Device Hardening
Device hardening is the process of configuring a device's settings to strengthen its security. It applies to routers, firewalls, switches and the other devices on a control network, for example Supervisory Control and Data Acquisition (SCADA) hosts and Programmable Automation Controllers (PACs). Examples of device hardening activities, tools and methods include:
- Password management, including encryption
- Disabling of unused services
- Access control
- Application updates, patches and hot fixes
- Strong authentication
Password management is one of the fundamental tools of device hardening, yet it is often neglected in industrial control systems. Policies and procedures for password management should be maintained and adhered to.
Password Management Guidelines
- Enable password authentication on all e-mail and web servers, PACs, Ethernet interface modules and embedded web servers.
- Change all default passwords immediately after installation, including those for:
  - User and application accounts on Windows, SCADA, HMI and other systems
  - Scripts and source code
  - Network control equipment
  - Devices with user accounts
  - FTP servers
- Only grant passwords to people who need access, avoid displaying passwords during password entry and prohibit password sharing.
- Require passwords that are difficult to guess: they should contain at least 8 characters (longer is better) and should combine upper-case and lower-case letters, digits and special characters where the device permits them.
  Tip: a good way to make a password difficult to crack is to combine three random words into a long passphrase, for example ChickenYogurtBike.
- Require users and applications to change passwords on a scheduled, regular basis.
- Remove employee accounts when employment is terminated.
- Require different passwords for different accounts, systems and applications.
- Maintain a secure master list of administrator account passwords (for example in a sealed envelope or an offline password safe with logged access) so that authorized staff can reach them quickly in an emergency.
- Implement password management in a way that does not interfere with an operator's ability to respond to an event such as an emergency shutdown.
- Do not transmit passwords via e-mail or by any other unencrypted means over the internet.
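The guidelines above can be enforced mechanically. The following Python script is an added example, not code from the original page or from any vendor: it checks each credential against the minimum length, the character-class mix and a list of well-known default credentials, accepts a long three-random-words passphrase such as ChickenYogurtBike, and flags the same password being reused on different systems. The default-credential list, the 16-character passphrase threshold, the hostnames and the sample passwords are all constructed assumptions for the demonstration.

```python
import hashlib
import re

# Constructed sample of well-known default credentials (username, password).
# A real audit would load the documented defaults for each device type in use.
DEFAULT_CREDENTIALS = {
    ("snmp", "public"),      # SNMP read community
    ("snmp", "private"),     # SNMP read/write community
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("ftp", "ftp"),
}

MIN_LENGTH = 8          # minimum length from the guideline above
PASSPHRASE_LENGTH = 16  # assumption: a passphrase this long may use fewer character classes
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_violations(username, password):
    """Return the guideline violations for one credential (empty list = acceptable)."""
    violations = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        violations.append("default credential")
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        violations.append("fewer than three character classes")
    if username.lower() in password.lower():
        violations.append("contains the username")
    return violations


def audit(inventory):
    """Check every (system, username, password) triple and flag reuse across systems.

    Reuse is detected by comparing SHA-256 digests so the report never has to carry
    the passwords themselves; in practice the digests would be exported from the systems."""
    findings = {}
    by_digest = {}
    for system, username, password in inventory:
        key = (system, username)
        findings[key] = password_violations(username, password)
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(key)
    for keys in by_digest.values():
        if len(keys) > 1:
            for key in keys:
                others = ", ".join("%s/%s" % other for other in keys if other != key)
                findings[key].append("reused on " + others)
    return findings


# Constructed inventory: hostnames and passwords are illustrative only.
INVENTORY = [
    ("switch-01", "snmp", "public"),                 # default SNMP community
    ("plc-01", "admin", "admin"),                    # default, short, contains username
    ("hmi-01", "operator", "Op3rator!"),             # acceptable on its own
    ("historian-01", "sa", "Op3rator!"),             # reuse of the HMI password
    ("eng-ws-01", "engineer", "ChickenYogurtBike"),  # three-random-words passphrase
]

if __name__ == "__main__":
    for (system, username), problems in sorted(audit(INVENTORY).items()):
        print("%-13s %-9s %s" % (system, username, "; ".join(problems) or "OK"))
```

Run as a pre-commissioning check or hook it into the password-change procedure; the reuse check is the one most often missed by hand, because each password looks fine in isolation.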
Another aspect of device hardening is device-level access control: for example, a device that maintains an access control table listing approved addresses and accepts only access requests that originate from those addresses. This type of access control is useful for controlling access between different areas of a plant. Because addresses can be spoofed, it protects against unauthorized hosts rather than against a compromised host at an approved address, so it should complement authentication, not replace it.
Access Control Guidelines
Access control should be implemented at all levels:
- Servers
- Workstations
- Firewalls
- Switches
- Devices
Use access control lists to record the addresses from which a Transmission Control Protocol (TCP) connection request is allowed; a request from any address not on the list is rejected.
The following managed Ethernet switch features can be configured to harden the switch and provide additional protection against unauthorized users:
SNMP v1, v2c and v3 are supported by managed Ethernet switches. By default, SNMP v1 and v2c are enabled with the well-known default community strings, public for read access and private for read/write access. These community strings are the only credential for v1/v2c and travel in clear text, so change them immediately after installation, restrict SNMP access to the management station addresses, and prefer SNMP v3 with authentication and encryption (authPriv) where the switch supports it, disabling v1 and v2c.
The Ethernet Switch Configurator Software protocol allows users to assign an Internet Protocol (IP) address, subnet mask and default gateway IP to a switch. As part of device hardening, after assigning the IP parameters to the device, disable the Ethernet Switch Configurator Software function or limit its access to read-only.
A malicious user with physical access to an unsecured port on a network switch could plug into the network behind the firewall and bypass its inbound filtering. Ethernet switches maintain a Content Addressable Memory (CAM) table that maps the medium access control (MAC) addresses seen on the network to the physical ports of the switch. In a MAC flooding attack, the attacker sends a stream of frames, each with a different source MAC address, until the CAM table is full. Once the table is full the switch can no longer learn legitimate addresses and falls back to behaving like an Ethernet hub, flooding frames for unknown destinations out of every port. The attacker can then run a packet sniffer, for example Wireshark in promiscuous mode, and capture sensitive data from other computers, for example unencrypted passwords, e-mail and instant-messaging conversations, that would not be visible were the switch operating normally.
The following device hardening methods help mitigate these vulnerabilities:
- Disable unused ports.
- Lock specific MAC addresses to specific ports on the Ethernet switch (port security), and have the switch shut the port down or raise an alarm when an unexpected address appears on it.
- Lock specific IP addresses to specific ports on the Ethernet switch.
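To show why these three measures work together, the following Python model is an added example (not code from the original page or any switch vendor): it simulates a learning switch with a bounded CAM table, runs a MAC flooding attack against it, and then repeats the attack against the same switch with unused ports disabled and the victims' MAC addresses locked to their ports. The port numbers, MAC addresses, CAM capacity and the "shut the port down on violation" behaviour are constructed assumptions; real switches differ in table size, aging timers and violation modes.

```python
import random


class Switch:
    """Toy model of a learning switch with a bounded CAM table and optional port security."""

    def __init__(self, ports, cam_capacity, port_security=False, max_macs_per_port=1):
        self.enabled = set(ports)       # administratively enabled ports
        self.err_disabled = set()       # ports shut down after a port-security violation
        self.cam = {}                   # learned MAC -> port
        self.capacity = cam_capacity
        self.port_security = port_security
        self.max_macs = max_macs_per_port
        self.allowed = {}               # port -> set of MACs locked to that port
        self.violations = 0

    def disable_port(self, port):
        """Administratively shut down an unused port."""
        self.enabled.discard(port)

    def lock_mac(self, port, mac):
        """Statically bind a MAC address to a port (port security)."""
        self.allowed.setdefault(port, set()).add(mac)

    def age_out(self):
        """Model the CAM aging timer expiring: every dynamic entry is forgotten."""
        self.cam.clear()

    def receive(self, ingress, src, dst):
        """Process one frame and return the set of egress ports (empty set = dropped)."""
        if ingress not in self.enabled or ingress in self.err_disabled:
            return set()
        if self.port_security:
            allowed = self.allowed.setdefault(ingress, set())
            if src not in allowed:
                if len(allowed) >= self.max_macs:
                    self.violations += 1
                    self.err_disabled.add(ingress)   # 'shutdown' violation mode (assumed)
                    return set()
                allowed.add(src)                     # sticky-learn the first address
        if src not in self.cam and len(self.cam) < self.capacity:
            self.cam[src] = ingress                  # learning stops once the table is full
        if dst in self.cam:
            out = self.cam[dst]
            return set() if out == ingress or out in self.err_disabled else {out}
        # unknown destination: flood out of every other active port
        return (self.enabled - self.err_disabled) - {ingress}


def mac_flood(switch, port, frames, seed=1):
    """Send frames with random source MACs into one port (the attack)."""
    rng = random.Random(seed)
    for _ in range(frames):
        fake = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        switch.receive(port, fake, "ff:ff:ff:ff:ff:ff")


A_MAC, B_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed victim addresses
A_PORT, B_PORT, ATTACKER_PORT = 1, 2, 8


def unhardened_scenario():
    """All ports enabled, no port security: flooding turns the switch into a hub."""
    sw = Switch(range(1, 9), cam_capacity=64)
    sw.receive(A_PORT, A_MAC, B_MAC)
    sw.receive(B_PORT, B_MAC, A_MAC)
    before = sw.receive(A_PORT, A_MAC, B_MAC)      # normal: unicast to port 2 only
    mac_flood(sw, ATTACKER_PORT, 200)              # fill the CAM table
    sw.age_out()                                   # legitimate entries expire...
    mac_flood(sw, ATTACKER_PORT, 200)              # ...and the attacker refills the table first
    after = sw.receive(A_PORT, A_MAC, B_MAC)       # B unknown, table full: flooded everywhere
    return before, after


def hardened_scenario():
    """Unused ports disabled and victim MACs locked to their ports."""
    sw = Switch(range(1, 9), cam_capacity=64, port_security=True, max_macs_per_port=1)
    sw.lock_mac(A_PORT, A_MAC)
    sw.lock_mac(B_PORT, B_MAC)
    for port in range(3, 9):
        sw.disable_port(port)
    sw.receive(A_PORT, A_MAC, B_MAC)
    sw.receive(B_PORT, B_MAC, A_MAC)
    on_unused_port = sw.receive(ATTACKER_PORT, "02:de:ad:be:ef:00", B_MAC)  # dropped
    mac_flood(sw, B_PORT, 200)                     # attacker unplugs B and uses its port
    return {
        "unused_port_egress": on_unused_port,
        "violations": sw.violations,               # the first foreign MAC shuts the port
        "port_err_disabled": B_PORT in sw.err_disabled,
        "a_to_b_after": sw.receive(A_PORT, A_MAC, B_MAC),  # B's port is down: nothing leaks
    }


if __name__ == "__main__":
    print("unhardened (before, after flood):", unhardened_scenario())
    print("hardened:", hardened_scenario())
```

In the unhardened run the frame from A to B reaches port 8, where the attacker's sniffer is listening. In the hardened run the attacker's frames are dropped on the disabled port, and the first foreign address on B's port disables that port, which also makes the intrusion visible as a link-down alarm on the switch rather than a silent loss of confidentiality.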
Supervisory Control and Data Acquisition (SCADA) systems are used in industrial control for data collection, human interface and data analysis. Because of their direct access to process control functions, their criticality to the process and their typically PC-based architecture, SCADA hosts are among the most vulnerable devices on the control system network.
Steps required to harden the SCADA system include:
- Only grant physical access to the hosting server to system administrators or similarly authorized personnel.
- Keep logical access to the physical server within a dual-firewall demilitarized zone (DMZ), along with other systems such as workstations, the Historian, SCADA Gateways (hardware and software that interconnect incompatible networks or devices, for example protocol converters and packet assembler/disassemblers) and servers. Use industrial stateful firewalls or (next-generation) industrial deep packet inspection firewalls.
- Provide dedicated operator and developer access to the server via web clients; do not install developer tools on a running production server. These tools should only be installed on dedicated developer workstations.
- Harden the PC server and its operating system, starting with strong and unique user and administrative account passwords. Hardening of servers, particularly user account management and patching, should be a continuous process:
  - Use enterprise-grade operating systems that provide data execution prevention (DEP) and user account control (UAC).
  - Patch every operating system to the current required level on a documented, monitored schedule.
  - Disable or remove unused programs and services.
  - Run SCADA with non-administrative privileges only.
  - Do not install designer/development tools on production servers.
  - Format all file systems as New Technology File System (NTFS) so that file and folder permissions can be applied.
- Limit information access by configuring roles.
- Do not allow web and e-mail access on systems directly on, or accessing, the SCADA system. Disable or severely restrict web and e-mail access for any system in the control room.
- Use web clients instead of internet display clients.
- Use multiple digital signatures.
- Where possible, test any changes, for example patching and installation, in a dedicated closed test environment prior to production release.
- Implement Microsoft Windows authentication, using Active Directory for central management where possible.
  - Do not use the existing IT Active Directory infrastructure; implement a dedicated Active Directory infrastructure for the OT environment.
- Routinely track and monitor audit trails to identify suspicious activity, and remedy it immediately.
- Configure mirrored servers such as the Historian in the DMZ for external/enterprise access. Do not allow direct access to the control system network.
- Validate that there are no Internet Protocol (IP) addresses for non-required devices on the access list.
- Where possible use application whitelisting products on all SCADA servers and clients instead of anti-virus products. Whitelisting products tend to be less resource-intensive than anti-virus tools and offer stronger protection against zero-day threats, because only approved executables can run; the approved list must be updated, via the test environment, whenever software is patched.
  - If anti-virus products are used, keep the software and virus definitions current. Consider a risk-benefit assessment to determine an appropriate update schedule, as anti-virus updates can affect production.
- Configure SCADA to authenticate usernames and passwords against Windows authentication. Use systematic password maintenance procedures like those used in IT-managed systems.
- Allow no e-mail or web access on the SCADA server or on machines that connect to the server.
- If the SCADA server cannot be physically located in a secure location, establish some form of access control process.
- Disable or remove CD-ROM and diskette drives where installed.
- Disable universal serial bus (USB) ports not used by peripherals, for example keyboards. Dedicate USB drives to the SCADA system and use them only to import or export data. Scan each USB drive for malware before connecting it to the SCADA system.
- Do not leave remote units open: establish and enforce procedures to log out of, or screen-lock, SCADA web clients.
- Assign roles to limit physical access to plant areas and keep unauthorized personnel out of areas outside their responsibility. This means that if an intruder is able to penetrate, access is limited to a specific area, not the entire plant.
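The whitelisting recommendation in the list above rests on a difference in default behaviour: an allowlist permits only images it already knows, whereas signature-based anti-virus blocks only images it already knows are bad. The following Python model is an added example, not code from the original page or from any whitelisting or anti-virus product, that makes the difference concrete with hash-based decisions over constructed stand-in executables (the byte strings, product names and versions are invented for the demonstration). It also shows the operational cost the list mentions: a legitimate vendor patch is blocked until it has been approved from the test environment.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images; a real tool would read them from disk.
SCADA_SERVER_V1 = b"MZ scada-server 4.2.0 (approved build)"
HISTORIAN_SVC = b"MZ historian-service 1.0.3 (approved build)"
SCADA_SERVER_V2 = b"MZ scada-server 4.2.1 (vendor patch)"
TROJANIZED_SERVER = b"MZ scada-server 4.2.0 (approved build) + implant"
KNOWN_MALWARE = b"MZ sample seen last year"
NEW_MALWARE = b"MZ never seen before, no signature exists"


class Allowlist:
    """Hash-based application whitelisting: only images approved from a golden build may run."""

    def __init__(self, approved_images):
        self.approved = {sha256(img) for img in approved_images}

    def approve(self, image):
        """Add an image after it has passed the closed test environment."""
        self.approved.add(sha256(image))

    def may_execute(self, image):
        return sha256(image) in self.approved


class SignatureAntivirus:
    """Signature-based anti-virus: blocks only images whose hash matches a known-bad signature."""

    def __init__(self, signatures):
        self.signatures = set(signatures)

    def may_execute(self, image):
        return sha256(image) not in self.signatures


def compare(allowlist, antivirus, attempts):
    """Return {label: (allowlist_verdict, antivirus_verdict)} for each execution attempt."""
    return {label: (allowlist.may_execute(img), antivirus.may_execute(img))
            for label, img in attempts}


# Constructed execution attempts on a SCADA server. The trojanized server keeps the
# approved binary's path and name but not its bytes, so a path-based check would miss it.
ATTEMPTS = [
    ("approved scada-server", SCADA_SERVER_V1),
    ("approved historian-service", HISTORIAN_SVC),
    ("trojanized scada-server", TROJANIZED_SERVER),
    ("known malware", KNOWN_MALWARE),
    ("zero-day malware", NEW_MALWARE),
    ("vendor patch, not yet approved", SCADA_SERVER_V2),
]


def run_comparison():
    allowlist = Allowlist([SCADA_SERVER_V1, HISTORIAN_SVC])
    antivirus = SignatureAntivirus([sha256(KNOWN_MALWARE)])
    return compare(allowlist, antivirus, ATTEMPTS)


def patch_workflow():
    """A vendor patch is blocked until it is approved from the closed test environment."""
    allowlist = Allowlist([SCADA_SERVER_V1, HISTORIAN_SVC])
    before = allowlist.may_execute(SCADA_SERVER_V2)
    allowlist.approve(SCADA_SERVER_V2)    # done only after the patch passed testing
    return before, allowlist.may_execute(SCADA_SERVER_V2)


if __name__ == "__main__":
    for label, (wl, av) in run_comparison().items():
        print("%-32s allowlist=%-5s antivirus=%s" % (label, wl, av))
    print("patch before/after approval:", patch_workflow())
```

The zero-day image and the trojanized server both run under the anti-virus model and are both refused by the allowlist; the price is that every approved update has to flow through the test-and-approve step before production, which is why the list ties whitelisting to a closed test environment.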
The Historian is a centralized reporting tool for industrial control environments. Because it has many touch points to other industrial systems, for example SCADA, it is a target for cyber-attacks and should be hardened as follows:
- Locate client, server and database components on separate machines where possible.
- Patch Microsoft (MS) Structured Query Language (SQL) databases on a documented, monitored schedule, and ensure that the MS SQL system administrator (sa) password is strong and differs from all other passwords.
- Harden all hosting servers and client workstations. See the SCADA hardening steps above for examples of relevant server and client hardening methods.
- Locate the database server and Historian server within the same DMZ as the SCADA.
- Use Access Control Lists (ACLs) in the industrial firewall that separates the control network (the portion of the control system network where process data is transferred, including SCADA to PAC traffic and PAC to PAC traffic) from the enterprise network to control client access to the Historian web portal.
In many cases industrial control systems include older devices that lack sufficient device hardening features. Where necessary, hardening can be improved by placing an external security device in front of the installed end device; segregation behind an industrial firewall is the recommended way to provide these features.
The combined unit can then take advantage of the firewall's ability to limit network traffic: restricting access so that only data requests from specific originating devices are allowed, and even limiting access to specific data register areas or to specific function codes.
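The address-based access control lists described under Access Control Guidelines and the function-code and register restrictions described here are the same rule evaluated at two depths. The following Python script is an added example, not code from the original page or from any industrial firewall product: it checks a Modbus/TCP connection request first against an ordered list of source/destination/port rules and, where a rule requires it, parses the Modbus MBAP header and PDU to enforce a set of permitted function codes and a permitted register range, failing closed on anything malformed or unrecognized. The addresses, the rule set and the frames are constructed for the demonstration; the function codes and frame layout follow the public Modbus application protocol.

```python
import ipaddress
import struct

# Modbus public function codes used in the example (Modbus application protocol spec).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10
READ_ONLY = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
MODBUS_PORT = 502


class Rule:
    """One allow rule: L3/L4 match plus optional Modbus function-code and register limits."""

    def __init__(self, src, dst, port, functions=None, registers=None):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.port = port
        self.functions = functions   # set of permitted function codes, None = any
        self.registers = registers   # (first, last) permitted address range, None = any


def parse_modbus_request(payload):
    """Return (function_code, start_address, count) from a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    fc = payload[7]
    if fc in READ_ONLY | {WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}:
        start, count = struct.unpack(">HH", payload[8:12])        # start address + quantity
    elif fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        start, count = struct.unpack(">H", payload[8:10])[0], 1   # address + value
    else:
        raise ValueError("function code 0x%02x not inspected" % fc)  # fail closed
    return fc, start, count


def evaluate(rules, src, dst, port, payload=None):
    """First rule whose L3/L4 fields match decides; anything unmatched is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in rule.src or dst_ip not in rule.dst or port != rule.port:
            continue
        if rule.functions is None and rule.registers is None:
            return "permit"                      # plain address-based ACL match
        if payload is None:
            return "deny"                        # inspection required, nothing to inspect
        try:
            fc, start, count = parse_modbus_request(payload)
        except (ValueError, struct.error):
            return "deny"                        # malformed or unknown: fail closed
        if rule.functions is not None and fc not in rule.functions:
            return "deny"
        if rule.registers is not None:
            first, last = rule.registers
            if start < first or start + count - 1 > last:
                return "deny"                    # request reaches outside the allowed area
        return "permit"
    return "deny"                                # default deny


def modbus_request(fc, address, value_or_count, data=b"", unit=1, tid=1):
    """Build a Modbus/TCP request frame (MBAP header + PDU) for test traffic."""
    pdu = struct.pack(">BHH", fc, address, value_or_count) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed addressing: SCADA server, engineering workstation, a PAC, an enterprise host.
SCADA, ENG_WS, PAC, ENTERPRISE = "10.10.1.10", "10.10.1.20", "10.10.2.5", "192.168.50.5"
RULES = [
    # the SCADA server may only read, and only registers 0..999, on the PAC subnet
    Rule("10.10.1.10/32", "10.10.2.0/24", MODBUS_PORT, functions=READ_ONLY, registers=(0, 999)),
    # the engineering workstation may use any function code (address-only rule, no inspection)
    Rule("10.10.1.20/32", "10.10.2.0/24", MODBUS_PORT),
]

if __name__ == "__main__":
    print(evaluate(RULES, SCADA, PAC, MODBUS_PORT, modbus_request(READ_HOLDING_REGISTERS, 100, 10)))
    print(evaluate(RULES, SCADA, PAC, MODBUS_PORT, modbus_request(WRITE_SINGLE_REGISTER, 100, 0x1234)))
    print(evaluate(RULES, ENTERPRISE, PAC, MODBUS_PORT, modbus_request(READ_HOLDING_REGISTERS, 0, 1)))
```

Note the two fail-closed paths: a rule that requires inspection denies a request it cannot parse, and a request whose register window merely ends outside the permitted range (start 990, quantity 20 against a 0..999 limit) is denied even though its start address is allowed.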
Industrial PCs can host software applications, for example SCADA servers, Manufacturing Execution System (MES) clients and development environments. They are ruggedized, hardened PCs designed for the rigors of industrial environments and for low maintenance, and they can be installed in electrical enclosures for additional physical security. When such systems are enclosed, keyboard, mouse and display access can be provided with an Internet Protocol (IP) based Keyboard, Video, Mouse (KVM) switch; since the KVM carries console access, it must itself be hardened and kept off untrusted networks.
Industrial PCs can also be used as platforms to host network intrusion detection systems such as Snort®, an open-source network intrusion detection and prevention system (IDS/IPS) originally developed by Sourcefire (now part of Cisco) that combines signature, protocol and anomaly-based inspection.
Industrial PCs can also host proxy server applications, controlling traffic into and out of the DMZ, thereby providing additional isolation of the control room infrastructure from the enterprise. These systems are also suitable for hosting network management applications such as Configuration Manager.
There are many commercial PC systems available for engineering workstation needs, regardless of the PCs selected, they must be hardened and managed using the same methods used to harden industrial PC systems. Key hardening techniques include, but are not limited to:
- Strong password management
- User account management
- Least privilege applied to applications and user accounts
- Removal or disabling of unneeded services
- Removal of remote management privileges
- Systematic and timely patch management
Unlike industrial PC systems, which may be located in the more trusted control or device networks, these engineering workstations should be located within the operations network.
To reduce exposure to attacks, systems should be patched to the latest vendor-recommended software and firmware levels. This is particularly true of computer systems, for example SCADA hosts, that provide an element of control over the deeper layers of the industrial control network, and it is also true of devices on the control and field-level networks.
Patch management and deployment approaches include automatic, semi-automatic and manual. In all cases patch updates should be systematically planned, tested and executed. Before any patch is released to a production system, it is vital to take a system backup and to verify that configurations can be rolled back rapidly.
There are numerous ways to keep informed about the availability of new patches. These include subscriptions to security bulletin services, for example, www.microsoft.com/security/ and www.sans.org/newsletters/newsbites. In addition, vendor websites for devices, application software and operating systems should be monitored for updates.
More advanced server patching can be accomplished by hosting a patch management server in the DMZ supporting Windows Server Update Services (Microsoft WSUS server). This is a local repository of Microsoft hotfixes and service packs for operating systems and applications such as MS SQL Server. Local machines within the control room can connect to this server for patch management. Groups of patches would be predefined, tested and authorized by system administrators prior to deployment.
Firmware patching of other industrial control systems devices such as programmable automation controllers (PACs), network switches, routers, firewalls and distributed I/O may require system down time and should be performed on a carefully planned schedule. Some patches may address urgent issues and should be installed as soon as possible, regardless of the planned patch management schedule. The patch management plan should have specific guidelines for such exceptions. Even in these exception cases, include testing and backup procedures in the release plan.
Several utilities allow firmware to be deployed from the control room to the field level devices. These include Operating System (OS) Loader and web-based access. Use a dedicated machine in the operations network to deploy firmware but note that some field devices cannot be remotely patched and require local access. In these cases, connect only with a security-approved laptop free of malware.
Last update - February 2026