Dragos OT-CERT would like to thank Sarah Formwalt for authoring this blog while working at Dragos.
This is our monthly blog detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. This month’s best practice recommendations cover system hardening best practices for an OT environment. Hopefully, you filled out the OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey and identified your gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today.
Larger Organizations Take Note
If you have been increasing your security posture and reduced risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!
What Are System Hardening Requirements for an OT Environment?
The following recommendations are provided to help SMBs developing initial/basic system hardening requirements for their ICS/OT environment. Use the ICS/OT Security Hardening Checklist for tracking your hardening status.
NOTE: Dragos OT-CERT recommends testing and validating functionality of operations before any of these procedures are implemented in a production environment.
| HARDENING REQUIREMENTS | PROCEDURE | |
| 1. Remove Non-Essential Components | 1.1 Audit system(s) to identify and remove any services, applications, protocols, drivers, and other non-essential components. 1.2 Disable non-essential components that cannot be removed. 1.3 Disable insecure communication protocols not required for business purposes. 1.4 Remove the following as applicable, where technically feasible. – 1.4.1 Email services – 1.4.2 File sharing services – 1.4.3 Network management tools – 1.4.4 Printer sharing services 1.5 Disable debug mode. 1.6 Ensure all configuration settings are documented. | |
| 2. Restrict Remote Access | 2.1 Engineering and OT teams must evaluate what systems are necessary to leverage remote access. Remote access, including process control, should be limited as much as possible. 2.2 Remote access requirements should be determined, including IP address, communication types, and what processes can be monitored. All others should be disabled by default. 2.3 User-initiated access should require multi-factor authentication. 2.4 All remote access communication should be logged and monitored. 2.5 Document the remote access mechanism, required configuration, and use case. 2.6 Ensure remote access needs are periodically reviewed. | |
| 3. Change Default Passwords | 3.1 Change all default passwords for devices and applications. 3.2 Passwords must meet organizational password requirements, where technically feasible. 3.3 Change local default root/administrator username and password per application. 3.4 Change local default root/administrator username and password on console/maintenance ports. 3.5 Devices that can’t meet organizational password requirements must be configured to the maximum password strength. | |
| 4. Access Controls/Principle of Least Privilege | 4.1 Devices must be configured with individual user accounts, where technically feasible. 4.2 Ensure that administration-level (privileged access) accounts are required to perform any configuration changes on the system. 4.3 Separate administration-level accounts must be created for each administrator on the system. 4.4 Operator accounts/user accounts are required for normal operation of the device. 4.5 If the device does not support unique user accounts, document the shared account information. 4.6 Utilize features such as “kiosk mode,” where feasible. | |
| 5. Device Firmware Upgrade | 5.1 Identify the device firmware version. 5.2 Check the vendor website for firmware updates. 5.3 If an update is available, validate the firmware update authenticity and integrity by verifying the file hash or cryptographic key. 5.4 Test the update in a lab or development environment before implementing into production. 5.5 Backup the current firmware before applying the update. 5.6 Retain an offline copy of the firmware and corresponding hash or cryptographic key. 5.7 Annotate on the OT cyber asset inventory the current firmware version. | |
| 6. Vulnerability Identification and Patching | 6.1 Review OT asset inventory for identified and known vulnerabilities. 6.2 Develop a method to determine if a patch is critical, high, medium, or low. 6.3 Patch critically and assessment of risk will determine whether you implement a patch now, next, or never. 6.4 Check vendor website for vulnerability updates. 6.5 Validate each vulnerability update authenticity and integrity by validating the file hash or cryptographic key. 6.6 Test functionality in a lab or development environment before implementing into production. 6.7 Annotate on the OT cyber asset inventory the current patched version. | |
| 7. Additional Security Considerations | 7.1 Configure built-in security features such as host-based firewalls, port-security, logging, anti-virus, etc. 7.2 Replace self-signed certificates with Certificate Authority (CA) signed certificates. 7.3 Physically secure cyber assets. 7.4 Implement network segmentation where feasible. 7.5 Password protect configuration and project files. 7.6 Update OT cyber asset inventory by identifying new cyber assets and documenting any configuration changes. |
Stay Up to Date with SMB Cybersecurity Resources: Join Dragos OT-CERT!
Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / ICS / OT cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.
Currently available resources include:
- OT Cybersecurity Fundamentals Self-Assessment Survey
- OT Asset Management Toolkit
- Self-Service OT Ransomware Tabletop Exercise Toolkit
- Collection Management Framework for Incident Response
- OT Cybersecurity Incident Response Toolkit
- OT Data Backups Guidance
- Host-Based Logging and Centralized Logging Toolkits
- Access to an introductory ICS/OT cybersecurity module in Dragos Academy
If you haven’t joined Dragos OT-CERT don’t delay! Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.
We look forward to working with you to safeguard civilization!
Join OT-CERT today!
Ready to put your insights into action?
Take the next steps and contact our team today.