Flat networks have been a security issue for decades. IT networks solved this risk years ago by using hierarchical switches and network segmentation, but flat networks are still quite common in manufacturing environments. With the increased information demand in industrial control system (ICS) environments, many manufacturers have connected their ICS networks to their IT networks without proper isolation, reintroducing flat networks and their security risks. Because they lack security segmentation, malicious hackers who gain access to a phone, computer, fob, or IoT device on the IT network can navigate their way into the ICS networks. With attackers increasingly shifting their focus to industrial plants and manufacturing companies, flat networks are reemerging as a key vulnerability in operational resilience for manufacturers. In an ICS environment, a cyberattack can quickly become a physical breach.
Following are five important tips for reducing the risk inherent in flat networks.
- Stop traffic between networks with Access Control List (ACL) Rules
Virtual LANs (VLANs) are an important part of a well-designed network, but they don’t make a network secure. To stop malicious threats, all non-essential traffic must be stopped from traversing between manufacturing network segments and other areas by setting up proper ACL rules. In modern networking, ACLs can be implemented at the switch level, at edge routers between facilities or in firewalls. Creating the appropriate ACLs at each level creates the best defense in depth, but at a minimum, ICS networks should have ACLs that only allow production information in the manufacturing environment and stop all traffic from office systems. A VLAN without the proper ACLs to protect it does nothing to improve security over a flat network.
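To make the "VLAN without an ACL is still flat" point concrete, here is an added example (not code from the original article or from Accenture) that models first-match ACL evaluation and checks a proposed rule set against the flows it must permit and deny before it is pushed to a switch or firewall. The address plan, the historian host, and the test flows are all constructed for the example.

```python
"""Added example: first-match ACL evaluation with a policy self-check.

Models how a switch, router or firewall ACL decides a flow (first matching
rule wins, implicit deny at the end) and verifies that an ICS-inbound ACL
really blocks office traffic while leaving the one sanctioned IT-side host
(a historian) able to poll PLCs. Every address below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches every destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("any", flow.proto)
            and flow.src in rule.src
            and flow.dst in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow):
    """First matching rule wins; a flow that matches nothing hits the implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.note
    return "deny", "implicit deny at end of ACL"


# Constructed address plan (assumption, not from the page).
OFFICE = ip_network("10.10.0.0/16")        # office / IT VLANs
HISTORIAN = ip_network("10.20.5.10/32")    # the one IT-side host allowed to poll the cell
ICS = ip_network("192.168.50.0/24")        # PLC / HMI VLAN

# ACL applied inbound toward the ICS VLAN: production data only, nothing from the office.
ICS_INBOUND = [
    Rule("permit", "tcp", HISTORIAN, ICS, 502, "historian polls PLCs over Modbus/TCP"),
    Rule("deny", "any", OFFICE, ICS, None, "office systems never reach the cell"),
    Rule("deny", "any", ANY_NET, ICS, None, "explicit catch-all so denies get logged"),
]

# A VLAN with no ACL applied behaves exactly like a flat network: everything passes.
NO_ACL = [Rule("permit", "any", ANY_NET, ANY_NET, None, "no ACL on this VLAN")]


def flow(proto, src, dst, dport):
    return Flow(proto, ip_address(src), ip_address(dst), dport)


# Flows the policy must decide correctly: (flow, expected action). All constructed.
EXPECTATIONS = [
    (flow("tcp", "10.20.5.10", "192.168.50.21", 502), "permit"),    # historian -> PLC, Modbus/TCP
    (flow("tcp", "10.10.44.7", "192.168.50.21", 502), "deny"),      # office laptop -> PLC
    (flow("tcp", "10.10.44.7", "192.168.50.30", 3389), "deny"),     # office laptop -> HMI over RDP
    (flow("tcp", "10.20.5.10", "192.168.50.21", 44818), "deny"),    # historian -> EtherNet/IP, never granted
]


def check_policy(rules, expectations):
    """Return the (flow, wanted, got) triples the ACL gets wrong, so the rule
    set is corrected before deployment rather than discovered in an incident."""
    mismatches = []
    for f, want in expectations:
        got, _ = evaluate(rules, f)
        if got != want:
            mismatches.append((f, want, got))
    return mismatches


if __name__ == "__main__":
    print("segmented VLAN, policy violations:", check_policy(ICS_INBOUND, EXPECTATIONS))
    print("VLAN with no ACL, policy violations:", len(check_policy(NO_ACL, EXPECTATIONS)))
```

Running it shows the ACL'd VLAN passing every expectation while the ACL-less VLAN fails all three deny cases, which is the whole difference between segmentation and a flat network wearing a VLAN tag. The same expectation list can be re-run whenever rules change, at the switch, the edge router and the firewall, to confirm each layer still enforces the policy on its own.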
- Perform physical walkdowns
In ICS environments, it’s common to have one expert running the system who knows where every cable is, what every machine does, how every sensor operates and where every Modbus register is buried. When she or he leaves or retires, their knowledge often goes with them. Over the last decade, we’ve asked for even more from these experts, as the requests for production data, remote service and remote connectivity have increased. They almost always get it done, but not always with security in mind. It’s important to do physical walkdowns to inspect equipment and connectivity to identify any changes or undocumented access. Unfortunately, we are never surprised when we find devices that should not be on a network – devices no current employee even knew existed. For example, during one recent walkdown of a client’s hardware development lab, we found a device that had a physical DSL line tied into the backbone of the lab network. No one could even figure out how the service bill for the DSL line was being paid. Stories like this are not uncommon and should help encourage us to keep a deep and current understanding of our manufacturing environments.
How often should you conduct a walkdown?
If your company is new to the process, walkdowns should be conducted quarterly. Over time, if you find nothing has changed and everything is working well you can move to annually. However, if you retool your process, do another walkdown.
A one-and-done approach for walkdowns is not effective. Especially in the current work-from-home environment, if an employee wanted to have remote access to production networks without having to physically come in, they may install a backdoor that no one knows about. Without periodic walkdowns you’d never find these potentially critical security issues.
- Lock down network connectivity via switches
Restricting access to your networks is important in helping you begin or continue to understand and trust devices that are connected to your network. This can be done both physically and through switch programming. Physically, switches should be in an access-controlled area, whether a network closet or a locked cabinet in the manufacturing environment. We’ve seen routers and switches sitting on desks, mounted to walls, or even sitting on top of locked cabinets, rather than within. Physically making it difficult to plug a device into your network helps keep devices from spreading malware to your network. It’s foundational to having a known-state network.
Even basic managed switches have the ability to turn ports on/off and limit connectivity by MAC address. Using these built-in features helps keep the network pristine and is another layer to stop accidental or targeted malware from jumping into your manufacturing environment. Turning off ports that are not active by design is the minimum you want to have at your network level. There are also advanced and expert-level Network Access Control (NAC) features in modern switches that can be extremely effective in monitoring and actively stopping changes in network connectivity, but in manufacturing environments, these solutions can cause significant grief to integrate.
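The following is an added example (not code from the original article or from Accenture) that audits a managed switch's port table against the documented device inventory and derives the minimal target state the paragraph describes: unused ports shut down, live ports pinned to the device that belongs on them, and unknown devices held for a walkdown. The port table, MAC addresses and inventory are constructed; on a real switch the same fields come from its `show` output or SNMP.

```python
"""Added example: known-state audit of switch ports against a device inventory.

All ports, MAC addresses and device names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    admin_up: bool            # port enabled in the switch config
    link_up: bool             # something is connected and has link
    allowed_macs: frozenset   # port-security allow list; empty = no restriction
    seen_macs: frozenset      # MAC addresses the switch has learned on the port


# Constructed inventory: the cell's documented devices.
INVENTORY = {
    "00:1d:9c:00:00:01": "PLC-1",
    "00:1d:9c:00:00:02": "PLC-2",
    "00:1d:9c:00:00:10": "HMI-1",
    "00:1d:9c:00:00:20": "historian-uplink",
}

# Constructed port table as gathered during a walkdown.
PORTS = [
    Port("Gi1/0/1", True, True, frozenset({"00:1d:9c:00:00:01"}), frozenset({"00:1d:9c:00:00:01"})),
    Port("Gi1/0/2", True, True, frozenset({"00:1d:9c:00:00:02"}), frozenset({"00:1d:9c:00:00:02"})),
    Port("Gi1/0/3", True, True, frozenset(), frozenset({"00:1d:9c:00:00:10"})),   # HMI, no MAC restriction
    Port("Gi1/0/4", True, False, frozenset(), frozenset()),                        # enabled, nothing plugged in
    Port("Gi1/0/5", True, True, frozenset(), frozenset({"f4:39:09:12:34:56"})),   # undocumented device
    Port("Gi1/0/6", False, False, frozenset(), frozenset()),                       # correctly shut down
    Port("Gi1/0/24", True, True, frozenset({"00:1d:9c:00:00:20"}), frozenset({"00:1d:9c:00:00:20"})),
]


def audit_ports(ports, inventory):
    """Return (port, finding) pairs for every deviation from a known-state network."""
    findings = []
    for p in ports:
        if p.admin_up and not p.link_up:
            findings.append((p.name, "enabled with nothing connected; shut it down"))
        if p.link_up and not p.allowed_macs:
            findings.append((p.name, "active port with no MAC restriction"))
        for mac in sorted(p.seen_macs):
            if mac not in inventory:
                findings.append((p.name, f"undocumented device {mac}"))
            elif p.allowed_macs and mac not in p.allowed_macs:
                findings.append((p.name, f"{inventory[mac]} is on a port not assigned to it"))
    return findings


def desired_state(ports, inventory):
    """Minimal target configuration per port: shut what is unused, restrict live
    ports to the documented devices seen on them, and hold anything undocumented
    until a walkdown explains it."""
    state = {}
    for p in ports:
        known = sorted(m for m in p.seen_macs if m in inventory)
        if not p.link_up:
            state[p.name] = "shutdown"
        elif known:
            state[p.name] = "restrict to " + ", ".join(known)
        else:
            state[p.name] = "investigate before allowing"
    return state


if __name__ == "__main__":
    for port, finding in audit_ports(PORTS, INVENTORY):
        print(f"{port:8} {finding}")
    for port, target in desired_state(PORTS, INVENTORY).items():
        print(f"{port:8} -> {target}")
```

The audit deliberately reports an active port with no MAC restriction separately from an undocumented device, because the fixes differ: the first is a configuration change, the second is a physical walkdown. Keeping the inventory in version control and re-running this after each walkdown turns the switch itself into a record of what is supposed to be on the network.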
- Enable machine logging (It’s easier than you think)
When you get hit with malware, the most important part of incident response is finding the attackers’ point of entry, in addition to whatever backdoors they might have created to continue their network access. Getting back up and running quickly will be pointless if the attacker is still in your network waiting patiently to bring your environment down again. Logging is key to finding how an attacker gained entry to your network and moved within it, making it crucial to your incident response. Recently, we have begun seeing attackers disable machine logs to hide their activities. If you set up log gathering in advance and you’re no longer receiving those logs, it is an easy indicator that someone is doing something bad on your network or you have a machine down.
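As an added example (not code from the original article or from Accenture), here is the "logs stopped arriving" check described above, run over a few constructed collector lines: it flags every expected source that has been silent longer than its allowed gap, including one that has never reported at all, and separately picks out Windows events that record a log being cleared (Security event ID 1102 and System event ID 104 are the real identifiers for those events). The hostnames, timestamps and gap thresholds are constructed.

```python
"""Added example: detect log sources that went quiet and log-cleared events.

The syslog-style lines below are constructed for the example, not real logs.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_LOGS = """\
2021-03-10T07:58:11Z hmi-01 EventLog Security 4624 An account was successfully logged on
2021-03-10T07:58:40Z fw-edge kernel DENY TCP 10.10.44.7:51022 -> 192.168.50.21:502
2021-03-10T08:02:05Z eng-ws-02 EventLog Security 4672 Special privileges assigned to new logon
2021-03-10T08:03:17Z eng-ws-02 EventLog Security 1102 The audit log was cleared
2021-03-10T08:10:55Z fw-edge kernel DENY TCP 10.10.44.7:51030 -> 192.168.50.30:3389
2021-03-10T08:41:02Z hmi-01 EventLog System 7036 The Windows Time service entered the running state
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")   # timestamp, host, rest of message

# Expected sources and the longest silence each may have before it is reported.
# Thresholds are constructed; set them from each source's normal chattiness.
EXPECTED = {
    "hmi-01": timedelta(minutes=60),
    "eng-ws-02": timedelta(minutes=30),
    "fw-edge": timedelta(minutes=15),
    "plc-gw-01": timedelta(minutes=15),    # forwards PLC gateway syslog; never heard from
}

# Windows event IDs that record a log being wiped (real IDs, not constructed).
LOG_CLEARED_IDS = {"1102", "104"}


def parse(text):
    """Return (timestamp, host, message) triples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append((ts, m.group(2), m.group(3)))
    return events


def silent_sources(events, expected, now):
    """Map each overdue source to its silence so far (None if never seen)."""
    last_seen = {}
    for ts, host, _ in events:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    silent = {}
    for host, max_gap in expected.items():
        seen = last_seen.get(host)
        if seen is None:
            silent[host] = None
        elif now - seen > max_gap:
            silent[host] = now - seen
    return silent


def log_cleared_events(events):
    """Return (host, event_id, timestamp) for every log-cleared event."""
    hits = []
    for ts, host, msg in events:
        parts = msg.split()
        if len(parts) >= 3 and parts[0] == "EventLog" and parts[2] in LOG_CLEARED_IDS:
            hits.append((host, parts[2], ts))
    return hits


if __name__ == "__main__":
    now = datetime(2021, 3, 10, 9, 0, tzinfo=timezone.utc)   # constructed check time
    evts = parse(SAMPLE_LOGS)
    for host, gap in silent_sources(evts, EXPECTED, now).items():
        print(f"silent: {host} ({'never reported' if gap is None else gap})")
    for host, eid, ts in log_cleared_events(evts):
        print(f"log cleared on {host} (event {eid}) at {ts.isoformat()}")
```

A source that has never reported is the most common finding when this is first switched on, and usually means the forwarder was never configured rather than an intrusion; either way it is a gap to close before an incident, not during one. The silence check is also the cheapest way to notice a machine that is simply down, which the paragraph notes as the other explanation.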
Getting started with logging
Logging doesn’t have to be hard or costly and you don’t need a fancy system to enable it. What is important from a preparedness standpoint is that you’re getting the logs, regardless of which aggregation system you use. Here are a few tips to jumpstart your logging efforts:
- Balance low-cost or free tool investments with the cost of required expertise to install and maintain those tools.
- Enable built-in logging features. Windows logs and firewall boundary logs are two of the most important that are included with your systems, yet are often overlooked in manufacturing environments.
- Set up reporting. Use an aggregator, free or paid, so someone can track and be notified when there are logging changes. You don’t need a full-time employee to monitor them daily, but knowing when they change or receiving an exception notification is best practice.
- Modify the rule sets for collecting and transporting logs to match your business; avoid many of the stereotypical manufacturing environment cautions by collecting logs in off-peak hours.
- Use community-based log aggregation aids such as Microsoft’s community Windows logging guidance, DoD configuration standards (STIGs) for reference, or open source tools (e.g. ELK or Security Onion) as an aggregation platform. No need to reinvent the wheel (or the log expert) when so much information is available.
- Protect your intellectual property
During an era when an exceptionally large amount of IP theft is occurring in the US for exfiltration to other countries, it is very important to look at manufacturing processes and controllers as a source of data exfiltration and take steps to protect the proprietary data they contain. For example, are your PLC and HMI tag names too descriptive? Too often we see tags give away detailed information because people logically name tags by their function. Combined with the ability to download ladder logic or design files, an attacker can easily reverse engineer a manufacturing process.
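The tag-naming question above can be turned into a repeatable review step. The following is an added example (not code from the original article or from Accenture) that scans an exported PLC/HMI tag list for process-descriptive vocabulary and produces an opaque alias map that can live in the engineering documentation instead of on the controller. The tag names and the term list are constructed; a real review would seed the term list from the plant's own process vocabulary.

```python
"""Added example: flag PLC/HMI tags that describe the process, and build an
opaque alias map to keep that detail off the controller.

Tag names and the vocabulary list are constructed for illustration.
"""
import re

# Constructed tag export from a PLC / HMI project.
TAG_EXPORT = [
    "Reactor2_Catalyst_Dose_Setpoint",
    "Mixer_Ratio_ResinA_to_HardenerB",
    "Oven3_Cure_Temp_SP",
    "Line1_Conveyor_Speed",
    "DI_0_17",
    "HMI_Screen_Active",
    "Batch_Recipe_ID",
]

# Words that describe the recipe or chemistry rather than the I/O point.
# Constructed starter list; extend it with the site's own process terms.
PROCESS_TERMS = {
    "catalyst", "dose", "ratio", "resin", "hardener", "cure", "temp",
    "setpoint", "sp", "recipe", "formula", "concentration", "pressure",
}


def tokens(tag):
    """Split a tag on underscores, digits and camelCase boundaries, lower-cased."""
    spaced = re.sub(r"([a-z])([A-Z])", r"\1_\2", tag)
    return [t.lower() for t in re.split(r"[_\d]+", spaced) if t]


def review_tags(tags, terms=PROCESS_TERMS):
    """Return {tag: sorted process terms found} for every tag that leaks detail."""
    hits = {}
    for tag in tags:
        found = sorted(set(tokens(tag)) & terms)
        if found:
            hits[tag] = found
    return hits


def build_alias_map(tags, prefix="T"):
    """Opaque, stable names for the controller; the mapping stays in the
    engineering documentation with the rest of the IP. Deterministic so the
    same export always yields the same aliases."""
    return {tag: f"{prefix}{i:04d}" for i, tag in enumerate(sorted(tags), start=1)}


if __name__ == "__main__":
    for tag, found in review_tags(TAG_EXPORT).items():
        print(f"{tag}: reveals {', '.join(found)}")
    aliases = build_alias_map(review_tags(TAG_EXPORT))
    for tag, alias in aliases.items():
        print(f"{tag} -> {alias}")
```

Only the flagged tags get aliases, so engineers keep readable names for plain I/O points while the tags that encode the recipe become meaningless to anyone who pulls the program off the controller without the accompanying documentation. Treat the alias map itself as part of the protected IP and store it with the design files, not on the HMI.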
On becoming a harder target
By checking that your manufacturing environment has at least basic coverage in each of these five areas, you can make your company much less likely to suffer a destructive or catastrophic loss due to malware attacks. If you already have the basics covered, use these areas to self-assess your security maturity and continually improve your manufacturing environment’s security posture.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.