SANS Industrial Control Systems Security Blog

7 Tips For Planning ICS Plant Visits

As you plan the next visit to your ICS plant(s) with your security team, consider these seven tips. They will maximize time on-site for accurate asset identification, effective cybersecurity awareness that will foster IT and OT relationships for smooth ICS incident response, and highlight new ways to ethically hack your digital and physical security perimeter.

1. OSINT For ICS Defenders
OSINT (Open Source Intelligence) is publicly available information that could be of high value for the adversary, yet is often overlooked when understanding an organization's threat landscape from a defense perspective. As ICS defenders you should at least know what information is publicly available about your organization, devices, facilities, IP range(s) etc. This is usually where the adversary starts gathering information to build an attack profile against a target. They can use OSINT on your organization to find vulnerabilities, select an initial attack vector, and craft an effective attack specific to you.

Before heading to site, have your team run through an OSINT exercise on your organization. It's a great way to reveal information and potential attack surfaces without being intrusive to ICS operations. Assume the adversary already knows what your team will find. While on-site track down devices, networks and systems you've found through the exercise and fully verify and inventory them. Further ensure those assets are removed where feasible (verify with the business and on-site personnel before unplugging anything!) and properly secure what needs to remain online. Then, where it makes sense, work with the Business to reduce OSINT on them. ICS515 will teach you how to conduct OSINT on your organization and show you how to automate alerting.

2. Coordinate with Safety Department
Prior to getting to the site, coordinate with stakeholders, including the site Safety Department. They'll need to be aware of your arrival and will conduct safety training when you arrive. This team knows the sites well and will be your guide, connecting you with plant operators. On-site operators and engineers live and breathe safety every day.

Stay alert and don't forget your proper personal protective equipment (PPE). Wear the right gear as per your site's policy. Learn to leverage the physical safety culture by drawing parallels between physical safety and cyber-safety.

3. Ethically Hack Your Physical Security Perimeter
Approach each site with the objective to evaluate defenses against physical intrusions. See how far you can get into the facility by challenging authentication at each level, starting with the front gate. Wait to show a badge until it is requested, look for areas you could tailgate, look for unlocked doors, fences with holes or gaps, etc., all while keeping safety as the highest priority.

4. Cybersecurity Discussions on the Plant Floor
The ultimate place for a cybersecurity discussion is right on the plant floor with your operators. Cybersecurity teams need to understand how the physical ICS process and plant works, which systems are likely to be targeted by the adversary, and which are critical to the process that, if unavailable, would cause disruption to the process or a safety concern to people in the plant.
Cybersecurity teams need to communicate that security fully supports the safety and reliability of operations as their prime concern (always preferring IDS over IPS, for example). This goes a long way for the efforts of IT and OT convergence.

5. Spreadsheet App, Laptop Stand, and Network Diagrams
Whether your industrial control system (ICS) is an electric power utility, an oil & gas installation, or a cookie factory — asset identification is a crucial prerequisite for efficient network security monitoring, and the crux of active ICS defense. We all know there is a difference in what's on paper and what's in production — but let's start with what's on paper. Network diagrams will kick-start your asset identification efforts. If/when gaps are found on diagrams document them and keep moving.

Laptop tripod stands speed up inventory and data gathering efforts when a desk is not accessible.

Your spreadsheet to capture asset inventory should contain at least:
Asset Name
Description of Function
IP Address
MAC Address
Model/Manufacturer
Serial Number
Means of connectivity to the network
Protocol(s) used.

6. Follow Up with Traffic Analysis
Some items from plant inspections can be missed when doing asset identification. For example, when there is scheduled maintenance or upgrades, there may be inaccessible areas.

To close these gaps and get information on other assets when the process is fully up and running, traffic analysis can be used. This method is safer and less time consuming since no site visit is required, but will require a SPAN port and a hard drive to store the PCAPs.

You may want to capture traffic for 24-72 hours depending on the ICS process and how the process functions. Using free tools such as Wireshark, and its built-in features, can help you further identify assets. Of course, you will not get the discussions on the plant floor, which is why physical inspection is my recommended first method for asset ID efforts.

7. Storing Asset Inventory Back at the Office
Your inventory is incredibly valuable to your and the team. It is also of value and sought after by the adversary. Dump data gathered from your spreadsheet into a database that's scalable, searchable, secure via authentication, and segmented off from user land.

Whether your ICS is an oil & gas facility, an electric generating site or a cookie factory, asset identification is a crucial prerequisite for effective network security monitoring, and a key part of ACDC (Active Cyber Defense Cycle) applied to industrial control system cyber defense. Each step of the cycle is thoroughly explored through in-class discussions and labs in ICS515.

To learn more about Dean and where you can take his next course - visit his SANS bio page: https://www.sans.org/instructors/dean-parsons