
Each finding below is given as: Control, Subject, Issue, Discovery, Risk, Recommendation.

Control: AC-2(1)
Subject: Accounts - Account Management
Issue: No Central Account Management System
Discovery: A centralized and automated account management system (e.g., Active Directory) is not managing accounts on all capable networked devices.
Risk: Managing local and system level accounts can become too cumbersome to appropriately audit, secure, and monitor. This adds unnecessary exposure and risk for account compromise.
Recommendation: Establish centralized account management for the control system devices (e.g., AD or Lightweight Directory Access Protocol). Join all appropriate and capable systems to the domain. Remove all local accounts except for those necessary for administrative purposes. Implement a TACACS+ or RADIUS server for authentication, authorization, and accounting for network infrastructure.

Control: AC-17.a
Subject: Network - Remote Access
Issue: No secure remote access architecture.
Discovery: Remote access can grant malicious individuals persistence and ease of access to company resources.
Risk: Remote access can grant malicious individuals persistence and ease of access to company resources.
Recommendation: Utilize jump servers to restrict movement and access to SCADA systems at a granular level. In addition, this will also allow for complete control of the cyber-hygiene levels of those systems entering the SCADA network; heavily monitor jump servers.

Control: AC-17(3)
Subject: Network - Remote Access
Issue: System has multiple remote access options
Discovery: Multiple ways to remotely access the system.
Risk: Multiple channels increase the work needed to secure pathways and monitor traffic.
Recommendation: Limit remote access to the control system networks through one highly controlled and monitored network path, such as a VPN connection to a corporate jump server and remote desktop sessions to a control system jump server. Do not allow direct communication between the control system network and any external source, especially the Internet. Follow the recommended architecture referenced in the NCCIC/ICS-CERT defense-in-depth document.

Control: AU-6(4)
Subject: Detection - Logs
Issue: Logs are not retained in a centralized location and analyzed.
Discovery: The organization does not centrally collect and analyze logs.
Risk: Without analysis of logs, anomalous events and intrusions will go undetected. These conditions allow for undetected misconfigurations and advanced intrusions. Review and analysis of logs stored locally is an ineffective, time-consuming process for understanding events affecting multiple components. In addition, cyber-attacks can delete locally stored logs, creating a vacuum of forensic evidence. Malicious actions go unnoticed without log collection and analysis.
Recommendation: Implement a centralized log collection and analysis service (and/or a Security Information and Event Management tool). By collecting all logs and events in a centralized service, analysis can save time/resources, improve efficiency, and discover anomalous activity at a system-wide level. Where control systems are deterministic in nature, the OA assessment team recommends being aware of all privileged activity on the control system network, including all account changes, software installations, failed account logins, and changes to bandwidth.
Control: AU-8(1)
Subject: Configuration - Baseline
Issue: No Authoritative Time Source within system.
Discovery: No authoritative time source within system.
Risk: Lack of a uniform time source can create inefficiencies when performing forensic analysis of logs, and may cause other time-related issues.
Recommendation: Establish an authoritative time source within the system and periodically synchronize all system devices to that time source.

Control: AU-11
Subject: Detection - Logs
Issue: Logs are not kept long enough or data within them is overwritten too fast to be of value
Discovery: Logs are overwritten before they are saved to off-device storage or a SIEM.
Risk: Logs provide administrators the support necessary to diagnose issues and discover root causes. Logs with insufficient retention (e.g., overwritten/cleared) will not provide the necessary information to support administrators in diagnosing issues and implementing mitigations.
Recommendation: Establish a baseline of how fast normal activities fill log space and determine the disk space and time period needed on the logs necessary to perform analysis and incident response (typical periods are 30 days or longer, unless backup solutions provide a daily capture of the day's logs). Implement a storage solution and configure the logs to retain the required information.

Control: CM-3*
Subject: Configuration - Change Management
Issue: No change management / configuration control process.
Discovery: No formal established change management process.
Risk: Configuration changes can go unnoticed when implemented by a malicious actor; system availability issues can occur; and a number of other concerns arise when change management is not strictly enforced.
Recommendation: Implement a change management process to track changes made to the system. This process should include obtaining required approvals as well as communication and coordination of all impacted parties in order to minimize downtime and impact.

Control: CM-3(2)
Subject: Configuration - Impact Analysis
Issue: Changes to the system are not tested before being put into production.
Discovery: Changes to the system are not tested prior to running in production.
Risk: Events arising from changes to the configuration of a product or network could lead to system outages and recovery impacts if implemented on a production network.
Recommendation: Test changes to the SCADA system and conduct a change impact analysis prior to implementation in the production environment.

Control: SC-7.a
Subject: Network - Partitioning
Issue: Poor / non-existent boundary controls.
Discovery: There are no network protections offering control and/or visibility of communications between networks (no boundary controls, access control lists, or monitoring of communications) between the control system and the rest of the organization.
Risk: An attacker can use a compromised node on the business network to exploit the control system. Flat internal networks with no internal flow controls could allow malware / attackers to traverse the network unimpeded.
Recommendation: Put the control system network in an enclave that is isolated from the business and administrative networks by a firewall enforcing strict control of communications between systems. Firewall rules should be refined to specific hosts and services required for the functioning of the system. Drop all other services and requests. All traffic between ICS networks and others should pass through hardened proxy devices residing in a demilitarized zone (DMZ). Remote users should never connect directly to an ICS node without passing through a secured jump server or remote access server in the DMZ. All security appliances for OT should be moved to the DMZ, not directly connected via the Internet. Treat all external network connections as untrusted and isolate them into a DMZ zone. Do not allow direct communication between the OT network and any outside source. Establish a secured virtual private network tunnel or an isolated and protected VLAN between the remote gateway and the jump server in the DMZ to prevent an attacker who has established a presence on the IT network from accessing data communications between a remote user and the jump server. NIST SP 800-82, Chapter 5, is a great reference for how to do this.

Control: SC-7*
Subject: Network - Protection from Internet
Issue: Routable IP addresses used in private network.
Discovery: Publicly "routable" network IP addresses are used within the private (internal) network.
Risk: Public IP addresses can be routed over the Internet. If internal firewalls and ACLs are not properly configured, traffic could be routed through the Internet, which can be exploited by an attacker to obtain access to the network.
Recommendation: Private network components should be reassigned to use private IP address ranges (i.e., 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). This will ensure that OT traffic does not leave the internal network if perimeter defenses are not properly configured or fail.
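One way to verify the SC-7* recommendation against an asset inventory (CM-8*), as an added example that is not part of the assessment table: the check tests each address against exactly the three private ranges the recommendation lists and flags anything else. The inventory rows and host names are constructed for the example.

```python
"""Audit an OT asset inventory for publicly routable IPv4 addresses.

Flags inventory entries whose address falls outside the three private ranges
named in the SC-7* recommendation, so a mis-addressed OT host is caught before
a perimeter misconfiguration or failure lets its traffic leave the network.
"""
import csv
import io
import ipaddress

# The private ranges named in the recommendation (RFC 1918).
PRIVATE_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 to 192.168.255.255
)


def is_rfc1918(addr: str) -> bool:
    """Return True if addr lies in one of the three RFC 1918 ranges.

    ipaddress.is_private is deliberately not used: it also answers True for
    loopback, link-local and documentation space (e.g. 203.0.113.0/24), none
    of which is a range the recommendation allows for OT hosts.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return any(ip in net for net in PRIVATE_RANGES)


def find_routable_hosts(inventory_csv: str) -> list[dict]:
    """Return inventory rows whose address is not RFC 1918.

    Each finding carries the asset name, address, zone and a reason. Rows with
    an unparseable address are reported as well: an entry that cannot be parsed
    cannot be shown to be private, so it needs a human look.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        addr = row["ip"].strip()
        try:
            reason = None if is_rfc1918(addr) else "publicly routable address"
        except ValueError:
            reason = "unparseable address"
        if reason:
            findings.append(
                {"asset": row["asset"], "ip": addr, "zone": row["zone"], "reason": reason}
            )
    return findings


# Constructed sample inventory (hypothetical hosts, not from the assessment).
# eng-ws-02 sits one bit outside 172.16.0.0/12, rtu-14 uses documentation
# space, and jump-01 has a typo in its address.
SAMPLE_INVENTORY = """asset,ip,zone
hmi-01,10.20.1.15,control
plc-07,172.31.200.9,control
historian,192.168.50.4,dmz
eng-ws-02,172.32.0.5,control
rtu-14,203.0.113.27,field
jump-01,10.0.0.1x,dmz
"""

if __name__ == "__main__":
    for f in find_routable_hosts(SAMPLE_INVENTORY):
        print(f"{f['asset']:<10} {f['ip']:<16} {f['zone']:<8} {f['reason']}")
```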

Control: AC-17.a
Subject: Network - Remote Access
Issue: No process governing the implementation of remote access
Discovery: The organization does not have established processes governing the implementation of remote access, including usage restrictions and guidance.
Risk: Untrusted systems may connect to the system and create a pathway for malicious traffic and malware.
Recommendation: Evaluate the risks and benefits of remote connections. Establish acceptable limits and usage guidelines in accordance with risk tolerance. Implement mechanisms to enforce policies and acceptable use.

Control: AC-19.a
Subject: Configuration - Mobile Devices
Issue: No mobile device policy.
Discovery: There is no established guidance or policies for mobile devices.
Risk: Mobile devices cross physical boundaries within the system and in some cases security zones. These devices could transport malicious media from a less secure zone to a higher security zone.
Recommendation: Determine and enforce policies for mobile devices, including laptops, PDAs, tablets, and company-issued phones. Policies should include usage guidelines and restrictions.

Control: CA-3*
Subject: Network - Connections to systems
Issue: No guidance or policy on interconnections with other systems not owned/managed/operated by the same staff.
Discovery: Security requirements for dedicated connections to other systems (under different management) are not defined, established, or documented.
Risk: There is no assurance that data within the connection is secure or that the other connected party will notify the organization in the event of an issue on their part.
Recommendation: Establish and approve connection requirements that define the data being exchanged and the security measures each party will take to protect the data and the connection from exposure. Include a clause that defines when they will notify the other party of a breach.

Control: SA-4*
Subject: Contractors and Vendors - Agreements
Issue: No or insufficient cyber security requirements in contracts/agreements
Discovery: Cyber security language is not being added to procurement contracts when the organization acquires products or services.
Risk: Without adding cyber security language to procurement contracts, the organization will not have a contractual basis to compel vendors to address cyber security vulnerabilities in their products, services, or design, leaving the organization at risk. (Example: a vendor is made aware of a cyber security vulnerability in their product that they deem too expensive or cumbersome to fix.)
Recommendation: Develop language for cyber security requirements that can be added to all IT and OT product and service contracts.


Control: AC-20.a
Subject: Configuration - Personal Devices
Issue: Use of non-company owned devices (e.g. personal) accessing the information system.
Discovery: There are no policies or guidance on using non-company owned (non-company managed) computers for remote access by staff and vendors.
Risk: Remote computers not managed and audited according to company security policies are less likely to have and maintain security controls for preventing malware; malware from an infected remote computer could migrate to the control system.
Recommendation: Issue company owned/managed laptops/computers dedicated to the ICS environment for remote access. Staff should not use these machines for general business applications (web browsing, email, etc.). Vendors should use dedicated asset owner equipment in their work. Asset owners should also validate the integrity of all third party systems connecting remotely. These connections should establish and enforce minimum security requirements and controls equal to or better than the asset owner's security policies.

Control: AC-16.a
Subject: Media - Marking and Categorization
Issue: No sensitivity levels.
Discovery: The organization does not have a policy and/or procedure to define levels of sensitivity or security (e.g., FOUO (For Official Use Only), PII (Personally Identifiable Information), internal, public) and apply them.
Risk: Documentation or information can be inadvertently released that would aid the discovery process of cyber adversaries.
Recommendation: Develop levels of sensitivity and security and apply the labeling of those levels to information within the system to ensure appropriate and responsible handling and care of information.

Control: AC-22*
Subject: Detection - Open Source
Issue: Content published by the organization is not reviewed for security risks and sensitive information.
Discovery: OT personnel do not consistently review content published by the organization for security risks and potentially sensitive information.
Risk: Open source research is one of the first steps a malicious actor performs when targeting a system for a cyber-attack. The actor will search the Internet, Shodan, and other resources to learn as much as they can about the targeted system or organization.
Recommendation: Review and update media policies to ensure that information released to the public (e.g., websites, conferences, and media) has been approved to prevent release of sensitive information. OT personnel should also monitor public information to identify and remove any sensitive material.

Control: AT-2*
Subject: Staff - Training
Issue: No general cybersecurity awareness training.
Discovery: Staff are not receiving cybersecurity awareness training.
Risk: The employees of your company will not have the ability to recognize common cybersecurity threats or learn the skills to handle them.
Recommendation: Establish required cybersecurity awareness training for all employees on at least an annual basis. NCCIC offers several free web-based lecture and hands-on training courses. Both IT and OT personnel should receive periodic ICS cybersecurity focused awareness training.

Control: AT-3*
Subject: Staff - Training
Issue: No role-based security training.
Discovery: Staff members do not receive role-based training.
Risk: Staff members will not understand current threats specific to their role and job duties, nor will they have knowledge of the mitigation methods regarding existing issues.
Recommendation: Provide role-based training for staff to understand current threats and issues related to their individual roles within the system.

Control: AU-2.c
Subject: Detection - Logs
Issue: Audited information does not support after-the-fact investigations. Not enough information retained.
Discovery: Audited events are not adequate to support after-the-fact investigations of security incidents and root cause analysis of downtime.
Risk: Audit records are essential for flagging anomalous events and performing forensic investigations. Without a formalized review and validation of audit records, it is unlikely that attacks, suspicious activities, and undesired activities will be noticed or discovered.
Recommendation: Review auditable event policy, processes, and procedures to determine if they are sufficient to identify and document malicious activities. The policy should also identify the types of events that should be audited by the system.
Control: AU-2.d
Subject: Detection - Logs
Issue: Events not recorded by system / logs not generated.
Discovery: System events are not recorded (logs not generated).
Risk: Without logs, audit analysis cannot be done.
Recommendation: Define and implement audit records for important system events, ensuring that significant items of interest that allow for a holistic view of the event are captured.

Control: CM-2
Subject: Configuration - Baseline
Issue: System diagrams & documentation are missing/incomplete.
Discovery: Detailed diagrams defining the interfaces of the system and its interconnections to others are not current. Documentation of the baseline configuration of the system or network is inaccurate and/or missing.
Risk: Responding to events or planning and executing troubleshooting activities will be hampered if ICS system configuration documentation is incorrect.
Recommendation: Develop detailed documentation to support the organization in support of the SCADA systems, networking, IT, and other groups on a need-to-know basis.

Control: CM-4
Subject: Configuration - Impact Analysis
Issue: No change impact analysis.
Discovery: Impact analysis of risks to the system is not done prior to implementation.
Risk: Not taking the time to evaluate the potential risk and outcomes of any implemented change, including a test process, could lead to system downtime or failure.
Recommendation: Evaluate the impact and potential security risks of any proposed change to the system. Determine if the benefits outweigh the impact or risks. If significant risks are uncovered during the analysis, investigate what mitigations can be implemented.

Control: CM-4(1)
Subject: Configuration - Impact Analysis
Issue: No separate test environment to test changes outside of the operational environment.
Discovery: Organization does not have a development/test system.
Risk: Patches, updates, and changes that have not been tested in an off-line environment may cause system instability and downtime when applied.
Recommendation: It is a best practice for all patches, modifications, and updates to an ICS system to be tested first on a non-production test system. It should be tested for installation process anomalies, operating stability and integrity issues, and allowed to run for a period of time to ensure operational instability is not introduced into the ICS system operation, prior to installation on the production environment.

Control: CM-7*
Subject: Configuration - Least Functionality
Issue: System components (OS, applications, firmware, etc.) are not hardened.
Discovery: System components are not hardened/restricted to the least functionality.
Risk: Unnecessary services, ports, protocols, applications, and functions create vectors for malicious parties to gain access to the system.
Recommendation: Determine the necessary requirements, services, ports, protocols, and applications to complete the needed function/operation of a system component. Restrict the component to allow only the use of the necessary requirements. Disable unused ports to prevent unauthorized connections. Hardening guides are available online from sources such as NIST, the Defense Information Systems Agency, and the Center for Internet Security. Apply hardening measures carefully in a test environment and document each component. When patches or updates are applied, hardened settings may revert to defaults. Documentation will help re-apply settings and let system administrators know if system components are vulnerable to specific issues described in security notices and advisories. Tools to automate this process are available.

Control: CM-7*
Subject: Configuration - Least Functionality
Issue: PLC mode keys left in remote/program mode.
Discovery: PLC mode keys left in remote/programming mode.
Risk: An unauthorized user could implement program modification while a PLC key is in remote mode.
Recommendation: It is a best practice to only leave the PLC controller in run mode with the key removed and protected while not in a programming evolution, to prevent unauthorized configuration access.

Control: CM-8*
Subject: Configuration - Inventory
Issue: No hardware/software inventory.
Discovery: No documented asset/inventory list.
Risk: Without an inventory, system administrators do not have a clear understanding of what assets they have to maintain or protect. Identification of unauthorized devices is also more difficult. Owners without an inventory may experience loss of assets and, without documentation, would be unable to claim a loss.
Recommendation: Establish an inventory system to track all components of the system. The system should be readily accessible to those with a need to know. The inventory should contain enough detail to identify the component, its value, location, and current use. A comprehensive ICS asset list is highly recommended to support continuing evaluation for known vulnerabilities, patching status, network communication addressing, and critical asset analysis. As a result, the ICS asset list is a very sensitive document and should be protected as a critical asset itself.

Control: CP-2(5)
Subject: Recovery - Alternate Control
Issue: No backup control center.
Discovery: Organization does not have a backup control center.
Risk: Loss of the primary control room would result in loss of essential mission/business functions.
Recommendation: A backup control site should be outfitted with technology resources to recover operations with little to no loss in continuity of operations in the event of a disaster that would render the primary operations control center inaccessible or unusable. The operability of the backup control site should be tested on a periodic basis and kept up to date.

Control: CP-2(1)
Subject: Recovery - Contingency Planning
Issue: No coordination of Contingency Plan with related groups.
Discovery: Organization does not coordinate contingency planning with other groups involved in the plan or having related plans.
Risk: In the event of a disaster, the organization may not be able to sustain or recover operational capability in a reasonable timeframe. In a disaster the groups may have different priorities or fewer resources than expected.
Recommendation: Coordination with other related parties/groups is essential for planning, preparation, and testing of asset operation recovery in the event of some type of disaster. The DRP needs to be developed in collaboration with a multi-disciplined group, documented in a living format, tested through exercises, and improved through lessons-learned and systems change processes. Coordination with related groups will prepare related plans to understand each group's needs and better help prioritize limited resources.


Control: CP-9(1)
Subject: Recovery - Backups
Issue: System backups are not tested for reliability/integrity.
Discovery: No formalized process for testing the integrity of backups and backup media. Test failover capabilities of systems (primary and secondary).
Risk: Ensures that critical software, data, and systems are available for recovery, which reduces or eliminates downtime due to a cyber-event or system failure.
Recommendation: Test recovery processes and procedures and verify the integrity of data from backups. This methodology (and any discoveries during testing backup/restoration capabilities) should feed into the overall Disaster Recovery and Continuity of Operations procedures.

Control: IA-2
Subject: Accounts - Account Management
Issue: Group accounts used.
Discovery: Uses group accounts.
Risk: The lack of nonrepudiation increases the risk of insider threats. Additionally, the sharing of credentials increases the risk of exposing credentials.
Recommendation: NCCIC recommends minimizing the use of group accounts. When group accounts are necessary, ensure that credentials are changed periodically and upon group membership changes.

Control: IA-2(11)
Subject: Network - Remote Access
Issue: Remote access does not use multifactor authentication.
Discovery: No multifactor authentication for remote access.
Risk: Remote access creates another vector for malicious parties to gain access to the system. An unauthorized user can access critical ICS components by masquerading authentication with authorized accounts.
Recommendation: NCCIC recommends implementing a multifactor authentication scheme for all remote access and limiting access to only those personnel with an operational need to access network resources remotely.

Control: IA-5*
Subject: Accounts - Passwords
Issue: No password policy.
Discovery: Organization does not have a password policy.
Risk: Passwords are the keys protecting cyber assets. Not protecting them allows attackers access to your systems and networks.
Recommendation: Establish a password policy that includes changing passwords initially and periodically. The policy should address password complexity and reuse. If passwords cannot be changed due to some technical reason, then consider compensating controls, such as multifactor authentication (card readers, verification by other personnel, or access logs) to ensure that an acceptable risk level concerning attribution is maintained.

Control: MP-6
Subject: Media - Disposal
Issue: No media sanitization plan.
Discovery: No plan/policy to properly excess property with media storing sensitive information.
Risk: Decommissioned devices with sensitive information could provide malicious parties with information to aid an attack.
Recommendation: Develop and implement an asset disposal policy that addresses the secure disposal of all system assets (e.g., software, hardware, firmware, storage) to prevent the inadvertent release of sensitive company information or data.

Control: PE-3.a
Subject: Physical Access - Enforcement
Issue: Unauthorized parties have access to sensitive/critical devices.
Discovery: Unauthorized users have physical access to system components (servers, network infrastructure, field devices, etc.).
Risk: Insiders/malicious parties can interact directly with sensitive/critical components or data.
Recommendation: The OA assessment team recommends keeping network infrastructure in locked network closets, cables and fiber runs within conduits, and components in shared spaces housed in locked cabinets.

Control: PL-2*
Subject: Policies and Plans - Overarching Cybersecurity Plan
Issue: No overarching security policy/plan for the system.
Discovery: No overarching documented security policy/plan for the system.
Risk: Without such a policy, there is nothing to drive security processes and culture, nor is there a complete plan for how to protect the system.
Recommendation: The security policy should reflect the organization's objectives for security (including cybersecurity) and an agreed upon and enforceable management strategy for securing cyber assets. Establish a high-level vision and policy for security. Establish a process to keep high-level policies current, fresh, and implemented within the organization. Document which controls will be/or are implemented to protect the security of the system. NCCIC recommends developing the following topics with plans, policies, and procedures:
• Account Management;
• Configuration Management, including a formal Change Management Process;
• Contingency Planning / Disaster Recovery;
• Incident Response;
• Media Policy;
• Password Policy; and
• Patching Policy.

Control: PS-2.b
Subject: Staff - Screening
Issue: Critical roles do not have sufficient screening criteria.
Discovery: Sensitive/critical roles do not have sufficient screening.
Risk: General background checks lack the rigor for identifying staff or potential employees that may have a nefarious cyber background.
Recommendation: A general background check may not be sufficient for ICS system administrators or process engineers that use privileged accounts on ICS systems. Implement background checks that reflect the roles individuals perform and the physical access they have.

Control: PS-6*
Subject: Staff - People
Issue: Employees do not sign access agreements prior to accessing the system.
Discovery: Employees are not required to sign acceptable use agreements regarding access to the system that specify appropriate use and restrictions.
Risk: Employees may use company resources inappropriately and lead to system compromise.
Recommendation: Create operator acceptable use agreements (e.g., don't share passwords or tape them to the computer, don't use USBs, etc.) and document employee agreement to them.

Control: SA-2.b
Subject: Staff - Resources
Issue: Insufficient staff to secure the system.
Discovery: Asset Owner has insufficient staffing to initiate new security efforts; cover vacations, illness, or travel; or secure the system properly.
Risk: Understaffing leads to employee burnout and limits staff from efficiently maintaining the system (active management of cybersecurity policies, programs, systems, and services). Currently, the staff focuses on emergencies and, as time permits, works on projects that have long-term value.
Recommendation: Asset Owner should review existing resources and identify incomplete tasks and responsibilities. Staff should prioritize these tasks and duties. If justified, based on the review, increase staff. Potential benefits include completing high priority projects and improving resiliency on loss of key personnel. It will also give staff time to develop specialized skills for enhancing security.

Control: SA-22.a
Subject: Configuration - Obsolete Software
Issue: Software/hardware is no longer supported by the vendor.
Discovery: (Specific hardware/software) is no longer supported by the vendor, and no patches are developed for newly discovered vulnerabilities.
Risk: Vulnerabilities existing in legacy devices/software may not be mitigated or addressed.
Recommendation: Consider options to replace legacy devices with supported products. While legacy devices are in use, establish compensating controls or protections to limit the risks and impacts of vulnerabilities being exploited on the legacy devices.

Recommendation (the other columns for this entry are not present on the page): Implement a policy for users to lock control workstations when leaving the area. Configure control workstations to automatically initiate a session lock after a configured time period. Specific devices may need exemption from this policy, but exemptions from the policy should include appropriate risk mitigation. An example mitigation could be exempting workstations located in a continuously staffed control room.

Control: AC-4
Subject: Network - Connections to systems
Issue: Data traffic is not restricted within the network
Risk: Lack of access control lists (ACLs) and other controls allows data/information to be accessible throughout the network.
Recommendation: Establish controls to limit data/information through ACLs on devices and network infrastructure. Utilize security tags/metadata to further restrict information paths.

Control: SI-2
Subject: Configuration - Patching
Issue: System/software are not patched or not consistently patched.
Discovery: System/applications are not patched.
Risk: Unpatched software contains vulnerabilities that vendors have often already identified and mitigated. Running unpatched software provides a vector for malicious parties to utilize known issues to gain access.
Recommendation: Coordinate with the software vendors to implement a patching plan to keep software patches up to date within a defined period of time after release based upon patch criticality. Include patch management within existing configuration management processes. Test patches on a backup or test system prior to deploying on a production system when possible.

Control: SC-32
Subject: Network - Partitioning
Issue: Control system resides on the same system/network as the Enterprise/IT network.
Discovery: Control system is not isolated/partitioned from other connected systems used by the organization.
Risk: Malicious activities occurring within any of the systems could easily migrate to infect the control system.
Recommendation: Isolate the control system from other systems. Physical isolation is best, but logical isolation offers some protections as well. Control systems should be able to run isolated from other networks and thus include necessary services within the system (for example, their own account management server such as Active Directory). Connections to other systems should be strictly controlled; see recommendations in SC-7.

Control: IA-5*
Subject: Accounts - Passwords
Issue: Passwords are not changed.
Discovery: Passwords are not changed frequently.
Risk: Not changing passwords on a frequent basis allows attackers time to successfully deduce them, allowing them access to your systems and networks.
Recommendation: Establish a password policy that includes changing passwords initially and periodically. The policy should address password complexity and reuse. If passwords cannot be changed due to some technical reason, then consider compensating controls, such as multifactor authentication (card readers, verification by other personnel, or access logs) to ensure that an acceptable risk level concerning attribution is maintained.


Control: SI-4.a
Subject: Detection - Monitoring
Issue: No monitoring for unauthorized connections or indicators of attack.
Discovery: No ICS system monitoring is implemented.
Risk: Monitoring network traffic, logs, and the information system as a whole is essential to determine if a potential compromise is occurring or to determine when there is a problem with the system.
Recommendation: Establish a process to monitor the information system. Install sensors within the system to evaluate current events occurring within the system. System administrators should be able to use monitoring to identify abnormal events including unauthorized connections and indicators of attack.

Control: AC-19(5)
Subject: Configuration - Mobile Devices
Issue: Laptops are not protected from loss outside of the facility. No full disk encryption.
Discovery: Laptops, tablets, and cell phones containing sensitive material are not protected with full disk encryption.
Risk: Portable devices that are lost or stolen could leak sensitive data or be used by malicious actors.
Recommendation: Investigate and utilize a management-approved method of full disk encryption to protect information stored on portable devices (for example, BitLocker). In the case of cellular devices, implement a Mobile Data Management solution to create encrypted containers for business applications such as company email. These solutions typically include functionality to remotely delete data in these containers in the event that the mobile devices are lost or stolen.

Control: AU-13
Subject: Detection - Open Source
Issue: Sensitive open source information found about company
Discovery: The OA assessment team found sensitive information about the organization in open source research.
Risk: The organization may be inadvertently making sensitive information about itself publicly available.
Recommendation: Conduct open source research to understand what information about the organization is publicly available. Attempt to discern how the intelligence was gathered, and mitigate the information leakage.

Control: CA-9(1)
Subject: Network - Remote Access
Issue: NAC/NAP
Discovery: Remote devices are not checked to ensure patches, anti-virus and other security mechanisms are in place prior to allowing a connection to the system.
Risk: Compromised systems could be allowed to connect to the system.
Recommendation: Enable the VPN solution to check for patch levels and anti-virus signatures for compliance prior to allowing connection to the system. *Reviewed 3/13/17: Should be used for remote connections to control.

Control: CM-3.g
Subject: Configuration - Change Management
Issue: Change management plans are not coordinated with all impacted parties.
Discovery: Change management plans are not coordinated with all impacted members/parties.
Risk: Network and configuration changes that are not properly scheduled could adversely affect ICS operations and the overall availability of the system.
Recommendation: All impacted teams/parties should be included in the change management plan/process. Valuable insight and coordination will provide less downtime and more opportunities for improvement of processes.

Control: SC-8
Subject: Network - Wireless and Radio
Issue: No communication encryption.
Discovery: Encryption is not used to protect information passed within the system.
Risk: Non-encrypted communications can be intercepted, modified, or entirely falsified by a malicious party, allowing a compromise of the communications' integrity and confidentiality.
Recommendation: Encrypt communications to protect the system's critical components. Replace older model equipment that cannot support encryption.
Control: IA-5*
Subject: Accounts - Passwords
Issue: Passwords are not managed.
Discovery: Passwords are not managed. Authenticators are changed outside of management control, bypassing proper process.
Risk: Failure to validate authenticators through proper processes may cause errors in proper authentication.
Recommendation: Ensure authentication processes are implemented and managed as intended.

Control: CP-2_
Subject: Recovery - Contingency Planning
Issue: Contingency Plan needs work.
Discovery: Disaster recovery plan is not formalized, and some processes need to be refined.
Risk: In the event of a disaster, the organization may not be able to sustain or recover operational capability in a reasonable timeframe. In a disaster, groups may have different priorities or fewer resources than expected.
Recommendation: Coordination with other related parties/groups is essential for planning, preparation, and testing of asset operation recovery in the event of some type of disaster. A Disaster Recovery Plan (DRP) needs to be developed through multidiscipline collaboration and documented in a living format, tested through exercises, and improved through lessons-learned and systems change processes. Coordination with related groups will prepare related plans to understand each group's needs and better help prioritize limited resources.

Control: SI-3*
Subject: Detection - Antivirus
Issue: No Antivirus installed.
Discovery: Antivirus (AV) software is not installed on applicable control system devices.
Risk: Lack of AV software increases the potential for malware infections.
Recommendation: Work with the vendor to identify and install AV software compatible with components. Where appropriate, establish a centralized mechanism to distribute AV updates and manage the endpoints. AV can also serve as a practical alerting mechanism.

Control: SI-2(1)
Subject: Configuration - Patching
Issue: No Centralized patch management.
Discovery: There is no centralized mechanism to control the distribution of ICS patches.
Risk: Without a centralized mechanism to control patch distribution, sensitive devices may not receive necessary patches, leaving them vulnerable to compromise.
Recommendation: Install a centralized mechanism to control the distribution of patches where applicable. Develop a procedure to test patches to identify potential incompatibilities with ICS before deployment.
Control: MP-7
Subject: Media - Policy
Issue: No portable media policy/plan.
Discovery: Asset has no portable media policy.
Risk: Media is a common vector for introducing malware into both an enterprise and ICS environment.
Recommendation: Develop and implement a media use policy that defines acceptable use of USB drives and other mobile media.

Control: AC-6(2)
Subject: Accounts - Permissions
Issue: Privileged accounts used for non-privileged jobs.
Discovery: Administrative (privileged) accounts are used to complete work that does not require administrative privileges.
Risk: When an active session is compromised, the malicious party inherits the access privileges of the authenticated user. If this user has administrative privileges, the malicious party can take immediate steps to secure their foothold within the system.
Recommendation: Users that need administrative access should have two accounts and use their non-privileged accounts for all activities that do not require special privileges (or administrative access). When privilege use is needed on an occasional basis, the user can escalate privileges using an administrative account as needed. For jobs that require administrative function on a more continual basis, the account should be restricted from access to the Internet and email to limit malicious attacks.

Control: AC-2(4)
Subject: Accounts - Account Management
Issue: No notification of account additions, modifications, or deletions.
Discovery: No automated notification of account management activities including account additions, modifications, or deletions.
Risk: Account changes, including the addition of privileged access, are a common step in a long term compromise of a system.
Recommendation: Monitor changes to the account management system, and establish notifications for account management actions including the addition of new accounts, modification of existing accounts, or removal of accounts. Changes should be compared and validated with authorized change requests. *Reviewed 3/13/17: This is a specific example of AU-2 Audit Events. If there are multiple audit events that are not addressed, then AU-2 should be used instead.
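One way to implement the AC-2(4) recommendation that account changes be compared and validated against authorized change requests, as an added example rather than anything from the assessment; the event and ticket record formats, the group names, and the sample data are constructed assumptions.

```python
"""Reconcile account-management events against approved change requests (added example).

Event and change-request records are constructed for this example; in practice
`reconcile` would be fed the audit events the account management system emits.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    action: str       # "create", "modify" or "delete"
    account: str
    actor: str        # administrator who performed the change
    detail: str = ""  # for "modify": the group the account was added to


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    action: str
    account: str
    approved_from: datetime
    approved_until: datetime


# Constructed group names; additions to these are the privileged-access case
# the risk column singles out.
PRIVILEGED_GROUPS = {"Domain Admins", "SCADA Operators"}


def match_request(event, requests):
    """Return the change request that authorizes `event`, or None.

    A request matches only when action and account agree and the event falls
    inside the approved window, so a ticket cannot be reused later.
    """
    for cr in requests:
        if (cr.action == event.action
                and cr.account.lower() == event.account.lower()
                and cr.approved_from <= event.when <= cr.approved_until):
            return cr
    return None


def reconcile(events, requests):
    """Return alerts for events no approved change request covers, oldest first."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        if match_request(ev, requests) is not None:
            continue
        privileged = ev.action == "modify" and ev.detail in PRIVILEGED_GROUPS
        alerts.append({
            "when": ev.when.isoformat(),
            "account": ev.account,
            "action": ev.action,
            "actor": ev.actor,
            "detail": ev.detail,
            "severity": "high" if privileged else "medium",
        })
    return alerts


def sample_data():
    """Constructed events and tickets: two changes are covered, two are not."""
    d = datetime
    events = [
        AccountEvent(d(2017, 3, 13, 9, 0), "create", "jsmith", "admin.ops"),
        AccountEvent(d(2017, 3, 13, 9, 5), "modify", "jsmith", "admin.ops", "SCADA Operators"),
        AccountEvent(d(2017, 3, 13, 23, 10), "modify", "svc_hmi", "admin.ops", "Domain Admins"),
        AccountEvent(d(2017, 3, 14, 10, 0), "delete", "rjones", "admin.hr"),
    ]
    requests = [
        ChangeRequest("CHG-1001", "create", "jsmith", d(2017, 3, 13, 8), d(2017, 3, 13, 17)),
        ChangeRequest("CHG-1002", "modify", "jsmith", d(2017, 3, 13, 8), d(2017, 3, 13, 17)),
        # Approved for a later window: the deletion happened before it was authorized.
        ChangeRequest("CHG-1003", "delete", "rjones", d(2017, 3, 15, 8), d(2017, 3, 16, 17)),
    ]
    return events, requests


if __name__ == "__main__":
    for alert in reconcile(*sample_data()):
        print(alert)
```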

Control: MP-5(4)
Subject: Media - Control
Issue: Media is not encrypted prior to transport.
Discovery: Backup media is not encrypted prior to transport outside of the area protected by the asset owner.
Risk: Media could be lost or stolen when outside of the physically controlled space of the asset owner. Information on media could be compromised/leaked.
Recommendation: Encrypt all media leaving the physical protections of the asset owner. Best practice is to encrypt all media that leaves a secure media storage area, and lock media within a physically secure container.

Control: PE-6.a
Subject: Physical Access - Monitoring
Issue: Physical Access is not monitored.
Discovery: Physical access to controlled resources is not monitored.
Risk: Access of controlled resources could lead to compromise of the system. Intruders and insiders may with time defeat locks and physical barriers, allowing direct access to system components.
Recommendation: Establish monitoring of access controlled resources through alarms and/or surveillance.

Control: SC-7(13)
Subject: Network - Partitioning
Issue: Security and support mechanisms reside on a multipurpose network.
Discovery: Security & support mechanisms reside on a multipurpose network.
Risk: Compromise of a network would provide a malicious party access to support applications and information that could be used to further compromise the system.
Recommendation: Isolate support applications, mechanisms, and information from other networks as an additional layer of defense.

Control: AC-19_
Subject: Network - Connections to systems
Issue: Laptops can be used across domains
Discovery: Field technicians have one laptop that is being used for both office work and control system field device configuration.
Risk: Laptops being used for typical office work, such as email, internet and remote access, are at a higher risk of compromise. Connecting these devices directly to nodes of the control network bypasses the boundary protections in place (firewalls, intrusion protection, logging and monitoring), creating an increased risk of compromise to the protected control system network.
Recommendation: Identify specialized devices for use in performing remote node configuration that are not permitted to be used for other purposes. Configure and control these specialized devices as part of the control system network and verify that they cannot be used in other environments.

Control: AC-11_
Subject: Accounts - Authentication
Issue: No session locks
Discovery: No session locks are configured on control workstations. There is no administrative policy requiring users to lock or logout of control workstations when leaving the area.
Risk: Without session locks, an unattended control workstation can be accessed by unauthorized personnel. A malicious actor could take actions as an authorized user to compromise the control system.
Recommendation: Implement a policy for users to lock control workstations when leaving the area. Configure control workstations to automatically initiate a session lock after a configured time period. Specific devices may need exemption from this policy, but exemptions from the policy should include appropriate risk mitigation. An example mitigation could be exempting workstations located in a continuously staffed control room.


Control: PE-2_
Subject: Physical Access - Enforcement
Issue: Physical access reviews
Discovery: Although there is a process to notify physical security when employment or business need changes, physical access is not regularly reviewed for continued business need and current employment.
Risk: Any problem in the notification process to physical security could allow indefinite physical access to individuals that should not have access.
Recommendation: Review the physical access badge list against current employment and business need on a regular frequency.

Control: AC-18
Subject: Network - Wireless and Radio
Issue: Wireless access control
Discovery: There is no mechanism to verify or limit connections to company-owned devices.
Risk: Without any technical controls to limit connections, staff could connect personal devices to the business network. Malware on personal or rogue devices could spread to other devices within the business network. Data could be copied to rogue devices.
Recommendation: Use business class wireless access points with the ability to limit incoming connections based upon certificates installed or, at a minimum, MAC addresses of pre-approved devices.

Control: IA-2(8)
Subject: Accounts - Account Management
Issue: Privileged account hashes subject to golden ticket
Discovery: Hashes of privileged accounts are cached on workstations when accessed by administrators on the network.
Risk: Malicious parties can use privileged account hashes to masquerade as authorized administrators. If the domain administrative credentials are cached on a workstation, the entire domain could be compromised.
Recommendation: Use the Protected Access Group security features of Windows Server 2012 and 2016.

Control: SC-7(7)
Subject: Network - Remote Access
Issue: Split Tunneling
Discovery: Remote access VPN connections allow split tunneling.
Risk: Split tunneling allows a remote device to route its network traffic with multiple sources. Remotely connected devices with split tunneling enabled could act as a bridge for malicious traffic into the system owner's network, bypassing firewall restrictions and other access controls.
Recommendation: Disable split tunneling within the VPN connection settings.

Control: SC-32
Subject: Network - Partitioning
Issue: Flat Network - no segmentation
Discovery: High value or control system elements reside on the same network as common network devices.
Risk: Malicious parties could pivot from a compromised workstation to a high value asset or server on the same network.
Recommendation: Establish a segmented high security zone for high value assets and/or control system components. Protect access to devices within this zone through the use of specific firewall access controls. Establish a demilitarized zone (DMZ) for work that needs to be within the high security zone. Allow only specific devices within the DMZ to connect to high value assets, and then only through specified connections. As necessary, allow specific users/devices to remotely connect to devices in this DMZ to access high value servers. Remote access control should limit what information is allowed to egress to the business network. Reference the network architecture within ICS-CERT’s Defense-in-Depth document.

Control: CM-10
Subject: Configuration - Software
Issue: No approved software list
Discovery: No formally defined approved software list or policy.
Risk: Without such a list or policy, there is nothing to prevent or limit the installation of unnecessary and potentially vulnerable software on the network. Without an approved software list, it becomes difficult to identify unauthorized software within the environment.
Recommendation: Establish a policy defining what software can be installed on the system. Include within the policy how additional software can be approved with a valid business case and impact analysis from IT and security staff.

Control: PM-16
Subject: Detection - Threat Management
Issue: No one assigned to be responsible for threat management
Discovery: No one assigned to follow up on software vulnerabilities and the impacts of new threats.
Risk: This leaves the system at risk of exploitation through known vulnerabilities.
Recommendation: Assign a management resource to have stewardship of network vulnerabilities and threats. This individual should receive threat intelligence information and vulnerability information regarding the IT assets within the network. This resource should be empowered to enact additional security controls and remediations to mitigate threats as vulnerabilities are identified.

Control: PS-2
Subject: Staff - Screening
Issue: Position requirements - screening
Discovery: No established screening criteria for sensitive positions.
Risk: Without an understood level of risk inherent to a position, anyone, including personnel not suitable, could be hired to fill a position. For example, an individual with a high debt level could be hired to fill an accounting position, or a cyber-criminal could be hired to a position with access to sensitive data and equipment.
Recommendation: Assign a risk designation to all positions. Establish screening criteria for individuals filling those positions and consider a more stringent screening requirement for personnel in sensitive positions.

Control: CM-11
Subject: Configuration - Software
Issue: Software installed without SysAdm knowledge
Discovery: Systems on the control network had software installed by outside vendors without the knowledge of internal IT staff.
Risk: Without knowing what changes are happening to internal systems, the local IT staff cannot properly secure the environment.
Recommendation: Establish clear ownership responsibility for all systems on the network. Outside vendors should not have privileged access to internally managed systems. If an outside vendor manages a system, the system should be on a separate network with appropriate segmentation to protect the internal system.

Control: CP-2
Subject: Recovery - Contingency Planning
Issue: No disaster recovery plan
Discovery: There is no formal disaster recovery plan.
Risk: In the event of a disaster, the organization may not be able to sustain or recover operational capability in a reasonable timeframe. In a disaster, groups may have different priorities or fewer resources than expected.
Recommendation: A disaster recovery plan needs to be developed through multi-discipline collaboration and documented in a living format, tested through exercises, and improved through lessons-learned and systems change processes. Coordinate with related groups to better understand each group’s needs and help prioritize limited available resources. Coordination with other related parties/groups is essential for planning, preparation, and testing of asset operation recovery in the event of some type of disaster.
Control: SA-5
Subject: Media - Policy
Issue: No Document Management
Discovery: [Asset Owner] does not currently have a document management system.
Risk: Lack of document management can lead to duplication of work, extended approval times, and distribution problems.
Recommendation: Develop and implement a document management system.

Control: SC-7
Subject: Network - Connections to systems
Issue: Multi-use devices
Discovery: Multipurpose laptops used for work in control system and administrative networks.
Risk: Laptops used for typical office work, such as email, Internet, and remote access, are at a higher risk of compromise. Connecting these devices directly to nodes of the control network bypasses the boundary protections in place between business and control system networks (examples include firewalls, intrusion protection, logging, and monitoring). This creates an increased risk of compromise to the protected control system network.
Recommendation: Identify specialized devices for use in performing control system configurations. Do not permit the use of these devices for other purposes. Configure and control these specialized devices as part of the control system network and verify that these devices only connect to the supervisory control and data acquisition (SCADA) environment.

Control: AC-2
Subject: Accounts - Account Management
Issue: No notification of user change
Discovery: Account managers are not informed when users' employment status changes.
Risk: Failure to disable or remove user accounts in a timely manner could allow an attacker to use them to access the system without authorization.
Recommendation: Establish a process to notify account managers of changes to users' status and needs. If HR is integral in the process, then they should initiate processes that notify managers, security, and account managers of changes regarding specific users.

Control: SC-7(14)
Subject: Network - Connections to systems
Issue: Unauthorized Connections
Discovery: Network port security is not being leveraged in the ICS environments.
Risk: Unauthorized network devices may connect to the system. Unauthorized network devices could maliciously or accidentally compromise the system.
Recommendation: Implement a policy to secure network ports within the ICS environment. Possible solutions include physical port blockers, administratively disabling unused ports, implementing MAC authentication or, for stronger security, authenticating devices with a certificate using 802.1x.

Control: AC-3
Subject: Network - Connections to systems
Issue: Control system information is stored on business network
Discovery: Sensitive information, including development, configuration, and backups, is stored on a file share in the business network and access control levels are unknown.
Risk: Compromise of the business network could provide a malicious party access to sensitive information that could be valuable in planning a later attack.
Recommendation: Isolate sensitive information from the business network. Where possible, move the information from the business network to the control system network.

Control: AC-11
Subject: Accounts - Authentication
Issue: Authenticated sessions do not timeout after a period of inactivity
Discovery: Authenticated devices/workstations/servers do not timeout after a period of inactivity.
Risk: Without session locks, an unattended control workstation can be accessed by unauthorized personnel. A malicious actor could take actions as an authorized user to compromise the control system.
Recommendation: Implement a policy for users to lock control workstations when leaving the area. Configure control workstations to automatically initiate a session lock after a configured time period. Specific devices may need exemption from this policy, but exemptions from the policy should include appropriate risk mitigation. An example mitigation could be exempting workstations located in a continuously staffed control room.


Control: AC-2
Subject: Accounts - Account Management
Issue: No Account Review
Discovery: [Asset Owner] has no annual account review.
Risk: Failure to disable or remove user accounts in a timely manner could allow an attacker to use them to access the system without authorization.
Recommendation: On at least an annual basis, account managers should have process managers verify that employee accounts are legitimate and what privileges the employees need to perform their duties.

Control: AC-18
Subject: Network - Wireless and Radio
Issue: Direct access to control system via WiFi
Discovery: WiFi-connected devices have the ability to control and make changes to the ICS.
Risk: While the WiFi has some encryption and authentication, once connected, the devices using this communications method have the ability to control the control system. The transmission medium for WiFi is not secure and could be intercepted and exploited.
Recommendation: Incorporate an additional layer of network protection for WiFi devices to limit access to the resource. Consider 802.1x and device based certificates to limit what devices can attempt to authenticate to this transmission medium.
Control: CP-9
Subject: Recovery - Backups
Issue: No Backups
Discovery: [Asset Owner] has no backups for [specify items].
Risk: Critical software, data, and systems will be difficult to recover after an incident, system failure, or catastrophe.
Recommendation: Develop a plan and process to back up system data on a regular basis. The plan should have a 3–6 month history and should be tested regularly.

Control: IA-5
Subject: Accounts - Passwords
Issue: Admins do not verify the identity of the user when a password change is requested.
Discovery: Administrators do not always verify the identity of a party requesting a password change.
Risk: Passwords are the keys to protecting cyber assets. Unprotected passwords allow attackers access to your systems and networks. A malicious party could use social engineering to induce account managers to change passwords and allow access into the system.
Recommendation: Implement a challenge in password change requests to verify the identity of the user. Alternatively, all password change requests could be done in person with an account manager.

Control: MP-3
Subject: Media - Marking and Categorization
Issue: Sensitive information is not categorized/marked.
Discovery: [Asset Owner] does not categorize and mark sensitive information.
Risk: Staff members could unknowingly mishandle or release sensitive information to the public.
Recommendation: Determine what constitutes sensitive information and what protections to impose. Develop a policy to categorize and protect sensitive data and procedures to mark and handle it appropriately.

Control: PE-3
Subject: Physical Access - Enforcement
Issue: Key Control
Discovery: [Asset Owner] has not accounted for all facility keys.
Risk: Loss of key control could allow unknown parties to gain physical access to control system components, giving a malicious party the ability to modify the system and disrupt services.
Recommendation: Rekey locks for all lost or unaccounted for keys or move to a physical cyber lock system.
Control: PM-15
Subject: Detection - Threat Management
Issue: Not a member of a threat intelligence/information sharing group
Discovery: [Asset Owner] is not a member of the Water Information Sharing and Analysis Center (ISAC).
Risk: [Asset Owner] may miss opportunities to receive current information on emerging cyber threats and issues, including recommended mitigations.
Recommendation: Consider joining the Water ISAC and other cybersecurity threat sharing groups.

Control: AC-5
Subject: Staff - Separation of Duty
Issue: External System Integrator
Discovery: [Asset Owner] uses an external system integrator to administrate the SCADA system, manage user accounts, and manage SCADA network firewalls.
Risk: The potential for abuse of authorized privileges and the risk of malicious activity without collusion is significantly higher with poor separation of duties.
Recommendation: Use the external system integrator for the subject matter expertise needed to help design and administer the SCADA system. Move responsibilities to manage access to the SCADA system through user account management in Active Directory and firewall configuration to other groups. Consider either using the internal operations group or leveraging expertise already held within the internal IT group to help manage Active Directory and firewall configurations.

Control: CM-7
Subject: Configuration - Least Functionality
Issue: Unnecessary Services
Discovery: Network analysis observed unnecessary services communicating on the SCADA network, including (list services).
Risk: Unnecessary services, ports, protocols, applications, and functions create potential attack vectors for malicious parties to gain access to the system.
Recommendation: Determine the necessary requirements, services, ports, protocols, and applications to complete the needed function/operation of a system component. Disable unused ports to prevent unauthorized connections. Hardening guides are available online from sources such as NIST, the Defense Information Systems Agency, and the Center for Internet Security. Apply hardening measures carefully in a test environment and document the approved configuration of each component.

Control: MP-7
Subject: Media - Control
Issue: No technical control to limit removable media
Discovery: There are no technical controls in place to limit the use of removable media on the control system.
Risk: Removable media is a common vector for introducing malware into an ICS environment. Administrative policies may be insufficient to protect the control system.
Recommendation: Implement technical controls over the use of removable media within the control system. Possible technical methods include software to disable USB media or physical port blockers.

Control: PE-3
Subject: Physical Access - Enforcement
Issue: Unauthorized Access
Discovery: Unauthorized users have physical access to (specify what).
Risk: Insiders/malicious parties could interact directly with sensitive/critical components or data.
Recommendation: Keep network infrastructure in locked network closets, cables and fiber runs within conduits, and components in shared spaces housed in locked cabinets. If the HMI remains in a public space to facilitate tours and demonstrations, limit the risk by taking steps to restrict the methods that an unauthorized user could use to interact with the system.

Control: SC-7
Subject: Network - Protection from Internet
Issue: Use of Routable IP addresses
Discovery: The private (internal) network uses publicly “routable” network IP addresses.
Risk: Public IP addresses can be routed over the Internet. If internal firewalls and access control lists are not properly configured, traffic could be routed through the Internet, which could be exploited by an attacker to obtain access to the network.
Recommendation: Reassign private network components to use private IP address ranges (i.e., 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). This will ensure that control system traffic does not leave the internal network if perimeter defenses fail or are improperly configured.

Control: SC-7
Subject: Network - Connections to systems
Issue: Direct VPN Access to SCADA
Discovery: The SCADA VPN allows laptops to connect directly into the SCADA network.
Risk: Allowing laptops associated with the business network to VPN into the SCADA network logically makes them part of the SCADA network. Business network activities, such as using email and browsing the Internet, incur a higher risk of compromise. Connecting these devices into the SCADA network increases the risk of a compromise entering the SCADA network.
Recommendation: Utilize jump servers to restrict access to SCADA systems at a granular level. Carefully restrict the movement of files in and out of the SCADA network with stringent access controls on allowed traffic with the DMZ firewalls and jump server. Heavily monitor the use of jump servers to quickly detect any attempted compromise.

Control: SC-7
Subject: Network - Protection from Internet
Issue: SCADA devices communicate directly to the internet
Discovery: (List of Devices) connect directly to the internet. (May elaborate on how)
Risk: An attacker can use a compromised node on the business network to exploit the control system. Flat internal networks with no internal flow controls could allow malware/attackers to traverse the network unimpeded.
Recommendation: All traffic between the business and ICS networks should pass through hardened proxy devices residing in an ICS DMZ. Remote users should never connect directly to an ICS node without passing through a secured jump server or remote access server in the DMZ. Do not allow direct communication between the SCADA network and any outside source. NIST SP 800-82, Chapter 5, and the NCCIC ICS Defense-in-Depth document are great references for how to do this.
Control: AC-2
Subject: Accounts - Account Management
Issue: Accounts not removed in a timely manner
Discovery: The [Asset Owner] does not remove accounts in a timely manner.
Risk: Unauthorized users could use accounts of terminated employees to access the system, which could lead to system compromise.
Recommendation: Establish a process to disable or remove accounts for employees that no longer need access to the system.

Control: PE-13
Subject: Physical Access - Environmental Concerns
Issue: Water based fire suppression
Discovery: There are fire suppression sprinkler heads over the server racks in the main server room and in other network equipment areas.
Risk: A sprinkler system could cause severe damage to electrical equipment, including network equipment and servers. A sprinkler system incident could damage a large amount of the IT infrastructure, greatly increasing time to recovery.
Recommendation: Change to a different form of fire suppression technology in the server and network equipment rooms to prevent damage to computer equipment.

Control: PE-14
Subject: Physical Access - Monitoring
Issue: Not monitoring server room environmental conditions.
Discovery: The [Asset Owner] does not monitor the critical network equipment area for environmental conditions.
Risk: Events that impact the ability to manage the temperature of the equipment room (like the loss of air conditioning) must be responded to quickly to avoid damaged equipment and significant downtime. Water can also cause significant damage. Without monitoring environmental conditions, significant damage is more likely to occur.
Recommendation: Implement environmental monitoring to alert responsible parties when conditions deteriorate and need immediate response.
Control: PM-2
Subject: Policies and Plans - Management Support
Issue: No one in charge of System security
Discovery: [Asset Owner] does not have an individual in charge of security for the system.
Risk: Without a person responsible for security, efforts to secure the system may be put aside in favor of other priorities.
Recommendation: [Asset Owner] should appoint a person to be in charge of security for the system.

Control: AC-2
Subject: Accounts - Account Management
Issue: Deletes accounts, instead of disabling.
Discovery: [Asset Owner] currently disables accounts upon individual employee departure and deletes them shortly thereafter.
Risk: Deleted accounts could be recreated with the same name and aligned with a new user, which could lead to system or file access based on legacy documents from the previous user. This could lead to system or data compromise.
Recommendation: Move deactivated accounts to a "disabled account group" and retain them in a disabled status for a period of time to prevent reuse and segment them from future users with similar account names.


Control: CM-6
Subject: Configuration - Change Management
Issue: Misconfigured devices attempting to connect to internet or other networks
Discovery: The OA assessment team detected SCADA devices within the HMI network attempting to access external addresses.
Risk: If the firewall access control lists (ACL) were not working, control system elements would have reached out to the Internet. Additionally, this type of unnecessary traffic makes it more difficult to determine if anomalous events are the result of misconfigured devices or malicious software/threat activity attempting to egress the control system network.
Recommendation: Identify systems on SCADA/PLC/HMI networks that are attempting external addresses. Determine if systems are misconfigured or have a legitimate need to connect to another device outside their network. Configure devices not to rely on the firewall ACLs to prevent access and establish pass rules to devices in the demilitarized zone (DMZ) for legitimate access needs. This will make it possible to monitor firewall deny actions as a method of determining misconfigured devices and identifying intrusion activities.
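The CM-6 recommendation above (monitor firewall deny actions to tell misconfigured devices from egress attempts) and the earlier SC-7 finding on routable internal addresses share one check: is an address outside the RFC 1918 ranges the recommendation lists? The following is an added example, not part of the assessment, that runs that triage over constructed firewall deny lines; the log format, control subnets, DMZ host and inventory are assumptions.

```python
"""Triage firewall deny events from control-system subnets (added example).

The log format, subnets, and sample lines below are constructed for this
example; adapt LINE_RE and the address lists to the firewall actually deployed.
"""
import ipaddress
import re
from collections import defaultdict

# The RFC 1918 ranges named in the recommendation; anything else is routable.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the asset owner's SCADA/PLC/HMI subnets.
CONTROL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed: DMZ hosts that control devices may legitimately reach.
DMZ_HOSTS = {ipaddress.ip_address("10.30.0.10")}

# Constructed syslog-style firewall lines in a hypothetical format.
SAMPLE_LOG = """\
2017-03-13T08:00:01 fw01 DENY src=10.20.1.15 dst=8.8.8.8 dport=53 proto=udp
2017-03-13T08:00:05 fw01 DENY src=10.20.1.15 dst=8.8.8.8 dport=53 proto=udp
2017-03-13T08:00:09 fw01 DENY src=10.20.1.40 dst=52.0.0.7 dport=443 proto=tcp
2017-03-13T08:00:12 fw01 DENY src=10.20.1.40 dst=198.51.100.23 dport=8443 proto=tcp
2017-03-13T08:01:00 fw01 DENY src=10.20.1.15 dst=10.30.0.10 dport=502 proto=tcp
2017-03-13T08:01:30 fw01 DENY src=192.168.5.9 dst=1.1.1.1 dport=123 proto=udp
2017-03-13T08:02:00 fw01 ALLOW src=10.20.1.40 dst=10.30.0.10 dport=502 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>DENY|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def is_routable(addr):
    """True when addr lies outside the RFC 1918 ranges, i.e. it can be routed over the Internet."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_RANGES)


def in_control_network(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONTROL_SUBNETS)


def parse_denies(log_text):
    """Yield parsed DENY events; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "DENY":
            yield m.groupdict()


def egress_attempts(log_text):
    """Map each control-network source to the routable destinations it was denied.

    Returns {src: {(dst, dport, proto): count}} so one repeating destination
    (a misconfigured DNS or NTP client) can be told apart from a host trying
    many external addresses.
    """
    by_src = defaultdict(lambda: defaultdict(int))
    for ev in parse_denies(log_text):
        if not in_control_network(ev["src"]) or not is_routable(ev["dst"]):
            continue
        by_src[ev["src"]][(ev["dst"], int(ev["dport"]), ev["proto"])] += 1
    return {src: dict(dests) for src, dests in by_src.items()}


def missing_dmz_rules(log_text):
    """Denied control-to-DMZ flows: candidates for explicit pass rules rather than egress."""
    flows = set()
    for ev in parse_denies(log_text):
        if in_control_network(ev["src"]) and ipaddress.ip_address(ev["dst"]) in DMZ_HOSTS:
            flows.add((ev["src"], ev["dst"], int(ev["dport"]), ev["proto"]))
    return flows


def classify(by_src):
    """Heuristic triage: a single repeating destination reads as misconfiguration,
    several distinct destinations warrant an intrusion investigation."""
    return {src: ("likely-misconfiguration" if len(dests) == 1 else "investigate")
            for src, dests in by_src.items()}


def routable_hosts(inventory):
    """SC-7 check: inventory entries (name -> address) whose internal address is routable."""
    return {name: addr for name, addr in inventory.items() if is_routable(addr)}


if __name__ == "__main__":
    attempts = egress_attempts(SAMPLE_LOG)
    for src, verdict in classify(attempts).items():
        print(src, verdict, attempts[src])
    print("missing DMZ pass rules:", missing_dmz_rules(SAMPLE_LOG))
    # Constructed inventory: one PLC was mistakenly given a public address.
    print("routable internal hosts:", routable_hosts({"hmi01": "10.20.1.15", "plc07": "203.0.113.5"}))
```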

Control: MP-7
Subject: Media - Control
Issue: Lack of portable media policy or plan.
Discovery: The portable media policy does not adequately address the use of USB devices. Additionally, there are no technical controls in place to limit the use of removable media on the control system.
Risk: Removable media is a common vector for introducing malware into an ICS environment. Administrative policies may be insufficient to protect the control system.
Recommendation: Develop and implement a media use policy that defines acceptable use of USB drives and other mobile media, and provide training on media handling. Implement technical controls over the use of removable media within the control system. Possible technical methods include software to disable USB media or physical port blockers.

Control: SC-7
Subject: Network - Connections to systems
Issue: No DMZ
Discovery: There is no DMZ established between control system subnets and the enterprise network.
Risk: Without DMZ segmentation, network traffic is either passed or blocked. With time, a malicious party could determine what devices are allowed to communicate to devices on another network and learn to bypass the security afforded by single layer ACLs.
Recommendation: Establish DMZ segmentation by creating an enclave zone between enterprise and control system elements. ACLs on both sides of the connection should restrict the flow and direction of traffic. Traffic should not be able to flow from enterprise to DMZ to control system without the intent of SSGCP. Data could be pushed to the DMZ by a control system element, and then an enterprise device must request it be moved from the DMZ. In this example, the data moving from DMZ to enterprise could not be initiated from the DMZ in either case, limiting the flow of data. Jump servers fit the model by requiring separate authentication prior to changing networks. In any case, devices within the DMZ should be limited on what other devices they can connect with and with what ports and services.
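The push/pull conduit model in the recommendation above can be written down as a rule table and checked mechanically. The following is an added example for this page, not code from the assessment report: an ordered, default-deny rule set for the three zones, an evaluator for individual connection attempts, and two linters for the properties the finding cares about (no data session may originate inside the DMZ, and no allow rule may join enterprise and control directly). The zone addressing, port numbers, host roles and the contrasting single-layer rule set are constructed.

```python
"""Conduit model for the DMZ recommendation: an ordered, default-deny rule table
evaluated per connection attempt, plus linters for the two things the finding
warns about (sessions originating in the DMZ, direct enterprise<->control paths).

Added example for this page, not from the assessment report. Zone addressing,
port numbers and host roles are constructed.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {  # constructed addressing
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}

JUMP_PORTS = frozenset({22, 3389})  # interactive access brokered by a jump server


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str   # "allow" or "deny"
    purpose: str


# Recommended design: control pushes to a DMZ replica, enterprise pulls from that
# replica, and operators reach control only through a DMZ jump server that
# requires its own authentication. Anything not listed is denied.
RULES = [
    Rule("control", "dmz", "TCP", 5432, "allow", "historian pushes data to DMZ replica"),
    Rule("enterprise", "dmz", "TCP", 443, "allow", "enterprise pulls reports from DMZ replica"),
    Rule("enterprise", "dmz", "TCP", 3389, "allow", "RDP to DMZ jump server"),
    Rule("dmz", "control", "TCP", 3389, "allow", "DMZ jump server RDP to control-system jump host"),
]

# Single-layer design the finding describes: one ACL with a direct path punched through.
FLAT_RULES = [
    Rule("enterprise", "control", "TCP", 502, "allow", "engineering workstation straight to PLCs"),
    Rule("dmz", "enterprise", "TCP", 445, "allow", "DMZ file server pushes to enterprise share"),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src_ip, dst_ip, proto, dport, rules=RULES):
    """Return (action, reason) from the first matching rule; default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src_zone, dst_zone, proto.upper(), dport):
            return r.action, r.purpose
    return "deny", f"no rule for {src_zone}->{dst_zone} {proto.upper()}/{dport}"


def dmz_initiated_data_flows(rules):
    """Allow rules that let a non-jump session originate inside the DMZ."""
    return [r for r in rules
            if r.action == "allow" and r.src_zone == "dmz" and r.dport not in JUMP_PORTS]


def direct_enterprise_control_flows(rules):
    """Allow rules that bypass the DMZ entirely, in either direction."""
    return [r for r in rules
            if r.action == "allow" and {r.src_zone, r.dst_zone} == {"enterprise", "control"}]


if __name__ == "__main__":
    for flow in [("10.10.5.20", "10.20.0.10", "TCP", 5432),
                 ("10.30.1.5", "10.20.0.10", "TCP", 443),
                 ("10.30.1.5", "10.10.5.20", "TCP", 502),
                 ("10.20.0.10", "10.30.1.5", "TCP", 443)]:
        print(flow, evaluate(*flow))
    print("DMZ-initiated:", dmz_initiated_data_flows(FLAT_RULES))
    print("Direct paths:", direct_enterprise_control_flows(FLAT_RULES))
```

Running the linters against a proposed rule set before it is pushed to both firewalls is the practical check: the recommended table passes both, while the flat table fails both, which is exactly the single-layer exposure the Risk column describes.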
Control: AC-6
Subject: Accounts - Permissions
Issue: Least Privilege - Too many access rights
Discovery: Some users have too much access to critical systems.
Risk: Giving access to the control system to users that don't have an operational need creates an unnecessary avenue for unauthorized access.
Recommendation: Consider other methods of providing needed data without allowing access to the control system.

Control: AC-8
Subject: Accounts - Authentication
Issue: System Use Notification
Discovery: Acceptable system use banner is not presented to users upon login.
Risk: Without display warnings there is ambiguity in what constitutes acceptable use of the system. This leaves opportunity for unintended and unauthorized actions to take place.
Recommendation: System use notifications should be implemented using messages or warning banners displayed prior to system log in.
Control: CP-9
Subject: Recovery - Backups
Issue: Backups stored in poor location
Discovery: Backups are stored in a poor location. [Explain where and why this is bad].
Risk: A localized event could corrupt both production systems and configuration backups, which would greatly increase system downtime.
Recommendation: [Asset Owner] should develop a plan to move backups to an offsite location.

Control: CP-9(1)
Subject: Recovery - Backups
Issue: Backups not tested.
Discovery: There is no formalized process for testing the integrity of backups and backup media.
Risk: Backups could be corrupted or invalid. This condition would be unknown until the backups are needed, at which time restoration time would be significantly impacted.
Recommendation: Test recovery processes and procedures and verify the integrity of data from backups. This methodology (and any discoveries during testing backup/restoration capabilities) should feed into the overall Disaster Recovery and Continuity of Operations procedures.
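The integrity half of the CP-9(1) recommendation is easy to automate: hash every file when the backup set is taken, store the manifest somewhere other than the backup media, and verify the set on a schedule rather than on the day it is needed. The following is an added example for this page, not code from the assessment report; the backup file names and contents are constructed, and the demo deliberately flips one byte and deletes one file to show what the verification reports.

```python
"""Backup integrity test for the CP-9(1) recommendation: record a SHA-256 manifest
when a backup set is taken, then verify the set against it before it is needed.

Added example for this page, not from the assessment report. The backup file
names and contents below are constructed.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Return {relative_path: sha256} for every regular file under backup_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest; in practice keep it off the backup media itself."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify_backup(backup_dir, manifest):
    """Compare backup_dir with manifest. Returns {} when intact, otherwise any of
    'corrupt' (digest mismatch), 'missing' (in manifest, not on disk) and
    'unexpected' (on disk, not in manifest), each a sorted list of paths."""
    current = build_manifest(backup_dir)
    problems = {
        "corrupt": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }
    return {k: v for k, v in problems.items() if v}


def demo():
    """Constructed scenario: three backup files, then one silently corrupted and one lost.
    Returns (result_when_intact, result_after_damage)."""
    files = {
        "plc1/program.bin": b"\x00\x01LADDER-LOGIC",
        "plc2/program.bin": b"\x00\x02LADDER-LOGIC",
        "hmi/tags.csv": b"tag,address\nPump1_Run,40001\n",
    }
    with tempfile.TemporaryDirectory() as work:
        backup_dir = os.path.join(work, "backup")
        for rel, data in files.items():
            full = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest_path = os.path.join(work, "manifest.json")   # beside, not inside, the set
        save_manifest(build_manifest(backup_dir), manifest_path)
        manifest = load_manifest(manifest_path)
        intact = verify_backup(backup_dir, manifest)

        with open(os.path.join(backup_dir, "plc1", "program.bin"), "r+b") as f:
            f.write(b"\xff")                      # one flipped byte: bit rot or tampering
        os.remove(os.path.join(backup_dir, "hmi", "tags.csv"))
        damaged = verify_backup(backup_dir, manifest)
    return intact, damaged


if __name__ == "__main__":
    print(demo())
```

A digest check proves the media still holds what was written, not that the image restores; the restoration rehearsal the recommendation also asks for is still needed, and its results (restore time, missing dependencies) are what should be fed back into the Disaster Recovery procedures.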

Control: IA-5
Subject: Accounts - Passwords
Issue: Group Account Passwords
Discovery: Group account passwords are not changed when members of the group leave.
Risk: Members of the group that have left no longer need access to the resource protected by the password. If the password is not changed, they will still have access.
Recommendation: The OA assessment team recommends minimizing the use of group accounts. When group accounts are necessary, ensure that credentials are changed periodically and upon group membership changes.

Control: AC-4(2)
Subject: Network - Connections to systems
Issue: Multi-Use systems
Discovery: [Particular Host] is used to perform multiple tasks that increase risk because of the multiple resources they access, [specify services (e.g., historian & mail server on same machine)].
Risk: The combined use of sensitive processes, with general user functions such as email and web browsing, exposes the sensitive processes to potential compromise. Unnecessary services, ports, protocols, applications, and functions create vectors for malicious parties to gain access to the system.
Recommendation: Establish a dedicated system to conduct sensitive or secure processes. For this system, determine the necessary requirements, services, ports, protocols, and applications to complete the needed functions and operations. Restrict the system to allow only the use of the necessary requirements. Disable unused ports to prevent unauthorized connections.

Control: AC-5
Subject: Staff - Separation of Duty
Issue: Separation of Duty
Discovery: Staff have responsibilities which should be separated among multiple roles.
Risk: The potential for abuse of authorized privileges and the risk of malicious activity without collusion is significantly higher with poor separation of duties. The current processes allow staff to significantly impact the system without a check and balance to prevent malicious activity.
Recommendation: Separate some of the duties to other staff to limit the potential for insider attack and compromise.

Control: AC-6
Subject: Accounts - Permissions
Issue: Least Privileges
Discovery: Users have more privileges than are necessary for their role.
Risk: Staff that move from position to position could maintain higher privileges than what is necessary to accomplish their new responsibilities. This opens the possibility of being able to compromise controls established by separating duties. In these circumstances, staff members have an increased ability to bypass security controls.
Recommendation: Define permissions by role. When staff members move into a new position, evaluate the permissions needed and adjust, as appropriate.

Control: IA-4
Subject: Accounts - Identifiers
Issue: Default Account Names
Discovery: [Asset Owner] uses default account names.
Risk: Malicious actors can easily guess default account names, which could allow them to compromise the authentication in less time.
Recommendation: Do not use standard or easily guessed account names. Best practice is to have individual accounts, especially for privileged roles, all managed by a centralized account management system.
