Layering Network Security Management Solutions on an Industrial Network
We at Rumsey are excited about our new relationship with Tripwire. Why, you may ask? Because it brings you the best practice of network configuration and compliance management, something that has been a key aspect of cyber security for years in traditional corporate networks but a large gap within plant networks. We think this is a game changer for security in manufacturing - increasing visibility, making security monitoring easy and providing built-in templates for a fast start.
So, what is Tripwire and how can it help you?
Industrial network and control security requires an assessment of existing assets and their configurations to determine weaknesses and gaps, a practice common in corporate environments but previously inaccessible to the plant environment and its support teams. Tripwire Configuration & Compliance Management (Tripwire CCM for Industrial Automation) delivers this in a “no-touch” or “low-touch” manner for Allen-Bradley control systems, firewalls, switches, databases, and application servers – such as your HMI/SCADA and Data Historians. Tripwire CCM can accelerate that assessment, tell you where you stand in terms of security in the plant, and has best practices built in so you don’t have to be a cybersecurity expert. Sounds good, right? If so, you may be wondering – why not use one of the existing solutions already out there?
What Makes this Breakthrough?
One Good Question, Two Good Reasons.
- Traditional solutions are built for enterprise assets – to monitor security settings and conduct known vulnerability audits on critical servers, end devices such as laptops and desktops, and network components such as switches / routers. While we certainly have those devices on the plant floor, we also have one more type of device – in many cases more important than anything else - our PLCs.
Unfortunately, enterprise solutions will not go past the standard IT type of device, let alone understand what a PLC is or alert your organization if there are current security vulnerabilities for it. Nor will they understand what a secure profile might be for a plant floor server, switch, etc., since the standards on which these are based are immensely different.
- Traditional solutions are resource intensive. Quite frankly, our industrial networks are too sensitive, and the likelihood that one would be brought to its knees by a traditional solution is high. To function in the industrial world a solution needs to be “low-touch” or “no-touch”.
Let’s Look at #1. How does Tripwire CCM address critical “plant assets”?
This is why we are excited; it does so in a few ways:
- Standard Security Policy Monitoring - Tripwire treats Industrial Assets, such as Plant Workstations and Servers, just as it would Enterprise Workstations and Servers – it identifies these, then compares the current configuration settings against recommended standards-based security templates. In addition, you have a policy library with more than 700 templates of security frameworks, including those from Industrial Standards Organizations such as ISA/IEC 62443-3-2, NIST SP800, NERC CIP, and others, all available to you and your IT team to utilize.
If your critical plant servers, such as your FactoryTalk Directory, FT View Server, FT Batch Servers, FT Historian Servers, etc. are not configured to match the secure template, you can be alerted that an asset has failed the audit and provided a remediation path. Also, if a setting on a server changes that bumps it out of conformance, you can be alerted. This ensures all of your plant servers are given the same care as the enterprise ones; that they are consistently, continuously secure, but without implementing potentially harmful enterprise policy templates.
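The audit-then-watch-for-drift idea above, as an added example that is not Tripwire code and does not read Tripwire's policy library: a hypothetical hardening template is checked against two constructed snapshots of a plant server, each failed rule carries its remediation text, and a later snapshot is compared against the last compliant one to surface drift. In a real deployment the settings would be collected from the host rather than typed into a dict.

```python
"""Audit plant-server settings against a hardening template and watch for drift.

Added example, not Tripwire code: the template rules, server snapshots and
remediation text are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    setting: str
    expected: Any
    remediation: str
    minimum: bool = False  # True: the actual value must be >= expected


# Hypothetical hardening template for an HMI/SCADA application server.
HMI_SERVER_TEMPLATE = [
    Rule("smbv1_enabled", False, "Disable SMBv1 on the server"),
    Rule("rdp_nla_required", True, "Require Network Level Authentication for RDP"),
    Rule("logon_auditing", "success_and_failure",
         "Audit both successful and failed logons"),
    Rule("min_password_length", 14, "Raise the minimum password length", minimum=True),
]


def audit(config: dict[str, Any], template: list[Rule]) -> list[dict[str, Any]]:
    """Return one finding per template rule the configuration fails or omits."""
    findings = []
    for rule in template:
        actual = config.get(rule.setting)
        if actual is None:
            ok = False  # an unset control is a failure, never a silent pass
        elif rule.minimum:
            ok = isinstance(actual, (int, float)) and actual >= rule.expected
        else:
            ok = actual == rule.expected
        if not ok:
            findings.append({
                "setting": rule.setting,
                "expected": rule.expected,
                "actual": actual,
                "remediation": rule.remediation,
            })
    return findings


def detect_drift(baseline: dict[str, Any], current: dict[str, Any]) -> list[dict[str, Any]]:
    """Report every setting whose value differs from the last approved snapshot."""
    changed = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changed.append({"setting": key, "was": baseline.get(key), "now": current.get(key)})
    return changed


# Constructed snapshots of a hypothetical FT View server taken a month apart.
FTVIEW_INITIAL = {
    "smbv1_enabled": True,             # fails: legacy protocol still on
    "rdp_nla_required": True,
    "logon_auditing": "success_only",  # fails: failed logons are not audited
    "min_password_length": 14,
}
FTVIEW_HARDENED = {**FTVIEW_INITIAL, "smbv1_enabled": False,
                   "logon_auditing": "success_and_failure"}
FTVIEW_LATER = {**FTVIEW_HARDENED, "smbv1_enabled": True}  # someone re-enabled SMBv1


if __name__ == "__main__":
    for f in audit(FTVIEW_INITIAL, HMI_SERVER_TEMPLATE):
        print(f"FAIL  {f['setting']}: {f['actual']!r} != {f['expected']!r} -> {f['remediation']}")
    for d in detect_drift(FTVIEW_HARDENED, FTVIEW_LATER):
        print(f"DRIFT {d['setting']}: {d['was']!r} -> {d['now']!r}")
```

Treating an unset control as a failure is the deliberate choice here: a template check that quietly passes on a setting it could not read would report a server as compliant when nothing was actually verified.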
- Industrial Configuration Check for Switches, Routers, Firewalls and Remote Access – For core network components, the Tripwire solution provides validation of network device configurations, assurance that required network segmentation configurations are set to the security standard templates, and assurance or alerting if they “drift” from the industrial policy. Tripwire can also identify any remote services and validate the configuration of remote access products to ensure they match established policy. Finally, Tripwire can monitor remote access logs to identify anomalous or suspicious activity, such as access and authentication outside a specified time window or with unusual accounts.
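The remote-access log review described in the last sentence above, as an added example that is not Tripwire code: constructed gateway log lines are parsed, and each successful login is checked against an assumed maintenance window (07:00-19:00 UTC) and an assumed list of approved remote-access accounts. Real gateways log in their own formats, and the window should be expressed in the plant's local time zone.

```python
"""Flag remote-access logins outside the maintenance window or by unapproved accounts.

Added example, not Tripwire code: the log format, account list, time window and
sample lines are all constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, time, timezone

# Hypothetical remote-access gateway line, e.g.
#   2017-08-14T02:13:44Z remote-gw login user=svc_backup src=203.0.113.9 result=success
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed policy: vendor remote access is only expected 07:00-19:00 UTC and
# only from the named maintenance accounts.
WINDOW_START, WINDOW_END = time(7, 0), time(19, 0)
APPROVED_ACCOUNTS = {"oem_support", "integrator1"}


def parse(line: str) -> dict | None:
    """Parse one gateway line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def review(lines: list[str]) -> list[dict]:
    """Return one alert per successful login that breaks the window or account policy."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["result"] != "success":
            continue  # failed logins belong to a separate, volume-based check
        reasons = []
        if not WINDOW_START <= rec["ts"].time() <= WINDOW_END:
            reasons.append("outside maintenance window")
        if rec["user"] not in APPROVED_ACCOUNTS:
            reasons.append("account not on approved remote-access list")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                           "src": rec["src"], "reasons": reasons})
    return alerts


# Constructed sample log: one normal login, three that should alert, one failure, one junk line.
SAMPLE_LOG = [
    "2017-08-14T09:05:12Z remote-gw login user=oem_support src=198.51.100.20 result=success",
    "2017-08-14T02:13:44Z remote-gw login user=oem_support src=198.51.100.20 result=success",
    "2017-08-14T10:40:01Z remote-gw login user=svc_backup src=203.0.113.9 result=success",
    "2017-08-15T23:58:30Z remote-gw login user=admin src=203.0.113.9 result=success",
    "2017-08-15T23:59:02Z remote-gw login user=admin src=203.0.113.9 result=failure",
    "this line does not match the gateway format",
]


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']}@{a['src']}: {'; '.join(a['reasons'])}")
```

Lines that do not parse are skipped rather than treated as alerts; in practice a count of unparsed lines is worth reporting separately, since a format change on the gateway would otherwise silently blind the check.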
- PLC Change & Vulnerability Reporting – Here is where it gets interesting. Did you know in 2015 there were 371 security alerts and vulnerabilities published by the major Automation vendors? This number has increased 7-fold since 2010, as reported in the 2016 ICS Vulnerability Trend Report by FireEye. While you may think your control systems are safe due to proprietary hardware and software, custom-built malware designed to penetrate Industrial Controls environments already exists. Heard of Stuxnet? That was the first major reported instance, however Irongate followed and unfortunately, hacking kits for SCADA devices are widely available.
When was the last time you or your plant engineers collected every PLC Firmware Revision and did a comparison against known vulnerabilities? Yes, I know what you are thinking: that would be nearly impossible to manage. Correct. Even if you did it once, how could it ever be sustainable to do that daily, weekly or even monthly? It isn’t.
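The firmware-revision-versus-known-vulnerabilities comparison described above, as an added example that is not Tripwire code: a constructed PLC inventory is matched against a constructed advisory feed using numeric revision comparison, so that "20.011" sorts below "20.100" as it should. The controller names, product families, revisions and advisory IDs are all placeholders (the advisory numbers are not real); a real run would load the feed from the vendor's or ICS-CERT's published data.

```python
"""Build a PLC firmware inventory and match it against published advisories.

Added example, not Tripwire code: controllers, product families, revisions and
advisory entries are constructed placeholders; the advisory IDs are not real.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_rev(rev: str) -> tuple[int, ...]:
    """'20.011' -> (20, 11); numeric so that '20.011' < '20.100' < '21.003'."""
    return tuple(int(part) for part in rev.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder, not a real advisory number
    product: str
    first_affected: str   # inclusive
    fixed_in: str | None  # exclusive; None means no fix published yet

    def affects(self, product: str, rev: str) -> bool:
        """True if the installed revision falls in [first_affected, fixed_in)."""
        if product != self.product:
            return False
        r = parse_rev(rev)
        if r < parse_rev(self.first_affected):
            return False
        return self.fixed_in is None or r < parse_rev(self.fixed_in)


# Constructed advisory feed for two hypothetical controller families.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExamplePLC-1000", "20.000", "20.014"),
    Advisory("ADV-EXAMPLE-002", "ExamplePLC-1000", "21.000", None),
    Advisory("ADV-EXAMPLE-003", "ExamplePLC-500", "1.2", "1.6"),
]

# Constructed inventory as a plant team might collect it: (line, controller, product, revision).
INVENTORY = [
    ("Line1", "PLC-L1-MAIN", "ExamplePLC-1000", "20.011"),
    ("Line1", "PLC-L1-PACK", "ExamplePLC-1000", "20.014"),
    ("Line2", "PLC-L2-MAIN", "ExamplePLC-1000", "21.003"),
    ("Utilities", "PLC-UTIL-1", "ExamplePLC-500", "1.6"),
    ("Utilities", "PLC-UTIL-2", "ExamplePLC-500", "1.4"),
]


def match_inventory(inventory, advisories) -> list[dict]:
    """Return one row per (controller, advisory) pair where the installed revision is affected."""
    rows = []
    for line, name, product, rev in inventory:
        for adv in advisories:
            if adv.affects(product, rev):
                rows.append({
                    "line": line, "controller": name, "product": product, "revision": rev,
                    "advisory": adv.advisory_id,
                    "fix": adv.fixed_in or "none published; apply compensating controls",
                })
    return rows


if __name__ == "__main__":
    for row in match_inventory(INVENTORY, ADVISORIES):
        print(f"{row['line']}/{row['controller']} {row['product']} {row['revision']}: "
              f"{row['advisory']} (fix: {row['fix']})")
```

Rerunning this against a fresh feed is the cheap part; the expensive part the text is pointing at is keeping the inventory itself current, which is exactly what an automated, low-touch collector is for.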
BUT, checking for security alerts and vulnerabilities is a top priority in a security program and standard practice. In fact, the #1 item in the Top 5 CIS Critical Security Controls is “inventory of authorized and unauthorized devices” followed by #2, “Inventory of authorized and unauthorized software”.
All major corporations use some type of management and vulnerability monitoring to check servers and end devices for required updates across their enterprise IT assets. Did Service Pack 2 get pushed to your laptop last month? Didn’t get affected by WannaCry or Petya? That’s because your enterprise conformance and configuration monitoring solution recognized your device as vulnerable when the security alert came out. Your IT group was alerted and they determined and implemented the appropriate remediation.
So how do we get the same level of visibility implemented for our critical plant assets, like PLCs, without bringing down the plant network? The Outlook exchange server may be the heart of our company but the PLCs are the heart of our plant. See the upcoming “Part 2” for more on low-touch and no-touch solutions.