Session 1 ICS Basics - Q and A

- Network segmentation and monitoring/alerting tools are recommended to protect legacy ICS devices without costly upgrades. All devices can be vulnerable if not properly implemented and patched.
- New ICS systems are improving security but vendors prioritize speed to market over security. The Purdue model of ICS architecture is outdated but the concept of layering is still valid for protecting process levels.
- Encrypted, authenticated, and authorized protocols with low latency are most secure for industrial communications. Denial of service attacks flood networks, which firewalls can mitigate.

Session 1: ICS Basics Q&A

Q: With legacy devices and controllers on the ICS network, how do you suggest protecting them without costly modifications and testing of new equipment?
A: Network segmentation would be my first suggestion. This could entail additional network devices (switches, routers) or VLAN segmentation if current network devices support that function. Once segmentation is implemented, monitoring and alerting (via IDS, IPS, host FW) should be implemented.
Q: Can firewalls become vulnerable to attacks?
A: All devices can be vulnerable to attack. Poor implementation and lack of security patching can leave any device susceptible to attack and compromise.
Q: Are ICS starting to evolve to become more secure?
A: New ICS systems are being improved for cybersecurity, but not in all sectors. We see new innovations every day, but the designers are not always concerned with cybersecurity. Vendors are in the business to make money, so getting the product to market is the number one priority, unfortunately.
Q: You referred to the Purdue Model earlier in the presentation as a standard for ICS architecture. I'm reading articles that say this model is outdated. Is there anything more current that contains best practices or recommendations for securing ICS systems?
cannot rely on security through the Purdue model layering. The idea behind the Purdue model is still valid; we need to protect our process or execution level, but how to accomplish that now that we are connecting the process level to the internet/cloud is the challenge. I have not seen a security ICS architecture model based on inclusion of IIoT. S4 records their presentations and there is one titled "Is The Purdue Model Dead?" that I found very interesting. You will need to search this web page.
https://s4xevents.com/past-events-2/s4x19/
Q: What would be the most secure industrial communication protocol? Why?
A: A protocol that includes encryption, authentication and authorization with minimum overhead. Many processes cannot afford response latency.
Q: System susceptible to denial of service: can you please explain with an example? It is not clear.
A: Some systems have firewalls that can detect network traffic flooding based on Aggregate (SYN flood threshold), Classified (IP specification) or Quota (max from source IP) and can then send these messages into a bit bucket or drop them.
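The three flood-detection modes named in that answer, written out as a small detector over constructed traffic. This is an added example, not code from the session or from any firewall vendor; the thresholds, window size, CIDR block and packet records are all made up for the demonstration, and the drop counters stand in for the alerting a real firewall would raise.

```python
"""Added example: a toy flood detector modelling three firewall rule types.

  Aggregate  - total SYN rate across all sources exceeds a threshold
  Classified - the source matches an IP specification (here a CIDR block)
  Quota      - a single source exceeds its maximum packet count

Packets that trip a rule are "dropped" (the bit bucket) and counted so
monitoring can alert on them. All values below are constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    syn: bool      # TCP SYN flag set, i.e. a new connection attempt


class FloodDetector:
    def __init__(self, syn_threshold, window, blocked_cidrs, quota_per_src):
        self.syn_threshold = syn_threshold
        self.window = window                      # seconds for the aggregate rule
        self.blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
        self.quota = quota_per_src
        self._syn_times = []                      # recent SYN timestamps (aggregate)
        self._per_src = Counter()                 # packets seen per source (quota)
        self.dropped = defaultdict(int)           # rule name -> drop count, for alerting

    def classify(self, pkt):
        """Return 'forward' or the name of the rule that drops the packet."""
        ip = ipaddress.ip_address(pkt.src)
        # Classified: this IP specification is never allowed through.
        if any(ip in net for net in self.blocked):
            return "classified"
        # Quota: cap what one source may send, regardless of flags.
        self._per_src[pkt.src] += 1
        if self._per_src[pkt.src] > self.quota:
            return "quota"
        # Aggregate: sliding-window SYN count over all sources.
        if pkt.syn:
            self._syn_times = [t for t in self._syn_times if pkt.ts - t <= self.window]
            self._syn_times.append(pkt.ts)
            if len(self._syn_times) > self.syn_threshold:
                return "aggregate"
        return "forward"

    def process(self, packets):
        verdicts = []
        for p in packets:
            v = self.classify(p)
            if v != "forward":
                self.dropped[v] += 1
            verdicts.append(v)
        return verdicts


def demo_traffic():
    """Constructed traffic: normal host, blocked source, chatty source, SYN burst."""
    pkts = [Packet(t, "10.0.0.5", "10.0.1.20", True) for t in (0.0, 1.0, 2.0)]
    pkts.append(Packet(2.5, "192.168.99.7", "10.0.1.20", False))          # inside blocked CIDR
    pkts += [Packet(3.0 + i * 0.1, "10.0.0.9", "10.0.1.20", False) for i in range(6)]  # 6 > quota 4
    pkts += [Packet(10.0 + i * 0.01, f"172.16.0.{i + 1}", "10.0.1.20", True) for i in range(8)]  # 8 SYNs in 100 ms
    return pkts


def run_demo():
    det = FloodDetector(syn_threshold=5, window=1.0,
                        blocked_cidrs=["192.168.99.0/24"], quota_per_src=4)
    verdicts = det.process(demo_traffic())
    return verdicts, dict(det.dropped)


if __name__ == "__main__":
    verdicts, dropped = run_demo()
    print(Counter(verdicts), dropped)
```

The ordering of the checks matters: the classified rule runs first because it is policy rather than rate, the per-source quota runs before the aggregate count so one noisy host does not consume the shared SYN budget, and only SYNs count toward the aggregate threshold since established-connection traffic is not what a SYN flood looks like.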
Q: Which certifications are recommended?
GISF, GSEC, GCED, GISP, CISSP, GICSP. All of these are good training courses but not all are required for a job in IT or OT security.
Q: Which certifications are recommended for an ICS expert?
security fundamentals.
Q: Are there any good estimates on how many ICS systems exist in America?
A: Here is a sample of the ICS parent companies in the US. Each has one or more ICS systems.
- 3,300 electric utilities in the United States
- 50,000 water utilities in the US
- 9,000 independent oil and natural gas
- 6,800 organizations provide public transportation
- 19,700 airports in the United States
- 700 rail transport carriers in the United States
Q: We have a traditional setup. Is there a particular type of firewall that will mitigate risk if we need to go to the internet?
A: All firewalls have similar functionality. The type is generally defined by the IT department based on what is currently installed, unless there is a specific functionality or requirement.
Q: What is the most common ICS for transportation infrastructure?
transportation sector, from bus/mass transit, rail freight, rail carrier, traffic control, highway transit, trucking, etc. So, the possibilities are endless. I would suspect that, given the distances, processes, scheduling, monitoring and control required, the control systems would be a version of SCADA, DCS and AS along with proprietary control systems designed by the vendor.
specifically)
from the European Commission and the second site looks at the global view.
https://cordis.europa.eu/project/id/730843
https://cyberstartupobservatory.com/rail-cybersecurity-where-is-the-industry-now/
Q: Would you call an undocumented proprietary plain text protocol a vulnerability?
A: Yes. First of all, the protocol has to be documented somewhere. Second, even if it is not, the traffic, if TCP/IP-based, can be captured into a pcap file and Wireshark can be used to view the conversation between source and destination. Researchers reverse-engineer code all the time and protocols are just another form of code. Any type of clear text in the ICS network is considered a vulnerability.
Q: Are there any resources you can recommend to study the ICS basics?
A: Google is your friend. Also, the CISA training webpage has links to our Virtual Learning Portal (VLP) with free ICS training modules.
collection perspective?
between source and destination. Some application at the source should be able to log events that can be monitored for needed action.
potential risk factors?
authentication or authorization have potential risk factors.
https://www.incibe.es/extfrontinteco/img/File/intecocert/ManualesGuias/incibe_protocol_net_security_ics.pdf
Q: What secure industrial communications protocol would you recommend? They didn't really cover this in the presentation last week.
controller/field device. Now you have to investigate if the protocol that is used in your system has a secure version. If not, then you need to investigate if you can replace the protocol used with a secure protocol, such as DNP3 secure, Modbus TCP secure, OPC UA secure, etc. I found an interesting YouTube video from S4x18 that debates securing ICS protocols:
https://www.youtube.com/watch?v=wQJicex0o0A
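Two of the answers above describe what a secure industrial protocol needs: authentication, authorization and replay protection with as little overhead as possible, because the process cannot absorb latency. The block below is an added example that sketches that shape in a toy command frame; it is not the session's code and not DNP3 Secure Authentication, Modbus/TCP Security or OPC UA, each of which defines its own message format and key management. The key, role table, command names and frame layout (4-byte sequence, 1-byte role, command text, 8-byte truncated HMAC-SHA256 tag) are all assumptions made for the demonstration.

```python
"""Added example: a minimal authenticated and authorized command frame.

Every frame carries proof of origin (HMAC over the whole body), a role
byte checked against an authorization table before the command is
accepted, and a monotonically increasing sequence number so a captured
frame cannot simply be replayed. Fixed overhead is 13 bytes per frame.
Confidentiality is deliberately left out to keep the example to what the
standard library provides. Keys, roles and commands are constructed.
"""
import hashlib
import hmac
import struct

TAG_LEN = 8                      # truncated tag: less overhead, smaller security margin
HDR = struct.Struct("!IB")       # sequence number (4 bytes) + role id (1 byte)
ROLES = {1: "viewer", 2: "operator", 3: "engineer"}
# Authorization policy (constructed): which roles may issue which commands.
ALLOWED = {
    "READ":   {"viewer", "operator", "engineer"},
    "WRITE":  {"operator", "engineer"},
    "CONFIG": {"engineer"},
}


def build_frame(key, seq, role_id, command):
    """Serialize seq|role|command and append an HMAC tag over all of it."""
    body = HDR.pack(seq, role_id) + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def overhead_bytes():
    """Bytes added to each command by the header and the tag."""
    return HDR.size + TAG_LEN


class Receiver:
    """Field-device side: checks authenticity, then freshness, then authorization."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1       # highest sequence number accepted so far

    def verify(self, frame):
        """Return (accepted, reason, command)."""
        if len(frame) < HDR.size + TAG_LEN:
            return False, "truncated", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad-mac", None
        seq, role_id = HDR.unpack(body[:HDR.size])
        command = body[HDR.size:].decode(errors="replace")
        if seq <= self.last_seq:
            return False, "replay", command
        role = ROLES.get(role_id, "unknown")
        if role not in ALLOWED.get(command, set()):
            return False, "unauthorized", command
        self.last_seq = seq                          # advance only on full acceptance
        return True, "ok", command


def run_demo():
    """Exercise the accept and reject paths; returns a list of (accepted, reason)."""
    key = b"constructed-demo-key-not-for-real-use"
    rx = Receiver(key)
    results = [
        rx.verify(build_frame(key, 1, 2, "WRITE"))[:2],     # operator writes: ok
        rx.verify(build_frame(key, 1, 2, "WRITE"))[:2],     # same frame again: replay
        rx.verify(build_frame(key, 2, 1, "WRITE"))[:2],     # viewer writes: unauthorized
    ]
    tampered = bytearray(build_frame(key, 3, 3, "CONFIG"))
    tampered[HDR.size] ^= 0x01                               # flip one command byte
    results.append(rx.verify(bytes(tampered))[:2])           # bad-mac
    results.append(rx.verify(build_frame(b"wrong-key", 3, 3, "CONFIG"))[:2])  # bad-mac
    results.append(rx.verify(build_frame(key, 3, 3, "CONFIG"))[:2])           # engineer: ok
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print(accepted, reason)
```

The check order is the design point: the tag is verified before anything in the body is trusted, the sequence number is checked before the (cheaper) authorization lookup so a replayed but otherwise valid frame is rejected for the right reason, and `last_seq` advances only on full acceptance so a rejected frame does not consume a sequence number.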
Q: I've used DHS CSET for an assessment of a system that already exists. Is there a different assessment for projects in the early requirements and design phase?
A: DHS CISA does not have anything that I know of. If you are designing a new system and have a network diagram with components, you can build that diagram in CSET and a set of questions based on the network components will be generated. Also, DHS CISA has a Procurement Language for Control Systems document to help you ask for cybersecurity in your system design.
connections?
that can be introduced on to a device through USBs, removable disks, etc. or other devices within the protected network.
Q: What are your recommendations on securing legacy OS versions still used in control systems? (WinXP, Win2k3, Win2k8, Win7)
A: Patch and upgrade where possible. Then remove all unnecessary software/applications and services. Implement host FW if possible. Implement a white list and access control list (ACL). Implement an IDS within the network to understand unwanted access or attempted access.
Q: Any thoughts/tips on developing a governance structure for an ICS security program? Multiple business units can be hard to bring together.
A: I would suggest looking at the DHS CISA CSET tool. Follow the recommended list of participants, which should get the correct individuals into the discussion.
Q: So is discrete manufacturing DCS?
A: That would depend on the ICS purchased by the asset owner. I could see a PCS system used for that purpose also. Or a combination of systems.
Q: How many ICS systems are usually in a factory?
single system, or hybrid system, or multiple systems doing different functions to produce a final result. Plus, you could have systems for HVAC, lighting, phones, water, alarms besides the system(s) that produce your product/business function.
Q: Can we enforce usage of secure operating systems only for OT systems?
A: Not at this time. I don't think that will happen unless some major catastrophe occurs.
Q: What are the pros and cons in combining IT with OT?
A: I don't know of any pros. Flat networks do not work. There are too many restrictions in the OT environment for availability that would not work for the IT environment.
Q: Is there an option to get a certificate of attendance as well for CPEs?
A: Yes, we will email certificates using the info you registered with.
Q: Do you have any whitepapers that would address a layered security approach and monitoring methods for key points on a connected ICS network?
A: We talked about the Purdue model for ICS network segmentation. Network and ICS professionals have stated that the model is outdated. The debate continues. I believe the desired effect of the model is valid while the diagram may need to be updated to current communication capabilities.
Q: How would you differentiate between IoT or IIoT and OT?
used for industrial device communication. OT is the industrial environment that would use IIoT while IT would use IoT in most cases.
Q: Are there dedicated ICS focused SOCs?
ICS Security Operations Center for website and papers. Here is one that I found very informative.
https://www.dragos.com/wp-content/uploads/Dragos-Insights-into-Building-an-ICS-Security-Operations-Center.pdf
Q: If so, what industry is ahead of the game?
in existing SOCs.
Q: Is there a standard security framework (NIST or other) that should/must be applied to ICS and related infrastructure?
A: NIST SP 800-82 Rev. 2, a guide for ICS security, and NISTIR 7628, Guidelines for Smart Grid Cybersecurity, are two from NIST.
Q: I come from the telecommunications space. In the Department of Defense space there is the CMMC (Cybersecurity Maturity Model Certification) that the government is applying to any vendors/contractors that do business with the DoD. Do you see anything like this coming for systems deemed critical infrastructure in the ICS space?
A: C2MC, a public-private partnership to evaluate industry-accepted cybersecurity practices.
Q: What are the main components of a DMZ?
an untrusted or less secure environment. Any transfer point from untrusted that is used to access a trusted environment (jumpbox, etc.).
Q: Is it safe to connect remotely into a safety network from the internet? The current travel restriction requires remote access to safety systems as well for supporting the customers.
16-056-01 and published a paper that includes a recommended secure network architecture (page 17) of this pdf:
https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
are usually put into place in an AS/ICS that help prevent social-based attacks? Would DMZs or protocols cover these attacks?
engineered attacks. Failing that, basic IT safeguards that alert on anomalous behavior in the DMZ and ICS environments are excellent next steps.
Q: How many ICS systems implement, or at least try to implement, ISA/IEC 62443?
A: IEC standards are not a US requirement for the most part, whereas IEC standards are more adhered to in Europe, Asia and the Middle East.
Q: Which open communication protocols are secured by design in ICS?
A: None that I know of. All ICS protocols were designed for reliability.
Q: https://www.provatek.com/online-store/Top-Twelve-Security-Controls-for-Operational-Technology-
A: This is the correct weblink. https://www.provatek.com/online-store/Top-Twelve-Security-Controls-for-Operational-Technology-Networks-p155698383
Q: What is the job market like for those interested in this space?
A: Just checked ICS cybersecurity jobs in the US and there were over 200 from one location. I also understand that DHS CISA and many other USG agencies cannot fill the positions they have open.
Q: Could you also provide a link to training resources as you indicated? Thanks.
A: https://www.us-cert.gov/ics/Training-Available-Through-ICS-CERT
Q: Would searching for our own devices on a site like Shodan be a beneficial exercise to search for vulnerabilities? Or would this be more likely to open us up to a breach?
A: Yes, any search done to help an entity understand their exposure to compromise is beneficial and should be part of their cybersecurity policy and procedures.
Q: How cyber safe are the cloud services like AWS and Microsoft? Is there protection for ICS? What can be done to enhance security on these platforms?
A: Here is an article on cyber threats to cloud computing. https://cloudacademy.com/blog/key-cybersecurity-threats-to-cloud-computing/
Q: What is the difference between a denial of service attack and a buffer overflow attack?
sending a message to the application with a parameter that is larger than the predefined memory space for that parameter.
Q: Where should we start? Risk assessment or maturity assessment?
A: Both have value, but are geared toward IT/Business environments. They can be used to assess the OT environment but require either a standard (Maturity Assessment) or security controls (Risk Assessment) that may not exist at this time. Either of these will require an understanding of what is connected to the OT networks (asset inventory) and then an evaluation of cyber deficiencies.
Q: What are the recommended ICS cybersecurity frameworks? (IEC 62443, C2M2, etc.)
A: Depending on your sector, you may already be required to meet a cybersecurity framework. If not, it is up to the individual entity to determine what framework will work best for them.
Q: Can you comment on adoption of ISASecure? Where is the regulation role?
build a defendable system. There is no regulation role that I know of. At this time, it would be a consumer specification.
Q: If you were hired today and were asked to secure a facility, what are the first 5 steps?
A: Asset inventory, asset cybersecurity evaluation, prioritization of mitigation, network segmentation evaluation and update/upgrade/replace where possible.
comments on how to do automated asset discovery for an OT environment? Which way is better, passive monitoring or active probing?
can be done, but must be tested on a testing environment (sandbox network) to determine rate and amount of discovery possible.
Q: Any examples of safety systems used in ICS?
A: Emerson - DeltaV, Schneider Electric - Triconex, Siemens SIS Compact, Yokogawa Prosafe, to name a few. If you need to know the SIS suppliers you can purchase the list from ARC. https://www.arcweb.com/technology-evaluation-and-selection/safety-instrumented-system-selection
Q: Are there SCADA certifications?
A: There are ICS certifications which could include SCADA. There are certifications for SCADA architect or engineer. Not sure what you mean by SCADA.
Q: Why do you still mention a firewall to communicate between IT and OT networks instead of a unidirectional gateway?
A: Unidirectional gateways are available and in use, but they are costly and not all communication requirements in ICS are unidirectional.
Q: Is there any best practice organization chart that combines IT/OT security capabilities?
A: Here is a chart from the DoD that you can use as a starting point. Cut or keep what works best for your organization. https://dodiac.dtic.mil/wp-content/uploads/2020/04/ia-policychart-1-Apr-20-DoDIN.pdf
Q: Do you consider Nessus to be a good scanner?
A: Here is a list of best network scanners for Windows from ITPRC. DHS does not make recommendations. https://www.itprc.com/best-network-scanners/
systems
cybersecurity culture for ICS. https://www.oilandgasmiddleeast.com/article-17776-comment-cyber-security-culture-in-an-icsscada-environment
