Cyber-Fighting in the Factory: CISA Issues New Warnings About ICS Vulnerabilities

While not groundbreaking news, CISA's newest security advisories about ICS vulnerabilities are good reminders to be alert to the importance of network segregation and the need to isolate sensitive controls from the hoi polloi of the common business computer network. After all, we don't want cyber-fighting in the factory. It doesn't require much imagination to figure out that the ramifications of compromised industrial control systems could be severe. The ICS vulnerabilities publicized by CISA should not be taken lightly, even if one's particular ICS equipment is not on the list. According to the security advisory, the vulnerabilities identified are remotely exploitable and present a low attack complexity. The capabilities available to hackers by means of these vulnerabilities include:
The answer to protecting critical ICS systems is found in what we have been promoting for years: access control in the form of network segregation. Network segregation is the most effective technique for minimizing the network exposure of any sensitive equipment, whether ICS, databases, file servers or other types of networked devices. Many of these devices do not need or require access to the Internet to perform their roles, so there is no reason to leave them wide open to the Internet, or to any computer network in general, for that matter. Give them just enough access to specific locations for their operations and no more. Industrial control systems should also be isolated from the common business network, with remote access locked to the specific devices needed for their operations.

Network segregation is one of LAD's native functions, integrated into its core workings. With LAD, every separate device on your network may be isolated from every other device, making lateral attacks within a network operated by LAD practically impossible (we say practically, because as the user you are in control and can direct LAD to allow lateral access between specific devices, or all devices, if you wish). In its default mode of operation, LAD does not allow devices on the same network to even discover each other's existence. Talk about minimizing network exposure....
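The segregation policy described above, expressed as a default-deny allowlist and checked against a handful of flow records, as an added example (not code from the original post and not LAD's own implementation); the zones, addresses, ports and log lines are all constructed for illustration:

```python
import ipaddress
# Assumed layout (hypothetical addresses): a business LAN, an isolated ICS
# segment, and one hardened jump host that is the only path into the ICS segment.
ZONES = {
    ipaddress.ip_network("10.10.0.0/24"): "business",
    ipaddress.ip_network("10.20.0.0/24"): "ics",
    ipaddress.ip_network("10.30.0.5/32"): "jump",
}
# Allowlist of (source zone, destination host, destination port). Everything else
# is denied, including traffic between two hosts in the same zone (no lateral reach).
ALLOW = {
    ("jump", "10.20.0.10", 502),        # jump host -> PLC (Modbus/TCP)
    ("business", "10.10.0.50", 445),    # business clients -> business file server
}
def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((name for net, name in ZONES.items() if ip in net), "external")

def evaluate(src: str, dst: str, dport: int) -> tuple[bool, str]:
    """Default deny: a flow passes only if it matches an allowlist entry."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if (src_zone, dst, dport) in ALLOW:
        return True, f"allowlisted {src_zone}->{dst}:{dport}"
    if src_zone == dst_zone:
        return False, f"lateral traffic inside zone '{src_zone}'"
    return False, f"no rule for {src_zone}->{dst_zone}"

def parse_flow(line: str) -> tuple[str, str, int]:
    # Constructed flow-log format: "<src> -> <dst>:<dport>"
    src, rest = line.split(" -> ")
    dst, dport = rest.rsplit(":", 1)
    return src.strip(), dst.strip(), int(dport)
def audit(lines: list[str]) -> list[str]:
    """Return one 'DENY ...' finding per flow the policy would block."""
    findings = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        ok, why = evaluate(src, dst, dport)
        if not ok:
            findings.append(f"DENY {src}->{dst}:{dport} ({why})")
    return findings

# Constructed sample flows, not captured traffic.
SAMPLE_LOG = [
    "10.30.0.5 -> 10.20.0.10:502",      # jump host to PLC: allowed
    "10.10.0.23 -> 10.20.0.10:502",     # business workstation to PLC: denied
    "10.20.0.10 -> 10.20.0.11:44818",   # PLC to PLC: denied (lateral)
    "10.20.0.10 -> 203.0.113.9:443",    # PLC to Internet: denied (no rule)
    "10.10.0.23 -> 10.10.0.50:445",     # business client to file server: allowed
]
```

Running `audit(SAMPLE_LOG)` yields three DENY findings; the same evaluation logic can be pointed at exported firewall or flow logs to spot where a network has drifted from its intended segregation.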