Defining and prioritizing mitigation activities

"Dealing with the large task at hand by prioritizing and strategizing efforts."

Dealing with large amounts of risk, found in several systems, is simplified by prioritizing the mitigation activities around the discovered risk. Although oversimplified, the initial risk found for the Slumbertown Paper Mill can be prioritized as shown here:

Priority 1
  Technical area: ICS network architecture
  Discovered risk: All the production-related equipment and devices are placed on the same network and VLAN. There is no logical or physical separation.
  Mitigation control: Divide the Industrial network into VLANs and functional areas; subdivide functional areas into enclaves.

Priority 2
  Technical area: ICS network architecture
  Discovered risk: Industrial and Enterprise systems communicate through jump servers. This creates a potential risk of pivoting attacks from the Enterprise network into the Industrial network.
  Mitigation control: Implement an IDMZ to allow secure communications between Industrial and Enterprise systems.

Priority 3
  Technical area: Security monitoring
  Discovered risk: Security monitoring and event logging are not installed on the Industrial network.
  Mitigation control: Install a centralized logging and event collection solution.

Prioritizing mitigation efforts allows addressing found risk in a strategic and effective way. When deciding on the priority of addressing the discovered risk for systems and assets, factor in considerations such as system criticality, security budget, risk severity, and exploitation likelihood.
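The paragraph above names the factors that decide priority (system criticality, risk severity, exploitation likelihood and security budget) but does not show how they combine into an ordered plan. The following is an added example, not code from the book, that turns those factors into a small risk register: each finding gets a multiplicative risk score, findings are ranked by that score (cheaper control first on ties), and the available budget is then spent greedily down the ranked list. The numeric scales, the scores assigned to the three Slumbertown findings and the budget figure are all assumptions for illustration.

```python
# Added example: a minimal risk register that turns the prioritization factors
# named in the text (system criticality, risk severity, exploitation likelihood,
# security budget) into a ranked mitigation plan. The 1..5 scales, the scores
# given to each finding and the effort/budget units are assumptions, not values
# from the book.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    area: str            # technical area the finding belongs to
    risk: str            # discovered risk
    mitigation: str      # proposed mitigation control
    severity: int        # impact if exploited, 1 (low) .. 5 (critical)
    likelihood: int      # chance of exploitation, 1 .. 5
    criticality: int     # criticality of the affected systems, 1 .. 5
    effort: int          # relative cost of the control, in budget units


def risk_score(item: RiskItem) -> int:
    """Multiplicative score: worse, likelier findings on more critical systems rank higher."""
    for value in (item.severity, item.likelihood, item.criticality):
        if not 1 <= value <= 5:
            raise ValueError(f"score out of range for {item.risk!r}: {value}")
    return item.severity * item.likelihood * item.criticality


def prioritize(items, budget: int):
    """Rank findings by risk score (cheaper control first on ties), then fund them
    greedily in that order until the budget is exhausted.

    Returns a list of (priority, item, funded) tuples. Unfunded items keep their
    priority so they carry over unchanged into the next budget cycle.
    """
    ranked = sorted(items, key=lambda i: (-risk_score(i), i.effort, i.area))
    remaining = budget
    plan = []
    for priority, item in enumerate(ranked, start=1):
        funded = item.effort <= remaining
        if funded:
            remaining -= item.effort
        plan.append((priority, item, funded))
    return plan


# Constructed register: the three Slumbertown findings from the table above,
# deliberately listed out of order, with assumed scores.
SLUMBERTOWN_FINDINGS = [
    RiskItem("Security monitoring",
             "No security monitoring or event logging on the Industrial network",
             "Install a centralized logging and event collection solution",
             severity=3, likelihood=3, criticality=4, effort=2),
    RiskItem("ICS network architecture",
             "Industrial and Enterprise systems communicate through jump servers",
             "Implement an IDMZ between Industrial and Enterprise systems",
             severity=4, likelihood=3, criticality=5, effort=3),
    RiskItem("ICS network architecture",
             "All production equipment on one network and VLAN, no separation",
             "Divide the Industrial network into VLANs, functional areas and enclaves",
             severity=5, likelihood=4, criticality=5, effort=4),
]


def slumbertown_plan(budget: int = 7):
    """Ranked plan for the constructed register under an assumed budget of 7 units."""
    return prioritize(SLUMBERTOWN_FINDINGS, budget)


if __name__ == "__main__":
    for priority, item, funded in slumbertown_plan():
        status = "funded" if funded else "deferred"
        print(f"{priority}. [{risk_score(item):3d}] {item.mitigation} ({status})")
```

With the assumed scores the ranking reproduces the book's order (segmentation, IDMZ, monitoring), and a budget of 7 units funds the first two controls while deferring centralized logging to the next cycle. The greedy pass keeps walking down the list after a control that does not fit, so a cheap lower-priority control can still be funded in the current cycle; if that is not acceptable in your programme, stop at the first unfunded item instead.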

While prioritizing mitigation efforts, it often helps to think of the security bubble analogy, discussed earlier in the book. To reiterate, the analogy explains how to approach securing ICS devices that oftentimes cannot be secured directly because of a lack of device capabilities, the age of the device, or other limiting factors. The idea behind the security bubble is to get all those sensitive, hard-to-secure devices and systems out of harm's way by placing them on their own network (Priority 1 efforts). Next, all access to these systems and devices should be restricted (Priority 2 efforts). This includes locking devices in cabinets, blocking or disabling unused communication ports, and restricting access to sensitive areas of the facility.

Where interaction is necessary, a secured, restricted and monitored conduit should be provided. These activities can be Priority 1 or Priority 2, depending on when and where the conduits are implemented.

Priority 3 activities mostly involve administrative controls and logging and monitoring activities such as enforcing policies and providing central event collection capabilities.
