• Since vendors in some cases have virtual access to your organization, consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise.

• Know the risks associated with your third-party partners and suppliers. Questions from you would be: How do they protect your software? Are physical security measures deployed in their facility? You will also find them asking you about the risks you have and contingency plans.

• Include the supply chain in your response and remediation plan. This step follows the previous- just because you have done the assessment and monitoring does not mean you are risk free, in other words this is managing your overconfidence into the visibility of their supply chain. You should be able to discuss questions like How effectively will they react when a zero-day vulnerability is published affecting your system?

• Common RANSOMWARE

  An engineer investigating technical information or browsing internet about ICS equipment unknowingly downloads ransomware in the system. The malware uses vulnerabilities in the downloaded system to propagate and encrypt the workstation. It then spreads to most of the systems on the industrial control system. As a result, most of the systems in the industrial network are encrypted, disabling the control system. The impaired control system cannot bring about a shutdown. In a short time, the plant operator triggers an emergency safety shutdown.
  As a result, production will be offline, even after the malware has been eliminated from the control system and the plant has been restarted.

• TARGETED RANSOMWARE

  With phishing attacks and malicious attachments, an attacker with good computer skills targets IT insiders and uses Remote Access Tool (RAT) malware to obtain access to the IT network. The attacker uses the RAT to acquire more credentials, eventually getting remote access to a control system for ICS. The attacker infects the ICS with ransomware and demands payment. The site disables all electrical connections between the afflicted plant and outside networks as quickly as possible and attempts to pay the ransom.

• ZERO DAY RANSOMWARE

  A list of zero-day vulnerabilities in operating systems, apps, and firewall sandboxes is accidentally left on an Internet-based command and control center by an intelligence organization which could be used by the threat actors. This gang then generates self-contained malware that spreads by exploiting zero-day vulnerabilities in Windows operating system file sharing software. The malware is simultaneously released on dozens of compromised websites throughout the world, and it quickly spreads encrypting the systems on the network. The malware hops across firewalls to infect and encrypt industrial facilities that can transfer files directly or indirectly with IT networks, causing an emergency shutdown and physical equipment damage.

• 72% of disclosed ICS vulnerabilities are remotely exploitable.

• 47% of disclosed ICS vulnerabilities affect Levels 1 and 2 of the Purdue Model.

• 46.32% of vulnerabilities found affect the Basic Control (level 1) and Supervisory Control (Level 2) Level of the Purdue Model.

• 14.7% of vulnerabilities found affect multiple types of products (operating at various OT purdue model levels, IoT, and network device). This category vulnerabilities in third-party components.

• 89.98% of vulnerabilities dont require special conditions to exploit, and an attacker can expect repeatable success every time.

• In 76.39% of the vulnerablities, the attacker is unauthenticated prioe to attack and doesn't require any access or privileges to the target's settings or files.

• For 78.17% of the vulnerablities, there is no requirement for user interaction.

• 78.92% of the vulnerablities, that don't require user interaction are remotely exploitable.

• For 80.95% of the Supervisory Control vulnerabilities, user interaction is needed if exploiting via a local attack vector. This indicates a playground for social engineering attack vectors.

• 76% of disclosed ICS vulnerabilities do not require authentication for exploitation.

IN Summary, The Claroty Research Team's approach was inclusive of the assessment of events and trends that likely helped shape the ICS risk and vulnerability landscape to a degree during the 2H 2020.

When it comes to operating systems, embedded devices, systems-on-a-chip, networking equipment, OT devices and etc, and as often that happens with third-party vulnerabilities; the scope of affected devices and vendors is unclear and is being updated on an ongoing basis.

ICS defenders need to evaluate the severity of a vulnerability further than just its Common Vulnerability Scoring System (CVSS) score- latest being CVSSv3. This is often left out by security admins in ICS and other IT environments, or the knowledge is “on the surface”. The lack of understanding and knowledge behind this leaves an unfinished threat landscape analysis, vendor dependent operations and huge risk.

Security weaknesses—or Common Weakness Enumerations (CWEs)—manifested in the ICS vulnerabilities disclosed during Second Half of the year 2020, help explain why most of the vulnerabilities have CVSS scores categorized as either high or critical. The top five most prevalent CWEs are all ranked highly on The MITRE Corporation's 2020 CWE Top 25 Most Dangerous Software Errors list due to their relative ease of exploitation and ability to enable adversaries to inflict serious damage.

If we dissect it further in the world Cyber security, the attacker has a specific range of vulnerabilities to explore on a targeted ICS environment which usually do not carry a weight in complexity. The attackers, taking for example an APT GROUP, collectively examines one or more attack vectors in the orchestration, -ways were in direct user interaction is not needed or has been previously established.
71.49% of the vulnerabilities are exploited through a Network Attack Vector and are remotely exploitable. This emphasizes the importance of protecting remote access connections and internet-facing ICS devices. Behind remote code execution RCE is a clear second tier of potential impacts: allowing an adversary to read application data, cause DoS, bypass protection mechanisms, or gain privileges and assume identity.
Another key consideration is that attackers' dependence on user interaction shows the importance of awareness and protection against social engineering tactics among workers with access to critical assets, such as HMIs, SCADA, and engineering stations. That was exemplified via the percentage in vulnerabilities happening at the supervisory control level wherein the local attack vector is dominant.

• Increase OT Network visibility

• identify and Prioritize Crown Jewels

• Boost Incident Response capabilities

• Validate Network Segmentation

• Separate and OT Credential management

• Determine the organization's threats.

• Keep an inventory of all ICS assets, including hardware, software, and supporting infrastructure technologies.

• Develop Cyber security policies, procedures, training, and educational materials applicable to the organization's industrial control system (ICS).

• Develop and practice incident response procedures that integrate information technology and operational technology processes.

• Issue policies outlining ICS security standards, including expected behavior, and required controls.

• Issue procedures outlining how personnel should securely manage ICS.

• Train IT and OT operators, as well as security personnel, to identify indicators of potential compromise and the steps they should take to ensure the success of a cyber investigation.

• Promote a culture of dialogue and information exchange among security, information technology, and operations technology personnel.

• When possible, use network segmentation.

• Develop an ICS network topology with multiple layers, with the most critical communications taking place in the most secure and reliable layer.

• Whenever possible, use one-way communication diodes to prevent external access.

• Construct demilitarized zones (DMZ) to create a physical and logical subnetwork that functions as an intermediate for connected security devices to avoid exposure.

• Use dependable and secure network protocols and services whenever possible.

• Set up alerting systems for device manipulation, such as power removal, device resets, and cabling alterations, and lock down field electronics.

• Make sure that only authorized people have access to controlled spaces containing ICS equipment.

• Control logical and physical access to ICS equipment and facilities by utilizing multi-factor authentication, guards, and obstacles.

• Set up firewalls to manage traffic between the ICS network and the corporate IT network.

• Utilize IP geo-blocking as needed.

• Make the remote access process more difficult to reduce risk to an acceptable level.

• Use jump servers to act as a central authorization point between ICS network security zones.

• Avoid allowing remote persistent vendor or employee access to the control network.

• Catalog and monitor any remote network connections.

• Estimate the baseline of ICS normal operations and network traffic.

• Configure Intrusion Detection Systems (IDS) to generate alarms for any ICS network traffic that is not typical.

• Track and monitor audit trails in ICS critical areas.

• Configure Security Incident and Event Monitoring (SIEM) to monitor, analyze, and correlate event logs from all over the ICS network to detect intrusion attempts.

• Encourage a patching and vulnerability management culture.

• Test all updates/patches in off-line scenarios before deploying them.

• Application whitelisting should be implemented on human-machine interfaces.

• Tablets and smartphones as field devices should be security hardened.

• Follow a systematic approach to replace outdated/end of life software and hardware.

• After testing, disable unneeded ports and services on ICS devices to ensure that they do not interfere with ICS function.

• Configure and test system backup and recovery procedures.

• Configure ICS protocol encryption and security.

• Adjust the ICS procurement process to include Cyber security as a major factor in scoring and assessment.

• Invest in secure ICS products up front, assessing security against current and potential risks across the product's expected lifecycle.

• For all outsourced services, establish contractual agreements that assure adequate incident handling and reporting, interconnection security, and remote access standards and protocols.

• When dealing with a cloud service provider, keep ICS information integrity, security, and confidentiality in mind.

• Use test laboratories to check vendor-supplied software for harmful code and problems before production deployment.

• Myth 1

  My industrial network is secure since it is physically isolated and not connected to the Internet.
  Ten years ago, this statement might have been true. Many IIoT gadgets, on the other hand, are now directly connected to the Internet, circumventing traditional IT security levels. Why do so many IIoT devices need to connect to the Internet in the first place, is a topic that is frequently questioned. The fundamental reason for this is that IIoT or Industry 4.0 systems require vast amounts of data to be analysed. Because the data sources may not be in the same area, you will need to connect your systems to the Internet to send the data to a distant server.
  
  Your industrial control systems (ICS) or industrial networks may be vulnerable to unauthorized connections even if they are not connected to the Internet. For example, a third-party vendor or an automation expert may update systems by connecting unapproved laptops or USB drives to do routine maintenance or troubleshooting, exposing the ICS to unsecured access, and increasing the vulnerability of ICS devices.

• Myth 2

  Because hackers are unfamiliar with ICS, PLCs, and SCADA systems, my network is safe or less interest is taken in industrial sectors.
  
  Since 2010, many sophisticated cyberattacks have attacked ICS networks, including Stuxnet (which targeted PLCs) and Industroyer (targeting circuit breakers). Malware aimed at industrial control equipment has also been discovered. This pattern demonstrates that hackers are shifting their emphasis to industrial sectors like oil and gas, energy, and manufacturing, implying that assaults on these industries will likely rise in the future.

• Myth 3

  Because my network is too tiny to be targeted, it is safe.
  Internal breaches are frequently caused by trusted users, employees, and external contractors with network access. Human mistake or a malfunctioning gadget are frequently the causes of unintended breaches, regardless of the size of your firm.
  
  Even though these attacks are unintended, they can cause significant harm and financial losses to your company.

• Myth 4

  My industrial network is already protected by a firewall; thus, it is safe.
  Although firewalls constitute the initial line of defence, they are not 100 percent effective. Furthermore, because most firewalls are not built for industrial protocols (such as Modbus TCP, EtherNet/IP, and PROFINET), they may block important industrial protocols and shut down industrial control systems if not configured properly. Simply said, firewalls alone will not provide total safety for ICS networks. Instead, to secure crucial control devices, manufacturing lines, and the whole plant, industrial firewalls should be used in conjunction with layered defences (the defence-in-depth method). In addition, to guard against cyberattacks, industrial equipment should be updated with security updates on a regular basis.

• DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7 NIST SP800-82

• NIST SP800-53, revision 3

• NRC Regulatory Guide 5.71 CFATS Risk Based Performance Standard (RBPS) 8

• NERC CIP-002-009 revisions 2 and 3

• ISO/IEC 15408 revision 3.1

• DoDI 8500.2

• Consensus Audit Guidelines 2.3.

• After the user selects the applicable standard(s), CSET generates questions that are specific for those requirements.

CSET was developed under the direction of the Department of Homeland Security (DHS) Control Systems Security Program (CSSP). Open-source CODE (for the software) is available in GIT HUB, you can develop the tool or customize it according to your environment.

https://github.com/cisagov/cset >> Github software installation ( both standalone & enterprise, Steps for installing the software package )