Auditing Industrial Control Systems is tied to the company's OT deployment. Therefore, any audit needs to understand the nature of this technology and analyze its position in the factory being audited. This post is an extension of the previous one, where I wrote about audits in an ICS context.
In their article in Control Engineering, Emmett Moore and Jeff Bates identify three inventory tasks that must be done during audits. The components that should be identified and analyzed are physical assets, network connections, and the data flows.
Inventory the assets
If a company is not aware that a system exists, it will not protect that system when implementing the countermeasures. The unprotected system thus becomes a backdoor that makes the whole factory vulnerable to attacks at that spot.
The long lifespan of machines, the specialization of users, untracked systems… A common issue at many manufacturing plants is the lack of knowledge of their own assets. This does not mean that machines are working on their own, but rather that there is no centralized repository where engineers can find a list of sensors, controllers and actuators, as well as their replacements. Relevant information about the assets should be integrated in the inventory: warranty status of the components, the contact address of the vendor, who operates a machine… During this phase, assets considered critical should be identified.
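The checks an auditor would run against such a repository, as an added example that is not part of the original post or of the cited article: reconcile the documented inventory with the devices actually seen on the plant network, list critical assets whose records lack the fields mentioned above, and flag lapsed warranties. The `Asset` fields, `INVENTORY` and `OBSERVED_IPS` are constructed sample data and assumptions about how a plant keeps its records.

```python
"""Reconcile the documented asset inventory with what is actually on the wire.
Added example; INVENTORY and OBSERVED_IPS are constructed sample data and the
field names are assumptions about how a plant keeps its records."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    asset_id: str
    kind: str                 # sensor, controller, actuator, hmi ...
    ip: str
    critical: bool = False
    vendor_contact: str = ""  # who to call when the device fails
    operator: str = ""        # person or team responsible for the machine
    warranty_until: str = ""  # ISO date; empty when nobody recorded it
    replacement: str = ""     # reference of the spare that can replace it


# Constructed repository content: what the engineers believe exists.
INVENTORY = [
    Asset("PLC-01", "controller", "10.10.1.10", True,
          "support@vendor.example", "line A", "2026-03-01", "PLC-01-SPARE"),
    Asset("ROBOT-01", "actuator", "10.10.1.20", True),   # critical, but barely documented
    Asset("TEMP-07", "sensor", "10.10.2.7", False,
          "sensors@vendor.example", "line B", "2019-06-30", "TEMP-07-SPARE"),
]

# Constructed result of passively listening on the plant network (no active scan).
OBSERVED_IPS = ["10.10.1.10", "10.10.1.20", "10.10.2.7", "10.10.3.99"]

# Fields every critical asset must carry before the audit can sign off on it.
REQUIRED_FOR_CRITICAL = ("vendor_contact", "operator", "warranty_until", "replacement")


def unknown_devices(inventory, observed_ips):
    """Devices talking on the network that the repository does not know about.
    These are the blind spots the post warns about: nobody will protect them."""
    known = {a.ip for a in inventory}
    return sorted(ip for ip in observed_ips if ip not in known)


def incomplete_critical_assets(inventory):
    """Critical assets whose record lacks one of the required fields."""
    findings = {}
    for a in inventory:
        if not a.critical:
            continue
        missing = [f for f in REQUIRED_FOR_CRITICAL if not getattr(a, f)]
        if missing:
            findings[a.asset_id] = missing
    return findings


def expired_warranties(inventory, today_iso):
    """Assets whose warranty has lapsed as of the given ISO date (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [a.asset_id for a in inventory
            if a.warranty_until and date.fromisoformat(a.warranty_until) < today]


if __name__ == "__main__":
    print("unknown devices:", unknown_devices(INVENTORY, OBSERVED_IPS))
    print("incomplete critical assets:", incomplete_critical_assets(INVENTORY))
    print("expired warranties:", expired_warranties(INVENTORY, "2019-12-01"))
```

The observed list is deliberately taken from passive listening rather than an active scan: fragile legacy controllers can misbehave when probed, so an audit should prefer a passive baseline and only confirm individual devices with the operator.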
Inventory the network
After identifying the company's assets, the next step is to research how they contact each other. Sensors and actuators will have a controller, which might use a database or the computing power of another device. There might not be a single topology at the factory; different processes may use their own. For example, a typical PLC would control robots via Modbus, a master-slave bus protocol, while more modern sensors might use a publish-subscribe protocol like MQTT.
The result of this examination should be a complete understanding of the connections and protocols that link the factory components, as well as the input and output doors to the outside world. In the case of services provided by a third party (cloud services being the most common example), the SLA should be audited and compared with the needs of our systems and its real performance.
Inventory the data flows
All kinds of data travel through the networks: personal data, real-time metrics, action requests… Some of them share the same protocols and gateways, while others could use proprietary legacy ones. To properly analyze the data flows, they should be identified and categorized according to their nature and needs.
The data must be protected against unauthorized access, so credentials should be required for users both outside and inside the factory. Those credentials, as stated before, should not be easy to forge. Such accesses and their actions should be logged if the conditions of the process or infrastructure allow it.
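Both the network inventory and the data-flow inventory can be built from the same flow records, so here is one added example covering the two previous sections; it is not code from the post or from the cited article. It groups observed connections by protocol (Modbus/TCP and MQTT on their usual ports), lists the connections that cross to the outside world, and flags flows carrying protected data classes that travel without credentials or without logging. `FLOW_RECORDS` is constructed sample data; the port table, the plant address range and the list of protected data classes are assumptions an auditor would confirm on site.

```python
"""Network and data-flow inventory from flow records.
Added example, not code from the cited article. FLOW_RECORDS is constructed;
the port table, plant address range and protected classes are assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

# Well-known ports for the protocols mentioned in the post (assumed defaults).
PORT_PROTOCOLS = {502: "Modbus/TCP", 1883: "MQTT", 8883: "MQTT over TLS", 443: "HTTPS"}

# Address space the plant owns (assumption); anything else is "the outside world".
PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Data classes whose access must be authenticated and logged (assumption).
PROTECTED_CLASSES = {"personal_data", "action_request"}

# Constructed records: src,dst,dport,data_class,authenticated,logged
FLOW_RECORDS = """\
src,dst,dport,data_class,authenticated,logged
10.10.1.10,10.10.1.20,502,action_request,no,no
10.10.2.7,10.10.5.5,1883,realtime_metric,yes,yes
10.10.5.5,203.0.113.40,8883,realtime_metric,yes,yes
10.10.9.3,10.10.5.8,443,personal_data,yes,no
"""


def parse_flows(text):
    """Parse the CSV records into dicts with typed port and boolean flags."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["dport"] = int(r["dport"])
        r["authenticated"] = r["authenticated"] == "yes"
        r["logged"] = r["logged"] == "yes"
        rows.append(r)
    return rows


def protocol_map(flows):
    """Protocol -> sorted list of (src, dst) pairs using it: the topology per protocol."""
    m = defaultdict(set)
    for f in flows:
        name = PORT_PROTOCOLS.get(f["dport"], f"tcp/{f['dport']}")
        m[name].add((f["src"], f["dst"]))
    return {p: sorted(pairs) for p, pairs in m.items()}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETWORKS)


def external_connections(flows):
    """Flows where one end lies outside the plant: the input/output doors."""
    return [f for f in flows if not (is_internal(f["src"]) and is_internal(f["dst"]))]


def unprotected_flows(flows):
    """Protected data classes travelling without credentials or without logging."""
    findings = []
    for f in flows:
        if f["data_class"] not in PROTECTED_CLASSES:
            continue
        problems = []
        if not f["authenticated"]:
            problems.append("no authentication")
        if not f["logged"]:
            problems.append("not logged")
        if problems:
            findings.append((f["src"], f["dst"], f["data_class"], problems))
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    for proto, pairs in protocol_map(flows).items():
        print(proto, pairs)
    print("external:", [(f["src"], f["dst"]) for f in external_connections(flows)])
    print("unprotected:", unprotected_flows(flows))
```

The plant address range is declared explicitly rather than derived from "private" address heuristics, because an OT network may use any addressing scheme and the audit should work from what the factory actually owns. The unauthenticated Modbus flow in the sample is the typical finding: the protocol itself carries no credentials, which is exactly the case the next section addresses with gateways and segmentation.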
Isolationist focus on ICS
Due to the isolated nature of ICS during past decades, old protocols and devices lacked protection against attacks. While the times before the arrival of the internet seem far away, industrial systems are durable, so it is not unusual to find old machines running legacy protocols or systems like old versions of Windows. Updating those protocols is tempting, but the criticality of some systems, technical limitations (lack of computing resources) or the cost of replacing the machines could prevent it. In that case, there should be strict controls serving as the interface between the unprotected systems and any other network.
This idea of creating “secure islands” of ICS components is a common recommendation to avoid malware infection via networks. These segments should be able to communicate with each other only if indispensable. Those connections should be gateways reachable only from white-listed VPN connections and analyzed by a firewall. As mentioned in the previous post, the separation between OT and business IT should be the strictest one, often relying on a DMZ structure.
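A way to verify the "secure islands" policy against observed traffic, as an added example that is not part of the original post: each address is mapped to a zone (two OT cells, a DMZ, business IT, or external), a policy lists which zone pairs may talk directly, and every observed flow that is not covered is reported, with a dedicated reason for OT and business IT meeting without the DMZ in between and for external sources that are not white-listed VPN endpoints. `ZONES`, `POLICY`, `VPN_WHITELIST` and `FLOWS` are constructed assumptions, not any plant's real configuration.

```python
"""Segmentation check for "secure islands": every observed flow must match the
zone policy. Added example; ZONES, POLICY, VPN_WHITELIST and FLOWS are
constructed assumptions, not any plant's real configuration."""
import ipaddress

# Zones by address range (constructed). Anything unmatched is "external".
ZONES = {
    "ot_cell_a": ipaddress.ip_network("10.10.1.0/24"),
    "ot_cell_b": ipaddress.ip_network("10.10.2.0/24"),
    "dmz": ipaddress.ip_network("10.10.5.0/24"),
    "business_it": ipaddress.ip_network("10.20.0.0/16"),
}
OT_ZONES = {"ot_cell_a", "ot_cell_b"}

# Zone pairs allowed to talk directly. OT cells reach each other and business
# IT only through the DMZ, which plays the role of the firewalled gateway.
POLICY = {
    ("ot_cell_a", "ot_cell_a"), ("ot_cell_b", "ot_cell_b"),
    ("ot_cell_a", "dmz"), ("ot_cell_b", "dmz"),
    ("dmz", "business_it"), ("business_it", "dmz"),
}

# Remote access: only these VPN endpoints may open connections, and only into the DMZ.
VPN_WHITELIST = {"198.51.100.9"}

# Constructed observed flows: (src, dst, dport)
FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502),    # PLC to robot inside cell A
    ("10.10.1.10", "10.10.5.5", 1883),    # cell A publishes metrics to the DMZ broker
    ("10.10.5.5", "10.20.3.4", 443),      # DMZ historian to business IT
    ("10.20.3.4", "10.10.1.10", 502),     # IT workstation talking Modbus straight to the PLC
    ("10.10.1.10", "10.10.2.7", 502),     # cell A reaching into cell B
    ("198.51.100.9", "10.10.5.5", 443),   # white-listed VPN endpoint into the DMZ
    ("198.51.100.77", "10.10.5.5", 443),  # unknown external address into the DMZ
]


def zone_of(ip):
    """Name of the zone an address belongs to, or "external"."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flows(flows):
    """Return (src, dst, dport, reason) for every flow the policy does not allow."""
    violations = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "external":
            if src in VPN_WHITELIST and dz == "dmz":
                continue  # the only permitted way in from outside
            violations.append((src, dst, dport,
                               "external source is not a white-listed VPN endpoint into the DMZ"))
        elif (sz, dz) not in POLICY:
            if "business_it" in (sz, dz) and (sz in OT_ZONES or dz in OT_ZONES):
                reason = "OT and business IT must only meet through the DMZ"
            else:
                reason = f"{sz} -> {dz} not in policy"
            violations.append((src, dst, dport, reason))
    return violations


if __name__ == "__main__":
    for v in check_flows(FLOWS):
        print(*v)
```

Run against a flow export from the firewall or a passive sensor, the violations list is the gap between the segmentation diagram and reality; the policy is intentionally an allow-list, so a connection nobody documented shows up as a finding instead of silently passing.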
Analysis of users
The last analysis should be done on the final users. They are usually the most vulnerable part of the chain, so knowing their deficiencies is the first step towards solving them. User-related policies (clean desk, passphrases…) are indispensable to protect our systems from outside and inside attacks.
Emmett Moore III and Jeff Bates, «ICS security audit in three steps», Control Engineering 65 (August 2018), 96.
Sergiu Gatlan, «53 Percent of ICS Networks at Risk Because of Legacy Windows Systems», Softpedia News, 23 October 2019, accessed 1 December 2019, https://news.softpedia.com/news/53-percent-of-ics-networks-at-risk-because-of-legacy-windows-systems-523367.shtml.
Federal Office for Information Security, «Industrial Control System Security: Top 10 Threats and Countermeasures», 6, accessed 1 December 2019, https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS/BSI-CS_005E.html.
Scott Wooldridge, «SCADA/Business Network Separation: Securing an Integrated SCADA System», Automation.com, accessed 1 December 2019, https://www.automation.com/library/articles-white-papers/hmi-and-scada-software-technologies/scadabusiness-network-separation-securing-an-integrated-scada-system.