Industrial Control Systems Security

  • Stay informed of all publicly known vulnerabilities available through CISA’s industrial control systems advisories by going to: https://www.cisa.gov/topics/industrial-control-systems. For your protection, Mitsubishi Electric Iconics Digital Solutions works with CISA ICS-CERT to disclose security vulnerabilities in our products.

  • Use vulnerability scanning to ensure that you identify any threats in your system.

  • Remote penetration testing is highly recommended.

  • Follow the ICS-CERT's Cybersecurity Best Practices for Industrial Control Systems.

  • Additional system hardening tips—The following list provides some additional, specific advice, but it is not intended to be a comprehensive list.

    • Certificate management and encryption

      • Use a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP) to invalidate compromised certificates.

      • Disable TLS 1.0 and TLS 1.1 to enforce stronger encryption protocols.

      • Disable ciphers with small block sizes to prevent cryptographic weaknesses.

      • Remove cipher suites that use cipher block chaining (CBC) mode.

      • Disable the RSA+SHA1 signature scheme as it is no longer considered secure.

      • Add support for TLS Fallback SCSV to prevent protocol downgrade attacks.

    • Authentication and access control

      • Change the default credentials for the configuration of industrial and network devices (for example, MXOPCUA, WAGO).

      • Restrict and monitor access to SNMP services and change the default public community string.

      • Disable SNMPv2 or ensure that it is configured securely.

      • Consider disabling weak SSH algorithms to strengthen remote access security.

    • Server hardening

      • Enable auditing on servers to monitor security-related events.

      • Restrict access to vulnerability-scanning tools and security assessment platforms: configure them to be accessible only from authorized systems, and implement firewall rules to limit access to trusted IP addresses.

      • Remove or modify HTTP response headers in web server configurations to prevent information leakage.

      • Add security headers in web server configurations to enhance protection against web-based attacks.

    • Network security

      • Verify whether the Modbus protocol should be accessible or, if possible, restrict Modbus server access to authenticated users only.

      • Implement firewall rules to restrict access to critical services and management interfaces.
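
The TLS items under "Certificate management and encryption" can be checked mechanically against scanner output. The following is an added example, not vendor code: the endpoint dictionary layout, the host names and the scan results are constructed for illustration, and the 64-bit block cipher list (DES, 3DES, IDEA, RC2) is this example's reading of "small block sizes".

```python
# Added example (not vendor code): audit scanner-reported TLS settings against
# the checklist. The endpoint dict layout and sample data are constructed.
DEPRECATED_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}
SMALL_BLOCK_CIPHERS = {"DES", "3DES", "IDEA", "RC2"}  # 64-bit block ciphers
SHA1_RSA_SIGNATURES = {"rsa_pkcs1_sha1", "rsa+sha1"}  # RFC 8446 / OpenSSL-style names

def cipher_tokens(suite):
    """Split an IANA suite name into the tokens describing its bulk cipher and MAC."""
    head, sep, bulk = suite.partition("_WITH_")
    return set((bulk if sep else head).split("_"))  # TLS 1.3 names have no _WITH_

def audit_endpoint(ep):
    """Return sorted (rule, offending value) findings for one endpoint."""
    findings = []
    for proto in ep.get("protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("deprecated-protocol", proto))
    for suite in ep.get("cipher_suites", []):
        tokens = cipher_tokens(suite)
        if tokens & SMALL_BLOCK_CIPHERS:
            findings.append(("small-block-cipher", suite))
        if "CBC" in tokens:
            findings.append(("cbc-mode", suite))
    for sig in ep.get("signature_algorithms", []):
        if sig.lower() in SHA1_RSA_SIGNATURES:
            findings.append(("rsa-sha1-signature", sig))
    if not ep.get("fallback_scsv", False):
        findings.append(("no-fallback-scsv", "TLS_FALLBACK_SCSV not honored"))
    return sorted(findings)

SAMPLE = {  # constructed scan results for two hypothetical hosts
    "hmi-web.example:443": {
        "protocols": ["TLSv1.0", "TLSv1.2"],
        "cipher_suites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
        "signature_algorithms": ["rsa_pkcs1_sha1", "rsa_pss_rsae_sha256"],
        "fallback_scsv": False},
    "historian.example:443": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
        "signature_algorithms": ["rsa_pss_rsae_sha256"],
        "fallback_scsv": True},
}

if __name__ == "__main__":
    for host, ep in SAMPLE.items():
        for rule, value in audit_endpoint(ep) or [("ok", "no findings")]:
            print(f"{host}: {rule}: {value}")
```

A suite such as TLS_RSA_WITH_3DES_EDE_CBC_SHA is reported under both the small-block and the CBC rule, so removing it clears two findings at once.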