CIPSEC present at the ICS Cybersec 2018 conference in Israel

Thursday, November 8, 2018
Tel Aviv, Israel

Comsec has attended the ICS Cybersec 2018 conference in Israel, on the 11th of October.

The conference was taking place for the 3rd time in Israel, and focused on the protection of critical infrastructures such as: electricity, water, oil and gas, transportation, communication, manufacturing and building management systems.

The conference hosted ICS experts and leaders who presented innovative solutions and live cyber-attack simulations.

Over 700 seniors from leading cybersecurity companies, consultants, CISOs and users attended this conference.

The following are some of the main points discussed during the conference:

Differences between OT and IT

Many security personnel make the mistake of thinking that there is no significant difference between OT and IT networks and the management of these networks and their security is done using the same means.

The conference discussed this issue and claimed that there are significant differences in the security of the OT network compared to the IT network:

  • In IT networks we are required to protect the information (confidentiality, integrity and availability) while in OT networks we are required to protect the lives of employees (Safety), and the reliability and productivity of the systems.
  • IT networks can use intrusion protection systems and allow automatic response to events, while OT networks are prohibited from interfering with communications traffic due to the risk of damage to the system's ongoing work, and therefore only monitoring systems can be used.
  • Network components and systems in IT networks are more up-to-date and contain many security capabilities, compared to components and systems in OT networks that are very old and therefore do not support even basic security capabilities (such as password enforcement, central identity, etc.) and are therefore more vulnerable. In addition, manufacturers no longer support some of the components even though they can not be replaced due to compatibility requirements for other systems on the network.
  • OT networks are often not exposed to the Internet as opposed to IT networks that are often connected to the Internet through several different interfaces (email, web, remote access, etc.).
  • Network traffic in OT networks is predictable since the network components perform the same operations over and over, as opposed to the network traffic in IT networks that is changing all the time.

Connecting OT networks to IT networks

When possible, the OT networks should not be connected to IT networks and vice versa, as the IT network's attack surface is wider and may allow unauthorized access to OT-sensitive systems.

However, connecting these networks is sometimes inevitable due to the need to provide remote support for remote controllers / communications equipment, the need to monitor the OT network using the SIEM system on the IT network, and other needs.

If networks need to be connected, access should be limited to the minimum and connectivity should only be enabled at certain times or even manually when required. Also, consider restricting one-way communication between networks using communication components such as diodes or dedicated security systems.

Embedded cyber protection and monitoring

During the conference, a number of leading cyber security manufacturers such as Checkpoint, Palo-Alto, Trend-Micro, Indegy, Claroty and others presented few of their solutions to ICS/SCADA networks.

In recent years, security solutions for ICS / SCADA networks have been widely developed and most of them focus on mapping components and monitoring the network to identify unusual behavior. Most solutions use static monitoring capabilities (Deep Packet Inspection) while some solutions, such as Indegy, combine static capabilities with dynamic actions to retrieve information from network devices using the ICS / SCADA protocols used by the systems.

In addition, many firewall solutions now support the separation of components in the second layer in the OSI model, the Data Link layer, cataloging the network components according to their type and function, and creating rules based on the component MAC addresses and other properties. This allows for basic network separation in ICS networks where separation to different network segments is not always possible.

Patch management in ICS ad SCADA networks:

Updating systems in OT networks cannot be as frequent as in IT networks because OT systems are required for continuous real-time work and fault due to poor updating may lead to the disabling of critical systems. The security practice for these networks is to install updates only when the update addresses critical security issues that are relevant to the organization and are likely to be exploited. In other cases, compensatory security controls should be preferred.

The perception is that sometimes installing updates can cause more harm than good.

New generation of PLC controllers

During the conference, Schneider Electrics presented their new Modicon M580 ePAC controller which offers an enhanced cyber-security features such as built-in Firewall, Built-in monitoring of firmware and software integrity, secure authentication mechanism, IPSEC encryption and more. This new generation of PLC controllers is a great news for the industry that has so far been left behind when it comes to security.

In conclusion, it seems that this industry comes to life in terms of security and many manufacturers understand the need and enter the market with dedicated security solutions (or at least adapting their existing systems to OT networks) to secure these sensitive networks while taking into account the different needs and constrains of the OT networks.