Cyber Security Policy

Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cyber security. Ensuring cyber security requires coordinated efforts throughout an information system. Elements of cyber security include application security, information security, network security, disaster recovery / business continuity planning, and end user education (Whatis.techtarget.com). 

One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment. To deal with the current environment, advisory organizations are promoting a more proactive and adaptive approach. The National Institute of Standards and Technology (NIST), for example, recently issued updated guidelines in its risk assessment framework that recommended a shift toward continuous monitoring and real-time assessments

The word “policy” is applied to a variety of situations that concern cyber security. It has been used to refer to laws and regulations concerning information distribution, private enterprise objectives for information protection, computer operations methods for controlling technology, and configuration variables in electronic devices (Gallaher, Link et al. 2008). But there is a myriad of other ways in which literature uses the phrase cyber security policy. The tension between demand for cyber functionality and requirements for security is addressed through cyber security policy.

Common ICS vulnerabilities and associated recommendations are discussed in this report. Insight is gained into the current state of ICS security through high-level analysis of the problem areas by information gathered from CSSP ICS security assessments and ICS-CERT alerts, advisories, and incident response. This report is organized in three sections. First, the different sources of ICS vulnerability information are summarized. Then the common ICS vulnerabilities are presented according to categories that describe a general problem observed in multiple ICS security assessments.

These three general categories are grouped by:

1.  Vulnerabilities inherent in the ICS product
2. Vulnerabilities caused during the installation, configuration, and maintenance of the ICS
3. The lack of adequate protection because of poor network design or configuration.

Compilation of ICS Vulnerability Information DHS ICS risk reduction activities have gathered vulnerability information from many different types of ICS components, used by the multiple types of ICS. Information from different assessment approaches and ICS types provides a more complete picture of the security risks to ICS. Common types of vulnerabilities identified through CSSP assessments, ICS-CERT activities, and CSET self-assessments have been named and classified using consistent criteria, such as the Common Weakness Enumeration (CWE)d where possible, to enable correlation of vulnerability data. However, one should be careful about drawing conclusions from the data presented in this report. 

Based on assessment activities and the industry culture change towards more secured ICS, the vendor and asset owners community has increased in the patch management process and has reduced known vulnerabilities by patching ICS. These categories summarize the main causes of vulnerabilities that put ICS software at risk to cyber-attack. ICSs are made up of process equipment, process control hardware, network devices, and computers. Vulnerabilities in network devices and protocols, or the operating systems, ICS software, and other software running on the ICS computers could allow an attacker to gather information about, disrupt, or manipulate ICS operations.

A major difference in securing ICS and a typical computer system is in the ICS components that do not use standard information technology (IT) hardware or software. Custom ICS hardware and software have not been scrutinized like common computer products, and refresh rates are typically much lower. Another difference is the prioritization of security objectives. While adding security measures to ICS components, it is important to keep in mind functional requirements. Unlike typical IT systems,

ICS security objectives are typically prioritized as:

1. Availability
2. Integrity
3.  Confidentiality.

Violating operational requirements while implementing security features in ICS could cause more damage than a cyber-attack.

Buffer overflows are the most common type of vulnerability identified in ICS products. The following are example buffer overflow vulnerabilities discovered in ICS products:

• Stack-based buffer overflows allowed remote code execution on ICS hosts
•  Heap-based buffer overflows allowed remote code execution on ICS hosts
•  A buffer overflow was found in a historian application
•  Username and password buffer overflows in Web Human-Machine Interface (HMI) Web server • Stack-based buffer overflow in ICS Web service
•  Stack-based buffer overflow in ICS Web HMI
•  Buffer overflow in ICS Web client
•  Exploitable stack overflow in OLE for Process Control (OPC) server
•  Heap-based buffer overflow in OPC server. Stack-based buffer overflow in OPC client
•  Stack-based buffer overflow caused by the use of the “strcpy” function
•  Buffer overflow vulnerability identified in a PLC application

Common ICS Configuration Weaknesses Vulnerabilities in the previous section are inherent in the ICS products. Other vulnerabilities can be introduced by the way the ICS is installed and maintained. Each ICS installation is a unique combination of components and functionality offered by an ICS product vendor. ICS are generally such major purchases in time and money that very few systems from each ICS product line are delivered before features are added and a new version is released. Few installations are of the same ICS product version and features, which contribute to a lack of, or insufficient, standard procedures for securely configuring each ICS product.

Weak Passwords Some assessments discovered applications that had been configured without passwords, which means that anyone able to access these applications are guaranteed to be able to authenticate and interact with them. The following are specific assessment findings where the ICS was designed not to use passwords or delivered with unconfigured third-party applications.

• Database service was configured without a password on multiple assessments.
•  NULL connection allows remote hosts to query each system for information without requiring authentication.
•  Password length can have zero characters. Any user on the system can have a blank password.

Weak Firewall Rules Firewall rules are the implementation of the network design. Enforcement of network access permissions and allowed message types and content is executed by firewall rules. on address groups that include a wider range than should be allowed. The following are specific assessment findings associated with this vulnerability:

•  Personal firewalls need to be configured to restrict all unnecessary traffic.
•  Router inside and outside interfaces had 24-bit netmask rather than 16-bit.
•  Access lists are defined but not applied. No inbound filtering.
•  Access lists are incorrect for required ports.
•  Access to network printer services on corporate LAN was not restricted by password protection or access control list.
•  E-mail client on DMZ had access to corporate LAN and Internet.
•  Inadequate outgoing access restrictions 

Cite this page