Industrial Control Systems Security

  • Stay informed of all publicly known vulnerabilities available through CISA’s industrial control systems advisories by going to:

    https://www.cisa.gov/topics/industrial-control-systems

    For your protection, ICONICS works with CISA ICS-CERT to disclose security vulnerabilities in our products.

  • Use vulnerability scanning to identify vulnerabilities in your system.
  • Remote penetration testing is highly recommended.
  • Follow the ICS-CERT's Cybersecurity Best Practices for Industrial Control Systems.
  • Additional system hardening tips—The following list provides some additional, specific advice, but it is not intended to be a comprehensive list.
    • Certificate management and encryption
      • Use a certificate revocation list (CRL) or an Online Certificate Status Protocol (OCSP) to invalidate compromised certificates.
      • Disable TLS 1.0 and TLS 1.1 to enforce stronger encryption protocols.
      • Disable ciphers with small block sizes to prevent cryptographic weaknesses.
      • Remove cipher suites that use cipher block chaining (CBC) mode.
      • Disable the RSA+SHA1 signature scheme as it is no longer considered secure.
      • Add support for TLS Fallback SCSV to prevent protocol downgrade attacks.
    • Authentication and access control
      • Change the default credentials for the configuration of industrial and network devices (for example, MXOPCUA, WAGO).
      • Restrict and monitor access to SNMP services and change the default public community string.
      • Disable SNMPv2 or ensure that it is configured securely.
      • Consider disabling weak SSH algorithms to strengthen remote access security.
    • Server hardening
      • Enable auditing on servers to monitor security-related events.
      • Restrict access to vulnerability-scanning tools and security assessment platforms by configuring them to be accessible only from authorized systems and by implementing firewall rules that limit access to trusted IP addresses.
      • Remove or modify HTTP response headers in web server configurations to prevent information leakage.
      • Add security headers in web server configurations to enhance protection against web-based attacks.
    • Network security
      • Verify whether the Modbus protocol should be accessible or, if possible, restrict Modbus server access to authenticated users only.
      • Implement firewall rules to restrict access to critical services and management interfaces.
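As an added illustration of the "Certificate management and encryption" items above (this is example code, not ICONICS or CISA material): the function below builds a Python `ssl` server context that refuses TLS 1.0/1.1 and offers only AEAD cipher suites, and the audit function flags CBC-mode, small-block (3DES, IDEA, RC2) and RC4 suites in a cipher list of the shape `SSLContext.get_ciphers()` returns. The certificate and key paths are hypothetical placeholders.

```python
"""Hardened TLS server context plus a cipher-suite audit (added example)."""
import ssl

# Symmetric algorithms with a 64-bit block, or the RC4 stream cipher; all are
# matched by substring against the 'symmetric' field of get_ciphers() entries.
SMALL_BLOCK_OR_WEAK = ("des", "idea", "rc2", "rc4")


def hardened_server_context(certfile=None, keyfile=None):
    """Server context enforcing TLS 1.2+ and AEAD-only, forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Disables TLS 1.0 and TLS 1.1 (and SSLv3) regardless of the OpenSSL default.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange with GCM or ChaCha20-Poly1305 only: no CBC, 3DES or RC4.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    if certfile:  # hypothetical paths; supplied by the deployment, not this example
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_suites(ciphers):
    """Return (suite name, reason) pairs for suites that violate the hardening list.

    `ciphers` is a list of dicts like those from SSLContext.get_ciphers();
    the keys used are 'name', 'symmetric' (e.g. 'aes-256-cbc') and 'aead'.
    """
    findings = []
    for c in ciphers:
        sym = (c.get("symmetric") or "").lower()
        reasons = []
        if "cbc" in sym:
            reasons.append("CBC mode")
        elif not c.get("aead", False):
            reasons.append("not an AEAD suite")
        if any(weak in sym for weak in SMALL_BLOCK_OR_WEAK):
            reasons.append("small block size or weak cipher")
        if reasons:
            findings.append((c["name"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    offered = hardened_server_context().get_ciphers()
    print("offered suites:", [c["name"] for c in offered])
    print("weak suites:", weak_suites(offered) or "none")
```

Run the audit against the cipher list of any existing `SSLContext` (or against a list you assemble from a scanner's output in the same dict shape) to see which suites the hardening list says to remove.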