Ten steps to secure control systems
05/12/2005
WPA2 (Cisco’s term for 802.11i) is the best option for companies just putting in Wi-Fi technology. Device authentication is available, the AES encryption algorithm is used, and (reportedly) these devices are not susceptible to a denial-of-service attack.
For additional information, you can visit www.wi-fiplanet.com/tutorials
Adding Devices To The Environment
One of the most common methods by which malicious code, such as viruses and worms, is introduced into a telecom network is when an infected device, such as a laptop, is plugged into an unused and active Ethernet port. There are a couple of ways this risk can be minimized.
First, deactivate unused ports, especially in unoccupied offices and conference rooms. The hassle of activating ports is not nearly as great as the hassle of dealing with a rampant worm.
Second, make it a policy that only authorized devices are allowed to connect to the control system telecom environment – and communicate that policy to visitors, vendors and consultants upon arrival. In fact, a summary of all information security policies that apply to visitors should be conveniently available to hand out on every visit.
By taking these simple steps it is often possible to keep rogue or improperly configured devices from becoming part of the telecom environment.
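A way to find the ports the first step refers to, shown as an added example that is not part of the original article. It assumes a switch whose status listing uses the column layout of Cisco IOS `show interfaces status`; the sample listing, port names and descriptions are constructed.

```python
import re

# Constructed sample in the style of Cisco IOS "show interfaces status";
# port names and descriptions are made up for this example.
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     HMI station 1      connected    10         a-full  a-100 10/100/1000BaseTX
Gi0/2     Conf room B        notconnect   10           auto   auto 10/100/1000BaseTX
Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/4     Spare office 214   disabled     999          auto   auto 10/100/1000BaseTX
Gi0/5     Uplink to firewall connected    trunk      a-full a-1000 10/100/1000BaseTX
"""

# The Name column may be empty or contain spaces, so anchor on the status
# keyword instead of splitting the row on whitespace.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def audit_ports(listing):
    """Return {port: finding} for ports to shut down or review."""
    findings = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrecognised line
        port, name, status = m.group("port", "name", "status")
        label = name.strip() or "undocumented"
        if status == "notconnect":
            # Administratively enabled but nothing attached: a live jack
            # that any visitor's laptop could be plugged into.
            findings[port] = f"enabled with no link ({label}): shut down"
        elif status == "connected" and not name.strip():
            findings[port] = "in use but undocumented: verify the device is authorized"
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(SAMPLE).items():
        print(port, "-", finding)
```

A port with no link at audit time may simply have its device powered off, so confirm with the owner of the room or cabinet before shutting it down.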
Remote Access
Remote access to the control system telecom environment should be severely restricted and only allowed under very controlled circumstances. The reason for this is that much care and diligence have been expended defining the physical and electronic security perimeter and securing it against unauthorized access and introduction of malicious code. Remote access allows the remote device to become part of the secured environment. Since the device is remote and by definition not completely controlled, this dramatically increases the probability of security incidents in the control system environment.
However, the business need for remote access is a reality that must be dealt with. Let’s examine three common ways to accomplish this while maintaining as secure an environment as we can – DMZ application servers, Virtual Private Networks (VPNs), and modem access.
DMZ Application Servers
DMZ application servers reside in the DMZ that the firewall creates between the corporate and control system telecom environments. Remote users (whether on the corporate network or outside it via a dial-up or VPN connection) authenticate to this application server and do all their work from that environment. The important point here is that the remote user’s computing device never becomes part of the control system telecom environment.
Virtual Private Networks
If true remote access, where the device becomes part of the control system telecom environment, is unavoidable, then a VPN connection is the next best solution – but with extensions. Standard IPSec VPN solutions do not allow any control over the remote device that is connecting. However, solutions offered by companies such as Nortel and Cisco offer extensions to the VPN standard that do allow this control. Control can range from requiring up-to-date anti-virus and personal firewalls on the remote device, to requiring specific patch levels for specific operating systems, to not allowing split tunneling. Split tunneling occurs when a remote device connects to the control system telecom environment while simultaneously connected to another telecom network (the vendor’s or partner’s corporate network, for example). It is highly recommended that split tunneling not be allowed.
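The admission checks listed above (anti-virus, personal firewall, patch level, no split tunneling) can be sketched as follows. This is an added example, not code from the article or from any vendor's VPN product; the policy fields, the report format, the interface names and the addresses are all assumptions made for illustration.

```python
import ipaddress

# Hypothetical admission policy; field names and thresholds are assumptions.
POLICY = {
    "max_av_signature_age_days": 7,
    "min_patch_level": {"windows-xp": 2, "windows-2000": 4},  # service pack
    "tunnel_interface": "vpn0",
}

def split_tunnel_routes(routes, tunnel_if, vpn_gateway):
    """Return (destination, interface) routes that bypass the tunnel."""
    gateway_host = ipaddress.ip_network(vpn_gateway + "/32")
    bypass = []
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        if iface == tunnel_if or net.is_loopback or net == gateway_host:
            continue  # tunnelled, local-only, or the path that carries the tunnel
        bypass.append((dest, iface))
    return bypass

def evaluate_posture(report, policy=POLICY):
    """Return (admit, reasons); any failed check denies the connection."""
    reasons = []
    if report["av_signature_age_days"] > policy["max_av_signature_age_days"]:
        reasons.append("anti-virus signatures out of date")
    if not report["firewall_enabled"]:
        reasons.append("personal firewall disabled")
    required = policy["min_patch_level"].get(report["os"])
    if required is None:
        reasons.append("operating system not approved")  # fail closed
    elif report["patch_level"] < required:
        reasons.append("patch level below required")
    for dest, iface in split_tunnel_routes(
            report["routes"], policy["tunnel_interface"], report["vpn_gateway"]):
        reasons.append(f"split tunnel: {dest} via {iface}")
    return (not reasons, reasons)

# Constructed posture reports (documentation and private address ranges).
COMPLIANT = {
    "os": "windows-xp", "patch_level": 2, "av_signature_age_days": 1,
    "firewall_enabled": True, "vpn_gateway": "192.0.2.10",
    "routes": [("0.0.0.0/0", "vpn0"), ("192.0.2.10/32", "eth0"),
               ("127.0.0.0/8", "lo")],
}
SPLIT = dict(COMPLIANT, av_signature_age_days=30,
             routes=[("10.20.0.0/16", "vpn0"), ("0.0.0.0/0", "eth0"),
                     ("192.0.2.10/32", "eth0")])
```

The route check is deliberately strict: any route outside the tunnel other than the host route to the VPN gateway counts as split tunneling, including access to the remote user's local LAN.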
Modems are much maligned as being insecure connections, and in fact, a dial-in modem connection that is always listening isn’t very secure even if a user ID and password are required. Better alternatives include unplugging the telephone connections when not in use, dial-back modems and encrypting modems. But all of these do allow the remote device to become part of the control system telecom network.
It must be acknowledged that modem connections that allow vendors to perform maintenance without becoming part of the control system telecom network pose less of a security risk than those that do become part of the network. But without implementing any of the control measures mentioned in the previous paragraph, the security risk is still high.
Vulnerability Assessments, Risk Assessments and Penetration Tests
The terms vulnerability assessment and risk assessment are often used to mean the same thing. While complementary, vulnerability assessments and risk assessments are very different. The purpose of vulnerability assessments is to identify weaknesses that can be accidentally or maliciously exploited to do harm. Usually, alternative actions that can be taken to reduce the chance of the vulnerability being exploited are also proposed. These actions are sometimes called potential mitigating controls. The purpose of a risk assessment is to identify the probability that a vulnerability will be exploited, allowing a cost-benefit trade-off.
Vulnerability assessments can be further sub-categorized into technical reviews, device scans and penetration tests. Technical reviews attempt, through interviews with key staff, review of technical documents and drawings, and visual inspection of devices, to identify weaknesses in the security architecture, policies and procedures of the overall system or telecom environment. Device scans either load scripts onto devices or use remote vulnerability scanners to identify technical vulnerabilities – such as improper configurations or missing patches – on specific devices. Penetration tests go one step further and attempt to exploit a vulnerability to gain unauthorized access to systems or data.