Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/7/2018
10:30 AM
John Moran
John Moran
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Role of Incident Response in ICS Security Compliance

The data-driven nature of IR can provide many of the reporting requirements governing industrial control system safety, finance, consumer privacy, and notifications.

Regulatory compliance in industrial environments poses unique challenges not found in traditional IT settings. A leading source of this complexity stems from the pre-Internet, largely proprietary nature of industrial control system (ICS) networks, specifically their lack of open computing standards, which are taken for granted in IT networks. These closed ICS networks are extremely hard to update, and even harder to maintain in compliance with state, federal, and industry regulations.

In addition, most ICS networks lack built-in security components, notably automated asset management, proactive security monitoring, and real-time threat analysis and prevention. Plus, most of the applicable regulations and guidelines apply specifically to verticals such as healthcare and energy, and cover ICS only either indirectly or at a very high level. Consequently, the responsibility for security and incident response (IR) falls primarily on those who implement and utilize ICS, namely operational technology personnel, not the security team. 

5 Core Elements of ICS Compliance
Although specific regulations and standards vary, there are five key elements to consider when developing an ICS compliance program:

Asset management: Identifying and classifying ICS assets and the data they contain.

Identity and access management: Using role-based access control (RBAC) and authentication, authorization, and accounting (AAA) to manage ICS assets.

Risk assessments, vulnerability management, and change management: All of these functions involve identifying risks and vulnerabilities, and patching ICS assets, which can be challenging because different vendors provide varying levels of support and maintenance. 

Security controls: Isolating the ICS network from the rest of the organization's networks. The key tool is encryption — of data at rest and in transit — to ensure the integrity of applications as well as data. Other important tools are monitoring and logging network activity.

Physical security: Mostly, this means restricting physical access to the ICS devices. Because internal security capabilities of most ICS devices are often very limited, organizations must ensure that proper external controls are in place to fill gaps.

ICS Compliance Frameworks
US ICS-CERT has some of the most detailed recommendations for security and compliance specific to ICS, specifically, Recommended Practice: Creating Cyber Forensics Plans for Control Systems (2008) and Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (2009). 

Another good source of information for all organizations is the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems. It provides recommendations and best practices.

Most verticals have specific guidelines for what organizations should do in incident response. Generally, organizations should familiarize themselves with all existing frameworks, laws, and regulatory and compliance standards so they can use them to create effective plans, policies, and procedures.

Incident Response & ICS Compliance
Because meeting ICS regulatory compliance requirements involves documenting processes and procedures, the data-driven nature of IR provides many of the reporting elements to comply with the strictest regulations regarding finance, safety, consumer privacy, customer notifications, and so on.

For example, the foundation of ICS compliance is built on auditing of assets. Without proper auditing, an organization is forced to assume the worst when a breach or attack occurs — that everything has been infected.

Detection, also a central element IR, is tightly aligned with compliance. Being able to detect and respond to a breach when it occurs, instead of weeks or months later, enables organizations to limit or avoid regulatory sanctions, as well as public relations nightmares.

IR investigation and threat hunting, meanwhile, provide the audit trail for satisfying compliance mandates. If an organization suffers a breach it must be able to quickly determine when it happened, what damage was caused, and whether it has been remediated or not.

Finally, IR's ability to document workflows and findings can play a central role in complying with disclosure requirements and help meet the short deadlines for notifying all internal and external stakeholders.

Related Content:

 

Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

John Moran is a product management, security operations, and incident response expert and currently holds the position of Senior Product Manager at DFLabs, where he is responsible for shaping the product road map, strategic planning, technology partnerships, and customer ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.