|Data Sources||Authentication logs, Windows event logs, Network protocol analysis, Packet capture|
|Asset||Human-Machine Interface, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay, Control Server, Engineering Workstation|
Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.1
Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
- Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.1
- Change default passwords to strong ones, when possible. In some instances, network traffic may be easily intercepted or sent in plaintext. In these instances, multi-factor authentication can act as both a barrier to the adversary and help alert the account owner of unauthorized access. Triple-factor authentication may also be considered.1
- Be aware of device patching and maintenance that would enable password changes or stronger passwords than currently used ones.1
- Authenticate wireless communications and access with a secure IEEE 802.1x authentication protocol.1
- Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured.1
- In general, console user actions should be traceable, whether it may manually (e.g. control room sign in) or automatic (e.g. login at the application and/or OS layer).1 Protect and restrict access to the resulting logs.
- Implementing Challenge/Response authentication eliminates the risk of discovery or replay that traditional password exchange has. Physical, token authentication can also be considered. It is also easier to notice if these have gotten lost or stolen, unlike traditional passwords. Smart cards another option to consider, and provide additional functionality over token authentication. Biometric authentication may also be good supplement to software-only password solutions.1
- Secure and check new acquisitions for tampering and signs of malicious components.1
- VPNs can be used to provide secure access from an untrusted network to the ICS control network and restrict access to and from host computers.1
- In the event the adversary is already inside the network, an intrusion detection system can help detect and record unusual patterns of activity.1