Key cyber security controls in industrial automation | Traficom

A common problem in industrial cyber security management is deciding which controls to focus on, particularly in production environments. Fortunately, the issue has been analysed by several parties, who have also published guidance on good practices. In this set of guidelines we combine recommendations from the publications of several national authorities and information security firms and supplement them with our own experience.

There are never enough resources to manage cyber security perfectly. How, then, can you make sure that the controls you choose to employ actually provide sufficient security? This is a particularly tricky question in industrial environments, where digital technology is a critical part of production. The most serious risks in production environments are unexpected stoppages and loss of control of the production process. Because of this, the priorities for industrial environments differ markedly from those of conventional information technology security.

The publication ‘The Five ICS Cybersecurity Critical Controls’ by the information security research and training community SANS defines the five most important controls for the cyber security of industrial control systems (ICS). Dragos, a company specialising in industrial automation cyber security, refers to these five controls in its 2022 Year in Review and evaluates how well they had been implemented in the cases it covers.

We have adapted the five SANS controls with the aid of guidance from the National Cyber Security Centre Ireland, the United States Cybersecurity and Infrastructure Security Agency (CISA) and Department of Energy (DOE), and the National Cyber Security Centre Finland.

1. ICS incident response

Preparedness should be guided by a defined, maintained, documented and practised incident response process. In practice, this process covers how cyber incidents in production environments are detected, analysed, responded to and recovered from. For detection, the key capability is being able to analyse network traffic. You should also always be able to establish the root cause of an incident, which is often impossible without sufficiently comprehensive log data. Log data should be collected in a centralised location so that detections from different sources can be correlated and aggregated.
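The point about centralised collection is easiest to see with logs from several sources side by side. The following is an added example, not code from the Traficom page: the log lines, host names and line formats are constructed for illustration, and the 06:00 to 18:00 maintenance window is an assumption. It normalises lines from a VPN concentrator, a jump host and an engineering workstation into one event list and then links each PLC program download back to the remote session that preceded it, which is the chain an analyst needs for root-cause analysis and which the workstation’s own log alone cannot show.

```python
"""Correlate remote-access and OT events from centrally collected logs.

Added example; not code from the Traficom page. All log lines, host names
and the log formats are constructed for illustration, and the 06:00-18:00
maintenance window is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines from a VPN concentrator, a jump host and an
# engineering workstation (EWS) as they would sit side by side in central storage.
SAMPLE_LOGS = """\
2024-03-04T01:58:12Z vpn01 auth: user=vendor-maint src=198.51.100.23 result=success mfa=no
2024-03-04T02:01:40Z jump01 sshd: session opened for user vendor-maint from 10.10.0.5
2024-03-04T02:07:03Z ews01 engineering: program download to PLC-07 by vendor-maint
2024-03-04T09:15:00Z vpn01 auth: user=operator1 src=203.0.113.8 result=success mfa=yes
2024-03-04T09:40:21Z ews01 engineering: program download to PLC-02 by operator1
2024-03-04T14:02:10Z ews01 engineering: program download to PLC-03 by plant-eng
"""

VPN_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$")
JUMP_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: session opened for user (?P<user>\S+) from (?P<src>\S+)$")
PLC_RE = re.compile(r"^(?P<ts>\S+) \S+ engineering: program download to (?P<plc>\S+) by (?P<user>\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_logs(text):
    """Normalise the three source formats into a single, time-ordered event list."""
    events = []
    for line in text.splitlines():
        if (m := VPN_RE.match(line)) and m["result"] == "success":
            events.append({"ts": parse_ts(m["ts"]), "kind": "vpn_login", "user": m["user"],
                           "src": m["src"], "mfa": m["mfa"] == "yes"})
        elif m := JUMP_RE.match(line):
            events.append({"ts": parse_ts(m["ts"]), "kind": "jump_session",
                           "user": m["user"], "src": m["src"]})
        elif m := PLC_RE.match(line):
            events.append({"ts": parse_ts(m["ts"]), "kind": "plc_download",
                           "user": m["user"], "plc": m["plc"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(hours=1), maintenance_hours=range(6, 18)):
    """Link each PLC program download to the remote session that preceded it.

    A download is reported when it happens outside the (assumed) maintenance
    window or when the VPN login that started the chain was made without MFA.
    The returned chain lists every event of the same user within `window`
    before the download, oldest first, ending with the download itself.
    """
    findings = []
    for ev in events:
        if ev["kind"] != "plc_download":
            continue
        chain = [e for e in events
                 if e["user"] == ev["user"] and e["kind"] != "plc_download"
                 and ev["ts"] - window <= e["ts"] <= ev["ts"]]
        logins = [e for e in chain if e["kind"] == "vpn_login"]
        reasons = []
        if ev["ts"].hour not in maintenance_hours:
            reasons.append("outside maintenance window")
        if any(not login["mfa"] for login in logins):
            reasons.append("remote login without MFA")
        if reasons:
            findings.append({"plc": ev["plc"], "user": ev["user"], "reasons": reasons,
                             "root_cause": logins[0] if logins else None,
                             "chain": [e["kind"] for e in chain] + ["plc_download"]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_logs(SAMPLE_LOGS)):
        print(f["plc"], f["user"], ", ".join(f["reasons"]), "<-", " -> ".join(f["chain"]))
```

On the constructed sample only the night-time download to PLC-07 is reported, and the finding carries the VPN login from 198.51.100.23 as its root cause; the same download seen in the workstation log alone would just be a program change by an authorised account.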

The Kybermittari tool developed by the National Cyber Security Centre Finland helps companies assess their capacity to prevent cyber threats. The Kybermittari section on the management of cyber events and incidents evaluates a company’s capacity to control, react to and recover from cyber events and incidents. Kybermittari can be used to assess the cyber security maturity of production networks, and it can help you identify the areas of your environment that have deficiencies and require further development.

2. Defensible architecture

A system architecture designed with resilience in mind aims to reduce both the likelihood of risks materialising and their impact when they do, and to make defence easier. Support for implementing and managing protective security controls should be built in at the network architecture planning stage. Controls that the architecture should support include logging, visibility, and physical or logical network segmentation.

Well-executed network separation and isolation, for example, makes the environment easier to protect, prevents attackers from moving freely within it after an intrusion, and gives a better opportunity to monitor traffic entering and leaving the production environment as well as traffic inside it. The first Tonttu project of the National Cyber Security Centre Finland, which studied the agile implementation of cyber security controls, observed that deficiencies in network isolation are not uncommon even in important environments. System design should make use of existing good practices and standards.

3. Network visibility and monitoring

Deficient visibility into the network traffic and devices of production environments makes it difficult to detect and investigate incidents, let alone maintain an accurate inventory of the assets to be protected. Without an asset inventory, risk management in turn becomes difficult, if not impossible. Ensuring visibility without breaking network isolation requires particular care, so that monitoring itself does not open a new path into the production network.

In 2021, the Lauttatonttu project of the National Cyber Security Centre Finland charted network assets that needed protection and alerted their owners to any unexpected, unprotected assets it detected. We recommend following the upcoming Tonttu projects on this theme.
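One way to get an inventory without touching the isolation boundary is to build it passively from flow records exported by a sensor on a SPAN port or network tap, rather than by scanning the production network. The following is an added example, not code from the Traficom page or the Tonttu projects: the flow records, addresses, the known-asset list and the address ranges are constructed, and the port-to-protocol mapping is a plain convention assumed here. It derives the observed assets from the flows and then reports what the text calls unexpected assets: unknown hosts inside the production network, unknown clients speaking an OT protocol to a controller, and production assets talking to addresses outside the production network and DMZ.

```python
"""Passive asset inventory from flow records, with unexpected-asset findings.

Added example; not code from the Traficom page. Flow records, addresses,
the known-asset list and the address ranges are constructed; the port-to-
protocol mapping is a convention assumed here, not an exhaustive list.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan: the production (OT) network and the DMZ for the jump host.
OT_NET = ipaddress.ip_network("10.10.0.0/16")
DMZ_NET = ipaddress.ip_network("10.20.0.0/24")

# Well-known OT service ports (convention used for this example).
OT_PORTS = {502: "modbus", 44818: "enip", 102: "s7comm", 20000: "dnp3"}

# Constructed flow records from a SPAN/TAP-fed sensor: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.10.1.10", "10.10.2.20", 502, 4200),    # known HMI -> known PLC
    ("10.10.1.10", "10.10.2.21", 502, 3100),    # known HMI -> known PLC
    ("10.20.0.5", "10.10.1.10", 3389, 15000),   # jump host -> HMI (RDP)
    ("10.10.3.77", "10.10.2.20", 502, 880),     # unknown host polling a PLC
    ("10.10.2.21", "203.0.113.9", 443, 2500),   # PLC talking to an internet address
]

# Constructed inventory of what the plant believes it owns.
KNOWN_ASSETS = {
    "10.10.1.10": {"name": "HMI-01", "role": "hmi"},
    "10.10.2.20": {"name": "PLC-01", "role": "plc"},
    "10.10.2.21": {"name": "PLC-02", "role": "plc"},
    "10.20.0.5": {"name": "JUMP-01", "role": "jump"},
}


def build_inventory(flows):
    """Observed assets: every address seen, the OT services it serves
    (judged by the destination port it receives) and the peers it talks to."""
    inv = defaultdict(lambda: {"serves": set(), "peers": set()})
    for src, dst, port, _ in flows:
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        if port in OT_PORTS:
            inv[dst]["serves"].add(OT_PORTS[port])
    return dict(inv)


def find_unexpected(flows, known):
    """Compare the observed inventory with the known one and list (ip, reason) findings."""
    findings = set()
    observed = build_inventory(flows)
    for ip, data in observed.items():
        addr = ipaddress.ip_address(ip)
        if addr in OT_NET and ip not in known:
            findings.add((ip, "unknown asset inside OT network"))
        if addr not in OT_NET and addr not in DMZ_NET:
            # An address outside both OT and DMZ: report every OT asset it exchanged traffic with.
            for peer in data["peers"]:
                if ipaddress.ip_address(peer) in OT_NET:
                    findings.add((peer, f"OT asset communicating with external address {ip}"))
    for src, dst, port, _ in flows:
        if port in OT_PORTS and src not in known:
            findings.add((src, f"unknown client speaking {OT_PORTS[port]} to {dst}"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, reason in find_unexpected(FLOWS, KNOWN_ASSETS):
        print(ip, reason)
```

Because the sensor only listens, nothing here needs a route from the monitoring network back into the production segment; the one-way flow export is the isolation-preserving part, and the comparison against the known inventory is what turns raw visibility into the alerts the Lauttatonttu project produced.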

4. Secure remote access

Secure remote access allows only identified and authorised users to establish permitted connections to production environments. According to Dragos, the most common way of penetrating production environments is to abuse their remote access connections. This problem especially affects environments where the information technology (IT) and operational technology (OT) networks share the same user accounts, so that a credential compromised on the IT side also opens the OT side.

Multi-factor authentication (MFA) can be applied safely in most production environments, and it has been shown to significantly reduce successful attacks. MFA should be adopted especially for networks shared between organisations and for services visible to the public internet. If MFA cannot be used, protection must be implemented in some other way, for example by isolating the systems behind carefully controlled jump hosts. Remote connections should also be time-limited where possible: in practice, this means setting limits on the duration of the remote connection and on how long the systems may be used within it.

According to the observations of the National Cyber Security Centre Finland, insecure remote access is sometimes related to problems in network isolation. For example, errors in the design and editing of firewall rules may leave remote access services that were meant to be protected, or the login pages of devices and services, publicly visible on the internet. One statutory task of the National Cyber Security Centre Finland is to map unprotected automation systems visible on the internet, and login interfaces come up repeatedly in that mapping.
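The rule-editing errors described above can be caught before they reach the internet by auditing the ruleset itself. The following is an added example, not code from the Traficom page: the ruleset format is a deliberately simplified, constructed one (an ordered list where the first matching rule decides), and the address ranges, jump host and list of login ports are assumptions. It flags allow rules that expose a login interface in the production network to sources other than the jump host, and deny rules that a wider, earlier allow rule has made unreachable, which is exactly how a "temporary" rule left in place ends up exposing a service that a later rule was supposed to protect.

```python
"""Audit a firewall ruleset for rules that expose OT login interfaces.

Added example; not code from the Traficom page. The ruleset format is a
simplified, constructed one (ordered, first match wins); the address ranges,
the jump host and the login-port list are assumptions.
"""
import ipaddress

OT_NET = ipaddress.ip_network("10.10.0.0/16")       # assumed production network
JUMP_HOST = ipaddress.ip_network("10.20.0.5/32")    # assumed jump host in the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ports behind which an interactive login window or a management interface
# typically sits (convention for this example, not exhaustive).
LOGIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
               3389: "rdp", 5900: "vnc", 8080: "http-alt"}

# Constructed ruleset: first matching rule decides; dport None means any port.
RULES = [
    {"id": 10, "action": "allow", "src": "10.20.0.5/32", "dst": "10.10.0.0/16", "dport": 3389},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.5.0/24", "dport": 443},  # forgotten debug rule
    {"id": 30, "action": "deny", "src": "0.0.0.0/0", "dst": "10.10.5.0/24", "dport": 443},   # intended, but shadowed by 20
    {"id": 40, "action": "allow", "src": "198.51.100.0/24", "dst": "10.10.2.0/24", "dport": 502},
    {"id": 99, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": None},
]


def net(text):
    return ipaddress.ip_network(text)


def is_internal(src):
    return src.subnet_of(OT_NET) or src.subnet_of(JUMP_HOST)


def audit(rules):
    """Return (rule id, finding) pairs for exposed login interfaces and shadowed denies."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst = net(rule["src"]), net(rule["dst"])
        if rule["action"] != "allow":
            # A deny whose source and destination are fully covered by an earlier
            # allow on the same port can never match; the allow wins every time.
            for prev in rules[:i]:
                if (prev["action"] == "allow" and prev["dport"] == rule["dport"]
                        and src.subnet_of(net(prev["src"])) and dst.subnet_of(net(prev["dst"]))):
                    findings.append((rule["id"], f"deny shadowed by allow rule {prev['id']}"))
            continue
        if not dst.overlaps(OT_NET) or is_internal(src):
            continue
        if rule["dport"] in LOGIN_PORTS:
            findings.append((rule["id"], f"{LOGIN_PORTS[rule['dport']]} login interface in OT reachable from {src}"))
        elif rule["dport"] is None:
            findings.append((rule["id"], f"all ports in OT reachable from {src}"))
        elif src == ANY:
            findings.append((rule["id"], f"port {rule['dport']} in OT reachable from the internet"))
        else:
            findings.append((rule["id"], f"port {rule['dport']} in OT reachable from external range {src}, not via the jump host"))
    return findings


if __name__ == "__main__":
    for rule_id, text in audit(RULES):
        print(f"rule {rule_id}: {text}")
```

Running the audit against the constructed ruleset reports rule 20 (an HTTPS login page in the production network reachable from anywhere), rule 30 (a deny that can never fire because rule 20 precedes it) and rule 40 (a Modbus path from an external range that bypasses the jump host). The same check belongs in the change process for firewall rules, not only in a periodic review, because the exposure appears the moment the rule is saved.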

5. Risk-based vulnerability management

Risk-based vulnerability management requires an up-to-date asset inventory and the ability to prioritise both vulnerabilities and systems. If a device or system manufacturer provides a Software Bill of Materials (SBOM) for its products, you should definitely make use of it, as it lets you check which of your assets contain a vulnerable component without waiting for a product-specific advisory. You can also use the Kybermittari section on threat and vulnerability management, which evaluates an organisation’s capacity to establish and maintain the plans, processes and technologies needed to detect, identify, analyse, manage and respond to cyber threats and vulnerabilities in proportion to the risks facing the organisation and its objectives.

Unfortunately, the manufacturers of automation systems still rarely include in their vulnerability notifications any mitigation other than updating the vulnerable software. Software updates are usually only possible during a production stoppage, but you should be able to reduce the likelihood and impact of the exploitation of vulnerable systems already in the period between the publication of the vulnerability notification and the next stoppage, for example by restricting network access to the vulnerable service and monitoring it more closely.
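The two preceding paragraphs describe one procedure: match the vendor SBOM against advisories, prioritise by asset risk, and plan what to do until the stoppage. The following is an added example, not code from the Traficom page or any vendor: the SBOM shape is a minimal CycloneDX-like list of name and version pairs, the assets, advisories (with deliberately fictitious identifiers), planned stoppage date and scoring weights are all constructed assumptions. It matches components against affected version ranges, scores each hit by severity, asset criticality and whether the vulnerable service is reachable over remote access, and attaches interim controls to every item that cannot be patched before the stoppage.

```python
"""SBOM-driven vulnerability prioritisation with interim mitigations.

Added example; not code from the Traficom page. The SBOM shape is a minimal
CycloneDX-like list, the assets, advisories (fictitious "ADV-" identifiers),
stoppage date and scoring weights are constructed assumptions.
"""
from datetime import date


def parse_version(text):
    """Dotted numeric versions compared as tuples, so 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in text.split("."))


# Constructed assets: vendor-supplied SBOM components plus the plant's own risk context.
ASSETS = {
    "PLC-07": {"criticality": 5, "remote_reachable": True,
               "sbom": [{"name": "plc-runtime", "version": "2.4.1"},
                        {"name": "web-config", "version": "1.0.3"}]},
    "HMI-01": {"criticality": 3, "remote_reachable": False,
               "sbom": [{"name": "web-config", "version": "1.2.0"},
                        {"name": "opc-ua-stack", "version": "0.9.5"}]},
    "LAB-PLC": {"criticality": 1, "remote_reachable": False,
                "sbom": [{"name": "plc-runtime", "version": "2.4.1"}]},
}

# Constructed advisories: affected range is [introduced, fixed); "network" means
# the vulnerable code is reachable over the network rather than only locally.
ADVISORIES = [
    {"id": "ADV-0001", "component": "web-config", "introduced": "1.0.0", "fixed": "1.1.0", "cvss": 9.8, "network": True},
    {"id": "ADV-0002", "component": "plc-runtime", "introduced": "2.0.0", "fixed": "2.5.0", "cvss": 7.5, "network": True},
    {"id": "ADV-0003", "component": "opc-ua-stack", "introduced": "0.9.0", "fixed": "1.0.0", "cvss": 5.3, "network": False},
]

NEXT_STOPPAGE = date(2024, 6, 15)  # assumed planned production stoppage


def affected(component, advisory):
    version = parse_version(component["version"])
    return (component["name"] == advisory["component"]
            and parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"]))


def prioritise(assets, advisories, today=date(2024, 3, 4)):
    """Score = CVSS x asset criticality x exposure, where exposure doubles when a
    network-reachable flaw sits on an asset reachable over remote access.
    Each item carries the days until the patch can be applied and the interim
    controls to apply in the meantime, most urgent first."""
    plan = []
    for name, asset in assets.items():
        for component in asset["sbom"]:
            for advisory in advisories:
                if not affected(component, advisory):
                    continue
                exposed = advisory["network"] and asset["remote_reachable"]
                score = round(advisory["cvss"] * asset["criticality"] * (2.0 if exposed else 1.0), 1)
                mitigations = [f"patch {component['name']} to {advisory['fixed']} at stoppage {NEXT_STOPPAGE}"]
                if exposed:
                    mitigations.insert(0, "restrict access to the vulnerable service at the OT firewall until patched")
                if advisory["network"]:
                    mitigations.insert(0, "add a detection rule for traffic to the vulnerable service")
                plan.append({"asset": name, "advisory": advisory["id"], "component": component["name"],
                             "score": score, "days_exposed": (NEXT_STOPPAGE - today).days,
                             "mitigations": mitigations})
    return sorted(plan, key=lambda item: item["score"], reverse=True)


if __name__ == "__main__":
    for item in prioritise(ASSETS, ADVISORIES):
        print(item["asset"], item["advisory"], item["score"], f"{item['days_exposed']} days until patch")
        for step in item["mitigations"]:
            print("   -", step)
```

On the constructed data the same advisory (ADV-0002) lands at the top of the list for the remotely reachable production PLC and near the bottom for the lab PLC, which is the point of prioritising systems and not just vulnerabilities; and every item carries a concrete interim control for the 103 days until the stoppage, since the advisory itself only says "update".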

Another essential issue with installing corrective software updates is that in many production environments the plant owners cannot update the vulnerable systems themselves, as updates can only be made by the system provider’s staff. Sending the manufacturer’s staff to different production plants would be expensive and slow, so a remote connection to the plant is usually arranged instead. In addition to a secure remote access solution, it is important to secure the supply chain, as the threat actors posing the most severe threats exploit organisations’ trust in their suppliers.

The Ketjutonttu project of the National Cyber Security Centre Finland aims to help Finnish companies and their suppliers manage cyber risks in their supply chains. Organisations can also make use of the Kybermittari section on supply chain and external dependency management, which evaluates an organisation’s ability to identify and manage risks related to supply chains and third parties.
