How to go about defending an ICS?

Looking at all these restrictions and requirements, one starts to appreciate the complexity of defending ICS networks. Implementing straight-up IT security practices will not cut it, as we just discovered: they are often too intrusive or simply not feasible. So how do we go about securing the ICS?

One defensive strategy that has been used extensively for ICS networks is security by obscurity. The idea is that by hiding or obscuring the ICS network, an attacker will not be able to find the network, and one cannot attack what one cannot find. To a degree, this strategy actually worked when the ICS protocols and communication media were proprietary and restrictive or limited in what they could achieve. As ICS networks converge and start using commonplace technologies and protocols like Ethernet and Internet Protocol (IP), they are becoming more open in nature and easier to discover. Earlier, a controller would sit on a production floor and the only way to communicate with it was by attaching a serial cable and using a proprietary programming software package, speaking a proprietary communication protocol, running on a dedicated engineering laptop.

Nowadays, these controllers can be accessed via Ethernet, using the IP protocols. With the capability to route IP traffic, a controller can be accessed from anywhere on the planet. If you recall our Shodan exercise from a previous chapter, you may remember that we saw controllers in Belgium, connected to the internet, accessible to anyone with an internet connection. Needless to say, the security by obscurity philosophy as a defensive strategy is obsolete and highly inefficient in defending an ICS, due in part to the convergence of networks.

Another defensive strategy that is often used to secure and protect ICS networks is perimeter defense. With perimeter defense, a security appliance such as a firewall is placed at the edge or perimeter of a network to inspect and filter all ingress and sometimes egress traffic. The idea behind the perimeter defense strategy is that by controlling and verifying all traffic coming into a network, the network is kept secure. No restrictions or traffic inspection are applied on the inner network. What this model doesn't take into consideration is the state of the systems inside the network that is being protected. If systems that are already compromised are introduced into that network (think infected laptops), a perimeter defense strategy is useless. Also, when a service is allowed through the firewall, for example by adding a firewall exception for port 80 to allow access to a web server on the internal network, the perimeter firewall is effectively rendered useless and the perimeter defense strategy shattered. The reason is that if something were to compromise the web server on the inner network via the HTTP protocol, the compromised asset on the inner network could then be used as a pivot point to further attack the inner network.
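To make the port 80 scenario concrete, here are two alternative nftables rulesets (an added example, not from the book). The addresses and interface names are hypothetical: the web server is 10.10.0.5 on interface "dmz", the control network is 10.20.0.0/24 on interface "ot", and "wan" faces the internet; load only one of the two tables.

```nft
# --- Weak: perimeter-only. One exception for port 80, nothing inside. ---
# Once the web server is compromised, the "lan accept" rule lets it reach
# every controller on the inner network.
table inet perimeter_only {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "wan" ip daddr 10.10.0.5 tcp dport 80 accept   # the exception
        iifname "lan" accept   # inner network is fully trusted
    }
}

# --- Stronger: same exception, but the web server sits in its own zone and
# may never initiate a session toward the control network. ---
table inet zoned {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # internet may reach only the web server, only on tcp/80
        iifname "wan" oifname "dmz" ip daddr 10.10.0.5 tcp dport 80 accept
        # control network may pull data from the web server (hypothetical tcp/443)
        iifname "ot" oifname "dmz" ip saddr 10.20.0.0/24 ip daddr 10.10.0.5 tcp dport 443 accept
        # a compromised web server trying to pivot inward is logged and dropped
        iifname "dmz" oifname "ot" log prefix "dmz-to-ot-blocked " drop
    }
}
```

The log line from the last rule is the detection point: any "dmz-to-ot-blocked" entry means the web server tried to open a connection into the control network, which legitimate traffic in this design never does.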
