Guidance

B4. System security

Created: 28 Jan 2018
Updated: 30 Apr 2018

Principle

Network and information systems and technology critical for the delivery of essential services are protected from cyber attack. An organisational understanding of risk to essential services informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.

Description

There is a range of protective security measures that an organisation can use to minimise the opportunities for an attacker to compromise the security of networks and information systems supporting the delivery of essential services. Not all such measures will necessarily be applicable in all circumstances – each organisation should determine and implement the protective security measures that are most effective in limiting those opportunities for attackers associated with the greatest risks to essential services.

Opportunities for attackers to compromise networks and information systems, also known as vulnerabilities, arise through flaws, features and user error. Organisations should ensure that all three types of vulnerability are considered when selecting and implementing protective security measures.

Organisations should protect networks and information systems from attacks that seek to exploit software vulnerabilities (flaws in software). For example, software should be supported and up-to-date with security patches applied. Where this is not possible, other security measures should be in place to fully mitigate the software vulnerability risk.

Limiting functionality (e.g. disabling services that are not required) and careful configuration will contribute to managing potential vulnerabilities arising from features in hardware and software.

Some common user errors, such as leaving an organisation-issued laptop unattended in a public place or inadvertently revealing security-related information to an attacker (possibly as a result of social engineering), can provide opportunities for attackers. Staff training and awareness on cyber security should be designed to minimise such occurrences (see B.6 Staff Training & Awareness).

Guidance

The majority of cyber security incidents can be traced to common cyber attack vectors. The opportunity for successful attack can be minimised by managing the known vulnerabilities which these attacks exploit. Many opportunities for user error can be reduced by technical means.

Attempts to circumvent the measures described below should be detected by security monitoring. Together with data security and resilience measures, the impact of any attempts to circumvent security on the operation of the essential service should be limited.

System design

You should design the systems and networks operating or supporting the delivery of essential services to make compromise difficult, avoid disruption and reduce the impact of compromise. Where the design also makes compromise easy to detect, this will help achieve effective monitoring.

Stronger security architectures usually include:

  • the most critical services and systems segregated into a higher security zone. This corresponds with the concept of zones and conduits described in the IEC 62443 reference model.
  • at boundaries with higher security zones where it's necessary to import and trust data from a lower security zone, where possible:
    • in a DMZ convert the data into the simplest appropriate alternate protocol, to create a "break" that makes protocol based attacks more difficult;
    • perform validation of both message format and content.
  • where messaging received from outside the organisation is used to control the essential service (e.g. customer or supplier system messages or critical telemetry), prefer a simple messaging format that can be validated and authenticated, or consider additional monitoring.
  • reduced attack surface by limiting software, network data flows, system access, etc. to only those essential and necessary
  • secured platform by default, with a system design that enables application of system updates without interrupting business, wherever possible
  • a separate management layer, preferably using dedicated equipment and a separate network
  • resilience and recovery features
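The boundary check described in the list above, as an added example that is not part of the NCSC guidance: a single-line message is checked for format, authenticated, and only then checked for content. The field layout, key, sensor names, limits and freshness window are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed values for illustration; a real key comes from a key store.
KEY = b"constructed-demo-key"
LIMITS = {"PUMP01": (0.0, 16.0), "TANK02": (0.0, 100.0)}  # sensor -> (min, max)
MAX_AGE_S = 30   # reject stale or replayed messages outside this window
MAX_LEN = 128    # bound the input before any parsing

# Strict format: version|sensor|unix seconds|decimal value|hex HMAC-SHA256
LINE_RE = re.compile(
    r"v1\|([A-Z0-9]{1,12})\|(\d{10})\|(-?\d{1,6}\.\d{1,3})\|([0-9a-f]{64})",
    re.ASCII)

def sign(sensor, ts, value):
    """Sender side: build an authenticated message line."""
    body = f"v1|{sensor}|{ts}|{value}"
    tag = hmac.new(KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def validate(line, now):
    """Boundary check: return (sensor, ts, value) or raise ValueError."""
    if len(line) > MAX_LEN:
        raise ValueError("too long")
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("bad format")
    sensor, ts, value, tag = m.groups()
    body = line.rsplit("|", 1)[0]
    expected = hmac.new(KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad authentication tag")
    # Content checks run only on input that is well formed and authenticated.
    if sensor not in LIMITS:
        raise ValueError("unknown sensor")
    if abs(now - int(ts)) > MAX_AGE_S:
        raise ValueError("stale timestamp")
    low, high = LIMITS[sensor]
    reading = float(value)
    if not low <= reading <= high:
        raise ValueError("value out of range")
    return sensor, int(ts), reading
```

Each rejection reason is distinct, so the gateway's logs can feed security monitoring.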

Configuration

Well-configured networks and information systems reduce unauthorised access to technologies and simplify security management across hardware, firmware, software and configuration data. This should include:

  • A baseline build (also known as a “gold build”) is recommended to apply a well-understood, consistent and secured platform across the organisation, and can also apply system hardening techniques to minimise the attack surface. Gold build images should be appropriately protected from interference and be available for use in the event of system recovery.
  • Configuration management policies or software should be used to ensure that only permitted software is installed and authorised devices, e.g. mobile devices and removable media, are permitted to connect. An asset management inventory could be used to manage authorised devices. 
  • In addition to the gold build and permitted software installed, maintain a record of the current "known good" configuration (including, for example, patch levels, OT ladder logic) and the resources, such as patch and configuration files, required to create this environment. It should be possible to revert or rebuild to this known good baseline.
  • Systems, software or devices that are not actively supported by the developers should be identified, with appropriate additional security measures in place until they can be retired and removed.
  • Users should not be able to change settings affecting the security of the service.
  • Network devices should be configured to limit access to the minimum required for business operation. It may also be possible to apply standardised network device builds.

Some operators of essential services may use automated decision making technologies, for example safety systems or machine learning in smart transport technologies. Where such automated decision making has the ability to affect an essential service, it must be possible to understand the data, process and thresholds used to make automated decisions so that it can be reproduced, audited and malicious changes detected.

  • For decisions based on pre-determined, unchanging behaviour this would entail knowing the exact hardware, firmware, software, and configuration of individual systems (this may be achieved with detailed configuration and asset management) and monitoring for any unplanned changes.
  • Where systems use some element of machine learning and the decision making process changes over time, the model used should be auditable, so that malicious changes can be detected. This should identify cases where changes have been made directly, or where malicious or misleading data has been used for learning.
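One way to keep the "known good" record and monitor for unplanned changes described above, as an added example that is not part of the NCSC guidance. It hashes a configuration tree, seals the record with an HMAC so that interference with the baseline itself is detectable, and reports differences not covered by an approved change. The function names, key and sample file are assumptions.

```python
import hashlib
import hmac
import json
import os

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            result[os.path.relpath(path, root)] = digest
    return result

def _tag(manifest, key):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(manifest, key):
    """Serialise the baseline together with an HMAC over its contents."""
    return json.dumps({"manifest": manifest, "tag": _tag(manifest, key)})

def unseal(blob, key):
    """Return the stored baseline, refusing a record that has been altered."""
    record = json.loads(blob)
    expected = _tag(record["manifest"], key).encode()
    if not hmac.compare_digest(expected, str(record.get("tag")).encode()):
        raise ValueError("baseline record has been altered")
    return record["manifest"]

def unplanned_changes(baseline, current, approved=()):
    """Paths that differ from known good and have no approved change."""
    differing = {p for p in baseline.keys() | current.keys()
                 if baseline.get(p) != current.get(p)}
    return sorted(differing - set(approved))

if __name__ == "__main__":
    import tempfile
    key = b"constructed-demo-key"           # assumption: held in a key store
    with tempfile.TemporaryDirectory() as root:   # constructed sample tree
        cfg = os.path.join(root, "plc.cfg")
        with open(cfg, "w") as f:
            f.write("setpoint=40\n")
        record = seal(snapshot(root), key)
        with open(cfg, "w") as f:
            f.write("setpoint=95\n")
        print(unplanned_changes(unseal(record, key), snapshot(root)))
```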

System management

Routine system management should support and maintain security. Technical documentation of the networks and information systems should be up to date.

Access to the essential service's facilities and systems should be managed and monitored to restrict access to authorised personnel, in line with guidance in B2 Identity and Access Control.

As described in B2 Identity and Access Control Privileged User Management, technical means for access should separate essential services from other activities, for example using dedicated separate systems or sandboxed email and Internet access.

Further protection from physical interference can be afforded through tamper protection, such as port locks and tamper evident tape. Such physical tamper protections should be regularly checked.

Vulnerability management

Flaws, features and user errors that impact the security of the essential service may be known to the organisation, or not yet discovered. System design, configuration and system management can reduce the likelihood of a vulnerability being accessed or exploited. New vulnerabilities need to be managed to maintain network and system security.

Effective risk management should ensure that appropriate measures are taken to maintain awareness of and address known vulnerabilities. The organisation endeavours to detect when changes to internally managed settings and configurations introduce vulnerabilities.

The latest mitigated vulnerabilities are often published by vendors, some providing automatic update functionality. Other vulnerabilities can be discovered through threat intelligence sources.

You should prevent the exploitation of known vulnerabilities in networks and information systems supporting essential services. Many of the most effective methods are well-known, including:

  • removing vulnerabilities by maintaining systems to the latest patch level and only applying authentic, vendor-sourced and validated updates.
  • removing access to vulnerabilities by segregation, or ensuring the vulnerable system only receives trusted data.
  • preventing, detecting and removing malware or unauthorised software.
  • verification of imported data and software. Where possible this should be automatic.
  • regular vulnerability and security assessments, e.g. penetration tests and vulnerability scans. NCSC guidance on penetration testing provides further detail. Operators should carefully consider their approach to the testing of live Operational Technology, as system operation or availability could be affected. Assurance could be gained without this additional risk by testing against non-operational environments or by testing individual components in a laboratory environment.
  • software that the essential service relies upon should be in active support, so vulnerabilities will be patched. You should provide additional protection where obsolete platforms cannot be easily replaced.

References

NCSC Common Cyber Attacks: Reducing the Impact

NCSC Mitigating malware

NCSC Obsolete platforms security guidance

NCSC Penetration testing 

NCSC Secure by default platforms

IEC TS 62443-1-1

ISO/IEC 27002
