
Data Loss Protection (DLP) for ICS/SCADA

Dimitar Kostadinov, July 31, 2020

Introduction

Data loss prevention (DLP) is a strategy that seeks to avoid the deletion, corruption or leakage of confidential or proprietary data stored on company devices, networks and servers. DLP’s primary goal is to control who has access to the data that a given company holds.

In addition, DLP is also concerned with what others do with such data once they have access to it: for example, copying it onto portable devices or USB drives, printing it out, or circulating it via email or chat app. In fact, 34% of experts at SecurityWeek’s 2019 ICS Cyber Security Conference identified malware-ridden removable media drives as an attack vector (as in Stuxnet and its zero-day USB-based exploitation), followed closely by email/phishing.

Nevertheless, the causes of data loss vary from negligence (e.g., a misconfigured firewall) to infiltration or insider threats. Verizon’s 2018 Data Breach Investigations Report estimated that insiders were involved in 28% of all cyberattacks.

An industrial control system (ICS) / supervisory control and data acquisition (SCADA) infrastructure is the tool for managing, monitoring and controlling industrial processes. Disruptions of operations are often avoided at the expense of security. If ICS systems were known for one thing in the past, it was that they operated in silos, i.e., the operational technology (OT) part was separated from the IT part and from the rest of the world. For better or worse, more and more such companies now utilize smart technology, for example to manage operations or to perform instantaneous measurement of some indicators.

At the beginning of 2020, the Cybersecurity and Infrastructure Agency (CISA) registered a major cyberattack that caused an outage at a gas compression facility. The adversary reached the OT network by moving from the facility’s IT network, after an employee unwittingly opened a malicious link in an email. “The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents,” the CISA alert stated.

That attitude towards cybersecurity is obviously wrong, and measures such as DLP should not be ignored.

1. DLP as a form of compliance

Utility companies process sensitive customer data (names, addresses, phone numbers, payment methods and so on). This fact alone means that they must comply with numerous privacy and data protection laws, regulations and standards. To illustrate: if those utility companies accept credit card payments, they will likely have to abide by the Payment Card Industry Data Security Standard (PCI DSS).

Constant logging of data events (e.g., access, transfer, modification) is also needed to prove compliance with data security standards, as well as to perform audits. Energy and water companies should conform to ISO standards, among other things.

These are the most important legal documents and standards that may regulate data gathered in industrial sectors: GDPR, HIPAA, ISO 27001, PCI DSS, NIST’s SP 800-82, the ANSI/ISA99 standard and the NY Cybersecurity Requirements.

2. DLP policies

One important aspect of a successful DLP policy is to identify and categorize all types of sensitive data. Here are some common categories: “customer data,” “employee information,” “financial information” and “intellectual property.”

It is necessary, especially in the context of ICS/SCADA, to centralize data storage and keep track of every instance of data access or usage. Particular types of unstructured data, such as proprietary technology and exploration plans, are at risk of data loss. This is especially the case with utility firms in the energy sector. The good news is that sensitive data, even if unstructured, can be monitored via DLP tools (see section 3). To summarize, there are three fundamental components to DLP:

  1. Identify valuable data
  2. Keep track of data transmissions
  3. Prevent unauthorized access to database(s)

A company policy on data access control is an essential part of your DLP strategy. One of the measures that should be included there is the principle of least privilege, under which every department and every employee has access to databases only on a need-to-know basis. Provided that an ICS organization has strict role-based access controls in place, unauthorized users would be cut off from vital databases. In addition, it is not enough if only you follow the best DLP practices — your third-party vendors must follow them too.

The Identity and Access Management (IAM) segment includes technologies such as password management, user provisioning and advanced authentication. In April 2020, Israel’s National Cyber Directorate reported cyberattacks on local SCADA systems at wastewater treatment plants, pumping stations and sewage facilities. The first thing they did to limit the exposure was to change the passwords of all internet-connected control systems.

Work trends such as BYOD contribute to the enormous increase in threats to ICS systems. One of the ways attackers can get a foothold in an ICS network is to target employees’ mobile devices, either through spearphishing or social engineering. In 2019, malware named RedDrop infected the smartphones of upper-level corporate managers of a utility company. Sensitive data was then exfiltrated from these phones to be harvested for future attacks.
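As an added example (not code from the article or from any product it names), the following Python sketches the three DLP components above in working form: classify() identifies the sensitive-data categories named in section 2, and check_transfer() records every transmission attempt in an audit log and allows it only when the user's role has a need to know the data involved. The categories, roles and detection patterns are assumed for illustration; the Luhn check goes slightly beyond the text to keep random digit runs from being flagged as card numbers.

```python
import re
from datetime import datetime, timezone

# Assumed data categories and detection patterns (illustration only, not from the article).
CATEGORY_PATTERNS = {
    "customer data": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),             # phone number
    "financial information": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # candidate card PAN
    "intellectual property": re.compile(r"\b(?:exploration plan|proprietary)\b", re.I),
}

# Need-to-know map: which categories each (assumed) role may access or transmit.
ROLE_NEED_TO_KNOW = {
    "billing": {"customer data", "financial information"},
    "engineering": {"intellectual property"},
    "contractor": set(),
}

AUDIT_LOG = []  # every access/transfer attempt is recorded, allowed or not


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Component 1: identify which sensitive categories a piece of data contains."""
    found = set()
    for category, pattern in CATEGORY_PATTERNS.items():
        for match in pattern.findall(text):
            if category == "financial information" and not luhn_ok(match):
                continue  # digit run that is not a valid PAN (e.g., a serial number)
            found.add(category)
    return found


def check_transfer(user: str, role: str, text: str, destination: str) -> bool:
    """Components 2 and 3: log the transmission, then allow it only on a need-to-know basis."""
    categories = classify(text)
    allowed = categories <= ROLE_NEED_TO_KNOW.get(role, set())  # unknown role gets nothing
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
        "destination": destination, "categories": sorted(categories), "allowed": allowed,
    })
    return allowed
```

Every decision, allowed or denied, lands in AUDIT_LOG, which is the kind of event record section 1 says auditors will ask for.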

3. DLP tools

Tools are important because they put into practice some of the points that your DLP policy should include.

Tools, not one tool — the right mix of tools is needed for a DLP policy to work properly. They can function well alongside traditional barrier technologies such as firewalls and intrusion detection systems. Endpoint management solutions, for instance, are appropriate measures to protect against attacks that originate from mobile devices. USB-Lock-RP can prevent both malware infection of systems and data loss.

Here are two examples of other tools:

CoSoSys:

  1. Endpoint protection in the form of standalone software (e.g., a virtual appliance on a company’s server), cloud-based service and an onsite application (which can run on devices that use Windows, Mac or Linux)
  2. The full Endpoint Protector system provides enforced encryption, content protection, network discovery, device control and mobile device management
  3. HIPAA, PCI DSS and GDPR compliance
  4. Monitors and synchronizes file transfers in accordance with the organization’s policies

Teramind DLP:

  1. GDPR, HIPAA, ISO 27001 and PCI DSS compliance
  2. Scans and prioritizes the entire system for sensitive data
  3. Focuses on insider threats and data security (monitoring of websites, applications, emails and other network sections, sometimes via a keystroke logger)
  4. Risk Dashboard for notifications of threats and vulnerabilities

Advanced endpoint protection should be based on technologies such as machine learning and virtual sandboxing.

A DLP policy should take into account one extremely important fact that is embedded in the very core of the ICS environment — its indispensable nonstop functioning. Consequently, whatever measures policy makers take, those measures must be SCADA-friendly.

Conclusion

According to a 2020 report by Global Market Insights, the ICS security market is expected to reach nearly $3bn by 2024. While cybersecurity is certainly becoming more important for the protection of critical infrastructure, following best practices is the key to the proper implementation of security measures.

NIST’s Guide to Industrial Control Systems Security identifies the following major security objectives for ICS/SCADA:

  1. Restricting logical access to the ICS network and network activity
  2. Restricting physical access to the ICS network and devices
  3. Protecting individual ICS components from exploitation
  4. Restricting unauthorized modification of data

These objectives coincide with what every DLP policy should pursue.

Sources

  1. 5 Common Vulnerabilities in Industrial Control Systems, Lanner
  2. 6 Best Data Loss Prevention Solutions that could save You Millions, Geekflare
  3. 10 Reasons Why Your Organization Needs Data Loss Prevention, Sirius Computer Solutions, Inc.
  4. 11 Best Data Loss Prevention (DLP) Tools & Software, Comparitech
  5. A Better Way To Back Up SCADA, Water Online
  6. Data Loss Prevention Best Practices: CISO's Ultimate Guide to DLP, phoenixNAP
  7. Industrial Control Systems Security Market to reach $7bn by 2024, Global Market Insights, Inc.
  8. ICS / SCADA Devices Security - USB Control: USB-Lock-RP©, Advanced Systems International
  9. Israel Says Hackers Targeted SCADA Systems at Water Facilities, SecurityWeek
  10. Protecting Your Industrial Control Systems With Traps Advanced Endpoint Protection, Lionel Jacobs
  11. Security News This Week: An Unprecedented Cyberattack Hit US Power Utilities, Wired
  12. Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey, SecurityWeek
  13. What is DLP and how to implement it in your organization?, Exabeam
  14. What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention, Digital Guardian
  15. What is ICS Security?, Digital Guardian

About the author

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.