Eaton INDGW-X2 User Manual
Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module – 198

5.1.6.3 Intrusion detection and prevention systems (IDPS)

These are systems that are primarily focused on identifying possible incidents in an ICS network, logging the information about them, attempting to stop them, and reporting them to ICS security administrators.

Because these systems are critical in an ICS network, they are regular targets for attacks and securing them is extremely important.

The type of IDPS technology deployed will vary with the type of events that need to be monitored.

There are four classes of IDPS technology:

• Network-based IDPS monitors network traffic for particular ICS network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
• Wireless IDPS monitors and analyzes wireless network traffic to identify suspicious activity involving the ICS wireless network protocol
• Network behavior analysis IDPS examines ICS network traffic to identify threats that generate unusual traffic flows such as DoS attacks
• Host-based IDPS monitors the characteristics and the events occurring within a single ICS network host for suspicious activity

5.1.7 Policies, procedures, standards, and guidelines

For the defense in depth strategy to succeed, there must be well-documented and continuously reviewed policies, procedures, standards, and guidelines.

• Policies provide procedures or actions that must be carried out to meet objectives and to address the who, what, and why
• Procedures provide detailed steps to follow for operations and to address the how, where, and when
• Standards typically refer to specific hardware and software, and specify uniform use and implementation of specific technologies or parameters
• Guidelines provide recommendations on a method to implement the policies, procedures, and standards

5.1.7.1 Understanding an ICS network

Creating an inventory of all the devices, applications, and services that are hosted in a network can establish an initial baseline for what to monitor. Once those components are identified and understood, control, ownership, and operational consideration can be developed.

5.1.7.2 Log and event management

It is important to understand what is happening within the network from both a performance and security perspective. This is especially true in a control systems environment.

Log and event management entails monitoring infrastructure components such as routers, firewalls, and IDS/IPS, as well as host assets. Security Information and Event Management (SIEM) systems can collect events from various sources and provide correlation and alerts.

Generating and collecting events, or even implementing a SIEM, is not sufficient by itself. Many organizations have SIEM solutions, but alerts go unwatched or unnoticed.

Monitoring includes both the capability to monitor environments and the capacity to perform the monitoring. Capability relates to the design and the architecture of the environment: has it been built in a manner that takes into consideration the ability to monitor? Capacity speaks to the resources (personnel, tools, expertise) needed to perform meaningful interpretation of the information and initiate timely and appropriate action.

Through monitoring, the organization can identify issues such as suspicious or malicious activities. Awareness can be raised when new (potentially unauthorized) devices appear in the environment. Care should be taken to ensure that log and event management does not adversely impact the functionality or the reliability of the control system devices.

5.1.7.3 Security policy and procedures

It is important to identify “asset owners,” and to develop policies and procedures for a cybersecurity program. These policies need to be practical and enforceable in order to be effective. Policies should also address access-related issues, such as physical access, contractors, and vendors.
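The following is an added example, not part of the Eaton manual: one way to use the device inventory from section 5.1.7.1 as a baseline so that new or relocated devices surface from logs already being collected (section 5.1.7.2), without sending any traffic to control system devices. The log format, asset names, and addresses are constructed assumptions.

```python
import re

# Constructed inventory baseline (section 5.1.7.1): MAC -> (asset name, expected IP).
BASELINE = {
    "00:11:22:33:44:01": ("ups-gateway-1", "10.20.0.11"),
    "00:11:22:33:44:02": ("hmi-panel-1", "10.20.0.12"),
}

# Constructed DHCP-style log lines; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:02Z dhcpd: DHCPACK on 10.20.0.11 to 00:11:22:33:44:01
2024-05-01T08:03:40Z dhcpd: DHCPACK on 10.20.0.12 to 00-11-22-33-44-02
2024-05-01T09:15:09Z dhcpd: DHCPACK on 10.20.0.77 to 00:AA:BB:CC:DD:EE
2024-05-01T09:40:51Z dhcpd: DHCPACK on 10.20.0.50 to 00:11:22:33:44:02
2024-05-01T09:41:00Z dhcpd: malformed line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s*$"
)

def normalize_mac(mac):
    """Lower-case, colon-separated form so log and inventory entries compare equal."""
    return mac.replace("-", ":").lower()

def review_log(log_text, baseline):
    """Return (alerts, skipped); each alert is a (timestamp, kind, mac, ip) tuple."""
    alerts, skipped, seen = [], 0, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count unparsed lines instead of dropping them silently
            continue
        mac, ip = normalize_mac(m["mac"]), m["ip"]
        if mac not in baseline:
            kind = "unknown-device"       # not in the inventory at all
        elif baseline[mac][1] != ip:
            kind = "unexpected-address"   # inventoried device, wrong address
        else:
            continue
        if (kind, mac, ip) not in seen:   # one alert per finding, not per lease renewal
            seen.add((kind, mac, ip))
            alerts.append((m["ts"], kind, mac, ip))
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = review_log(SAMPLE_LOG, BASELINE)
    print(*alerts, f"unparsed lines: {skipped}", sep="\n")
```

Alerts are deduplicated so that repeated lease renewals do not bury the first sighting, and the count of unparsed lines is returned so a log format change shows up as a monitoring gap rather than as silence.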