{"id":236,"date":"2021-02-28T10:03:02","date_gmt":"2021-02-28T07:03:02","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=236"},"modified":"2021-02-28T10:09:15","modified_gmt":"2021-02-28T07:09:15","slug":"tips-tricks-3-how-to-assess-the-security-of-your-ics-architecture","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2021\/02\/28\/tips-tricks-3-how-to-assess-the-security-of-your-ics-architecture\/","title":{"rendered":"Tips &#038; Tricks 3: How to assess the security of your ICS architecture?"},"content":{"rendered":"\n<p>If you have ICS devices that are responsible for operations and mechanical processes, then I hope you have at least two security zones in your organization. The philosophy of security zones is based on two principles:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Least privilege: users are given the minimum access level\/privilege needed to perform a given task.<\/li><li>Least route: a component (asset) in an ICS network is connected to, and communicated with, only when that is necessary to perform a task.<\/li><\/ul>\n\n\n\n<p>There are two types of ICS zones: one is based on location (physical) and the other on functionality (logical). Zones are connected to, and communicate with, each other via &#8220;conduits&#8221; such as cables.<\/p>\n\n\n\n<p>What is the goal of a security zone?<\/p>\n\n\n\n<p>The goal is defined in terms of allowed versus disallowed technologies&nbsp;within a zone or a conduit: to prevent a single technology, whether vulnerable or misconfigured, from affecting the entire zone.<\/p>\n\n\n\n<p>How do you test the security of a zone, and how do you harden it?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Check the asset inventory list.<\/li><li>Evaluate risks and vulnerabilities.<\/li><li>Remove unnecessary assets from the zone.<\/li><li>Implement security controls.
<\/li><\/ul>\n\n\n\n<p>Finally, I would like to share three tips with you:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Don&#8217;t use dual-homed computers (hosts with more than one Ethernet network interface) to isolate a control network from a corporate network.<\/li><li>The two-zone design commonly used in industrial organizations is not recommended if it contains no demilitarized zone (DMZ).<\/li><li>A design based on at least three zones is the most secure option.<\/li><\/ol>\n\n\n\n<p>Establishing security zones is one of the basic defensive practices for securing an ICS. Asset owners should really treat it as a priority before thinking of investing in intrusion detection systems, threat monitoring and other fancy security technologies. Build your castle (the security zones) first, as the first step towards a defense-in-depth strategy. Once your zones are established, choosing a technology becomes easier and rests on rational, practical grounds rather than on imagination, fiction or a salesman&#8217;s advice.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Eric D. Knapp and Joel Thomas Langill, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems<\/li><li>NIST SP 800-82 Rev. 2: Guide to Industrial Control Systems (ICS) Security<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If you have ICS devices that are responsible for operations and mechanical processes, then I hope you have at least 2 or more security zones in your organization. The philosophy of security zones is based on two principles: Least privilege : Minimum access level\/privilege is given for users to perform a certain task. 
Least route [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":248,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,4,3,31,33,24,32],"tags":[28,7,13,6,35,34,27],"class_list":["post-236","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-asset-identification","category-cyber-security","category-ics-security","category-risk-assessment","category-security-zones","category-tips-tricks","category-vulnerability-assessment","tag-asset-identification","tag-cyber-security","tag-ics","tag-ics-security","tag-security-conduits","tag-security-zones","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":18,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"predecessor-version":[{"id":256,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/236\/revisions\/256"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/248"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}