Reducing Cyber Risks for Industrial Control Systems (ICS)
Professional Supplementary Document

This document is intended to assist the professional and technical bodies within the organization who are in charge of the OT scene in general and of the ICS in particular. It is not intended to replace those bodies, but rather to serve as a tool for identifying the key issues related to cyber protection risks in the ICS arena. It offers professional protection recommendations based on international standards, research and professional documents, all of which are specified herein. It is understood that the implementation of professional controls in the ICS arena of a specific organization requires a dedicated risk-management process and the adjustment of those controls to the organization by suitable professionals.

All rights reserved to Israel National Cyber Directorate
Table of Contents

1. Introduction 06
1.1. Introduction to ICS Environments 06
1.2. Purpose of this document 08
1.3. Target Audience 08

2. Technology background overview of ICS environments 09
2.1. Subsystems, Protocols and Key Components in the ICS Environment 09
2.2. Classical topology in ICS Environment 12
2.3. Programming and communication between controllers and HMI 16
2.4. Trends and Challenges Common in ICS Environments 17

3. Presenting cyber risks on ICS systems 19
3.1. Introduction to Cyber Risks on ICS Environments 19
3.2. Defense Challenges in OT vs. IT Environments 23
3.3. Adapting the CIA Model as the AIC Model to the Operating Environment 25
3.4. The Star Model - Based on NISTIR 8183 26
3.5. Summary of the differences between the IT environment and the OT environment 27
3.6. Cyber risks according to layers of the PURDUE model 30

4. Risk assessment and management in ICS systems and principles for addressing in a work plan 37
4.1. Cyber risk management process as part of risk assessment and management 37
4.2. Mapping the Risks 38
4.3. Risk management in the ICS environment versus risk management in the IT environment 41

5. ICS system controls 44
5.1. Cyber Protection Controls in ICS Systems 44

6. Bibliography and accompanying reading material 61

- UNCLASSIFIED - 5
1. Introduction

1.1 Introduction to ICS Environments

Industrial Control Systems (ICS) is a general term for several types of command and control systems, which are used in industry and critical infrastructure. These systems include several subsystems and categories. Some of these systems are designed to control a single component, such as an altitude or temperature sensor designed to control the opening and closing of a valve or gate. The others are designed to control multiple components, which are distributed in the field. What they all have in common is their capability of communicating with end components, which act as sensors or actuators.

Common ICS types:
• SCADA systems
• Distributed Control Systems (DCS)
• Structural Control Systems (BMS)
• Industrial Automation Control Systems (IACS)

In recent years, awareness has increased of cyber events focused on attacking systems in the ICS network space. Unlike events against computing networks and traditional computing equipment, these events are very likely to directly affect the quality of life and physical safety of citizens. Beyond the potential for damage to the production line, damage to such systems can lead to flooding of cities, leakage of gases, poisons, toxins or wastewater into the environment, explosion of containers and disabling of essential services such as electricity, gas, water and more.

The trend of cyber attacks against ICS systems has been on the rise in recent years. The main reason for this is the attractiveness of the attack and the difficulty of implementing protection and security controls in the operating environment such as those implemented in the IT network.
Figure 1: ICS weaknesses mapping by sectors (from Kaspersky website)1

Figure 2: Number of ICS weaknesses discovered in 2018 versus 2017 (from Kaspersky website)2

Among the most prominent events that have been published in recent years are3:

TRICONEX attack
A Trojan-based attack from the TRITON family occurred in December 2017 and was directed against an industrial safety system. The attacker gained access to the Engineering Workstation and to the SIS (Safety Instrumented System), and from there used the aforementioned attack platform in an attempt to change the operation and programming of the safety system controllers. The purpose of the attacker was to cause damage so as to disable and neutralize the safety system in the manufacturing process4.

Hacking of the Bowman Dam in the US
On March 24, 2016, it was reported that hackers broke into a small dam in the state of New York in the United States. This malicious takeover could have led to a flood in the city, damage to critical systems and significant financial damage to the city.

BlackEnergy - Power plants disabled in Europe
On December 23, 2015, power outages occurred in European electricity companies, disabling entire regions. It was found that an attacker implanted a malware and sent it via Spear Phishing. Spoofing and air-gap jumping ability from the IT systems to the OT systems led to BlackEnergy running in the organization. In this event, the attacker took advantage of the ability to jump from the IT systems to the OT systems5.

1 https://ics-cert.kaspersky.com/media/KL_ICS_CERT_H2_2018_REPORT_EN.pdf
2 https://ics-cert.kaspersky.com/media/KL_ICS_CERT_H2_2018_REPORT_EN.pdf
3 https://ics.sans.org/media/SANSICS_DUC4_Analysis_of_Attacks_on_US_Infrastructure_V1.1.pdf - Additional incidents
4 https://www.gov.il/BlobFolder/reports/sis/he/SIS-CERT-IL-W-400.pdf * In Hebrew
5 https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01

1.2 Purpose of this document

This document aims to provide the professional audience with the basic knowledge required for better protection of ICS systems. The document imparts knowledge along with methods and workflows to increase resilience in the production line. At the same time, it includes representative examples and risks, ways of defense, recommendations and controls to mitigate risks in the operating environment. The document constitutes a professional extension, in the ICS arena, of the organization's cyber defense methodology.

1.3 Target Audience

This document is relevant to those engaged in the protection & defense of industrial control systems, including the CISO, the cyber defense personnel in the organization and the operations and control personnel, and in some parts is also intended for other parties within the organization, such as risk managers and procurement personnel, who are also responsible for computing equipment for the OT environment. The target audience for this document includes the following parties:
• ICS engineers/technicians – those who are in charge of ICS system installation and maintenance processes
• ICS Operators – those who are involved in the ongoing operation of the systems
• Network security personnel in ICS systems
• ICS Security Trustees - as part of their responsibilities (most often appointed by the CISO or a management body)
• Integration companies, consulting companies and ICS service providers
• IT professionals

Figure 3: Operator in production line

2. Technology background overview of ICS environments (Topology and Main Components)

2.1 Subsystems, Protocols and Key Components in the ICS Environment

Supervisory Control and Data Acquisition (SCADA) - A communication-based system that enables monitoring, control and process control by sending dedicated commands to controllers. The systems include a computerized layer for monitoring and controlling the field equipment. Industrial processes include, among others, production, refining, energy generation and product assembly processes. Processes in public or private infrastructures include, inter alia, outdoor lighting systems (urban and inter-urban), water supply systems, waste water collection and purification systems, oil and gas transmission pipeline monitoring, the electricity grid, alarm systems, and large communications systems. Processes in public or private facilities include Building Management Systems (BMS), airports, ports, ships and space stations. SCADA systems monitor and control HVAC systems (Heating, Ventilation and Air Conditioning) operating in the facility.

Industrial Network Protocols - Industrial network protocols are real-time communication protocols developed to link systems, interfaces, and devices that together constitute an industrial control system. Most of them were initially designed for serial communication over serial connections, but later they were adapted to work on Ethernet networks using a communication protocol such as TCP/IP. The weaknesses of industrial networks are mostly known and are due to a lack of awareness and knowledge, weaknesses in the system configuration, software weaknesses, a lack of protection against malware, encryption problems and more.

SCADA usually includes these components:

• Human-Machine Interface (HMI) - A human-machine interface that displays process data & information to the operator, enabling the operator to monitor and control the process.
• Master Terminal Unit (MTU) - A centralized control system designed to monitor, control and operate the end components.
• Programmable Logic Controllers (PLC) - Logic controllers designed to receive input and run preloaded logic (and logic based on the transfer of commands to end equipment).
• Remote Terminal Unit (RTU) - Remote monitoring units, which are involved in the process, are connected to sensors and are located on the process site.
• Historian - A system that stores the data from the field over time and shows trends in the parameters measured in the process. The system is usually used by the control engineers to improve and fine-tune the process.
• Sensors - Devices that measure physical conditions and are capable of activating actuators and transmitting to control systems.
• Actuators - Actuated by the sensors and trigger the required change (such as valve opening).
• Communication infrastructure - connects the control system to the units (communications: wired, radio, cellular, Wi-Fi, satellite).
• Intelligent Electronic Device (IED) - These devices form part of the control systems, such as sensors, motors, transformers, pumps, etc., and are also equipped with a tiny reporting processor. These devices typically communicate via a Fieldbus protocol, function as slaves and are controlled by remote end units.
• Internet of Things (IoT) - dedicated, communication-based components with the ability to exchange data & information over the Internet.
• Industrial Internet of Things (IIoT) - Components designed for the communications-based manufacturing industry.

Figure 4: Description of components in the ICS environment. The figure shows the Enterprise Network above a Control Center (Control Server (SCADA - MTU), HMI, Engineering Workstation, Data Historian) on the Control Network; below it Field Site 1 to Field Site N, each with its own Field Network of PLC, RTU or other devices; and at the bottom the Physical Infrastructure of Sensors and Actuators.

Distributed Control System (DCS) - This system differentiates the DCS from non-distributed systems that use a single centralized controller. The DCS typically uses process-optimized processors linked by communication networks for monitoring and control.

Figure 5: The main subsystems in the ICS world

2.2. Classical topology in ICS environment

The ICS environment is a complex environment. It incorporates a management environment, sometimes linked to ERP and other such systems, an operating environment, computer positions, sensors and controllers (see the classic environment in Figure 4). There are two models which can assist in the planning and implementation stages of architecture in the ICS environment:
• The Triangle Model (based on ISA 95)
• PURDUE model

These models allow for structural reference by hierarchy and control system layers. In the Triangle model, the systemic description is presented through five (hierarchical) levels in a triangle (including the Air Gap); it is simpler and suited to smaller, less complex environments. The PURDUE model has a six-level distribution and is suitable for larger organizations/more complex environments. As a general rule, both models separate the IT domain - which manages the organization's business systems - from the OT domain, in which the physical components are also managed, which receive their instructions through commands of electrical power changes.

2.2.1. The Triangle Model (suitable mainly for simple environments and small organizations):

Figure 6: The triangle model. From top to bottom: IT - Info Level; Air Gap; Operational Level; Control / Automation Level; Field Level (Sensors, Actuators).

Separation of the triangle after IT differentiation inputs6:
• Business environment and IT involvement in the organization. This network is sometimes directly connected to the internet.
• Management environment in the manufacturing network (air-gapped).
• The command and control servers and controllers themselves, which make up the heart of the system - an area where processes run for all local and remote devices.
• In the lowest 2 layers of the model, the PLC, RIO and IED industrial controllers are listed. This is in accordance with the system structure. These components are connected to sensors and actuators via relays that control the manufacturing process.

2.2.2. Purdue Model

Figure 7: Distribution of the model by regions7. Purdue Model for Control Hierarchy logical framework: Enterprise Zone - Level 5: Enterprise IT; Level 4: Site Business Planning and Logistics. Manufacturing Zone - Level 3: Site Manufacturing Operations & Control. Cell Area Zone - Level 2: Area Supervisory Control; Level 1: Basic Control; Level 0: Process. A Safety Zone sits alongside the lowest levels. IT spans the upper levels and OT the lower ones.

This model presents an extended description of the triangular model and contains six levels (0-5). This structure model is suitable for medium and large organizations, which have an interface to the IT network.
• Levels 5 and 4 - This area is dedicated to a business process management environment, and as such, it is based on the

6 The Airgap separation is primarily practiced on critical infrastructure. There are organizations where the separation between environments is based upon VLAN, dedicated FW etc.
7 https://www.encompass-inc.com/top-10-automation-trends-in-2018

enterprise IT systems and services (Enterprise). This area includes the enterprise Internet connection, ERP systems, etc8.
• Level 3 - This area includes a production network management environment: materials, manpower, inventory, availability of machines (such as the MES systems, etc.). The connection between layer 3 and layer 2 will be done by firewall devices, or by devices where communication is one-way, separated by a device that creates one-way traffic (diode).
• Level 2 - In this environment there is the control system with the HMI interface, and its role is to enable the monitoring and control of the SIP processes as well as to enable the operator's intervention as needed and according to his/her permissions, including programming or changing controller commands (complex systems have several operator positions (HMI), enabling operators to focus on different areas of the system, or to intervene as needed).
• Level 1 - In this environment, processes are managed using control computers (Automation Server) for all devices running RTU, PLC controllers, etc.
• Level 0 - represents the lowest layer in the PURDUE model. This layer is connected to the sensors and actuators, which operate the machine.

8 https://www.gov.il/BlobFolder/policy/protection_of_erp_systems/he/Protection%20of%20EPR%20systems_576699_4_WEB.pdf * In Hebrew
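The level-separation rules described above for the Purdue model can be written down and checked mechanically against a list of network flows. The following is an added example, not part of the original document or of any vendor's tooling: the level names follow Figure 7, while the rule that the enterprise zone (levels 4-5) may reach the cell/area zone (levels 0-2) only through level 3, the `via` labels (firewall, diode, direct), the assumed upward (level 2 to level 3) direction of the diode and the sample flows are all assumptions made for this illustration.

```python
"""Purdue-model flow audit (added example; rules and sample flows are assumptions)."""
from dataclasses import dataclass
from typing import Optional

# Level names follow Figure 7 in the document.
LEVELS = {
    5: "Enterprise IT",
    4: "Site Business Planning and Logistics",
    3: "Site Manufacturing Operations & Control",
    2: "Area Supervisory Control",
    1: "Basic Control",
    0: "Process",
}
ENTERPRISE = {4, 5}   # Enterprise Zone
CELL_AREA = {0, 1, 2}  # Cell Area Zone


@dataclass(frozen=True)
class Flow:
    src_level: int
    dst_level: int
    via: str          # "firewall", "diode" or "direct" (assumed labels)
    description: str  # free text: protocol, purpose, owner


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation message, or None if the flow respects the model."""
    if flow.src_level not in LEVELS or flow.dst_level not in LEVELS:
        return "unknown Purdue level"
    lo, hi = sorted((flow.src_level, flow.dst_level))
    # Rule 1 (assumption): the enterprise zone never talks straight to the
    # cell/area zone; such traffic has to be staged through level 3.
    if (flow.src_level in ENTERPRISE and flow.dst_level in CELL_AREA) or \
       (flow.dst_level in ENTERPRISE and flow.src_level in CELL_AREA):
        return "enterprise zone reaches cell/area zone directly"
    # Rule 2 (assumption): a flow crosses at most one level boundary.
    if hi - lo > 1:
        return f"flow skips levels ({LEVELS[lo]} <-> {LEVELS[hi]})"
    # Rule 3 (from the document): level 3 <-> level 2 passes a firewall or a diode.
    if (lo, hi) == (2, 3) and flow.via not in ("firewall", "diode"):
        return "level 3 <-> level 2 traffic is not mediated by a firewall or diode"
    # Rule 4 (assumption): a diode is one-way and carries data upward only.
    if flow.via == "diode" and flow.src_level > flow.dst_level:
        return "downward traffic through a one-way diode"
    return None


def audit(flows):
    """Return (flow, reason) pairs for every flow that violates a rule."""
    findings = []
    for f in flows:
        reason = check_flow(f)
        if reason:
            findings.append((f, reason))
    return findings


# Constructed sample flows; none of these describe a real site.
SAMPLE_FLOWS = [
    Flow(2, 3, "diode", "HMI process data replicated to the site historian"),
    Flow(3, 2, "firewall", "MES work order to area supervisory server"),
    Flow(3, 2, "direct", "engineering file share mounted on an HMI"),
    Flow(4, 1, "direct", "ERP host polls a PLC with a vendor protocol"),
    Flow(3, 2, "diode", "patch push from level 3 to an HMI"),
    Flow(1, 0, "direct", "PLC to field I/O"),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"[VIOLATION] L{flow.src_level}->L{flow.dst_level} "
              f"{flow.description}: {reason}")
```

Run against real data, the flow list would be built from firewall or network-monitor exports; the point of the exercise is that every flow between the manufacturing zone and the cell/area zone must name the mediating device, so that an unmediated "direct" path shows up as a finding rather than as an unnoticed convenience.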

Figure 8: Mapping of possible attacks according to the Purdue model. The figure is a grid whose rows are the Purdue layers and whose row groups are labelled "Possible course of action for attack" (Layers 4 & 5), "Attack Methods" (Layers 3 to 1) and "Impacts on" (Layer 0). As far as the cells can be recovered, they read:
Layers 4 & 5: Infected USBs; Cross-Site Scripting; Infected Documents; Social Engineering; Credential Phishing; Buffer Error; Remote Attack Trojan (RAT); Keylogger; Inserts Trojan; DLL Injection.
Layer 3: DLL injection; Hijacks Control; Steals VPN credentials; Opens Backdoor; Established Backdoor; Escalates Privilege; Finds Air-Gap Weaknesses; Deposits Trojans; Memory Attack; Corrupts Registry.
Layer 2: Memory Attack; Hijacks Servers; Discovers and Flips Relays; Corrupts Engineering Workstations.
Layer 1: Changed PLC Setting; Modifies Firmware, Causes Damage; Flipped Relays; Executes Rogue Commands on PLC; Encrypts Files for Ransomware; Opens Breakers, Damages Equipment; Damages Systems and Outages; Disables Systems.
Layer 0: Changed Sensors Settings; Change Actuators Activity; Physical Damage; Functions and Values Changes; Environmental Conditions.

2.3. Programming and communication between controllers and HMI

This paragraph describes the background process in controller programming with the aim of understanding the opportunities from the attacker's point of view and the risks in the controller loading process (and programming ability). Over the years, PLC controllers have been developed by different manufacturers, all of whom have developed a unique user interface and unique functions. Changing environments and needs have led to increased operational and security difficulties in communication between controllers programmed by various manufacturers.

Mixed Controls Environment: Despite the need and the manufacturers' recommendations to use single controllers (from the same manufacturer and the same family of products), there are also mixed environments that incorporate several controllers produced by different vendors.

Standard and Programming Methods: As described in IEC 61131-3, the standard version published in 2013 defined five programming languages. Each family of controllers, produced by a particular vendor, has a unique graphical interface that "compiles" the configuration file uniquely for the same controller type (from the same vendor).

In a mixed environment, control engineers are required to become familiar with several graphical software packages. In modern systems, the controller programming is carried out in one of the five languages defined in the above standard, enabling application transfer and integration "relatively easily" when working with various manufacturers' controllers.

Controller Programming: In the past, it was customary to program controllers by using a single method called Ladder Logic, and Control Computers (HMI) by using the HMI provider's software. This process is done from an Engineering Station.

Most Common Programming Languages:
• Ladder Logic - A classic method, which allows a programmer to translate the logical thinking process into a drawing and diagram. The programming process is carried out by translating the desired business process into a sequence of operations represented by illustrations from the electricity

sector simulating switches, digital inputs, time counters and more.
• Function Blocks - The function allows one software component to be used in several different places, while maintaining the uniformity of the operations and optimizing the writing of the software. Note: It is important to note that controllers developed using these measures are more immune to changes being made to the software process in a way that would impair the process.
• More languages - IL (Instruction List), Structured Text (ST), Sequential Function Chart (SFC).

2.4. Trends and Challenges Common in ICS Environments

Production environment
• Standardization - Use of standard operating systems that include cyber-exploitable vulnerabilities.
• Need for connectivity - Linking networks or linking to IT and the internet increases visibility and the attack surface.
• Unsecured connectivity - Modems, remote maintenance approaches, wireless communication (such as Wi-Fi).
• Information Security and Architecture - Availability of information about architecture, installation and maintenance practices, the structure of interconnection configuration with controllers, controllers on controllers, and famous and known cyber-attacked victims across the Internet.
• Using IoT Devices & Capabilities

App layer
• Obsolete apps, written in an unsecured way.

Configuration layer
• The systems have been running for years without rebooting, so updates are very difficult to implement.
• Many times, the passwords are burned into the code as factory default passwords and are sometimes difficult to change.
• There is usually difficulty in encrypting (sensitive) fields.
• Antivirus systems, or systems that prevent unknown code execution, cannot always be installed on equipment (for operational and contractual reasons).
• Difficulty in managing and identifying users, as this is an operating environment.
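Section 2.3 described controller logic being compiled on the engineering station and loaded to the controller, and the configuration-layer points above note that production systems run for years without change. Together they make the loaded controller program a good candidate for integrity monitoring: keep an approved baseline of each controller's program image and alert when a later read-back differs. The following is an added example, not code from the original document or from any PLC vendor; the controller names, the stand-in program images (short IL-style text, not real PLC code), the JSON baseline format and the idea of reading the image back are all constructed assumptions, and a real deployment would obtain the image or the vendor's checksum from the engineering tool or from the controller's own diagnostics.

```python
"""Controller-program integrity baseline (added example; data and format are assumptions)."""
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(image: bytes) -> dict:
    """Hash one program image; the size is kept as a cheap second signal."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}


def build_baseline(images: dict) -> dict:
    """images maps controller name -> program image bytes."""
    return {name: fingerprint(img) for name, img in images.items()}


def compare(baseline: dict, images: dict) -> dict:
    """Classify each controller as changed, added or removed versus the baseline."""
    current = build_baseline(images)
    changed = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return {"changed": changed, "added": added, "removed": removed}


def save_baseline(baseline: dict, approved_by: str) -> str:
    """Serialise with approval metadata so the record can live under change control."""
    record = {
        "approved_by": approved_by,
        "approved_at": datetime.now(timezone.utc).isoformat(),
        "controllers": baseline,
    }
    return json.dumps(record, indent=2, sort_keys=True)


def load_baseline(text: str) -> dict:
    return json.loads(text)["controllers"]


# Constructed sample: the images are stand-in byte strings, not real PLC programs.
APPROVED_IMAGES = {
    "boiler-plc": b"LD %I0.0\nAND %I0.1\nST %Q0.0\n",
    "pump-station-plc": b"LD %I0.2\nST %Q0.1\n",
    "conveyor-plc": b"LD %I0.3\nOR %M0.0\nST %Q0.2\n",
}
READ_BACK_IMAGES = {
    "pump-station-plc": b"LD %I0.2\nOR 1\nST %Q0.1\n",  # a rung was altered
    "conveyor-plc": APPROVED_IMAGES["conveyor-plc"],    # unchanged
    "spare-plc": b"LD %I0.4\nST %Q0.3\n",               # not in the baseline
}                                                         # boiler-plc did not answer


def demo() -> dict:
    """Build, store and reload the baseline, then compare a later read-back."""
    stored = save_baseline(build_baseline(APPROVED_IMAGES), approved_by="control-engineering")
    return compare(load_baseline(stored), READ_BACK_IMAGES)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Every entry in the "changed" list should correspond to an approved engineering change; a missing controller ("removed") is worth a look as well, since a device that stops answering may be faulty, re-addressed or replaced.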

Network layer
• The development of technology has led to a trend of linking isolated operational networks to an administrative environment, creating many vulnerabilities that expose them to a wide range of threats.
• Focusing on real-time performance makes it difficult to introduce network information security components (latency).
• Difficulty performing network scanning (Asset Management) due to the fear and risk of delaying production processes (such as a Ping Sweep that caused past failures).
• Operational and legal difficulties in conducting classic and active intrusion tests on the network and equipment for fear of dropping the system.
• Difficulty in encryption and network segmentation.

3. Presenting cyber risks on ICS systems

3.1. Introduction to Cyber Risks on ICS Environments

As operating systems and production lines, ICS systems are systems that have been designed and used for years. Sometimes these are networks without controls or security mechanisms (physical or logical) and without inputs against cyber attacks. In recent years, the realization of attacks on ICS systems has become even easier. The trend stems, among other things, from the ability to detect vulnerabilities, identify loopholes, and obtain and use hacking tools, and these have led to an increase in the attack trend9. Using existing tools and capabilities, such as the SHODAN website, enables mapping of Internet-connected ICS environments.

An analysis of the history of published ICS events shows that the threats to these environments are not significantly different from the threats to IT environments. In both cases, the threats can be categorized as those seeking to compromise credibility/reliability, availability and confidentiality (CIA). These threats include attempts to damage business continuity through a DDoS attack, listening to communications, disrupting and/or changing a component's function, data theft, Ransomware attacks etc. Sometimes the production network attack starts with an advance attack on IT networks (such as the energy infrastructure attack event in Ukraine – BLACKENERGY)10. The big risk in ICS attacks is that the process of balancing and material damage, such as to a boiler, turbine, etc., can cause significant damage in providing essential services or harm human life.

9 https://www.nozominetworks.com/downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf
10 https://www.us-cert.gov/ncas/alerts/TA18-074A#revisions

Figure 9: The development of attack tools for ICS environments in recent years11

Popular attack methods for ICS networks are based, among others, on12:
• Utilizing Weak Authentication Mechanisms
• Network Scanning/Probing (Port Scanning) - as part of the attack process, to locate open ports in the organization, and in the information gathering stage
• Removable Media - as part of jumping between different environments.
• Activating Brute Force password tools and software as part of a hacking attempt.
• Abuse of Access Authority (legitimate permissions) - by the user or by malware programmed to use the permissions.
• Phishing / Spear phishing attacks (mainly popular for Internet-connected ICS networks, such as the BLACKENERGY event and an attack on critical infrastructures)13
• SQL Injection.

Sample scenarios:
• Utilize default passwords
• Change a controller command
• GPS-based systems or satellite communications attacks

11 https://www.nozominetworks.com/downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf
12 https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
13 https://www.us-cert.gov/ncas/alerts/TA18-074A#revisions

• Listen to the Communication
• Inserting hostile code through an upgrade
• Hostile code insertion using an external device connection
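Network Scanning/Probing appears above among the common attack methods, and section 2.4 noted that active scanning of the plant network (a Ping Sweep) has itself caused production failures. The defender's alternative is passive: run detection over the connection records a switch, firewall or network monitor already exports, and flag a source that touches many distinct ports on one host (a port scan) or many distinct hosts in a short window (a sweep). The following is an added example serving both passages and is not code from the original document; the record format, the thresholds, the 60-second window and the sample records are constructed assumptions.

```python
"""Passive scan and sweep detection over connection records (added example; format and data are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them against the plant's own traffic baseline.
PORT_SCAN_THRESHOLD = 10       # distinct destination ports on a single host
SWEEP_THRESHOLD = 8            # distinct destination hosts from one source
WINDOW = timedelta(seconds=60)


def parse_record(line: str) -> dict:
    """Parse 'ISO-timestamp src dst proto dport'; dport is '-' for ICMP echo."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": None if dport == "-" else int(dport)}


def detect(records: list) -> list:
    """Return (source, kind, count) alerts, at most one per kind per source."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        worst_ports = 0   # most distinct ports hit on any single host inside one window
        worst_hosts = 0   # most distinct hosts contacted inside one window
        for i, start in enumerate(recs):   # sliding window anchored at each record
            ports_by_host = defaultdict(set)
            hosts = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > WINDOW:
                    break
                hosts.add(r["dst"])
                if r["dport"] is not None:
                    ports_by_host[r["dst"]].add(r["dport"])
            worst_hosts = max(worst_hosts, len(hosts))
            if ports_by_host:
                worst_ports = max(worst_ports, max(len(p) for p in ports_by_host.values()))
        if worst_ports >= PORT_SCAN_THRESHOLD:
            alerts.append((src, "port-scan", worst_ports))
        if worst_hosts >= SWEEP_THRESHOLD:
            alerts.append((src, "sweep", worst_hosts))
    return alerts


def build_sample_log() -> list:
    """Constructed records: a legitimate poller, a port scanner and a sweeper."""
    base = datetime(2024, 1, 15, 8, 0, 0)
    lines = []
    # An HMI polling one PLC on one port every 10 s: normal traffic, no alert expected.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.1.2.10 10.1.1.5 tcp 502")
    # A host probing twelve different ports on that PLC within 22 s.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.1.3.77 10.1.1.5 tcp {20000 + i}")
    # A host sending ICMP echo to nine field addresses within 9 s.
    for i in range(1, 10):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.3.78 10.1.1.{i} icmp -")
    return lines


def run(lines=None) -> list:
    lines = build_sample_log() if lines is None else lines
    return detect([parse_record(line) for line in lines])


if __name__ == "__main__":
    for src, kind, n in run():
        print(f"{src}: {kind} ({n} distinct targets within {WINDOW.seconds}s)")
```

The poller never trips either rule because it repeats one port on one host, which is what the thresholds are meant to separate from probing; in a real plant the thresholds should be set above the busiest legitimate client (an asset-inventory tool, for example), or that client listed as a known exception.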

Figure 10: An attack that began in the IT surface for the purpose of realizing intentions in OT14

In the ranking of the top ten threats on this issue for 2019, published by the German BSI, the following picture emerges:

Top 10 Threats (the figure also shows the trend since 2016 for each entry):
1. Infiltration of Malware via Removable Media and External Hardware
2. Malware Infection via Internet and Intranet
3. Human Error and Sabotage
4. Compromising of Extranet and Cloud Components
5. Social Engineering and Phishing
6. (D)DoS Attacks
7. Control Components Connected to the Internet
8. Intrusion via Remote Access
9. Technical Malfunctions and Force Majeure
10. Compromising of Smartphones in the Production Environment

Figure 11: Changes in attack trends in 2019 versus 201615

14 https://socprime.com/en/blog/dismantling-blackenergy-part-3-all-aboard
15 BSI: Industrial Control System Security - Top 10 Threats and Countermeasures 2019

In many situations, operating networks are isolated and separated from the Internet. These security arrangements make it difficult to organize and penetrate the process. However, attacking ICS networks as a differentiated network is usually possible along four main axes (to be addressed according to their requirements and protection inputs in the design stages below):
• Internal threat (an operating incident caused by the employee inadvertently or fraudulently) – in cases where the attacker had physical accessibility (including exploitation of technicians)16.
• Mapping and exploiting opportunities on the supply chain axis (such as exploiting by spoofing/activating a party that supports the site or installing malware on the vendor's equipment).
• Exploitation of input and output channels and attacking through them (such as Data Sanitization & Content Disarm and Reconstruction - CDR, updates, etc.).
• Side Channel Attack-based attacks – exploiting physical & technological environment limitations that exist in the computing environment for data guessing processes, collecting or jamming (such as using electromagnetic inductance).

In recent years, the power of computing has grown, and with it the need for diverse connectivity with other systems, such as business analysis and forecasting, operational performance analysis, output measurement, failure forecasting, fault resolution, etc. These capabilities are designed to leverage organizational activities and serve present and future business and functional needs. This connectivity also rests on the integration of IoT technologies, which also enable attack channels. Due to the advantages of the above technologies, the concept of a "differentiated operating network" is dissolving. Nowadays search engines like SHODAN can find access to operating environments' management interfaces.

16 https://www.gov.il/BlobFolder/generalpage/coping_thret/he/Organizational_coping.pdf * In Hebrew

Figure 12: Isolated network from external network

3.2. Defense Challenges in OT vs. IT Environments

Differences in IT Systems Protection versus OT, and Industrial Control Systems (ICS) in particular: While cyber defense workers are familiar with and experienced in the processes and technologies for protecting the traditional computing environment (IT), the knowledge and ability to realize the same concept and level of protection in the operating environment (OT) is limited. This limitation is due, in part, to the following challenges:

People:
• Knowledge – data, information security and cyber security professionals are most familiar with the protection of IT environments (protocols, products, tools and more). Sometimes they

do not understand the change needed to adapt their knowledge when assessing risks, choosing protection solutions, monitoring and preparing a recovery plan for operating environments.
• Collaboration - Most often, the body that runs the operation and maintenance of the systems in the production environment is not hierarchically subject to the Information Security Manager, or to the manager of the information systems and communications networks in the organization. The ability to make reviews/changes and set hardening requirements requires deep collaboration between the two different units in the organization. While cyber defense professionals usually have the knowledge needed to talk to IT professionals, the knowledge required for dialogue with operations/control professionals is different (sector-specific knowledge, such as a variety of concepts relevant to a production environment such as PAC, which is nonexistent in the IT network, understanding of chemical/engineering processes etc.).
• Dependence on external parties17 – While the IT environment can be served by enterprise employees and local vendors with whom the organization has good familiarity (including background/reliability checks), in working with these manufacturers, support and maintenance are often provided by dependent professional parties and are under warranty, and the client's ability to influence them is low (such as a system vendor or expert software from abroad).

Figure 13: The synergy, collaboration and synchronization between technology, processes and people

Processes:
• High capability and cost of production line and business operations - any need for upgrading, updating or downtime

17 http://www.sviva.gov.il/subjectsEnv/Documents/public-comments/2018/toxins-permit-terms-information-and-cyber-protection.pdf * In Hebrew

is immediately translated into a large amount of money and risk to the control process. As part of risk reduction, a dedicated area for running files and simulations can be considered as a preliminary process before the network goes online.
• "Halting/Downtime" cost - Difficulty in balancing risk and locating appropriate controls that prevent stopping the process, versus locating compensatory controls that allow risk reduction without stopping & compromising the production line.

Technology:
• Limited supply of dedicated protection solutions - While solutions such as code analysis, vulnerability detection and more are available and embedded in many systems around the world, they may not always be compatible with dedicated ICS environments. In addition, these tools are not always approved for use by the manufacturer or by the equipment's operators, due to concerns about operational damage, liability coverage, etc.
• Equipment Lifecycle - While IT equipment is replaced relatively frequently in organizations and proportionately (in relation to the organization's financial cycle), the replacement of a controller or a SCADA component involves significant efforts, resources and financial cost to the organization. This leads to a reality in which equipment is 10-20 years old or more, and has to be protected with the existing tools (which are limited and often do not fit this context).
• Use of old and unchangeable technologies - such as a network that has not been given security inputs in the characterization and construction process, the use of old controllers, protocols and traditional communication based on old, unsupported classic technologies. Hence, there are difficulties running antivirus or security updates, etc.

3.3. Adapting the CIA Model as the AIC Model to the Operating Environment

In the world of data protection, the subject of protection is information. Damage to it may lead to loss of trade secrets and/or sensitive data, impairment of data & information availability, as well as incidents of data

- UNCLASSIFIED - 25
breach (the disruption of information). and business continuity in the
These events are classified into the production line. Since the object
following categories: of defense in the OT world is
the operational process, the
C –Confidentiality first priority is the ability of
I –Integrity the organization to continue
A –availability producing. Confidentiality of data
& information takes on a slightly
In the operating world, most of the different level of prioritization. It
focus of the defense is not just on should be noted that sometimes
confidentiality information & sensitive the reliability of the data can be
data but more on safety aspects compromised in cases of human
and business operational implications life risk and safety incidents. In
related to the production line process, these cases, many entities will
which can be caused by a cyber- prefer parameter I over business
attack, which can result in human continuity (parameter A). Inputs
life, environmental damage, and will also be applied to maintain
major economic damage (in case Of the logic of the controller and
business continuity injury). In view to examine the field and truth
of this, the recognized CIA model is indicators.
required to be adapted to a dedicated
language, which is suitable for the
operating environment, the operating 3.4. The Star Model - Based on
personnel, the production engineers, NISTIR 8183
the process engineers, etc.
• This model focuses on the
When performing a risk assessment consequences of the injury. These
process, we can work, for example, consequences are aimed at the
with one of these two models: potential damage as a result of
the realization of a cyber event on
AIC model operational continuity, conservation
• This model changes the order of human life, environmental
of parameters of the recognized protection, quality control and trade
CIA model. The change reflects secrets. This model is represented
the importance of availability by the following diagram:

- UNCLASSIFIED - 26
Figure 14: A star model (five points: Operational continuity, Preserving human life, Protecting the environment, Keeping trade secrets, Product quality control)

3.5. Summary of the differences between the IT environment and the OT environment:

Category: Performance requirements
  Industrial Control Network: Accuracy in time synchronization.
  IT Network: Exact synchronization can be compromised (and updated at a different frequency).

Category: Availability requirements
  Industrial Control Network: There must be continuous availability; any downtime must be planned well in advance.
  IT Network: Maximum availability is desirable (sometimes subject to availability, depending on risk management).

Category: Risk management
  Industrial Control Network: Human life risk is a top priority, alongside physical, operational, regulatory and environmental risks.
  IT Network: Maintaining critical information and privacy, and business risk (financial, image).

Category: The focus of defense
  Industrial Control Network: Protection of endpoint equipment, manufacturing processes and the finished product (where the product can be disrupted, such as food dosing or pharmaceuticals).
  IT Network: Protecting the organization's IT assets and the information and data stored in it.

Category: Running software and updates
  Industrial Control Network: Software and updates must first be tested outside the production environment so as not to impair system performance; setting up a lab environment is costly. On the other hand, many systems are installed in a redundant configuration, which reduces the risk: PLC 1 is updated first and, once it is back in operation, PLC 2 can be updated. Planning inputs for configuration changes and for hardening of default settings must be ascertained.
  IT Network: Software and updates are built into IT environments and are therefore better tailored.

Category: Emergency interactions
  Industrial Control Network: The supplier's/manufacturer's capability for operator response and emergency operation is critical. Sometimes this access is also routinely required for providing support (for example, for an event that occurred, or for data monitoring for operational purposes).
  IT Network: The ability to close off an emergency communication path, and the ability to respond to the incident through various independent parties.

Category: System operation
  Industrial Control Network: Careful change management; operation of a variety of dedicated systems.
  IT Network: Systems adapted to change; mostly commonly known systems.

Category: Resource constraints
  Industrial Control Network: The systems are adapted to operational work. Security systems cannot always be added, due to a lack of processing and memory resources.
  IT Network: Systems planned for the addition of resources (increasing memory, CPU and disk space).

Category: Communication
  Industrial Control Network: A variety of protocols.
  IT Network: Standard communication in familiar protocols.

Category: Change management
  Industrial Control Network: Comprehensive testing is required in test environments; careful planning is required for any change.
  IT Network: Standard changes, regulated and common processes.

Category: Managed support
  Industrial Control Network: Support from each manufacturer individually.
  IT Network: Allows a variety of support capabilities.

Category: Access to components
  Industrial Control Network: The components can be isolated or spread nationwide; additional physical security is usually required.
  IT Network: Components are usually clustered on site in server rooms and are accessible.

Category: Equipment lifecycle
  Industrial Control Network: Decades.
  IT Network: Individual years.

Category: Tolerance for harm to business continuity
  Industrial Control Network: Very low.
  IT Network: Very little.

Category: Software updates
  Industrial Control Network: Low (infrequent).
  IT Network: Frequent.

Category: Cyber awareness and knowledge
  Industrial Control Network: Usually low.
  IT Network: Usually existent.
3.6. Cyber risks according to layers of the PURDUE model

Cyber-attacks can exploit vulnerabilities in each of the model's layers (zones) and in the transitions between them. This section reviews attacks that make use of the communication channel connecting the model layers (such as the move from layer 0 to layer 1 in the model).

Figure 15: Overlap zones between the models (PURDUE and the triangle model). The diagram shows, from top to bottom: Level 5 - Internet (web servers, email servers); Level 4 - IT systems / IT level (email servers, web servers, business servers, enterprise computers); Level 3.5 - systems at the DMZ (historian servers, remote access servers, AV/patch server, air gap); Level 3 - industrial systems (supervisor HMI, manufacturing server, domain controller, engineering workstation); Level 2 - HMI computers, operational level (operator HMI, redundant automation servers, operator HMI); Level 1 - PLC controllers, control/automation level (managed switch with VPN, PLCs for processes A, B and C); Level 0 - sensors, control field level (sensors/actuators and IEDs for processes A, B and C).
3.6.1 Layer 0 cyber risks:
• This layer holds the sensors and controllers that monitor the operation of machines or of active operating means, such as contacts, analog sensors and more. The risk at this level is the potential for a physical or logical attack that changes some component (sensor, pressure regulator, temperature, taps, etc.) so that it measures incorrectly and feeds incorrect data into the analysis of the processes, with the implications that follow.

3.6.2 Cyber risks in the 0-1 transition:
• The connection between the Level 0 devices and the Level 1 controller is made through electrical or serial communication connections. The risk at this level is the transmission of fictitious or wrong data, as well as the possibility of tampering with wiring or replacing a physical component.

3.6.3 Layer 1 cyber risks:
• This is the layer of the controllers (PLC/RTU) that manage the controlled process. The main risks to this process are a change to the logic or configuration, or the implantation of alternative code into the controller.

3.6.4 Cyber risks in the 1-2 transition:
• This transition is based on network communication (LAN) over protocols that run over TCP, such as MODBUS, DNP3, PROFINET, IEC 60870-5-104, and more. Outdated systems use serial communication (RS-232), including protocols such as MODBUS, DF-1, PROFIBUS, etc. The main risk is the ability to connect to the system, especially if the communication is wireless (unencrypted), and the ability to bridge networks and intervene in the process. Poor configuration of the protection systems (such as the firewall) between layers and components will allow an attacker to exploit open ports for continued expansion and propagation in the network.

3.6.5 Layer 2 cyber risks:
• This layer holds the control center/server that manages the process, including the HMI computers. It should be taken into consideration that there are HMI systems that do not receive software updates (Windows XP), mainly for fear of the systems crashing after the update. These systems are in the control room, and there is a risk that an unauthorized party will take an unauthorized action, such as inserting a USB device into one of the computers and causing the damage to spread. This layer also contains an engineering server, which holds operational information about the software in the controller and about the control center software.

Figure 16: Mapping weaknesses by components in ICS environment (Kaspersky site) [18]

3.6.6 Additional layers of the model:
• Layer 3: The operating layer, in which the operating computers and servers are located.
• 3-DMZ transition: This network transmits data from the control system in the TCP/IP protocol.
• DMZ layer: This network holds computing systems whose role is to be located within the DMZ.
• DMZ-4 transition: In this network, data from the control system in the TCP/IP protocol is transferred to the management environment, the engineering positions and workstations.
• Layer 5: This network contains the IT systems that serve the OT systems (sometimes these stations are connected to the Internet).

18 https://ics-cert.kaspersky.com/media/KL_ICS_CERT_H2_2018_REPORT_EN.pdf
Figure 17: Component Mapping in the Layer Model (Standard IEC-62443-3-1)

Firewall (FW) setting and realization in the ICS environment is a complex matter in an operating environment, sometimes for security reasons, etc.

The distribution and settings should follow the PURDUE model and these guidelines:
- The FW design will address the data movements between the OT and IT environments and the classic incidents and problems of the ICS environment, including targeted attacks, APT attacks, etc. [19]
- Define rules preventing internal and external unauthorized communication.
- Restrict access from the enterprise network (the administrative network) to the operational network in a manner that prevents queries or direct commands to controllers.
- Ensure that the settings are tuned and that the firewall is able to detect threats in OT protocols (inspection of the industrial protocol itself, not only of ports).
- FW settings suitable for vendor support from outside the organization.
- FW settings for wireless connectivity (as needed and after an organizational approval process), to prevent illegitimate communication and the exploitation of attack opportunities on these channels.
- A process for collecting and analyzing attack indicators and defining rules accordingly.
- Inputs for strong management of privileges for changes in the FW system.
- As part of ensuring compliance with safety requirements, make sure that the protective measures and FW settings do not create points of failure.

Highlights for dedicated FW settings based on the PURDUE model

- Layers 4-5 - Sometimes this is an environment that is connected to the Internet or to Internet-connected systems; therefore, in this layer, rules preventing direct and open (outbound and inbound) communication to the Internet must be implemented and enforced, in order to prevent unwanted communication, Denial-of-Service (DoS) attacks, and the corruption or prevention of internal messaging.
- Layer 3 - Dedicated inputs for differentiation from Layer 4 [20] will be provided.
- Layers 0-2 - The control systems layer: the HMI, whose role is to enable monitoring and control of the command and control processes, operator intervention as needed, and the permissions given to the operator. The FW definitions and rules to be applied here are against bypass of communications, possible actions involving a risk of causing harm, and unauthorized actions (both in rules and in restricting unwanted communication from the layers above and below).

19 https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf
20 https://www.sans.org/reading-room/whitepapers/ICS/secure-architecture-industrial-control-systems-36327
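The 1-2 transition risks in 3.6.4 and the firewall guidelines above come down to two checks on every flow that crosses a zone boundary: is this source zone allowed to talk to this destination zone on this port at all (default deny, no direct Internet path, no enterprise queries to controllers), and, for the industrial protocol itself, is this frame a read or a write to the controller. The following Python program is an added example, not code from the original document or from the Directorate. It models a PURDUE-zoned allowlist over constructed subnets and inspects Modbus/TCP function codes so that a DMZ historian may poll values but only the HMI and the engineering workstation may write. The subnets, the rule set and the sample frames are constructed for the example; the MBAP header layout and the function-code numbers are those of Modbus/TCP.

```python
"""Zone-to-zone allowlist with Modbus/TCP function-code inspection.

Added example, not part of the original document. The zone subnets, the
rule set and the sample frames below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# PURDUE zones mapped to constructed subnets (assumption: a plant address plan)
ZONES = {
    "L4_enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "L3.5_dmz":      ipaddress.ip_network("10.10.0.0/24"),
    "L3_ops":        ipaddress.ip_network("10.20.0.0/24"),   # engineering / supervisory
    "L2_hmi":        ipaddress.ip_network("10.30.0.0/24"),
    "L1_plc":        ipaddress.ip_network("10.40.0.0/24"),
}

# Modbus function codes that change controller state: write coil/register(s),
# diagnostics, mask write, read/write multiple. Everything else is a read.
MODBUS_WRITE_FCS = {5, 6, 8, 15, 16, 22, 23}


@dataclass(frozen=True)
class Rule:
    src: str                      # source zone
    dst: str                      # destination zone
    dport: int                    # TCP destination port
    modbus_writes: bool = False   # for port 502: may this peer write to the PLC?


# Allowlist; anything not listed is denied (default deny between zones).
RULES = (
    Rule("L4_enterprise", "L3.5_dmz", 443),                 # reports served from the DMZ
    Rule("L3.5_dmz", "L2_hmi", 502),                        # historian polls values, never writes
    Rule("L3_ops", "L2_hmi", 3389),                         # supervisor to HMI
    Rule("L2_hmi", "L1_plc", 502, modbus_writes=True),      # operator set-points
    Rule("L3_ops", "L1_plc", 502, modbus_writes=True),      # engineering: logic download
)


def zone_of(ip):
    """Map an address to its PURDUE zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def modbus_function_code(payload):
    """Parse the MBAP header (transaction id, protocol id, length, unit id) and
    return the function code, or None if this is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", payload[:8])
    # protocol id is always 0; length counts unit id + PDU, i.e. everything after byte 6
    if proto != 0 or length != len(payload) - 6:
        return None
    return fc


def evaluate(src_ip, dst_ip, dport, payload=b""):
    """Return ("ALLOW" | "DENY", reason) for one flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "internet" in (src, dst):
        return "DENY", f"no direct Internet communication ({src}->{dst})"
    for rule in RULES:
        if (rule.src, rule.dst, rule.dport) != (src, dst, dport):
            continue
        if dport != 502:
            return "ALLOW", f"{src}->{dst}:{dport}"
        fc = modbus_function_code(payload)
        if fc is None:
            return "DENY", "port 502 but not well-formed Modbus/TCP"
        if fc in MODBUS_WRITE_FCS and not rule.modbus_writes:
            return "DENY", f"Modbus write (FC {fc}) not permitted from {src}"
        return "ALLOW", f"Modbus FC {fc} {src}->{dst}"
    return "DENY", f"no rule for {src}->{dst}:{dport} (default deny)"


# Constructed frames: FC 3 read holding registers 0..9; FC 6 write register 16 := 255
READ_HR = bytes.fromhex("000100000006" "0103" "0000000a")
WRITE_SR = bytes.fromhex("000200000006" "0106" "001000ff")

if __name__ == "__main__":
    flows = [
        ("10.30.0.5", "10.40.0.7", 502, READ_HR),     # HMI reads PLC
        ("10.20.0.4", "10.40.0.7", 502, WRITE_SR),    # engineering writes PLC
        ("10.10.0.3", "10.30.0.5", 502, WRITE_SR),    # historian tries to write
        ("10.0.0.9", "10.40.0.7", 502, READ_HR),      # enterprise queries PLC directly
        ("10.30.0.5", "198.51.100.1", 443, b""),      # HMI to the Internet
    ]
    for flow in flows:
        print(flow[:3], *evaluate(*flow))
```

The length check in the MBAP parser is what catches a frame that is on port 502 but is not Modbus at all (a tunnel or a probe), and the per-rule write flag is the policy equivalent of the "no queries or direct commands to controllers" guideline: a read from the DMZ is tolerated, a write is dropped before it reaches Level 1.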
3.6.7 Attention to the overall system structure in the organization
Unlike the PURDUE model and other models, this view addresses four areas connected to each other:

Figure 18: Interfaces in the connection areas (the diagram shows the organization's information systems, view consoles and the Internet; extra-organizational connectivity for support, service, command and control needs; the engineering department and the control network with its PLC/RTU; and the SCADA-DCS control system software testing and practice lab)

Regarding IT connectivity
• Connectivity between the IT environment and the OT environment also exists in industrial environments, in order to enable a management environment to perform its work. The connectivity to IT infrastructure (and sometimes to the Internet) exposes the network to many dangers.

System test lab
• This system includes a control system that simulates the real system (a digital twin). This environment is securely connected to the control system and is used for software testing, operator training and device testing. Although security and interconnection mechanisms exist, there is a risk of a breach originating from this environment.

Extra-organizational connectivity for support, service, command and control needs
• This area includes the external parties which are required to connect to the systems, including suppliers, support service providers, employees providing support from outside the organization, etc. The concern is that this connection will be exploited for attack purposes (including Man-in-the-Middle (MITM) threats, Denial of Service (DoS) attacks, exploitation by hostile parties, and more).

The operating and control systems environment (production line)
• This includes the production process, the engineers' computers, the HMI systems and the controllers.
4. Risk assessment and management in ICS systems and principles for addressing them in a work plan

4.1. Cyber risk management process as part of risk assessment and management

The purpose of the cyber risk management process is to examine organizational risks and subsequently reduce the impact of exceptional events on the organization. The process includes formulating risk scenarios that may harm the organization, assessing the potential damage if each is realized, assessing the likelihood of realization, prioritizing the scenarios for treatment according to intensity (a combination of impact and probability of realization), and finally characterizing a risk mitigation plan [21].

The risk management process in ICS systems is important and complex. ICS systems are distinct critical systems that use different and sometimes mixed protocols, hardware and software. On the other hand, the knowledge available to IT professionals, operating costs, maintenance, upgrades and the avoidance of continuous damage to the production process (such as the patch update dilemma in a production environment) make risk management in the ICS environment challenging and unique compared to the IT environment.

The process is carried out cyclically, according to technological and organizational changes, threats, new attack capabilities, etc. Its purpose is to carry out a proper assessment of the risk in a manner acceptable to all parties within the organization (management, production line personnel and computing entities) and subsequently to translate it into a dedicated work plan to reduce the impact of exceptional events and prevent damage such as safety incidents, injury to life or damage to the production line.

21 https://pdfs.semanticscholar.org/cb14/b23b9d0d4242edb1057b722e7a6f923d4885.pdf
Figure 19: Cyber risk management process and work plan for the ICS environment. The flow shown: risks arising from lack of policy, risks arising from inherent weaknesses in software and risks of software weaknesses feed the cyber risk management plan for ICS systems; then identification of attack scenarios (mapping and identifying risk scenarios), assessing the expected damage impact, locating risk mitigation controls, choosing a treatment (ACCEPT, TRANSFER, MITIGATE, AVOID), and building a work plan.
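To make the intensity-and-prioritization step of 4.1 concrete, the following Python program is an added example, not part of the original document. It scores constructed scenarios on the five consequence axes of the star model in 3.4, takes the worst axis as the impact (so that a scenario that can cost a life is not averaged away by low scores elsewhere), multiplies by likelihood to obtain intensity, orders the register, and maps each item to one of the four treatments shown in Figure 19. The scenarios, their scores, the "controllable" flag (whether the organization itself can change the asset or depends on a vendor, as discussed in 3.2) and the treatment thresholds are assumptions for illustration, not values from the document.

```python
"""Risk register scoring for an ICS environment.

Added example, not part of the original document. Scenarios, scores, the
"controllable" flag and the treatment thresholds are constructed assumptions.
"""
from dataclasses import dataclass

# Consequence axes of the star model (section 3.4), scored 1 (negligible) .. 5 (catastrophic)
AXES = ("operational_continuity", "human_life", "environment",
        "product_quality", "trade_secrets")


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    impact: dict           # axis -> 1..5
    controllable: bool     # can the organization change the asset, or is it vendor-bound?

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood out of range")
        missing = set(AXES) - set(self.impact)
        if missing or any(not 1 <= v <= 5 for v in self.impact.values()):
            raise ValueError(f"{self.name}: impact must score every axis 1..5")


def impact_score(s):
    """Worst axis wins: a 5 on human life is a 5 regardless of the other axes."""
    return max(s.impact[a] for a in AXES)


def intensity(s):
    """Intensity = impact x likelihood, the combination the document prioritizes by."""
    return impact_score(s) * s.likelihood


def treatment(s):
    """Map a scenario to ACCEPT / TRANSFER / MITIGATE / AVOID (thresholds are assumptions).
    Anything that can seriously harm people is never accepted or merely transferred."""
    life = s.impact["human_life"]
    if life >= 4 and s.likelihood >= 3:
        return "AVOID"           # remove the exposure (e.g. cut the connection)
    if life >= 4:
        return "MITIGATE"
    if intensity(s) >= 6:
        return "MITIGATE" if s.controllable else "TRANSFER"   # vendor SLA / insurance
    return "ACCEPT"


def prioritize(scenarios):
    """Return (scenario, intensity, treatment) tuples ordered for the work plan."""
    ranked = sorted(scenarios,
                    key=lambda s: (intensity(s), s.impact["human_life"], s.name),
                    reverse=True)
    return [(s, intensity(s), treatment(s)) for s in ranked]


# Constructed register (not from the document)
REGISTER = [
    Scenario("Unpatched XP HMI infected via USB", 4,
             dict(operational_continuity=4, human_life=2, environment=1,
                  product_quality=3, trade_secrets=2), controllable=True),
    Scenario("Vendor remote session hijacked, logic changed on safety PLC", 2,
             dict(operational_continuity=5, human_life=5, environment=4,
                  product_quality=3, trade_secrets=1), controllable=False),
    Scenario("Historian data exposed to enterprise network", 3,
             dict(operational_continuity=1, human_life=1, environment=1,
                  product_quality=1, trade_secrets=3), controllable=True),
    Scenario("Leased wireless sensor link jammed on packaging line", 2,
             dict(operational_continuity=4, human_life=1, environment=1,
                  product_quality=2, trade_secrets=1), controllable=False),
    Scenario("Engineer's laptop with project files lost", 2,
             dict(operational_continuity=1, human_life=1, environment=1,
                  product_quality=1, trade_secrets=2), controllable=True),
]

if __name__ == "__main__":
    for s, score, action in prioritize(REGISTER):
        print(f"{score:>2}  {action:<8} {s.name}")
```

Note the ordering effect of taking the worst axis: the vendor-session scenario ranks second on intensity despite its low likelihood, and is still assigned MITIGATE rather than TRANSFER even though the asset is vendor-bound, because the human-life axis overrides the controllability rule.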

4.2. Mapping the Risks

Risk mapping is based on the following processes (and their synergy):
• Asset mapping - The mapping phase also links IT/OT assets (see Chapter 5.2 in the Defense Doctrine) [22].
• Mapping of risks resulting from a lack of policy (by mapping the areas and issues without a policy). Figure 20 on the next page allows policies to be formulated by activity area on the one hand, and on the other hand to identify risks in areas where there is no policy.

22 Organizational Cyber Defense Doctrine - https://www.gov.il/BlobFolder/policy/cyber_security_methodology_for_organizations/he/Cyber1.0_418_A4.pdf * In Hebrew

Figure 20: Framework for SCADA Security Policy in the Organization

The mapping process will be as follows: a description of the system architecture and of the component interfaces, which gives a visual snapshot of the network environment and of the dependence on various components of different types (for instance, several different controllers), communication and protocols, and which points out risks arising from policies, hardware and software weaknesses, and so on.

Risk mapping in relation to these processes requires:
• Knowledge of the business process and the components used (including mapping of sensors, networks and subnets, communication types, participating components, and the logical topology of the environment).
• Identification of risk scenarios, based also on intelligence and on event history in the organization and in the sector; a process accompanied by a review of the organization's critical processes and of how the realization of a scenario can affect them. The risk scenarios depend, among other things, on those with an interest in attacking the organization, the capabilities and tools at their disposal, and past attacks. A scenario bank can be used, or a common risk table such as the one included in this document's review, or a table such as this one:

1. Risk arising from the use of older, unsupported systems that lack advanced security capabilities, and the unavailability of security updates after end of life.
2. Risks in connecting components with wireless interfaces.
3. Increased attack surface due to frequent use of unsecured interconnections (takeover channels, support and update downloads).
4. Shortage of cyber experts on the production line (planning, support, risk management, etc.).
5. Unregulated environments, which allow air-gap jumping and spreading between networks.
6. Cyber risks arising from supply chain processes (such as backdoors, and processes with risk potential along the supply chain, for example a computer technician shared by several different customers).
7. Security gaps and backdoors built into the software (inability to integrate third-party protection solutions).
8. Opportunities for physical penetration and lack of inputs for prevention.
9. Irregular policies on antivirus and patch updates (security and operations).
10. Human error (operator), which can create security gaps and attractive opportunities for an attacker.
• Assess the impact of the expected damage, if any, on the operating process: safety events, operational damage such as disabling a unique system or controller in a way that would damage the production line, financial damage, etc.
• Define the defensive response and the necessary compensatory controls.

Please note: For a sample template for conducting a risk survey in operational environments, and for raising awareness of the issue within the organization's management, see the Supplemental Documents on the Israel National Cyber Directorate [23] website.

4.3. Risk management in the ICS environment versus risk management in the IT environment

The risk management process in the ICS environment differs from the risk management process in the IT environment:
Factor: Connection to business processes
  IT: Important.
  OT/ICS: Mandatory.
  Notes: A risk assessment for such an environment cannot be performed without the process being recognized, as it arises from conversations with the process engineer and the operational parties. Detecting threats and vulnerabilities is not possible without a thorough, in-depth understanding of the information flow and the process components.

Factor: Defense capabilities
  IT: Commercial protection solutions exist, and a great deal of professional knowledge is available in the field.
  OT/ICS: Many protection solutions are unsuitable, cumbersome and/or irrelevant to this environment. The legal and operational ability to install a defense solution and monitoring tools, to perform scanning etc. in this environment, is very limited.
  Notes: There are dedicated commercial solutions for the ICS world, but they are less mature than the solutions for the IT environment, where the supply is wider and more experienced in the field. In addition, operators' resistance to interference with and impact on operational processes is greater than the resistance that sometimes exists to installing server and network protection components in the IT environment. The solution usually depends on the control vendor; an external solution often cannot be inserted.

Factor: Considerations of a complex environment
  IT: Unified environment.
  OT/ICS: Complex environment.
  Notes: There are differences between the environments and complex considerations in the OT environment, which has equipment with a lifespan of 15 years as well as an environment without regular software and protocol updates. These characteristics are due, in part, to the operational needs of the production line [24], which are sometimes not supported by traditional security solutions and are not well known to IT professionals.

Factor: Damage potential
  IT: Most of the damage will be financial, with secondary damage to reputation, privacy and more.
  OT/ICS: The damage can also be manifested in the termination of the production line and in harm to human life.
  Notes: Damage that means harm to normal life (also at a state level).

Conclusion: Protecting ICS environments: The organization is faced with a very limited defense capability vis-a-vis resource-owning parties with interests that can cause immense damage. This reinforces the need for organizations to primarily strengthen their monitoring and response capability in protecting such environments.

23 https://www.gov.il/he/departments/topics/organization_cyber_protection * In Hebrew
24 Anastasis Keliris, Enabling Multi-Layer Cyber-Security Assessment of Industrial Control Systems through Hardware-in-the-Loop Testbeds, New York University School of Engineering
5. ICS system controls

Cyber protection for ICS systems requires integrating protection into "security circuits" using several cyber protection methods and technologies. Since no single technology is available for all types of systems, a variety of controls is required, tailored specifically to the level of risk, the system implementation, system operation, system structure, communication technologies, the geographic space over which the system is deployed (city, factory, building) and more. The control bank presented in the following table is dedicated and suited to the ICS environment. The controls presented below were selected based on the ICS environment, its computing components, interfacing systems and technologies. The success of implementing cyber security controls to mitigate risks depends on the organization's size, nature and complexity (in this way, some controls may reduce risks in mixed environments, while in isolated environments some may be dispensed with). A proper process for selecting and implementing appropriate controls involves an appropriate risk management process.

5.1. Cyber Protection Controls in ICS Systems
(Suitable for Industrial Controllers - Defense Doctrine)
Control Title The Control Complementary Control Control
ID explanation Implementation Depth*
Example

12.1 Industrial Organizational The organization Supportive policy 2


Controllers policies should will define its writing and
Policy be written, operating system procedures can be
managed and policy, implemented and
audited for including reference define the unique
the protection to remote access requirements for
of industrial policies, version the environment of
control upgrades, software industrial controllers
environments. updates, third- (production/
This policy party maintenance, logistics/
responds, and more. environmental
to the control/power
appointment generation and
and definition more).
of a role, Existing regulatory
which includes aspects of these
determining environments must
the division of be addressed (for
responsibilities example: FDA,
between Israel National
office holders Cyber Directorate).
and parties Make sure that the
responsible for policy document
the OT network regulates and
and tangent defines the body
networks. responsible for
the organization.
The division of
responsibilities
will cover various
areas, such as
who is responsible
for software
updates, vendor
login, file uploads
for upgrades, etc.
recommended,
Because the ICS
environment's
cyber protection
trust will have an
official nomination
letter signed and
approved by the
organization's
management.

* Control level complexity from 1- (low) to 4 (complex)

- UNCLASSIFIED - 45
Control Title The Control Complementary Control Control
ID explanation Implementation Depth*
Example

12.2 Industrial Defined rules The organization The signage 1


Controllers for proper use will define, signage may include the
Policy of equipment in explaining the data use of shared
the production security practices workstations, the
environment at the work use of removable
and place stations governing media devices,
signage and monitoring users log off and
explaining the production more.
these rules. environment.

12.3 Industrial Define the The organization Document mapping 2


Controllers sensitive will map the processes and
Policy processes processes environments
where industrial where control according to
control environments severity.
environments exist and define
exist according the main business
to their level of processes
sensitivity. involving these
controls in order
to understand the
level of business
and regulatory
damage that could
result from such
environments.

12.4 Industrial Separate The organization The separation 2


Controller control will set apart can be carried
Communication networks from control networks, out using firewalls
other systems users’ networks and separate
and external or servers into VLANs for every
networks. separate networks monitoring network.
so as to restrict Given the option,
direct access it is preferable
between networks to separate by
one-way diode
and allow only the
release of data &
information out of
the organization.

- UNCLASSIFIED - 46
Control Title The Control Complementary Control Control
ID explanation Implementation Depth*
Example

12.5 Industrial Separate the Implement In any cases 2


Controller management adequate that the system
Communication system of separation connects the
industrial between the production floor
equipment operational to other high
controllers and controls environments
the operative network and the (in accordance
components of management with the PURDUE
the system. system of the model), for the
controls. production of
management
reports or other
needs, and
especially in
cases where
the operating
environment
is connected
to the cloud,
controls must be
established in
accordance with
the "Cloud" section
of this document
or equivalent
standard.

12.6 Industrial Do not connect The organization If necessary, to 1


Controller devices will not install connect different
Communication that are not equipment that equipment for
production is not part of the interfaces with
environment Industrial Control production
controls, to System in the systems, it must
the production controls network. be connected by
controls Equipment which separate network
network. is required to be segment behind
connected, will the firewall.
be connected
to separate
network, and
communication
will be enabled
individually.

- UNCLASSIFIED - 47
Control Title The Control Complementary Control Control
ID explanation Implementation Depth*
Example

12.7 Industrial Support The organization Can be applied 2


Controller providers will implement using VPN server
Communication access to the secure management
production communications system for
network will network for dedicated users
be possible suppliers’ access for each provider
with prior and will review the (user priority for
authorization supplier's access every employee
as well as by to the organization of the provider),
using secure by providing which will be
and identified preauthorization usually locked and
communication, for any provider open only when
which allows connection to the necessary.
recording of control network.
the provider’s
actions.

12.8 Industrial Controller Communication (Control Depth: 2)
Control: Direct or indirect Internet access will not be allowed from industrial controllers or from human-machine interface environment interfaces.
Implementation example: Control networks can be restricted on the firewall so that Internet access is not allowed from these networks, and file whitening (sanitization) systems can be integrated for a secure transfer process between environments.

12.9 Industrial Controller Communication (Control Depth: 2)
Control: Unnecessary services will be limited in the production environment and in support systems, such as human-machine interfaces and smart sensors.
Complementary explanation: The organization will cancel and/or limit unnecessary services for all systems in the control environment, whether at the operating system level, the communications level or the application level.
Implementation example: This can be based on the manufacturers' hardening documents for the operating system and applications: shutting down services, blocking ports, limiting application-level access to certain functions, and more.


12.10 Industrial Controller Communication (Control Depth: 2)
Control: Use reliable communication between industrial controls and terminal equipment, if possible.
Complementary explanation: Use protocols that allow source and destination authentication and encryption of the medium supporting the equipment.
Implementation example: In the event that it is possible to use secure versions of these protocols, use those versions (SFTP, HTTPS, SNMPv3 and others).

12.11 Industrial Controller Communication (Control Depth: 4)
Control: A one-way communication system will be set up for the OT environment.
Complementary explanation: Tools for one-way communication between sensors and systems must be defined in sensitive environments.

12.12 Wireless Communication (Control Depth: 1)
Control: Wireless networks in the production environment will be separated from enterprise wireless networks.
Complementary explanation: The organization will implement a dedicated wireless network, separate from the enterprise wireless network, to be used solely for control network communications. This network will not route to the enterprise network, and vice versa.
Implementation example: It is preferable to avoid using a wireless network in the control networks, but if it is necessary for the business, this network will be set up separately, its management will also be separate, and it will not be linked to any VLAN of the internal network.

12.13 Wireless Communication (Control Depth: 1)
Control: Wireless communication in the production environment will be limited by using secure protocols.
Implementation example: WPA2-PSK should be used where possible; we recommend using a digital certificate-based version for these wireless networks.


12.14 Wireless Communication (Control Depth: 2)
Control: A separate user will be defined for each end client using a wireless network in the production environment.
Implementation example: It is recommended to connect the wireless network to a dedicated RADIUS server, which will authenticate and manage the users.

12.15 Man-machine controllers management (Control Depth: 2)
Control: Access to man-machine interfaces will be enabled by personal users, one for each operator.
Complementary explanation: The organization will define a personal user for each person working in front of a human-machine interface. If the station is a shared station, smart card identification can be used.
Implementation example: If, for safety reasons, the position cannot be locked, compensatory controls (such as camera placement, room access documentation, etc.) should be considered.

12.16 Man-machine controllers management (Control Depth: 4)
Control: Access to human-machine interfaces will be enabled by using strong authentication.
Complementary explanation: The organization will establish strong authentication for access to human-machine interfaces. Also, make sure that sensitive equipment interfaces, such as the management/engineering position, man-machine interfaces, etc., make use of unique and managed user names. It is desirable that use of these accounts will be based, as much as possible, on strong identification.
Implementation example: A variety of measures can be used, such as biometrics, smart cards, OTP and more.


12.17 Man-machine controllers management (Control Depth: 2)
Control: Monitoring systems will be installed and activity recording will be carried out on the management servers.
Complementary explanation: The organization will set up activity recording/logging systems, with emphasis on the management environment of the production environment.
Implementation example: A variety of measures and tools can be used, such as screen recording of user activity, application logs, etc.

12.18 Malicious code control (Control Depth: 3)
Control: Install utilities such as intrusion detection tools in the management networks' environment of the production environment.
Implementation example: Can be applied using tools such as IPS, honeypot traps and more. It should be noted that for safety and functional reasons, these tools cannot always be installed in operating environments. In such cases, using tools such as IDS may sometimes be a partial or alternative answer.

12.19 Malicious code control (Control Depth: 3)
Control: Install tools for file signature verification (Integrity Checking) to scan files being transferred to the management environment or installed in the management environment.
Implementation example: Can be implemented using a variety of File Integrity Checking tools.

12.20 Malicious code control (Control Depth: 1)
Control: Install dedicated anti-malware tools on human-machine interfaces.
Implementation example: Can be implemented using dedicated anti-malware tools appropriate to the type of system.


12.21 Software Updates (Control Depth: 2)
Control: Manufacturer software updates will be installed on lower environments (test) before installing them in the production environment.
Complementary explanation: The organization will ensure the installation of updates in a test environment and will run them over time, in order to test the stability of the system and the process.
Implementation example: Can be realized by establishing a lower environment (at least partially), diverting communication to this environment during a maintenance window in the production environment, and testing the process.

12.22 Software Updates (Control Depth: 2)
Control: Install operating system updates that are supported by the provider in the production environment.
Complementary explanation: The organization will implement, within reasonable time, operating system and application updates as received from the system vendor, and will demand from the vendor security updates for serious flaws as they are published.
Implementation example: As part of this process, reference should be made to the safe method of intake of new equipment (such as devices and machines for the OT network and operating environment). Given the sensitivity of the issue, the ability to restore the operating system and software to their initial state (state 0) must be ascertained, by using firmware/OS from a reliable source and rewriting the historical data that came with the equipment.


12.23 Software Updates (Control Depth: 3)
Control: 'Lock Configuration' tools will be installed on End of Life systems, including obsolete operating systems.
Complementary explanation: The organization will implement tools that lock the system configuration into a "clean" configuration, if there is no other option to update the equipment.

12.24 Detachable media in the production environment (Control Depth: 2)
Control: The ability to connect removable media to production equipment, including controllers, human-machine interfaces and sensors, will be limited.
Complementary explanation: Designated storage media should be allocated for use in the OT network, to minimize the exposure area and reduce the risk of network and Air Gap jumping. Attention should be paid to cases where private equipment of employees connects to positions, such as workers in the production line connecting devices for charging, telephony, version upgrades, etc. Management will be done through device management mechanisms. Any component that connects will be identified and pre-approved (white-list).
Implementation example: Can be implemented by disabling USB devices physically (port lock) or logically by operating system policy (GPO). Generally, connection of detachable media that does not belong to the organization should be avoided, and otherwise reviewed and approved by the cyber teams within the organization.


12.25 Detachable media in the production environment (Control Depth: 2)
Control: Removable media file transfer to the production systems will be carried out only after data sanitization of the transmitted files.
Complementary explanation: The organization will implement a process of "whitening" files and examining them in depth using several tools before transferring them to the controller environment. For example, it can be based on built-in technology or on a work process for checking and pre-registering: the file source (user or site), date and time, documentation and reason for bringing the file, a unique identification for each whitening, and the ability to investigate file transfer events.
Implementation example: Can be realized through the acquisition of a specialized data sanitization station or, alternatively, by establishing a dedicated station which includes several different scan engines.

12.26 Redundancy in the production environment (Control Depth: 2)
Control: There will be a redundancy system array for critical components in the production environment.
Complementary explanation: The organization will implement a redundancy system of servers and sensors critical to the control environment, for the purpose of process continuity.
Implementation example: In order to build redundancy it is recommended to consult with the control system vendor.


12.27 Physical access to the production environment (Control Depth: 2)
Control: Physical access to the industrial controller environment, as well as to the communication equipment in this environment, will be restricted according to business need only.
Complementary explanation: The organization will restrict physical access to media cabinets, hubs and management positions of the controller environment. It should be noted that even when a connection is legitimate (such as for the purpose of a POC), the external component connection process must be performed safely.
Implementation example: Can be realized by converting dedicated rooms into concentrated communications and server rooms, and performing access control using access tags and biometrics for this environment.

12.28 Separation of logical approach and networks (Control Depth: 2)
Control: Logical access to the industrial controls environment, as well as to the communications equipment in this environment, will be limited to business needs only.
Complementary explanation: The organization will limit the access of corporate users who have no business relevance to the control system, and will prevent their access to these networks and equipment.

12.29 Separation of logical approach (Control Depth: 3)
Control: Logical (functional) access to the production systems, including control interfaces, sample interfaces and human-machine interfaces, will be limited to the extent possible.
Complementary explanation: Access to the management systems will be limited according to user profiles. A system operator will not change settings and parameters of the system; changing the parameters will be carried out by an administrative user.
Implementation example: It is possible to verify with the system's manufacturer whether the system can use different user profiles.


12.30 Robustness tests (Control Depth: 2)
Control: Carry out information security testing in the production and management environments and their interfaces, including penetration tests.
Complementary explanation: The organization will define comprehensive tests and a test outline covering the variety of control network components, with an emphasis on comprehensive information security tests for all components, in order to maintain the continuity of the business process.
Implementation example: Can be realized by checking the configuration of the environment, running simulations during downtime windows, and performing penetration tests in these networks if possible and/or during maintenance operations.

12.31 Information Security Monitoring (Control Depth: 2)
Control: Set up unique monitoring scenarios in the production environment and monitor them through an organizational monitoring array.
Complementary explanation: The organization will define a variety of dedicated monitoring scenarios for the control environment according to the threat outline and the importance of the system to the business process. It should be ensured that monitoring and active logging systems are installed on critical assets, such as management servers and engineering positions.
Implementation example: Network monitoring in control networks is different from ordinary systems monitoring, since the sensitivity threshold is lower. Any deviation from the normal amount of communication between the controls and the management interfaces and sensors may indicate a potential cyber incident, since the activity in these environments is continuous and monotonous.
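The low-threshold, per-link baseline described in 12.31, as an added example that is not part of the original document: the link names, message counts and the 3-sigma band are assumptions made for the demonstration.

```python
"""Baseline-deviation monitoring for a control network (added example for
control 12.31; not code from the original document, all values constructed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: "<minute> <source> <destination> <messages>".
# HMI polling of controllers is continuous and monotonous, so the per-link
# counts in a healthy plant barely move from minute to minute.
LEARNING_LOG = """\
1 hmi01 plc03 120
1 hmi01 plc04 60
2 hmi01 plc03 121
2 hmi01 plc04 60
3 hmi01 plc03 119
3 hmi01 plc04 61
4 hmi01 plc03 120
4 hmi01 plc04 59
"""
# Live minutes to check: a silent controller, a surge on one link, and a
# workstation (eng01) that never talked to plc03 during the learning window.
LIVE_LOG = """\
5 hmi01 plc03 120
5 hmi01 plc04 60
6 hmi01 plc03 0
6 hmi01 plc04 60
7 hmi01 plc03 121
7 hmi01 plc04 240
8 eng01 plc03 15
"""

def parse(log):
    """Yield (minute, src, dst, count) tuples from the flow-summary text."""
    for line in log.splitlines():
        minute, src, dst, count = line.split()
        yield int(minute), src, dst, int(count)

def build_baseline(log):
    """Per-link (mean, sigma) learned from a known-good window. Sigma is floored
    at 1.0 message so that a perfectly flat link still gets a usable band."""
    per_link = defaultdict(list)
    for _, src, dst, count in parse(log):
        per_link[(src, dst)].append(count)
    return {link: (mean(c), max(pstdev(c), 1.0)) for link, c in per_link.items()}

def detect(log, baseline, k=3.0):
    """Return (minute, src, dst, count, reason) for every interval outside
    mean +/- k*sigma, plus any link absent from the baseline. k is tight on
    purpose: the sensitivity threshold in control networks is lower than in IT."""
    alerts = []
    for minute, src, dst, count in parse(log):
        if (src, dst) not in baseline:
            alerts.append((minute, src, dst, count, "unknown link"))
            continue
        mu, sigma = baseline[(src, dst)]
        if abs(count - mu) > k * sigma:
            reason = "silent link" if count == 0 else ("traffic surge" if count > mu else "traffic drop")
            alerts.append((minute, src, dst, count, reason))
    return alerts
```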


12.32 Information Security Monitoring (Control Depth: 4)
Control: The organization will have an independent monitoring capability in the operating network and/or the IT network.
Complementary explanation: This monitoring examines a change in the physical space, which is an indication that is independent of the organization's architecture and constitutes an anomaly, requiring examination by the operating personnel.
Implementation example: This can be realized, for example, with the ability to read values (analog and digital) from sensors and actuators (level 0) in order to measure changes, in a completely disconnected configuration that is independent of the operating network (out of band) and unaffected by it. These changes can be detected by measuring electricity, pressure, temperature, etc.
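The out-of-band cross-check described in 12.32, as an added example that is not part of the original document: the loop names, tolerances and sample values are assumptions, and the comparison of network-reported values against independent level-0 readings is the point being shown.

```python
"""Out-of-band cross-check of control-network values against independent
physical measurements (added example for control 12.32; not code from the
original document, all sample values constructed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class LevelSample:
    t: int            # seconds since start of the window
    reported: float   # tank level as reported over the control network
    measured: float   # same level read by an independent, disconnected gauge (level 0)

# Constructed samples: from t=40 the control network keeps reporting 3.1 while
# the independent gauge sees the level climbing.
LEVEL_SAMPLES = [
    LevelSample(0, 3.0, 3.02), LevelSample(10, 3.0, 2.98), LevelSample(20, 3.1, 3.08),
    LevelSample(30, 3.1, 3.12), LevelSample(40, 3.1, 3.6), LevelSample(50, 3.1, 4.1),
]

# Constructed pump records: (t, commanded_on as shown by the HMI, motor current
# in amps read by an out-of-band clamp meter).
PUMP_RECORDS = [(0, True, 12.1), (10, True, 11.9), (20, False, 0.2), (30, False, 11.8)]

def analog_divergences(samples, tolerance=0.15, min_consecutive=2):
    """Return the start time of each run of at least `min_consecutive` readings
    in which reported and measured values differ by more than `tolerance`.
    Demanding consecutive hits filters out a single glitch of either sensor."""
    run, hits = [], []
    for s in samples:
        if abs(s.reported - s.measured) > tolerance:
            run.append(s.t)
            if len(run) == min_consecutive:
                hits.append(run[0])
        else:
            run = []
    return hits

def actuator_mismatches(records, running_amps=1.0):
    """Return times where the commanded state disagrees with the physical
    evidence: a pump commanded off but drawing current, or commanded on but idle."""
    return [t for t, commanded_on, amps in records
            if commanded_on != (amps > running_amps)]
```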

12.33 Equipment decommissioning (Control Depth: 2)
Control: When removing equipment, or removing it from an external source, the processes for deleting files and sensitive data (such as logic files, passwords, etc.) from computing systems and computing equipment must be verified.
Complementary explanation: When removing equipment, or removing it from an external source, the processes for deleting files and data (such as logic files, passwords, etc.) from computing systems and from computing and transfer equipment must be ascertained, including interchange processes at intersections, changes of environment, and so on.


12.34 Cyber Intelligence (Control Depth: 3)
Control: Regular gathering of cyber intelligence and information on attacks in the OT world (visible information, publications, etc.).
Complementary explanation: Suitable inputs should be devoted to dedicated monitoring of professional publications on the protection of computer systems and operating systems, ensuring a regular process for the collection and analysis of relevant information from internal and external sources that may serve as a platform for attacks, and of actions taken (publications by the CERT, manufacturers, suppliers, etc.). This monitoring will help the organization to strengthen security and harden systems in order to minimize the attack surface.


12.35 Emergency Preparedness (Control Depth: 3)
Control: Write, implement, review and update a business continuity policy regarding Cyber-Defense.
Complementary explanation: A dedicated IR team should be set up to handle cyber incidents in operational and industrial environments. This team will include representatives from a variety of disciplines and will be trained accordingly in exercises. As part of the training, significant cyber events should be reviewed. If such staff cannot be trained, these capabilities should be hired from companies that specialize in this.
Implementation example: A fast recovery position, including an engineering position with licenses and applications installed on a laptop/stationary computer that is not connected to the network (it must be updated once every six months to ensure operational readiness for service).


12.36 Preparedness for disaster recovery (Control Depth: 4)
Control: Appropriate inputs should be devoted to creating business continuity and preventing cyber risks in the time synchronization process.
Complementary explanation: A process will be performed to analyze the effects of the level of time accuracy between the components within the network, and between these components and those of other networks and outside networks. Ensure the existence of a time clock synchronization process on the OT network, secure the process to the required degree of reliability and accuracy, and compensate with redundancy on the network.

6. Bibliography and accompanying reading material

1. ‫תורת ההגנה הארגונית גרסה‬ 1.0 (In Hebrew – Organizational Defense Methodology for Organizations, Version 1.0)

2. Clint E. Bodungen, Bryan Singer, (+3) Hacking Exposed, ICS Secrets and Solutions

3. Andrew Ginter, 13 ways through a firewall: What you do not know can hurt you 2013

4. Mariano Nunez, Cyber-attacks on ERP systems, An analysis of the current threat landscape, 2012
Security, May 2015

5. SP 800-82 R2 Guide to Industrial Control Systems

6. ANSI/ISA 62443 – Partially completed Document

7. NERC-CIP requirements for power utilities – Bulk Power Systems - BPS

8. ISO/IEC 27001-2013 and 27002, Cyber security for Information security management systems -ISMS

9. Andrew Ginter, Secure Operations Technology, Abterra 2018

10. Threat landscape for industrial automation systems, Kaspersky Labs, H2-2018

11. Blake Sobzak, Hackers force water utilities to sink or swim 03-2018

12. https://ics-cert.us-cert.gov/Standards-and-References#conduct

[email protected]
www.cyber.gov.il
