inventory of assets. For each asset, ascribe an individual record that is stored in a database. This database entry becomes the official record for that asset throughout its lifecycle, recording and date-stamping all patches, changes, and updates that occur. This forms a comprehensive configuration management record for each individual asset.
After you identify and record all assets, conduct a basic security check to identify vulnerabilities within computer assets. Compile and review these scans to determine if there are common vulnerabilities across all or most platforms.
This information should provide the foundation for implementing the initial cybersecurity update and establishing an in-house baseline for all assets. Now you can implement solutions to common vulnerabilities without affecting production and generate a backup image. You should also identify and develop any repeatable processes that are needed during this phase.
Develop a Plan for Cybersecurity Posture Improvement
Once you complete a comprehensive inventory and establish an initial baseline, design and develop a standardized plan to improve the foundation. While the ultimate goal is always RMF-compliant systems across the board, that might not be realistically achievable with older systems; in those circumstances, you’ll likely need to develop something that provides an acceptable level of security without compromising production results.
Evaluate each system’s cyber resiliency and then leverage current cybersecurity standards to develop a plan for improvement. Since no two legacy systems are the same, during development planning, try to leverage all standards that apply and keep the ones that don’t affect production. Also, you should finalize the development of any repeatable processes during this phase.
At this point, making cybersecurity posture improvements requires a centrally managed and located mechanism. We prefer to implement a cybersecurity lab to address deficiencies, as that allows us to utilize all facets of the system lifecycle and support tasks like configuration management with a minimal amount of personnel, effort, or recurring cost.
While a cybersecurity lab allows for all systems to be centrally managed, the necessary infrastructure requires processes and procedures to run smoothly. Standardized, repeatable processes and procedures ensure that daily, weekly, monthly, quarterly, and annual requirements are met with minimal oversight. Leverage the output from these standardized processes to determine reportable metrics and identify lessons learned.
Implement Cybersecurity Posture Improvements
The centerpiece of this phase is the implementation of the plan developed in Phase 2. This involves leveraging the cybersecurity lab to implement the improvements outlined in the improvement plan.
At the tactical level, this becomes sustainment operations and demands strict coordination between cybersecurity staff and production personnel to ensure proper compatibility with production schedules and available personnel. This phase becomes a continuous process that closely mirrors the RMF end-state for control monitoring.
Risk Management Framework (RMF) Implementation
RMF-compliant systems are the current standard for the Department of Defense. However, retrofitting existing legacy ICS systems represents a costly, time-consuming endeavor that could potentially result in a system that doesn’t function once secured — which would require a complete re-engineering effort that could affect production operations.
We recognize this potentiality as a significant risk when designing and developing a framework that addresses patching and other cybersecurity activities for legacy systems with an eye trained on improving cyber resiliency until the ICS completes its lifecycle, at which point new or replacement RMF-compliant systems are required.
Organizations that rely on multiple, often outdated platforms within an ICS need to address the cybersecurity risks they pose. Using a process like this one, these organizations can determine what assets they have, the security vulnerabilities each one possesses, and a plan for addressing these vulnerabilities until current, RMF-compliant systems are operational.