Compensating controls are often the only cybersecurity options available to offset risk in operational technology environments still supporting legacy technology or end-of-life industrial control systems or field devices.
Cyber Resilience

When Compensating Controls are Your Only Security Option

Dan Ricci
Jun 7, 2023

In my previous life conducting cyber risk assessments, I would find control system devices that had reached their end of life, had some design limitation, or carried an insecure-by-design vulnerability, either introduced during the development cycle or present because security was never considered when the device was manufactured.

Inherently risky field devices are part of working in operational technology (OT) environments, and budget limitations often leave them as your only option. Securing them usually means applying compensating security controls to offset the residual risk. Let’s briefly consider some factors when implementing compensating controls for ICS devices in OT environments.

Questions to Consider when Implementing Compensating Controls

We should weigh a few factors with affected devices before designing and applying compensating security controls. For example, it is not uncommon to have programmable logic controllers (PLCs) that have reached end-of-life (EoL) yet still support business operations in chemical plants, manufacturing plants, or transportation systems. An asset owner may have to ask the following questions before moving forward with compensating controls:

  1. What critical operation or safety function does this end-of-life PLC provide or support?

  2. Would there be a significant impact on business operations if the end-of-life PLC was disrupted, damaged, or destroyed?

  3. Are there backup PLCs in inventory for the end-of-life PLC if and when it fails?

  4. How many end-of-life PLCs will need to be replaced?

  5. Does the company have funding in its annual budget to replace end-of-life PLCs?

  6. Do we have the expertise within the company or organization to transition to a current or new vendor’s PLC version—and is it compatible with our control system’s existing engineering and management software?

  7. How long would programming and replacing these end-of-life PLCs take?

If the answers show that replacement is not feasible in the near term (no spares on hand, no budget, no in-house expertise to migrate, or a long lead time to reprogram and replace the units), compensating security controls may be an excellent alternative to replacing the end-of-life PLC and other ICS devices in the OT environment.

One approach to deciding which compensating security control to implement is first to assess the existing physical and technical controls on the control system and evaluate how well they are implemented. From there, you can decide whether additional controls are needed to cover gaps in protection for ICS devices or software that have reached end-of-life or are insecure by design.

Evaluate Existing Physical and Technical Controls

First, let’s assess current physical security controls. Physical access controls in place may cover the perimeter of the building and the rooms where the end-of-life PLCs are located, yet the enclosure cabinets where the PLCs are mounted may be left unlocked or have no locking mechanism at all, so anyone who reaches the room can connect to these devices for malicious purposes. Adding locks and, where possible, tamper switches on the enclosure cabinets, tied into the existing physical access control or security system, can both alert security staff and prevent unauthorized access to these devices.

Next, consider the technical security controls to protect an end-of-life PLC, starting by assessing the current network segmentation, firewall, and intrusion detection solution. The following questions should be asked to help determine the current state of network security:

  1. Is the OT network segmented both physically and logically (e.g., physically air-gapped, with separate virtual local area networks (VLANs) for distinct control system processes and operations)?

  2. Are the end-of-life PLCs located on a VLAN that would make them publicly accessible (e.g., internet-facing) or wholly isolated from public access?

  3. Is firewall protection in place between the OT environment VLANs and the business IT enterprise VLANs?

  4. Are network intrusion detection sensors deployed at the external demilitarized zones (DMZs) connected to the OT environment?

  5. Are network intrusion sensors designed to monitor ICS protocols (e.g., BACnet/IP, Modbus TCP, DNP3 over TCP/IP, OPC DA, PROFINET, etc.)?

  6. Are there any network devices or servers (e.g., wireless access points, cellular gateways, dial-up modems, jumphosts) installed on the VLAN or within the enclosure cabinets of the end-of-life PLC that allow remote access from outside the company or organization network?

  7. Does the company or organization currently have a security operations center (SOC) or managed security service provider (MSSP) monitoring the OT environment, or is network monitoring ad hoc?

Companies or organizations whose end-of-life PLCs receive maintenance and support from third-party contractors must also determine whether those contractors have remote access to the controllers (e.g., via a virtual private network (VPN) or jumphost) and whether their sessions are monitored.

A company-authorized solution for monitoring third-party maintenance sessions should be implemented immediately if none is in place. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) publishes guidance on configuring and managing remote access for control systems that can help companies or organizations secure remote access to their OT environment.

Ignore Network Security Controls at Your Own Risk

Often, small- and medium-sized ICS asset owners have no dedicated cybersecurity staff, and their engineers have limited cybersecurity experience or limited time to continuously monitor the OT network. Network security should not be ignored, however; other monitoring methods should be put in place to ensure the integrity of the end-of-life PLCs is not compromised. One option is an ICS network monitoring solution that collects and inspects the traffic traversing the network segments hosting the end-of-life PLCs.
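As an added example of what such monitoring looks like at its simplest (this is illustrative code written for this article, not a product or anything from the original text), the script below decodes the Modbus/TCP header and function code of captured requests and checks each one against a constructed allowlist of which hosts may reach the end-of-life PLC and which function codes they may use. It flags writes from hosts that should only read, traffic from outside the OT VLAN, device-identification probes, and malformed frames. The IP addresses, VLAN range, unit IDs, and policy are hypothetical lab values, and the sample traffic is constructed inline; in practice the payloads would come from a span port or a tool such as Zeek.

```python
"""Modbus/TCP allowlist monitor for a segment hosting end-of-life PLCs.

Added example, not code from the original article. All addresses, unit IDs
and the policy below are hypothetical lab values.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Function codes that change PLC state; reads are 1-4, writes are listed here.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Diagnostics / device identification: useful to an attacker mapping the PLC.
DIAG_FUNCTION_CODES = {8, 17, 43}

# Hypothetical OT VLAN and allowlist: PLC IP -> {client IP: permitted function codes}
OT_NETWORK = ipaddress.ip_network("10.20.0.0/24")
POLICY = {
    "10.20.0.10": {                        # end-of-life PLC
        "10.20.0.50": {1, 2, 3, 4},         # HMI: read-only
        "10.20.0.60": {1, 2, 3, 4, 6, 16},  # engineering workstation: may write
    },
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU function code.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    'length' counts the unit id plus the PDU that follows it.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with captured payload")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_modbus_tcp(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def evaluate(src_ip: str, dst_ip: str, payload: bytes) -> list[str]:
    """Return alert strings for one request; an empty list means it is allowed."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return [f"malformed Modbus/TCP from {src_ip} to {dst_ip}: {err}"]

    alerts = []
    if ipaddress.ip_address(src_ip) not in OT_NETWORK:
        alerts.append(f"{src_ip} is outside the OT VLAN yet reached PLC {dst_ip}")
    allowed = POLICY.get(dst_ip, {}).get(src_ip)
    if allowed is None:
        alerts.append(f"{src_ip} is not allowlisted for PLC {dst_ip} (FC {req.function_code})")
    elif req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FUNCTION_CODES else "function"
        alerts.append(f"{src_ip} used unpermitted {kind} FC {req.function_code} on PLC {dst_ip}")
    if req.function_code in DIAG_FUNCTION_CODES:
        alerts.append(f"{src_ip} sent diagnostic/identification FC {req.function_code} to {dst_ip}")
    return alerts


# Constructed sample traffic: (source IP, PLC IP, raw TCP payload).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers starting at address 0: permitted
    ("10.20.0.50", "10.20.0.10", build_modbus_tcp(1, 1, 3, struct.pack(">HH", 0, 10))),
    # engineering workstation writes register 100 := 0x1234: permitted
    ("10.20.0.60", "10.20.0.10", build_modbus_tcp(2, 1, 6, struct.pack(">HH", 100, 0x1234))),
    # HMI attempts Write Multiple Registers: a read-only host writing
    ("10.20.0.50", "10.20.0.10", build_modbus_tcp(3, 1, 16, struct.pack(">HHB", 100, 1, 2) + b"\x00\x01")),
    # host on the IT network issues Read Device Identification (FC 43, MEI type 14)
    ("192.168.1.77", "10.20.0.10", build_modbus_tcp(4, 1, 43, bytes([14, 1, 0]))),
    # truncated frame
    ("10.20.0.60", "10.20.0.10", b"\x00\x05\x00\x00\x00"),
]


def scan(traffic=SAMPLE_TRAFFIC) -> list[tuple[int, list[str]]]:
    """Evaluate each record; return (index, alerts) for records that raised alerts."""
    findings = []
    for idx, (src, dst, payload) in enumerate(traffic):
        alerts = evaluate(src, dst, payload)
        if alerts:
            findings.append((idx, alerts))
    return findings


if __name__ == "__main__":
    for idx, alerts in scan():
        for alert in alerts:
            print(f"record {idx}: {alert}")
```

The allowlist is deliberately per-PLC and per-function-code rather than just per-IP: an HMI legitimately polls the controller all day, so a write from that same HMI is the signal worth alerting on, and a device-identification request from a host that has never talked to the PLC before is exactly the reconnaissance a perimeter firewall alone will not tell you about.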

Companies and organizations that do not have the funding to buy a commercial ICS network monitoring solution should consider the free alternatives suggested by the U.S. Department of Energy (DOE) and its National Laboratories, and CISA's list of Free Cybersecurity Services and Tools. The size of the company network and of the engineering staff will determine which network monitoring solution can realistically be implemented and maintained.

Companies or organizations that already have these network security measures in place may focus on other technical compensating controls for protecting end-of-life PLCs and ensuring their resilience. The company must ensure that backups of each end-of-life PLC's configuration and logic (where the device supports exporting them) are available and kept current. It also needs to determine whether spares of the same vendor and model are on hand as part of the disaster recovery plan.

Other access control weaknesses of end-of-life PLCs, such as weak or hard-coded passwords, are often themselves insecure-by-design issues that cannot be fixed on the device. In this case, a combination of physical and technical compensating controls can limit who reaches these PLCs. Physical security controls were discussed above; technical controls to address weak access control could include tightening the network boundary so that multi-factor authentication is required before a user can reach the PLC's network segment, or placing a VPN gateway with multi-factor authentication in front of any remote access path.

In this article, I scratched the surface of compensating security controls for end-of-life and insecure ICS devices.

Several factors remain to consider when implementing compensating controls for ICS devices in OT environments. Factors may include the criticality of the device, the availability of replacement devices, and the budget. In some cases, implementing compensating controls may be more cost-effective than replacing the device. 

The specific compensating controls implemented will vary depending on the organization's unique business operations and security needs. However, by carefully considering all the circumstances involved, organizations can implement compensating controls that help to protect their ICS devices from attack.

Dan Ricci
Founder, ICS Advisory Project

Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.
