If you have ICS devices that are responsible for operations and mechanical processes, then I hope you have at least 2 or more security zones in your organization. The philosophy of security zones is based on two principles:
- Least privilege : Minimum access level/privilege is given for users to perform a certain task.
- Least route : A component [Asset] in an ICS network is connected and communicated to, only when it is necessary to perform a task.
There are two types for ICS zones: one category is based on location (physical) and the other is based on functionality (logical) . Zones are communicated and connected via “conduits” such as cables.
What is the goal of a security zone?
The goal is based on allowed vs disallowed technologies within a zone or a conduit. It is to prevent a technology from affecting the entire zone either because it is vulnerable or misconfigured.
How to test the security of a zone and how to harden it ?
- Check asset inventory list.
- Evaluate risk and vulnerabilities.
- Remove unnecessary assets from a zone.
- Implement security controls.
Finally I would like to share with you three tips:
- Don’t use dual-homed (ethernet with more than one network interface) computers to isolate a control network from a corporate network.
- The two-zone design that is commonly used in industrial organization is not recommend, if it contains no demilitarized zone (DMZ).
- A design that is based on at least three zones is the most secure option.
Establishing a Security zone is one of the basic defensive practices to secure an ICS. Asset owners should really consider it as a priority before thinking to invest on intrusion detection systems, threat monitoring and other fancy security technologies. You should build your castle first (security zone) as a first step towards a defense-in-depth strategy. Once you have established your zones, choosing a technology will be easier and eventually is built on rational and practical grounds, not on imagination or fiction or a salesman’s advice.
- Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems . By Eric D. Knapp and Joel Thomas Langill
- SP 800-82 Rev. 2: Guide to Industrial Control Systems (ICS) Security