Identifying Vulnerabilities in Industrial Control Systems


The industrial control system platform consists of industrial control system hardware, operating systems, and application software. Platform vulnerabilities arise from defects in the hardware and software of industrial control systems, improper configurations, and lack of necessary maintenance. Platform vulnerabilities include vulnerabilities in platform hardware, platform software, platform configuration, and platform management.

1. Platform Hardware Vulnerability Identification Content and Operations

Platform hardware vulnerabilities refer to vulnerabilities present in the hardware devices of the industrial control system platform.

The identification operations for platform hardware vulnerabilities are as follows:

(1) Check whether the assessed party has operations and maintenance personnel assigned to the platform hardware, especially to devices that provide remote services.

(2) Check for unsafe physical ports: whether unused USB, PS/2, remote interfaces, and network interfaces are disabled, or are monitored by other technical measures.

(3) Check for test records or other evidence of testing during device changes.

(4) Verify on-site whether modems or dedicated remote-connection devices exist in the industrial control system, whether security measures are deployed for these devices, and whether those measures are effective.

(5) On-site verification that only necessary personnel can physically access industrial control system devices.

(6) On-site verification that the asset list of the assessed party includes all devices of the industrial control system.

(7) Check on-site whether the assessed party has redundancy designs for important devices and whether they are deployed as designed.

(8) On-site check for the presence of dual network cards in hardware devices.

(9) Detect whether there are backdoors in critical devices.

2. Platform Software Vulnerability Identification Content and Operations

Platform software vulnerabilities refer to vulnerabilities present in the software of the industrial control system platform. Platform software includes operating systems, application software, antivirus software, etc., used in industrial control systems. SCADA hosts, operation stations, engineer stations, HMIs, historical databases, and real-time databases typically use the same computers, servers, and operating systems (mainly Windows and UNIX) as the IT industry.

The identification operations for platform software vulnerabilities are as follows:

(1) The assessor checks the installed operating system version and application software types in the platform, such as Windows operating systems, embedded systems, Linux systems, program download software, database software, remote control software, etc.

(2) If necessary, test important components in a simulation environment to identify vulnerabilities.

(3) Check the open ports of devices in the simulation environment to see if unnecessary port services are enabled.

(4) Search for system vulnerabilities present in the devices within the simulation environment.

(5) The assessor checks whether antivirus software is installed on the platform, whether the antivirus software has been tested for installation, whether the virus database is updated regularly, and reviews testing records and virus database update records.

(6) Verify on-site whether hosts using DCOM have port restrictions and whether OPC is patched and upgraded promptly.

(7) In the simulation environment, malicious code can be used to test OPC to identify its vulnerabilities.

(8) Check the source code of critical application software; if the critical application software is provided by a third-party vendor, contact them to obtain the software source code for analysis and vulnerability identification.

(9) On-site verification and analysis of the historical data generated by the system to verify whether there were any anomalies and the time and reasons for the anomalies.

(10) The assessor checks the usage permissions of the program download software and firmware, whether downloaded programs are encrypted and authenticated, and verifies the effectiveness of the authentication.

(11) The assessor checks which industrial control protocols are used in the industrial control system and whether they are only used in the industrial control system control network.

(12) In the simulation environment, analyze the industrial control system protocols used to see if they are transmitted in plaintext.

(13) Conduct replay attacks in the simulation environment to verify whether there is data verification and tamper-proofing.

(14) Conduct fuzz testing in the simulation environment to verify whether the platform has denial-of-service and other security vulnerabilities.

(15) The assessor checks whether important data storage in the industrial control system is encrypted or has other security measures in place.
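Items (12) and (13) above ask the assessor to confirm, in the simulation environment, whether the control protocol is transmitted in plaintext and whether a replayed frame is accepted. The following Python example is added here for illustration and is not part of the original article or of any vendor tool: it parses Modbus/TCP frames (chosen because it is a common plaintext ICS protocol), classifies each as a read or a write, and flags a write whose transaction id, unit id and payload have already been seen as a replay suspect. The capture bytes and addresses are constructed for the example; the field layout follows the Modbus/TCP MBAP header, and the point the output makes is that no field in the frame carries authentication or integrity data, so the device itself cannot tell the copy from the original.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Function codes that change process state, per the Modbus application
# protocol specification; the read codes used here are listed for naming.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data.

    The layout has no authentication or integrity field, which is what
    item (12) asks the assessor to confirm for the protocol in use."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {protocol_id}")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(transaction_id, unit_id, frame[7], bytes(frame[8:]))


def analyse_capture(packets: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Classify each (source address, raw frame) pair and flag repeated writes.

    A write whose (unit id, transaction id, function code, payload) tuple was
    already seen is reported as a replay suspect, with the source that sent it
    first. A well-behaved master increments the transaction id per request,
    and the protocol gives the slave no way to reject a byte-for-byte copy."""
    first_seen: Dict[Tuple[int, int, int, bytes], str] = {}
    findings: List[Dict[str, object]] = []
    for src, raw in packets:
        frame = parse_modbus_tcp(raw)
        fc = frame.function_code
        is_write = fc in WRITE_FUNCTION_CODES
        name = WRITE_FUNCTION_CODES.get(fc) or READ_FUNCTION_CODES.get(fc, "Other")
        key = (frame.unit_id, frame.transaction_id, fc, frame.data)
        replay_suspect = is_write and key in first_seen
        if is_write and not replay_suspect:
            first_seen[key] = src
        findings.append({
            "src": src,
            "transaction_id": frame.transaction_id,
            "unit_id": frame.unit_id,
            "function": name,
            "is_write": is_write,
            "plaintext": True,  # Modbus/TCP carries no encryption at all
            "replay_suspect": replay_suspect,
            "first_seen_from": first_seen.get(key) if replay_suspect else None,
        })
    return findings


# Constructed sample capture (not taken from any real system): one read poll,
# one write of 0x1234 to holding register 0x0010 from the master, and a
# byte-for-byte copy of that write arriving from a different address.
SAMPLE_CAPTURE = [
    ("192.0.2.10", bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")),
    ("192.0.2.10", bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "1234")),
    ("192.0.2.77", bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "1234")),
]

if __name__ == "__main__":
    for f in analyse_capture(SAMPLE_CAPTURE):
        print(f)
```

In an assessment report the useful observation is the third line of output: the write is accepted on exactly the same terms as the first, so any data-verification or tamper-proofing claimed for the platform has to come from a layer outside the protocol (network segmentation, an inline gateway, or a monitoring rule that alerts on writes from addresses other than the engineering station).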

3. Platform Configuration Vulnerability Identification Content and Operations

Platform configuration vulnerabilities refer to vulnerabilities present in the configurations of the hardware and software of the industrial control system platform.

The identification operations for platform configuration vulnerabilities are as follows:

(1) The assessor verifies on-site whether important configurations are backed up and whether sensitive data is stored on portable devices.

(2) The assessor verifies on-site whether passwords are stored in plaintext on local systems or portable devices, whether there have been past incidents of password leakage, and whether the reliability of passwords can be verified using methods such as brute force in the simulation environment.

(3) Check the password update cycle and character length configuration for platform hardware devices.

(4) On-site verification whether user authentication is required when remote access control devices connect to the control network.

(5) On-site verification whether remote access is audited, whether audit records are generated, or whether other alternative security measures are used.

(6) On-site verification whether there are remote access records, whether remote access has been approved or authenticated by the organization, whether remote access data is encrypted, or whether other tamper-proofing and leakage prevention measures are in place.

(7) Verify on-site that default passwords and empty passwords cannot be used to log into the system, and check whether account passwords are weak.

(8) The assessor checks the permission allocation for the industrial control system: whether there is separation of duties, whether least privilege is applied, whether administrator permissions are managed by the assessor, and whether default access controls are used, and verifies the effectiveness of the configured access controls.

(9) On-site verification whether the platform hardware and software have the ability to limit the number of invalid access attempts, and whether for any user (person, software process, and device) the number of consecutive invalid access attempts within a configurable time period is limited to a configurable number; if the number of unsuccessful attempts exceeds the limit within the configurable time period, access is denied until unlocked by a privileged user.

(10) Check whether the control system provides session lock capabilities, and whether the session lock is enabled after inactivity for a configurable time period to prevent further access; whether the session lock remains effective until re-established by a privileged user using appropriate identification and authentication procedures.

(11) On-site verification whether intrusion detection and prevention software is installed, or whether other alternative measures are adopted.

(12) On-site verification whether the software and hardware that can enable audit functions have enabled relevant functions, or whether alternative measures are taken.
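Items (9) and (10) above describe two configurable controls: a lockout after a configurable number of consecutive failed attempts within a configurable time window, held until a privileged user unlocks it, and a session lock after a configurable period of inactivity, held until a privileged user re-establishes the session. The Python example below is added here to show what those two requirements look like as logic an assessor can run against a device's exported authentication log; it is not code from the article or from any platform vendor. The auth log records, the principal names and the thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class AccessGuard:
    """Failed-attempt lockout (item 9) and inactivity session lock (item 10).

    max_attempts failures from one principal inside window_seconds lock that
    principal; the lock has no automatic expiry and is cleared only by
    unlock(..., privileged=True). A session idle for longer than
    session_timeout_seconds is locked until reestablish_session(...,
    privileged=True)."""
    max_attempts: int = 3
    window_seconds: float = 60.0
    session_timeout_seconds: float = 300.0
    _failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _locked: Set[str] = field(default_factory=set)
    _last_activity: Dict[str, float] = field(default_factory=dict)
    _session_locked: Set[str] = field(default_factory=set)

    def record_failure(self, principal: str, ts: float) -> bool:
        """Register a failed attempt at time ts; return True if now locked."""
        attempts = self._failures[principal]
        attempts.append(ts)
        # Sliding window: only failures within window_seconds of this one count.
        while attempts and ts - attempts[0] > self.window_seconds:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self._locked.add(principal)
        return principal in self._locked

    def record_success(self, principal: str) -> bool:
        """A successful login clears the failure history unless already locked."""
        if principal in self._locked:
            return False
        self._failures[principal].clear()
        return True

    def is_locked(self, principal: str) -> bool:
        return principal in self._locked

    def locked_principals(self) -> List[str]:
        return sorted(self._locked)

    def unlock(self, principal: str, privileged: bool) -> bool:
        """Only a privileged user may clear a lockout (item 9)."""
        if not privileged or principal not in self._locked:
            return False
        self._locked.discard(principal)
        self._failures[principal].clear()
        return True

    def touch_session(self, principal: str, ts: float) -> bool:
        """Record activity at ts; return False if the session is (now) locked."""
        if principal in self._session_locked:
            return False
        last = self._last_activity.get(principal)
        if last is not None and ts - last > self.session_timeout_seconds:
            self._session_locked.add(principal)
            return False
        self._last_activity[principal] = ts
        return True

    def reestablish_session(self, principal: str, privileged: bool, ts: float) -> bool:
        """Only a privileged user may re-establish a locked session (item 10)."""
        if not privileged or principal not in self._session_locked:
            return False
        self._session_locked.discard(principal)
        self._last_activity[principal] = ts
        return True


def replay_auth_log(guard: AccessGuard, events: List[Tuple[float, str, str]]) -> List[str]:
    """Feed (timestamp, principal, outcome) records through the guard and
    return the principals that end up locked."""
    for ts, principal, outcome in sorted(events):
        if outcome == "FAIL":
            guard.record_failure(principal, ts)
        elif outcome == "OK":
            guard.record_success(principal)
    return guard.locked_principals()


# Constructed authentication records (seconds since an arbitrary origin).
SAMPLE_AUTH_LOG = [
    (0.0, "operator1", "FAIL"),
    (10.0, "operator1", "FAIL"),
    (20.0, "operator1", "FAIL"),   # third failure inside 60 s: locked
    (0.0, "engineer2", "FAIL"),
    (100.0, "engineer2", "FAIL"),  # spread out, never three in one window
    (200.0, "engineer2", "OK"),
]

if __name__ == "__main__":
    guard = AccessGuard()
    print("locked after log replay:", replay_auth_log(guard, SAMPLE_AUTH_LOG))
```

Running the device's real export through the same logic with the device's own configured values shows whether the documented thresholds and the observed behaviour agree; a device that has the lockout "enabled" but logs ten failures in a minute from one account without a lock entry fails item (9) regardless of what its configuration screen says.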

4. Platform Management Vulnerability Identification Content and Operations

Platform management vulnerability identification refers to the verification of vulnerabilities in the organization’s security management policies, systems, personnel, and operational management.

The identification operations for platform management vulnerabilities are as follows:

(1) The assessor reviews the security management and policy documents prepared by the assessed party to see if they are appropriate, clear, specific, and consistent with applicable laws, systems, policies, regulations, standards, and guidelines, and whether training is provided to relevant personnel based on this.

(2) The assessor reviews training materials and training records to determine whether security training is based on job roles and whether it raises security awareness among staff.

(3) The assessor reviews the procurement service contracts signed by the assessed party regarding the industrial control system to see if the contract describes the functional characteristics of the security control measures used in the industrial control system and its components and services, as well as detailed information on the design and implementation of those security controls.

(4) The assessor reviews whether the assessed party has conducted a security assessment of the purchased equipment.

(5) The assessor checks whether the assessed party has conducted a security assessment of the industrial control system supply chain.

(6) The assessor verifies on-site whether the installation and usage guidance documents for the industrial control system equipment are missing.

(7) The assessor checks whether the assessed party’s security management organization, functional department settings, job settings, personnel allocation, etc., are reasonable, whether divisions of labor are clear, responsibilities are distinct, work is implemented, and whether records of activities related to security management organization are maintained.

(8) The assessor reviews whether items related to the industrial control system, such as system management technical manuals, keys, identity cards, etc., are returned after personnel leave or are reassigned, whether their access rights are revoked, and whether the departure agreements signed with departing personnel contain confidentiality provisions.

(9) The assessor verifies on-site the emergency plans, emergency training records, and related materials of the assessed party.

(10) The assessor checks on-site the backup storage and processing equipment, system backups, and backup frequency of the industrial control system, and whether the assessed party stores backup data at a remote disaster recovery center.

(11) The assessor verifies on-site whether the assessed party has a system recovery and reconstruction implementation plan that can restore the industrial control system within the specified time.

(12) The assessor checks the scope and content of the audit defined by the assessed party, whether it clearly specifies which components of the industrial control system are to be audited.

(13) The assessor checks whether the assessed party audits on-site equipment, and whether the audit includes: user logins, logouts, connection timeouts, configuration changes, date changes, password creation and modification, communication anomalies, etc.

(14) The assessor checks the retention time and storage space for audit records: whether records are retained for at least 3 months, whether on-site equipment supports at least 2048 event records, and whether an alarm is issued when space is insufficient.

(15) The assessor checks whether alerts can be issued to relevant personnel in a timely manner when auditing fails and whether appropriate emergency measures are in place.

(16) The assessor checks the permissions for accessing audit information, whether only authorized accounts can access it.

(17) The assessor verifies on-site whether the assessed party has configuration management documents supporting the implementation of configuration management, such as configuration management plans, system component lists, configuration management scopes, etc.

(18) How the organization implements configuration change management, whether there are configuration change request forms, change records, change audits, etc.

(19) Whether the organization conducts security assessments or security impact analyses after configuration changes, whether there are assessment reports or analysis records.

(20) The assessor verifies on-site whether the assessed party plans, implements, records, and reviews maintenance and repair records for system components according to vendor specifications and the assessed party’s management requirements.

(21) Whether all operational activities are approved and supervised by the assessed party.

(22) Whether the assessed party deletes the stored data on approved remote maintenance devices after remote operations.

(23) The assessor verifies on-site whether the assessed party sets control permissions and control time windows for remote control ports when using remote maintenance methods.

(24) The assessor checks whether default usernames and passwords are used.

(25) Whether devices, information, or software are allowed to leave the assessed party’s premises.
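Items (13) and (14) above are the technical part of this list: an on-site device audit should cover logins, logouts, connection timeouts, configuration changes, date changes, password creation and modification, and communication anomalies; it should retain records for at least 3 months, support at least 2048 event records, and alarm when space runs low. The Python example below, added here and not taken from the article, turns those items into a check an assessor can run over an exported device audit log: it maps event names to the required categories, reports which categories never appear, computes the retention span from the oldest record, and compares the device's stated record capacity against the 2048 minimum. The log line format, the event names and the log lines themselves are constructed for this example and would need to be adapted to the real device's export format.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Event categories that item (13) expects an on-site device audit to cover.
REQUIRED_CATEGORIES = {
    "login", "logout", "connection_timeout", "config_change",
    "date_change", "password_change", "comm_anomaly",
}

# Assumed export line format for this example:
#   <ISO-8601 timestamp> <EVENT_NAME> key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)(?P<rest>.*)$")

# Assumed device event names, mapped onto the required categories.
EVENT_TO_CATEGORY = {
    "LOGIN": "login",
    "LOGOUT": "logout",
    "CONN_TIMEOUT": "connection_timeout",
    "CONFIG_WRITE": "config_change",
    "CLOCK_SET": "date_change",
    "PASSWD_CREATE": "password_change",
    "PASSWD_CHANGE": "password_change",
    "COMM_ERROR": "comm_anomaly",
}


def assess_audit(lines: List[str], record_capacity: int, alarm_on_low_space: bool,
                 now: datetime, min_retention_days: int = 90,
                 min_capacity: int = 2048) -> Dict[str, object]:
    """Check an exported audit log against items (13) and (14).

    record_capacity and alarm_on_low_space come from the device documentation
    or configuration; now must be timezone-aware like the log timestamps."""
    covered: Set[str] = set()
    oldest: Optional[datetime] = None
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1   # count, but never crash on, malformed lines
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        if oldest is None or ts < oldest:
            oldest = ts
        category = EVENT_TO_CATEGORY.get(m.group("event"))
        if category:
            covered.add(category)
    retention_days = (now - oldest).days if oldest is not None else 0
    return {
        "missing_categories": sorted(REQUIRED_CATEGORIES - covered),
        "retention_days": retention_days,
        "retention_ok": retention_days >= min_retention_days,
        "capacity_ok": record_capacity >= min_capacity,
        "low_space_alarm_ok": alarm_on_low_space,
        "unparsed_lines": unparsed,
    }


# Constructed audit export (no real device, users or hosts).
SAMPLE_AUDIT_LOG = [
    "2024-01-05T08:00:00Z LOGIN user=op1 result=success",
    "2024-01-05T16:02:11Z LOGOUT user=op1",
    "2024-02-10T09:30:00Z CONFIG_WRITE user=eng2 object=PLC1/block7",
    "2024-02-10T09:31:45Z CLOCK_SET user=eng2 delta=-45s",
    "2024-03-01T11:00:00Z PASSWD_CHANGE user=op1",
    "2024-03-20T03:14:07Z COMM_ERROR link=rtu4 reason=crc",
    "garbage line that the parser should count rather than crash on",
]

# Fixed reference time so the sample result is reproducible.
REFERENCE_NOW = datetime(2024, 4, 15, tzinfo=timezone.utc)


def run_sample() -> Dict[str, object]:
    return assess_audit(SAMPLE_AUDIT_LOG, record_capacity=4096,
                        alarm_on_low_space=True, now=REFERENCE_NOW)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample export the only category never seen is connection_timeout, which is the kind of gap worth raising with the assessed party: either the device never logs that event, or no timeout has occurred in the retention period, and the assessor has to establish which.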


If there are errors or other differing opinions, please feel free to leave a comment for discussion.
