Risk assessment and evaluation
NIST based risk assessment
Compliance frameworks for ICS/OT cyber security assessment are scarce; NIST SP 800-82 (Guide to Industrial Control Systems Security) is one of the best available. It is written specifically for measuring the security controls of industrial control systems and their supporting appliances, and it contains models and recommendations for the most important aspects, such as network segmentation, port and service handling, physical security and business continuity risk. Architectural best practices and guidance (for both physical and virtualised deployments) are part of the framework, together with a catalogue of the threats and vulnerabilities typical of these systems.
Like the traditional IT threat landscape, the ICS/OT landscape changes dynamically, so the framework evolves as well; at the time of writing the current revision is Revision 2. Walking through its control points identifies the non-compliant items in the environment and the security maturity of the organization. Evaluating these lets the organization build an action plan that ranks the most pressing security and non-compliance risks and eliminates them.
A NIST SP 800-82 audit is highly recommended for organizations operating ICS/OT systems and devices that want to achieve compliance (with frameworks as well as with regulation) and/or want to understand their cyber security and technological risks.
Crown Jewels Analysis
This analysis takes the business continuity perspective. It identifies the critical IT/OT assets whose malfunction or outage can bring the whole organization to a halt, and which therefore put the continuity of the whole organization at risk.
In a Crown Jewels Analysis we first map the goals of the organization and then identify the processes and procedures that serve them. The goals are expressed in terms of the CIA triad (Confidentiality, Integrity, Availability); for ICS/OT systems the priority is usually reversed, with availability and integrity of the physical process ranking above confidentiality. While doing this, we also drill down into the goals, processes and procedures to identify all ICS/OT related risks organization-wide.
After mapping the dependencies, we enumerate the possible internal and external impacts on them and derive a score for every element of the infrastructure (comparable to CVSS scoring in IT) that separates the high-risk from the low-risk parts. Because the scoring is systematic, security controls can be concentrated where they are really needed. The method maps the processes along their dependencies, and the analysis also surfaces non-compliant items and operational flaws.
Crown Jewels Analysis is suggested for critical infrastructure and ICS/OT operators whose operations depend heavily on ICS systems and who want to minimise the negative impact of security-related and other unwanted events by improving the defences of the critical components.
Risk Assessment based on IEC 62443
IEC 62443 is the de-facto standard for ICS/OT security. It is developed by the ISA99 committee and published by the IEC for Industrial Automation and Control Systems (IACS); its requirements aggregate the knowledge of the ICS expert community. The standard is updated regularly to follow cyber/ICS security trends. Its risk assessment (part 3-2, security risk assessment for system design) considers impacts in the following fields:
- Human resources security
- Reputational loss
- Regulatory and Compliance violations
- Confidential data breach/loss
- Business losses
- National Security related impacts
Its industrial controls cover the following fields:
- Hardware and Software (DCS, PLC, SCADA)
- ICS Networks
- Monitoring and detection
Besides technical security, physical security is also in scope, as are the documentation requirements. By complying with the standard, organizations can keep the confidentiality, integrity and availability of their manufacturing processes and equipment intact, identify and manage vulnerabilities and risks more easily, and reduce the likelihood of unforeseen events.
Compliance with IEC 62443 is suggested for organizations working in the manufacturing, implementation, engineering and operation of ICS systems.
PCAP-based Risk Assessment
In this technical examination we use a passive monitoring device (typically fed from a network TAP or a switch mirror port) to record and analyse the complete network traffic of a chosen network or ICS/OT segment. Passive fingerprinting, with no active intervention, lets the organization describe the devices, protocols and communication relationships within the designated segment and assess the network-related risks.
The main scope of the assessment is the network, but with industrial protocols such as Modbus, PCOM and BACnet we can go further: the values held in device registers also appear in the traffic, so they can be recorded to build a baseline against which anomalies (unexpected writes, values outside the normal range, new talkers) can be detected.
At the end of the assessment we produce a report and a network map covering the vulnerabilities of the various network and ICS devices, together with the risks and the remediation steps for each.
ICS Ethical hacking
The goal of the Vulnerability Assessment is to gain insight into the ICS/OT environment. Because of the sensitivity of this infrastructure, the assessment is less intrusive than its IT counterpart: the Black, Grey and White box testing methodologies are the same, but the toolset is different and relies more on manual assessment.
An ICS/OT assessment contains the following:
- Network and device mapping
- Analysis of the network segmentation, protocols and communication
- Industrial router and switch assessment
- PLC, IED and RTU device assessment
- Device and Server Gateway assessment
- SCADA and HMI device assessment (OS and Application layer)
By doing this vulnerability assessment, operators gain valuable insight into the security posture of the industrial controllers and their surroundings, and receive information about the vulnerabilities found, their risk and their remediation.
Red Teaming is a simulation based on real-world scenarios in which the Red Team attacks the organization's infrastructure and its defending Blue Team (usually Security/Operations), using the tools and techniques of real cyberattacks.
This differs from a traditional Vulnerability Assessment: the Red Team moves freely within the boundaries of the exercise and has fewer constraints, so seasoned ethical hackers can use every tool in their arsenal without having to consider business continuity risk. For that reason it is best to run these exercises on a non-production training ground. The goal of the simulation is to get as close to a real-world attack as possible.
In a War Game, Black Cell's Ethical Hackers stand in the red corner and the client's Operations/Security team in the blue.
The exercise is an excellent way to improve the organization's human and technological defences and to give management a comprehensive assessment of their present state.
Incident and Event Management
The Black Cell SOC handles and remediates security incidents and limits their potential harm. Security events and incidents must be distinguished, because not every event escalates into an incident: a phishing e-mail is only an event until someone clicks on it and leaks sensitive data.
Accordingly, escalation can be prevented if the organization identifies and handles events properly, with the necessary priority and care. If it lacks the capability for successful event handling, the event escalates into an incident and an immediate response is needed to limit the risk and damage.
In Black Cell's incident handling process, our Incident Response, Ethical Hacking and Forensics specialists work hand in hand to investigate and triage security events for our clients, categorise them by severity, and respond to true positives immediately.
Various compliance frameworks and regulations (ISO 27001, PCI DSS, the Hungarian information security act Ibtv. and others) require a detailed and precise security event and incident handling plan. Our solution experts help clients create the proper incident handling processes, procedures and policies, and keep them up to date and well exercised.
After an incident (malware infection, breach or data leak) our Forensics experts help answer the following questions:
- What happened exactly?
- Who did it (Insider/Outsider)?
- When did it happen?
- How did it happen?
- Which devices/systems were affected?
- Which accounts were affected?
During a forensic investigation, Black Cell's experts collect and preserve all evidence relating to the incident in a forensically sound way (write-blocked acquisition, hashing, documented chain of custody), then assess and evaluate it to answer the questions above.
To speed up the investigation, log files from the incident (firewall, IDS/IPS, AD, DLP, etc.) are loaded into the SOC division's forensic SIEM. Forensics is not just about logs, of course: we also collect and analyse artefacts from the environment, such as the MFT, Prefetch files, Volume Shadow Copies, memory images, the Registry and others.
During the forensic examination we also evaluate the perimeter and endpoint security devices to gain insight into possible misconfigurations, anomalies and vulnerabilities.
ICS Vulnerability Intelligence
ICS/OT Vulnerability Intelligence is usually the first line of defence for a heterogeneous industrial infrastructure that contains devices from different vendors running different firmware versions. Regardless of whether the devices are from Siemens, Omron, Lantronix, Moxa, Honeywell or others, Security and Operations staff see their vulnerabilities in a single pane of glass. The capability is agentless: it is entirely cloud-based and collects no data from the on-premise infrastructure.
Its intuitive interface is easily populated with the device models and their firmware versions, and when a new vulnerability is published for a device, the system immediately alerts the operators linked to that device or device group.
In many cases the system alerts almost as soon as a vulnerability is disclosed, thanks to its extensive open- and closed-source intelligence feeds, so operators often learn about an issue affecting their devices before a CVSS score has been assigned. This leaves a broader time window to react.
Unlike a bare CVE entry and its score, vulnerability intelligence is cumulative and descriptive: besides the vulnerability itself it includes a risk assessment and mitigation steps. One caveat applies to any such matching: the result is only as good as the inventory, so an asset whose firmware version is unknown should be reported as unverified rather than silently treated as unaffected.
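The matching step behind such a platform is simple to state and worth seeing concretely. The following is an added example written for this page, not Black Cell's product code: it compares an asset inventory (vendor, model, firmware) against advisories that name an affected version range, sends each finding to the asset's owner, and treats an unknown firmware version as "unverified" rather than as safe. The inventory, the vendor and model names and the advisory IDs are all constructed placeholders, not real products or CVEs.

```python
"""Match an ICS/OT asset inventory against vulnerability advisories by vendor,
model and firmware version range, and route each finding to the device owner.

Added example, not Black Cell's vulnerability intelligence platform.  The
inventory and advisories are constructed for illustration: vendor and model
names are fictitious and the advisory IDs are placeholders, not CVEs."""
import re


def version_key(text):
    """'V4.2.1', '3.8', '1.9.12-rc1' -> zero-padded int tuple; suffix after '-' ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(firmware, affected):
    """affected = {"ge": low, "lt": high}; a missing bound is open-ended, so an
    empty dict means every version (typical for 'no fix available yet')."""
    key = version_key(firmware)
    if "ge" in affected and key < version_key(affected["ge"]):
        return False
    if "lt" in affected and key >= version_key(affected["lt"]):
        return False
    return True


def match_inventory(inventory, advisories):
    """Return findings sorted with confirmed matches first.  An asset whose
    firmware is unknown is reported as 'unverified', never silently skipped."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset["vendor"].lower() == adv["vendor"].lower()
                            and asset["model"].lower() == adv["product"].lower())
            if not same_product:
                continue
            if asset["firmware"] is None:
                status = "unverified"
            elif is_affected(asset["firmware"], adv["affected"]):
                status = "affected"
            else:
                continue
            findings.append({
                "asset": asset["name"], "advisory": adv["id"], "status": status,
                "severity": adv["severity"], "notify": asset["owner"],
                "action": adv["mitigation"],
            })
    return sorted(findings, key=lambda f: (f["status"] != "affected", f["asset"]))


# Constructed inventory and feed.  Vendors, models and advisory IDs are fictitious.
INVENTORY = [
    {"name": "PLC-01", "vendor": "Acme Automation", "model": "APX-1200", "firmware": "V4.4.0", "owner": "plc-team"},
    {"name": "PLC-02", "vendor": "Acme Automation", "model": "APX-1200", "firmware": "V4.5.2", "owner": "plc-team"},
    {"name": "GW-01", "vendor": "Exampla", "model": "SerialGate 5150", "firmware": "3.8", "owner": "net-ops"},
    {"name": "RTR-07", "vendor": "Exampla", "model": "EdgeGate 810", "firmware": None, "owner": "net-ops"},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "vendor": "Acme Automation", "product": "APX-1200",
     "affected": {"lt": "4.5.0"}, "severity": "high",
     "mitigation": "Update to V4.5.0 or later; until then restrict the engineering port to the engineering VLAN."},
    {"id": "ADV-EXAMPLE-0002", "vendor": "Exampla", "product": "SerialGate 5150",
     "affected": {"ge": "3.0", "lt": "3.9"}, "severity": "critical",
     "mitigation": "Update to 3.9; disable the web console if it is not needed."},
    {"id": "ADV-EXAMPLE-0003", "vendor": "Exampla", "product": "EdgeGate 810",
     "affected": {}, "severity": "medium",
     "mitigation": "No fix yet; limit management access to a jump host."},
]

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES):
        print(f["status"].upper(), f["asset"], f["advisory"], "->", f["notify"], ":", f["action"])
```

Two design points carry over to real feeds: version strings must be compared numerically (a plain string comparison puts "4.10" before "4.9"), and the vendor's own version format (a leading "V", service-pack suffixes) has to be normalised before comparison, which is why firmware versions should be entered exactly as the device reports them.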
ICS Threat Intelligence
Cyber Threat Intelligence (CTI) is the gathering, analysis, integration and evaluation of information about potential threat actors in cyberspace. Its most important attribute is context: the likely attack mechanisms, indicators, vectors, conclusions and defensive advice are presented together in a single pane of glass.
The purpose of this information is not only to support human decision-makers (leadership, security operations, incident handlers) but also to feed security appliances (perimeter firewalls, IDPS, e-mail filters, SIEM). The CTI system processes, analyses and correlates various sources into machine-readable feeds, extracts indicators of compromise (IoCs) and expresses them in a common CTI format, STIX for the content (which absorbed the earlier CybOX observable model) and TAXII for transport, so that the security appliances can consume them.
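What "machine-readable" means in practice is shown below by an added example (illustration for this page, not Black Cell's CTI platform): a producer wraps two IoCs as STIX 2.1 Indicator objects in a bundle, and a consumer, standing in for a SIEM rule engine, parses the indicator patterns and evaluates them against firewall and DNS log lines. The IoCs, the log format and the log lines are constructed, and the pattern evaluator only understands the `[object:property = 'value']` comparisons joined by `OR`, a small subset of STIX patterning; anything else is refused rather than silently ignored.

```python
"""Publish IoCs as a STIX 2.1 bundle and let a consumer (a SIEM rule engine,
say) evaluate the indicator patterns against firewall and DNS log lines.

Added example, not Black Cell's CTI platform.  The IoCs and log lines are
constructed, and only '[object:property = 'value']' comparisons joined by OR
are supported, a small subset of STIX patterning."""
import json
import re
import uuid
from datetime import datetime, timezone

PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\s*\]")
# Which fields of our (constructed) log format each STIX object path maps onto.
FIELD_MAP = {"ipv4-addr:value": ("src", "dst"), "domain-name:value": ("query",),
             "url:value": ("url",)}


def make_indicator(name, object_path, value, confidence=80):
    """STIX 2.1 Indicator with a single-comparison pattern (required fields only)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": now, "modified": now, "valid_from": now,
            "name": name, "confidence": confidence, "pattern_type": "stix",
            "pattern": "[%s = '%s']" % (object_path, value.replace("'", "\\'"))}


def make_bundle(objects):
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def compile_pattern(pattern):
    """Parse the supported subset into [(object_path, value), ...]; refuse anything
    else (LIKE, MATCHES, AND, time windows) instead of silently matching nothing."""
    comparisons = PATTERN_RE.findall(pattern)
    if not comparisons or len(comparisons) != pattern.count("["):
        raise ValueError("unsupported STIX pattern: " + pattern)
    return comparisons


def parse_log(line):
    """'<ts> <host> k=v k=v ...' -> dict of the key=value fields plus the raw line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[2:] if "=" in kv)
    fields["_raw"] = line
    return fields


def match_feed(feed_json, log_lines):
    """Consume a serialised bundle; return (indicator name, pattern, raw line) hits."""
    bundle = json.loads(feed_json)
    events = [parse_log(line) for line in log_lines]
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        comparisons = compile_pattern(obj["pattern"])
        for ev in events:
            for path, value in comparisons:
                if any(ev.get(field) == value for field in FIELD_MAP.get(path, ())):
                    hits.append((obj["name"], obj["pattern"], ev["_raw"]))
                    break
    return hits


# Constructed sample data: two IoCs and three log lines.  198.51.100.0/24,
# 203.0.113.0/24 and the .test TLD are reserved for documentation.
IOCS = [("C2 server", "ipv4-addr:value", "198.51.100.7"),
        ("staging domain", "domain-name:value", "update.example-bad.test")]
LOGS = [
    "2024-03-01T10:00:01Z fw1 action=allow src=10.0.0.10 dst=198.51.100.7 dport=443",
    "2024-03-01T10:00:02Z fw1 action=allow src=10.0.0.11 dst=203.0.113.5 dport=80",
    "2024-03-01T10:00:03Z dns1 src=10.0.0.12 query=update.example-bad.test rcode=NOERROR",
]


def demo():
    """Producer side (bundle as JSON) handed to the consumer side (matching)."""
    feed = json.dumps(make_bundle([make_indicator(*ioc) for ioc in IOCS]), indent=1)
    return match_feed(feed, LOGS)


if __name__ == "__main__":
    for name, pattern, raw in demo():
        print("HIT", name, "|", pattern, "|", raw)
```

The explicit `ValueError` for unsupported patterns is the important edge case: a consumer that quietly drops indicators it cannot evaluate gives the operator false confidence that the feed is being applied. A production consumer would use a full STIX pattern engine and pull the bundle from a TAXII collection rather than from a local string.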
Security Operations Centre (ICS/OT SOC)
The SOC is the backbone of an organization's cybersecurity. It works around the clock; its main tasks are the prevention and early detection of IT security incidents and, when they happen, their handling. The SOC is also a proactive department, continuously researching new ways to handle threats and evaluating the organization's IT security processes in order to prevent incidents.
Black Cell's managed SOC meets the requirements of small and medium-sized enterprises. Through this platform, such businesses get a holistic, layered defence that helps keep the enterprise safe around the clock, for our national and international customers alike.
Our CERT (Computer Emergency Response Team) team has been certified by the Carnegie Mellon University.
Black Cell's incident handling team includes experts from four different IT security disciplines, so that every shift can handle even the most complex incidents.
These departments are:
- Ethical Hacking/Offensive Security
- Defensive Security/Log analytics
- Threat Hunting
- Cyber Threat Intelligence
Besides IT Security, our network engineers and product support colleagues are also available to help.
The foundation of the SOC is its playbooks and use cases, which are specific to the ICS/OT field. Ours are based on the industry-standard MITRE ATT&CK for ICS matrix and international best practice, which keeps our industry-specialised SOC both operationally and functionally effective.
ICS/OT Security Solutions
Secure data entry into ICS/OT networks. Industrial networks are rarely sealed off perfectly; they exchange data with IT segments (BI, ERP, databases, etc.), so the communication between them needs to be sanitised. The malware cases Stuxnet, IRONGATE, BlackEnergy, CRASHOVERRIDE, Havex and Triton showed that ICS/OT devices are particularly exposed to malicious-code attacks because, under business continuity pressure, their hardware and firmware are rarely up to date.
Since data must still be brought into ICS/OT devices, any malicious code has to be removed from that input. OPSWAT MetaDefender is built for this purpose, scanning with up to 20 anti-virus engines. Scanning runs on-premises and can be air-gapped to keep the environment free of data leaks.
Zero-day and other APT threats are usually invisible to classic, signature-based scanning engines, so OPSWAT MetaDefender Content Disarm and Reconstruction (CDR) first unpacks each file, removes the potentially dangerous elements (DDE fields, macros, metadata, scripts, etc.) and then rebuilds the file without them.
The OPSWAT MetaDefender Kiosk is a terminal for data entry and removable-media checking. It sits at the perimeter of the ICS/OT network and sanitises input data automatically: users upload their files to the Kiosk, which checks them (both with the AV engines and with CDR) and forwards them to the appropriate shares inside the closed network, where the OT operators can use the clean files.
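To make the unpack-strip-rebuild idea of CDR concrete, here is an added example written for this page (not OPSWAT MetaDefender code). It builds a small macro-enabled Word document in memory, then sanitises it the way the paragraph above describes: the VBA project and the document metadata part are dropped, a DDE field instruction is replaced by a harmless QUOTE field, and the content types and relationships are rewritten so the result is a plain .docx that Word will open. The sample document is constructed, not a real malicious file, and regexes are used in place of a full XML parser to keep the example short.

```python
"""Minimal Content Disarm and Reconstruction for a Word OOXML file: unpack the
zip, drop the VBA project and document metadata, neutralise DDE field
instructions, fix content types and relationships, and repack a plain .docx.

Added example, not OPSWAT MetaDefender code; the input document is a small
macro-enabled file constructed in memory below."""
import io
import re
import zipfile

VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DDE_RE = re.compile(r"(<w:instrText[^>]*>)\s*DDE(?:AUTO)?\b[^<]*(</w:instrText>)", re.I)
# A production CDR parses the XML; these regexes keep the example short and
# assume the attribute order Office itself writes (Id, Type, Target).
DROP_PART_RE = re.compile(r'<Override PartName="/(?:word/vbaProject\.bin|docProps/[^"]+)"[^>]*/>')
DROP_REL_RE = re.compile(r'<Relationship [^>]*(?:Type="%s"|Target="docProps/[^"]*")[^>]*/>' % re.escape(VBA_REL))


def sanitize_docx(blob):
    """Return (rebuilt document bytes, list of actions taken)."""
    actions, out_buf = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            if name.endswith("vbaProject.bin") or name.startswith("docProps/"):
                actions.append("dropped " + name)          # macros and metadata never cross
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                text = DROP_PART_RE.sub("", data.decode("utf-8").replace(MACRO_MAIN, PLAIN_MAIN))
            elif name.endswith(".rels"):
                text = DROP_REL_RE.sub("", data.decode("utf-8"))
            elif name.endswith(".xml"):
                text, n = DDE_RE.subn(r'\g<1>QUOTE "[DDE field removed]"\g<2>', data.decode("utf-8"))
                if n:
                    actions.append("neutralised %d DDE field(s) in %s" % (n, name))
            else:
                out.writestr(name, data)                    # media etc. copied unchanged
                continue
            out.writestr(name, text.encode("utf-8"))
    return out_buf.getvalue(), actions


def build_sample_docm():
    """Constructed macro-enabled document: one paragraph, a DDEAUTO field, a VBA
    project stub and author metadata.  Not a real malicious sample."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="%s"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
          '</Types>' % MACRO_MAIN)
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
            '</Relationships>')
    doc_rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="%s" Target="vbaProject.bin"/></Relationships>' % VBA_REL)
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
           '<w:p><w:r><w:t>Quarterly production report</w:t></w:r></w:p>'
           '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> DDEAUTO notepad.exe "x" </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>j.doe</dc:creator></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, part in [("[Content_Types].xml", ct), ("_rels/.rels", rels),
                           ("word/_rels/document.xml.rels", doc_rels),
                           ("word/document.xml", doc), ("docProps/core.xml", core)]:
            z.writestr(name, part)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)  # OLE magic
    return buf.getvalue()


def parts_of(blob):
    """Inspection helper: {part name: text} for every part of a package."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {n: z.read(n).decode("utf-8", "replace") for n in z.namelist()}


if __name__ == "__main__":
    clean, actions = sanitize_docx(build_sample_docm())
    print("\n".join(actions))
    print(sorted(parts_of(clean)))
```

The content-type rewrite is the step most home-grown "macro strippers" forget: deleting vbaProject.bin alone leaves a package whose main part is still declared macro-enabled and whose relationships point at a missing part, and Word will refuse or "repair" it. Real CDR products go further (images re-encoded, embedded OLE objects and external links removed, the same for PDF and spreadsheets), but the principle is the one shown here: rebuild from the known-good structure instead of looking for known-bad content.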
With the acquisition of Indegy, Tenable created the first dedicated ICS/OT cyber security platform.
In the past there were separate solutions for protecting ICS devices and for their vulnerability management; Tenable.OT is the first that merges the two functions:
- By passively monitoring the data flow and providing ICS Threat Intelligence, it can detect attacks and anomalies
- With on-demand or periodical active scans, it can assess and manage the ICS/OT vulnerabilities
Tenable.OT replaces Nessus Industrial Security and expands its capabilities from a simple scan-based application into a holistic security platform.
The Tenable.OT platform consists of one or more security appliances that continuously monitor the larger network segments, plus smaller sensors dedicated to smaller zones (such as isolated OT zones).
Functions and capabilities:
- Active threat defence
- Supports Incident Response
- Total network transparency, asset discovery
- Active and passive detection
- Change monitoring, device integrity
- Vulnerability scanning and risk assessment
- Signature and behaviour-based analytics
Nessus Industrial Security
Nessus is the industry-leading application for vulnerability assessment and management.
The Nessus Industrial Security solution is tailored to the vulnerability assessment of industrial infrastructures.
It interprets the major industrial protocols (BACnet/IP, CIP, DNP3, EtherNet/IP, ICCP, IEC 60870-5-104, IEC 61850, IEEE C37.118, Modbus/TCP, OPC, openSCADA, PROFINET, Siemens S7, TPKT) and can assess both the devices and their communications.
It supports most devices from the well-known suppliers (Siemens, ABB, Emerson, GE, Honeywell, Rockwell/Allen-Bradley and Schneider Electric), identifying and analysing the vulnerabilities found on them.
During assessments, Nessus avoids the more intrusive checks, so it does not disturb the environment's day-to-day operation or business continuity. Even so, active scanning of PLCs should first be tried on a spare unit or during a maintenance window, as some older controllers react badly to unexpected traffic.
Besides vulnerability assessment, it can create and maintain an ICS/OT asset inventory. Combining passive monitoring, asset management and active scanning, Nessus provides both environmental transparency and vulnerability management.
Tofino industrial firewalls
The Tofino firewalls made by Belden have a dual function: besides separating the ICS/OT devices from the production/IT networks, they understand industrial protocols such as Modbus, OPC, EtherNet/IP, ABB RemSys, S7comm, GE, DNP3, Omron FINS, PROFINET and others.
Because they interpret the protocol, Tofino devices do not merely allow or block a connection; they can decide which functions are permitted within a specific protocol. For Modbus, Protocol Enforcement can restrict the permitted function codes and the read/write access to register ranges, so that, for example, an HMI may poll a PLC but only the engineering workstation may write to it. This capability is especially useful when the organization needs to achieve the principle of least privilege on its network.
As these devices are purpose-built for industrial use, OT operators find them easier to configure than typical IT security devices.
Because of business continuity requirements, the firewalls have a native Test (bypass) mode, which is especially useful during commissioning: in this mode the appliance passes all traffic through and only logs what its ruleset would have blocked, so OT personnel can verify the rules before actually enforcing them.
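The register baselining described under the PCAP-based risk assessment earlier on this page and the Modbus function-code and register enforcement of this section rest on the same decoding step, so one added example serves both. It is illustration written for this page, not Black Cell, Belden or Tofino code: it decodes Modbus/TCP frames from a hand-constructed capture (standing in for a PCAP), learns which clients talk to which PLC units with which function codes and what value range each register normally holds, flags deviations in a later capture, and then applies a per-client allow-list whose format is an assumption made here, not Tofino's rule syntax.

```python
"""Passive Modbus/TCP baselining (PCAP-based assessment) and Tofino-style
protocol enforcement (function-code / register allow-listing) on the same frames.

Added example, not Black Cell, Belden or Tofino code.  The capture records are
constructed by hand in place of a real PCAP, and the POLICY format is an
assumption made for illustration, not Tofino's rule syntax."""
import struct

MODBUS_PORT = 502
FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE = 0x03, 0x06, 0x10


def modbus_tcp(tid, unit, pdu):
    """Prepend the MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse(payload, is_request):
    """Decode one Modbus/TCP frame; None when the MBAP header is inconsistent."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc, body = payload[7], payload[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc, "regs": {}}
    if fc == FC_READ_HOLDING and is_request and len(body) >= 4:
        msg["addr"], msg["count"] = struct.unpack(">HH", body[:4])
    elif fc == FC_READ_HOLDING and not is_request and body and len(body) > body[0]:
        msg["values"] = struct.unpack(">%dH" % (body[0] // 2), body[1:1 + body[0]])
    elif fc == FC_WRITE_SINGLE and len(body) >= 4:            # request and echo response
        addr, val = struct.unpack(">HH", body[:4])
        msg["regs"] = {addr: val}
    elif fc == FC_WRITE_MULTIPLE and is_request and len(body) >= 5:
        addr, _qty, nbytes = struct.unpack(">HHB", body[:5])
        vals = struct.unpack(">%dH" % (nbytes // 2), body[5:5 + nbytes])
        msg["regs"] = {addr + i: v for i, v in enumerate(vals)}
    return msg


def walk(records):
    """Yield (client, server, msg, regs, is_request) per decodable frame.  Register
    values come from write requests and from read responses, which are paired
    with their request by (client, server, transaction id)."""
    pending = {}
    for src, dst, dport, payload in records:
        is_req = dport == MODBUS_PORT
        msg = parse(payload, is_req)
        if msg is None:
            continue
        if is_req:
            if msg["fc"] == FC_READ_HOLDING:
                pending[(src, dst, msg["tid"])] = msg
            yield src, dst, msg, msg["regs"], True
        else:
            req, regs = pending.pop((dst, src, msg["tid"]), None), msg["regs"]
            if req is not None and "values" in msg:
                regs = {req["addr"] + i: v for i, v in enumerate(msg["values"])}
            yield dst, src, msg, regs, False


def learn_baseline(records):
    """Min/max per (server, unit, register) plus the set of (client, server, unit, fc) seen."""
    ranges, seen = {}, set()
    for client, server, msg, regs, _ in walk(records):
        seen.add((client, server, msg["unit"], msg["fc"]))
        for addr, val in regs.items():
            lo_hi = ranges.setdefault((server, msg["unit"], addr), [val, val])
            lo_hi[0], lo_hi[1] = min(lo_hi[0], val), max(lo_hi[1], val)
    return ranges, seen


def detect_anomalies(records, ranges, seen):
    """Flag talkers or function codes absent from the baseline and register values
    outside the learned range."""
    alerts = []
    for client, server, msg, regs, _ in walk(records):
        key = (client, server, msg["unit"], msg["fc"])
        if key not in seen:
            alerts.append("new flow %s -> %s unit %d fc 0x%02x" % key)
        for addr, val in regs.items():
            lo_hi = ranges.get((server, msg["unit"], addr))
            if lo_hi and not lo_hi[0] <= val <= lo_hi[1]:
                alerts.append("register %d on %s = %d, baseline [%d, %d]" % ((addr, server, val) + tuple(lo_hi)))
    return alerts


def enforce(records, policy):
    """Per-client allow-list of function codes and writable register range; one
    (verdict, reason) per request, as a protocol-aware firewall would decide."""
    verdicts = []
    for client, _server, msg, regs, is_req in walk(records):
        if not is_req:
            continue
        rule = policy.get(client)
        lo, hi = (rule or {}).get("write", (-1, -1))       # no write range: all writes denied
        if rule is None:
            verdicts.append(("DROP", "%s: no rule" % client))
        elif msg["fc"] not in rule["fc"]:
            verdicts.append(("DROP", "%s: fc 0x%02x not permitted" % (client, msg["fc"])))
        elif any(not lo <= a <= hi for a in regs):
            verdicts.append(("DROP", "%s: write outside registers %d-%d" % (client, lo, hi)))
        else:
            verdicts.append(("PASS", "%s: fc 0x%02x" % (client, msg["fc"])))
    return verdicts


# Constructed capture: an HMI polls holding registers 0-1 of PLC unit 1 and
# adjusts setpoint 0; later an unknown laptop appears and the HMI misbehaves.
HMI, ENG, PLC = "10.0.0.10", "10.0.0.99", "10.0.0.20"
BASELINE_CAPTURE = [
    (HMI, PLC, 502, modbus_tcp(1, 1, struct.pack(">BHH", FC_READ_HOLDING, 0, 2))),
    (PLC, HMI, 49152, modbus_tcp(1, 1, struct.pack(">BBHH", FC_READ_HOLDING, 4, 500, 20))),
    (HMI, PLC, 502, modbus_tcp(2, 1, struct.pack(">BHH", FC_WRITE_SINGLE, 0, 520))),
    (PLC, HMI, 49152, modbus_tcp(2, 1, struct.pack(">BHH", FC_WRITE_SINGLE, 0, 520))),
]
LATER_CAPTURE = [
    (ENG, PLC, 502, modbus_tcp(7, 1, struct.pack(">BHHBHH", FC_WRITE_MULTIPLE, 5, 2, 4, 9999, 1))),
    (HMI, PLC, 502, modbus_tcp(3, 1, struct.pack(">BHH", FC_WRITE_SINGLE, 0, 3000))),
    (HMI, PLC, 502, modbus_tcp(4, 1, struct.pack(">BHH", FC_WRITE_SINGLE, 7, 1))),
]
POLICY = {HMI: {"fc": {FC_READ_HOLDING, FC_WRITE_SINGLE}, "write": (0, 0)}}

if __name__ == "__main__":
    ranges, seen = learn_baseline(BASELINE_CAPTURE)
    for alert in detect_anomalies(LATER_CAPTURE, ranges, seen):
        print("ALERT", alert)
    for verdict, why in enforce(LATER_CAPTURE, POLICY):
        print(verdict, why)
```

Note what each layer catches. The enforcement rule passes the HMI's write of 3000 to setpoint 0, because the function code and address are both permitted, while the baseline flags it as out of range; conversely the unknown laptop is dropped by the firewall rule before the baseline has to say anything, and the HMI's write to register 7 is dropped for leaving its allowed range. In a real assessment the records come from a PCAP (pyshark or scapy can extract the TCP payloads to and from port 502) rather than from the list constructed here.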
EWON Secure Industrial VPN routers
Ewon specialises in industrial remote access and VPN systems.
These devices also have a dual function: they separate PLCs and other ICS/OT devices from the production/IT network as a firewall, and they connect them to management systems over VPN via GSM, 4G/LTE or Ethernet.
Ewon's automatic VPN service establishes a machine-to-machine (M2M) connection to Ewon's Talk2M cloud service, after which the operator uses a client application or the web UI to reach the PLCs and other ICS/OT devices.
Since this solution is independent of the organization's own IT infrastructure, connected operators cannot reach anything inside those networks, only the devices behind the Ewon firewall; being a proper firewall, its rules control which devices are reachable and by whom. Web-based interfaces (HMI, SCADA) can also be rendered natively through the cloud without a client application.
After logging in to Talk2M, operators can also reach other web and remote access services of the devices behind the Ewon gateway, and a mobile application provides the same access, so the devices are reachable from anywhere at any time. That convenience also makes the Talk2M accounts themselves a prime target, so they should be protected with multi-factor authentication and reviewed regularly.
The device is also capable of port forwarding and NAT between the production and industrial networks.
Waterfall ICS/OT Data Diode
A Waterfall data diode works like an electronic diode: it lets data flow one way and not the other.
It implements the network segregation described in NIST SP 800-53 and complies with the highest security standards by isolating the ICS/OT networks from the less trusted IT/production networks while still providing a unidirectional, secure and monitored data flow.
Since traditional networks and TCP/IP communication are bidirectional, the data diode is not just a hardware element: it also contains software (proxies on each side of the link) that lets two-way protocols be carried over the one-way channel.
It creates a hardware-based, optical, one-way link between the segments (a transmitter on one side and only a receiver on the other), which therefore cannot be altered or bypassed by any means.
Unlike traditional firewalls, which direct traffic in software, a hardware-based unidirectional channel cannot be tampered with by an attacker, as the laws of physics apply to everyone.
Because this segregation happens at OSI layers 1-2, the system behaves differently from the usual security gateways. This can be a drawback, as some services will not work as intended over it and thorough testing is required (if the organization wants to keep its traditional security measures), but the device is usually deployed in unorthodox situations, so the drawback is often more of a perk.
Service support is limited, but the data diode can carry the most frequently used applications:
- File transfer (SMB, FTP, SFTP, NFS, CIFS, etc.)
- HTTP/HTTPS mirroring
- Database mirroring or streaming
- Virus protection
- Patches and updates
- Remote monitoring
- Other, special protocols (e.g. ICS/OT, Modbus, historian, SIMATIC/S7comm, Omron FINS, WinCC, etc.)
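Why a one-way link needs software on both ends, and why some services cannot cross it, is easiest to see in code. The following added example (not Waterfall's software; the datagram layout is an assumption made for illustration and the link is simulated in memory) sends a file across a channel that can never carry anything back: the sender numbers the datagrams, includes a digest of the whole file and repeats every datagram, and the receiver reassembles, reports gaps and verifies the digest, because requesting a retransmission is impossible.

```python
"""File transfer across a unidirectional link.  Nothing can flow back, so the
sender numbers its datagrams, ships a digest of the whole file and repeats
each datagram; the receiver reassembles, reports gaps and verifies the digest
instead of requesting retransmission.

Added example, not Waterfall's software; the datagram layout is an assumption
made for illustration and the 'link' is simulated in memory."""
import hashlib
import struct

MAGIC, CHUNK, HEADER = b"UDT1", 512, 4 + 8 + 32   # magic, seq+total, sha256


def send(data, redundancy=2):
    """Split data into [MAGIC][seq][total][sha256(data)][payload] datagrams and
    emit each `redundancy` times, the only way to survive loss without ACKs."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        frames += [MAGIC + struct.pack(">II", seq, len(chunks)) + digest + chunk] * redundancy
    return frames


def one_way_link(frames, drop_every):
    """Stand-in for the optical link: loses every n-th datagram (0 = lossless) and,
    being one-way, never carries anything back to the sender."""
    return [f for i, f in enumerate(frames) if not drop_every or i % drop_every != 0]


def receive(frames):
    """Reassemble one transfer.  Returns (data or None, missing sequence numbers)."""
    parts, total, digest = {}, None, None
    for frame in frames:
        if len(frame) < HEADER or frame[:4] != MAGIC:
            continue                                   # corrupt or foreign datagram
        seq, n = struct.unpack(">II", frame[4:12])
        if digest is None:
            total, digest = n, frame[12:HEADER]
        elif (n, frame[12:HEADER]) != (total, digest):
            continue                                   # belongs to another transfer
        parts.setdefault(seq, frame[HEADER:])          # duplicates are harmless
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in parts]
    if missing:
        return None, missing
    data = b"".join(parts[s] for s in range(total))
    return (data if hashlib.sha256(data).digest() == digest else None), []


if __name__ == "__main__":
    payload = bytes(range(256)) * 10
    for redundancy in (1, 2):
        got, gaps = receive(one_way_link(send(payload, redundancy), drop_every=3))
        print("redundancy", redundancy, "->", "ok" if got == payload else "FAILED, gaps %s" % gaps)
```

With the link dropping every third datagram, a single copy of each chunk loses two of the five chunks and the receiver can only report which ones; two copies get the whole file through. This is the trade the diode's proxy software makes for every supported protocol: redundancy and integrity checks on the sending side replace the acknowledgements the receiving side can no longer send, and a protocol that needs a genuine round trip (a TCP handshake, an interactive login) has no equivalent, which is why the list of supported applications above is limited to one-directional ones such as file replication, mirroring and monitoring.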
Why Choose Us?
Black Cell was founded in 2010 in Hungary. The team has proven capabilities, competencies and knowledge to build or operate a Cyber Defense Operational Center, as shown by our national and international references. We are governed by a strict Service Level Agreement (SLA) and carry $1 million in liability insurance. We operate 24/7 live monitoring and alerting for our domestic and international clients.
Our CERT (Computer Emergency Response Team) is certified by Carnegie Mellon University. Our incident management team is made up of engineers from four different IT security disciplines who work in the SOC on the same shift: offensive security (ethical hacking), defensive security (log analysis), threat hunting and cyber threat intelligence (CTI). In addition, our network security and product-specific support staff are available.