Hardening the components of your system means locking down the functionality of the various components in your system to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities. This is especially important in modern control systems which utilize extensive commercial off-the-shelf technology. In such systems, it is critical to disable unused functions and to ensure that configurable options are set to their most secure settings.
For example, a lot can be done to harden a Windows server or workstation. There are often many unnecessary applications such as games or music players included in the default installation. These should be removed from the computer when installed as part of a control system. It is also important to disable or block unnecessary communication interfaces and the services available on these interfaces.
For example, many PLCs come with web servers running on them – unless web access to a PLC is a core part of the operations, it should be turned off. Once the computers and controllers are deployed, additional steps are necessary to maintain the security. This includes maintaining anti-virus signatures and applying security patches. It is important to remember that patches are needed for applications as well as the operating system – a common attack vector today is to exploit unpatched Acrobat Reader software running on ICS workstations.
Used properly, vulnerability scanning tools such as Nessus, along with special audit files such as Bandolier, can be very helpful in identifying the presence of known vulnerabilities. They can also verify that servers and workstations have been properly configured for security. However, as we noted earlier, live testing of a production control system can be very risky. We recommend using these tools at FAT, SAT or when production is shutdown, such as during a maintenance turnaround.
Servers and workstations are not the only components of a control system that require hardening. Network equipment and embedded control products also require secure configurations, blocking of unused communication interfaces, and software maintenance. We recommend working with the manufacturers of ICS components to obtain their recommendations for hardening. Many of the vendors have created useful guidelines on what works from a security point of view and will not impact their systems. This information should be documented in a security manual provided as part of the manufacturer’s security certification.