{"id":638,"date":"2022-02-21T20:24:45","date_gmt":"2022-02-21T17:24:45","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=638"},"modified":"2022-02-21T20:24:45","modified_gmt":"2022-02-21T17:24:45","slug":"ot-ics-secure-by-design","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2022\/02\/21\/ot-ics-secure-by-design\/","title":{"rendered":"OT\/ICS Secure by Design"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-style-large is-layout-flow wp-block-quote-is-layout-flow\"><p>The pros don\u2019t bother with vulnerabilities; they use features to compromise the ICS<\/p><cite>Ralph Langner<\/cite><\/blockquote>\n\n\n\n<p>I found this quote on <a rel=\"noreferrer noopener\" href=\"https:\/\/dale-peterson.com\/2013\/11\/04\/insecure-by-design-secure-by-design\/\" target=\"_blank\">Dale Peterson&#8217;s blog<\/a>. I strongly agree with it, because many ICS\/OT devices still suffer from insecure-by-design features. However, that doesn&#8217;t mean that vulnerabilities in the NIST database and CVEs don&#8217;t matter! They do matter, and they can sometimes lead to serious harm. The goal in OT\/ICS security is not to focus on the NIST database alone, but to also give design issues a high priority and do something about them. Asset owners and vendors should focus on both types of vulnerabilities [2]. Relying on NIST CVEs for OT\/ICS is only scratching the surface [2]. As security professionals we should look for the documented OT\/ICS features that allow the system to be manipulated, and try to change or hide those features that could lead to an impact or a security incident. <\/p>\n\n\n\n<p>Of course there are other types of vulnerabilities, not just design flaws and CVEs. 
In fact, NIST classifies them in its document <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-82\/rev-2\/final\" target=\"_blank\" rel=\"noreferrer noopener\">800-82<\/a> into six types:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Policy and Procedure Vulnerabilities<\/li><li>Architecture and Design Vulnerabilities<\/li><li>Configuration and Maintenance Vulnerabilities<\/li><li>Physical Vulnerabilities<\/li><li>Software Development Vulnerabilities<\/li><li>Communication and Network Configuration Vulnerabilities<\/li><\/ul>\n\n\n\n<p>In this article, I focus on the design type. Why? Recently I have seen some OT\/ICS vendors developing secure-by-design features in their products. I also don&#8217;t want to forget the excellent project &#8220;<a rel=\"noreferrer noopener\" href=\"https:\/\/plc-security.com\/\" target=\"_blank\">Top 20 Secure PLC Coding Practices<\/a>&#8221;, which was a product of OT\/ICS community cooperation; many thanks to them. Back to the vendors: big vendors such as <a href=\"https:\/\/process.honeywell.com\/us\/en\/products\/control-and-supervisory-systems\/programmable-logic-controllers-plc\/controledge-plc\">Honeywell<\/a>, with its implementation of secure boot and a built-in firewall in its PLCs, and <a rel=\"noreferrer noopener\" href=\"https:\/\/www.siemens.com\/\" target=\"_blank\">Siemens<\/a>, with its application of communication encryption, as well as other vendors, have started to add security features; please go there and have a look. I think they are working to overcome the most critical issue, &#8220;insecure design&#8221;, and to prepare a more secure future for their customers. I also saw a good white paper by <a href=\"https:\/\/bedrockautomation.com\/revolution\/\">Bedrock Automation<\/a>, where they apply their concept of &#8220;intrinsic security&#8221;, in other words &#8220;secure by design&#8221;, to their products. 
They have listed their secure components as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Metal (for protection)<\/li><li>Ports (remove or close unnecessary ports; otherwise authentication is required)<\/li><li>Pins and Electromagnetic Interference (EMI)<\/li><li>Electromagnetic Pulse (EMP) and Cyber Defense<\/li><li>Counterfeiting<\/li><li>Cryptography and Strong Encryption<\/li><li>Secure Boot<\/li><li>True Random Numbers<\/li><li>Security Hardened Operating Systems<\/li><li>Evaluation Assurance Level<\/li><li>Anti-Tamper for Cyber Defense<\/li><li>Secure Supply Chain and Key Management System<\/li><li>Public Key Infrastructure (PKI)<\/li><li>Hardware Root of Trust<\/li><\/ul>\n\n\n\n<p>As we can see, their specs span design, network, software and physical security. I&#8217;m not advertising any OT\/ICS vendor; I mention them because this is part of what I do and is related to my area of research. I&#8217;m not going to rank or analyze these security features; maybe I will do that in another article. The point of this article is that in the past many OT\/ICS professionals lost hope of ever seeing &#8220;secure by design&#8221; come to the surface; see the 2013 Dale Peterson blog post linked above, for example. That is over! We are finally seeing efforts by OT\/ICS vendors in this direction, and that is excellent. <\/p>\n\n\n\n<p>The security features mentioned above are implemented deep down at levels 0-1 of the ICS Purdue model. Other vendors, such as <a rel=\"noreferrer noopener\" href=\"https:\/\/sigasec.com\/\" target=\"_blank\">Siga<\/a>, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.missionsecure.com\/\" target=\"_blank\">Mission Secure<\/a> and <a rel=\"noreferrer noopener\" href=\"https:\/\/www.fortiphyd.com\/\" target=\"_blank\">Fortiphyd<\/a>, have also started to monitor this level, which could help those who don&#8217;t have the new generation of hardware described above [1]. 
I haven&#8217;t covered all vendors, by the way. Those vendors have developed solutions that identify process variable anomalies. It&#8217;s like what our friends at <a rel=\"noreferrer noopener\" href=\"https:\/\/www.nozominetworks.com\/\" target=\"_blank\">Nozomi<\/a>, <a rel=\"noreferrer noopener\" href=\"https:\/\/claroty.com\/\" target=\"_blank\">Claroty<\/a> and others do, but at a lower level of the Purdue model. Level 0-1 security has been a topic for many OT\/ICS experts, such as Joe Weiss, who has been calling for securing levels 0-1 for a long time [3]. <\/p>\n\n\n\n<p>Finally, I leave you with <a rel=\"noreferrer noopener\" href=\"https:\/\/collaborate.mitre.org\/attackics\/index.php\/Main_Page\" target=\"_blank\">MITRE ATT&amp;CK for ICS<\/a>. It&#8217;s a great database of the techniques and tools that adversaries use to attack OT\/ICS. It lays out many types of OT\/ICS devices and how they get compromised. Go there, learn it and find out what applies to you. Maybe you don&#8217;t have a &#8220;secure by design&#8221; OT\/ICS system yet. 
This database can guide you on how to protect your assets from adversaries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references\">References:<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li><a href=\"https:\/\/www.linkedin.com\/pulse\/pivot-process-variable-anomaly-detection-dale-peterson\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.linkedin.com\/pulse\/pivot-process-variable-anomaly-detection-dale-peterson\/<\/a><\/li><li><a href=\"https:\/\/www.langner.com\/2019\/03\/what-does-insecure-by-design-actually-mean-for-ot-ics-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.langner.com\/2019\/03\/what-does-insecure-by-design-actually-mean-for-ot-ics-security\/<\/a><\/li><li><a href=\"https:\/\/www.controlglobal.com\/blogs\/unfettered\/the-ot-paradigm-is-broken-technically-and-culturally-it-must-be-fixed\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.controlglobal.com\/blogs\/unfettered\/the-ot-paradigm-is-broken-technically-and-culturally-it-must-be-fixed<\/a><\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"<p>The pros don\u2019t bother with vulnerabilities; they use features to compromise the ICS Ralph Langner I found this quote on Dale Peterson&#8217;s blog. I strongly agree with it, because many ICS\/OT devices still suffer from insecure-by-design features. However, that doesn&#8217;t mean that NIST vulnerabilities and CVEs don&#8217;t matter! 
They do matter [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,3,130,48,67,135,129,5],"tags":[119,122,127,118,131,125,121,6,133,124,117,126,47,134,132,120,123,128,27],"class_list":["post-638","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-ics-security","category-insecure-by-design","category-ot-security","category-plc","category-purdue-model","category-secure-by-design","category-vendors","tag-attck-for-ics","tag-bedrock-automation","tag-claroty","tag-cve","tag-dale-peterson","tag-fortiphyd","tag-honeywell","tag-ics-security","tag-level-0-1","tag-mission-secure","tag-nist","tag-nozomi","tag-ot-security","tag-purdue-model","tag-ralph-langner","tag-siemens","tag-siga","tag-top-20-plc","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=638"}],"version-history":[{"count":43,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/638\/revisions"}],"predecessor-version":[{"id":684,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/638\/revisions\/684"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}",
"templated":true}]}}