Change is part of daily industrial operations. Detecting a change and assessing the validity of that change are critical to effective ICS cybersecurity. Let’s say, for instance, that two lines have been removed from an SIS configuration file. Now let’s say this change blinds the operator to the availability of the SIS.
How will you know this configuration change occurred? This particular change happens deep in the bowels of a configuration file. Unless you are collecting sufficiently detailed data and comparing it to a known good baseline, how would you ever detect it? If this change was the result of a malicious attack, it could simply be the first step of a coordinated effort to cause damage and injury.
Was the change authorized? It’s not just the bad guys you have to worry about. According to The Global State of Information Security Survey 2015, although many times unintentional, employees are the “most-cited culprits of incidents.” Knowing invalid changes from the valid ones can lead to process improvement and training opportunities that enhance plant performance. It can also surface the effects of successful attacks.
Do you have the ability to remediate unauthorized change quickly and verifiably? In our example, an engineer would need to add back the two lines of code. A closed loop process is the only way to know the work was done correctly. Software automation can provide workflow-driven processes that record and verify remediation of unauthorized changes.
Based on our example, an effective ICS cybersecurity response would look like this:
- DETECT: Discover change by having detailed configuration data across all major control assets.
- NOTIFY: Automatically initiate an appropriate response workflow based on asset risk category.
- ASSESS: Determine change authorization status and remediation recommendation.
- REMEDIATE: Update configuration to appropriate state and implement policy or process change to prevent future recurrence.
- AUDIT: Utilize workflow data records to confirm proper remediation and report if compliance related.
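The baseline comparison described earlier and the five-step response above, worked through end to end as an added example (this is illustrative code, not a product or the author's own tooling). The SIS configuration format, the asset name `SIS-01`, the risk categories, the workflow names and the change ticket `CHG-0042` are all constructed for the example; the current snapshot is the baseline with the same two lines removed that the text describes. The closed loop is the point: remediation is not counted as done until the re-collected configuration matches the baseline with no residual diff.

```python
"""Closed-loop configuration change handling: DETECT, NOTIFY, ASSESS, REMEDIATE, AUDIT.

Added illustration only. The config format, asset names, risk categories, workflow names
and ticket scopes below are constructed for this example.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed known-good SIS configuration (hypothetical key/value format).
BASELINE_CONFIG = """\
[safety_instrumented_function]
sif_id = SIF-101
trip_setpoint = 85.0
[diagnostics]
heartbeat_enabled = true
heartbeat_interval_s = 5
[alarms]
sis_unavailable_alarm = enabled
"""

# Constructed snapshot after two lines were removed: the heartbeat enable flag and the
# SIS-unavailable alarm, i.e. the kind of change that blinds the operator to SIS availability.
CURRENT_CONFIG = """\
[safety_instrumented_function]
sif_id = SIF-101
trip_setpoint = 85.0
[diagnostics]
heartbeat_interval_s = 5
[alarms]
"""

# Hypothetical mapping of asset risk category to the response workflow it triggers.
RISK_WORKFLOW = {"safety": "page-oncall-and-open-incident",
                 "critical": "open-high-ticket",
                 "standard": "open-ticket"}

# Hypothetical change tickets: the exact lines each ticket authorizes an asset to lose or gain.
AUTHORIZED_CHANGES = {
    "SIS-01": {"CHG-0042": {"removed": {"heartbeat_interval_s = 5"},
                            "added": {"heartbeat_interval_s = 10"}}},
}


@dataclass
class ChangeRecord:
    asset: str
    risk: str
    removed: list = field(default_factory=list)
    added: list = field(default_factory=list)
    workflow: str = ""
    ticket: Optional[str] = None
    residual: list = field(default_factory=list)
    closed: bool = False


def fingerprint(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def detect(asset: str, risk: str, baseline: str, current: str) -> ChangeRecord:
    """DETECT: line-level diff of the collected config against the known-good baseline."""
    rec = ChangeRecord(asset, risk)
    for line in difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0):
        if line[:3] in ("---", "+++") or line.startswith("@@"):
            continue  # skip unified-diff headers, keep only changed lines
        if line.startswith("-"):
            rec.removed.append(line[1:])
        elif line.startswith("+"):
            rec.added.append(line[1:])
    return rec


def notify(rec: ChangeRecord) -> str:
    """NOTIFY: pick the response workflow from the asset's risk category."""
    rec.workflow = RISK_WORKFLOW.get(rec.risk, RISK_WORKFLOW["standard"])
    return rec.workflow


def assess(rec: ChangeRecord, authorized=AUTHORIZED_CHANGES) -> Optional[str]:
    """ASSESS: authorized only if every removed and added line falls within one ticket's scope."""
    for ticket_id, scope in authorized.get(rec.asset, {}).items():
        if set(rec.removed) <= scope["removed"] and set(rec.added) <= scope["added"]:
            rec.ticket = ticket_id
            return ticket_id
    rec.ticket = None
    return None


def remediate(rec: ChangeRecord, baseline: str, submitted: str) -> bool:
    """REMEDIATE (closed loop): re-collect the engineer's edited config and verify it against baseline."""
    check = detect(rec.asset, rec.risk, baseline, submitted)
    rec.residual = [f"-{ln}" for ln in check.removed] + [f"+{ln}" for ln in check.added]
    rec.closed = not rec.residual and fingerprint(submitted) == fingerprint(baseline)
    return rec.closed


def audit(rec: ChangeRecord) -> dict:
    """AUDIT: the workflow record a compliance report would draw on."""
    return {"asset": rec.asset, "workflow": rec.workflow, "authorized_by": rec.ticket,
            "lines_removed": len(rec.removed), "lines_added": len(rec.added),
            "remediation_closed": rec.closed, "residual_diff": rec.residual}


if __name__ == "__main__":
    rec = detect("SIS-01", "safety", BASELINE_CONFIG, CURRENT_CONFIG)
    notify(rec)
    assess(rec)
    # First attempt restores only one of the two lines: the loop stays open and audit shows why.
    partial = CURRENT_CONFIG.replace("[diagnostics]\n", "[diagnostics]\nheartbeat_enabled = true\n")
    remediate(rec, BASELINE_CONFIG, partial)
    print(audit(rec))
    remediate(rec, BASELINE_CONFIG, BASELINE_CONFIG)
    print(audit(rec))
```

Two design points matter here. Authorization is judged against the exact lines a ticket covers rather than against "a ticket exists for this asset", so a change that goes beyond its approved scope is still flagged. And `remediate` never trusts the engineer's report; it re-runs `detect` on the re-collected file and only closes the record when the residual diff is empty, which is what a closed loop means in practice.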
How would your organization fare in this example – would it be the best of times, or the worst of times?