1) Review the NIST Framework document at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Then, create a list of best practices for firewall and VPN management based on the framework (5 to 10 best practices).
2) discussion response in three lines:
Best practices for firewall
A formal approach for managing which services are allowed through the firewall should be implemented. For example, when new applications are being considered, a configuration control board could evaluate new services before the firewall administrators are formally notified to implement the service. Alternatively, when an application is phased out or upgraded, the firewall rule-set should be formally changed. This approach adds some rigor and discipline to the firewall policy implementation, minimizing the presence of old and potentially insecure rules that are no longer needed.
Firewall installations as well as systems and other resources must be audited on a regular, periodic basis. In some cases, these periodic reviews can be conducted on paper by reviewing hardcopy configurations provided by appropriate systems administration staff. In other cases, periodic reviews should involve actual audits and vulnerability assessments of production and backup infrastructure components, computer systems, and other various types of resources.
It is equally important that companies or agencies with Internet connectivity employ additional measures to ensure the overall security of these environments. These specialized audits or assessments are known as penetration analyses. Penetration analyses should be employed in addition to, not instead of, a conventional audit program. Penetration analyses can be either seeded or blind, depending on the circumstances involved.
A seeded penetration is a penetration analysis in which the organization or team conducting the assessment has been provided with detailed network and system information prior to the execution of the assessment. Because this type of assessment does not require any advanced discovery techniques on the part of the entities executing the test, this type of test is typically conducted by entities that lack the expertise to conduct a blind penetration. Also, a seeded penetration might be employed when an organization or agency wants to limit the scope of an analysis to a given environment or set of systems.
A blind penetration is an assessment where minimal information exchange occurs prior to the beginning of the assessment. It is therefore up to the organization or team conducting the assessment to obtain all information relevant to the conduct of the assessment, within the time constraints of the assessment. This initial discovery effort makes a blind penetration analysis much more difficult than a seeded penetration. Likewise, the results of a blind penetration are much more realistic and dramatically more indicative of the actual level of risk associated with global connectivity.
Best practices for VPN
Below is a list of best practice recommendations for energy and utility companies that need to provide secure remote access. These recommendations are not limited to energy supply companies and apply to any industrial enterprise. These best practices will ensure high availability, reliability and safety without compromising operational security.
1) Implement top-down control – all third party remote access to the operational network should be funneled and authenticated through a single location. This eliminates difficult-to-manage VPN and vendor-based connections. Consolidating all the remote connections through a single point reduces the number of connections and creates a more secure access framework.
2) Protect asset credentials – grant remote users privileged access without providing the credentials to any assets. This can be accomplished by using a password vault. This facilitates access without sharing the actual password. This method avoids the compromise of credentials through keylogging and risky password management. It also eases the management of password expirations and renewals. In a time of crisis, a third party can gain rapid remote access without the risk of forgetting a unique password.
3) Enforce accountability and monitoring – all user activity should be monitored and audited. IT and OT teams should be able to approve, deny or terminate any session as necessary. Network monitoring capabilities can be used to evaluate the traffic passing through these connections and alert on anomalies.
4) Use a policy for access – manage all user access at the “least privileged” mode and grant exceptions to the policy on an individual basis. A flexible rule engine can be used to configure access granularity, such as who can access which asset, when, from where, using which protocols and performing which activities.
5) Allow data and file transfer – build a secure framework to transfer files to the ICS systems, such as for patch management and sending logs and alerts from the ICS to the control center.
Additional best practices for a secure remote access control setup that provides the business logic for authentication, privileges management and accountability include the following:
The connections between remote users and operational equipment should be highly secured. As such, a single outbound port for all simultaneous connections to the operational facility, rather than multiple VPNs, should be used. All traffic should be funneled through this port, which should be controlled and monitored by both the IT and OT security teams.
Use standard secure communication protocols, such as TLS, to encrypt all communications.
Multiple protocols must be supported due to the uniqueness and diversity of vendor and purpose-built systems.
There should be the ability to connect to existing IT solutions such as SIEM, LDAP and Jump servers.
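The "least privileged" access policy described in point 4 above (who can access which asset, when, from where, using which protocols and performing which activities), worked as an added example that is not part of the discussion response or of any vendor product. The group membership, asset names, networks and rules are constructed sample data; the engine is default-deny, and per-user exception rules are evaluated before group rules.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed directory data: which users belong to which vendor group.
GROUPS = {"vendor-acme": {"alice", "bob"}}

class Rule:
    """One grant: who may reach which asset, when, from where, how, doing what."""
    def __init__(self, principal, asset, protocols, sources,
                 hours=(0, 24), activities=("read",)):
        self.principal = principal        # user name or "group:<name>"
        self.asset = asset
        self.protocols = set(protocols)
        self.sources = [ip_network(n) for n in sources]
        self.hours = hours                # allowed local hours [start, end)
        self.activities = set(activities)

    def matches(self, user, asset, proto, src_ip, when, activity):
        if self.principal.startswith("group:"):
            if user not in GROUPS.get(self.principal[6:], set()):
                return False
        elif self.principal != user:
            return False
        if self.asset != asset or proto not in self.protocols:
            return False
        if activity not in self.activities:
            return False
        start, end = self.hours
        if not start <= datetime.fromisoformat(when).hour < end:
            return False
        return any(ip_address(src_ip) in net for net in self.sources)

def evaluate(rules, user, asset, proto, src_ip, when, activity="read"):
    """Default deny: allow only when an explicit rule matches. Per-user
    exception rules are checked before group rules."""
    for r in sorted(rules, key=lambda r: r.principal.startswith("group:")):
        if r.matches(user, asset, proto, src_ip, when, activity):
            return "allow", f"rule for {r.principal} on {r.asset}"
    return "deny", "no matching rule (default deny)"

# Constructed policy: the vendor group may read PLC line 3 over SSH from the
# jump-host network during business hours; alice alone has a write exception.
POLICY = [
    Rule("group:vendor-acme", "plc-line-3", {"ssh"}, ["10.10.5.0/24"],
         hours=(8, 18)),
    Rule("alice", "plc-line-3", {"ssh"}, ["10.10.5.0/24"], hours=(8, 18),
         activities={"read", "write"}),
]
```

Every denied decision carries a reason string, which is what the session-approval and audit logging in point 3 would record.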
3) discussion response in three lines:
FIREWALL MANAGEMENT PRACTICES –
The firewall that is incorporated in the enterprise systems needs to be clearly delineated along with its objectives in an unambiguous manner. This also includes the change management. The prospective changes in the firewall plan need to be comprehensive and congruent to the functionality of the system. Clearly define a firewall change management plan.
Any firewall policy change shall be subjected to rigorous testing and tuning in real time. This is the only way to establish the efficiency and efficacy of the changes to be incorporated. Such an undertaking shall gauge the impact of the changes and offer vivid feedback about further development.
Optimization and scheduled audits of the standard rule base – Firewalls are designed and put in place with a certain set of objectives which in this case are termed as rules. These rules need to be amended from time to time and redundancies need to be eliminated so as to enhance the overall efficiency and avoid unnecessary hindrances installed in the system.
Undertaking unplanned as well as scheduled firewall security audits – Security audits offer a vivid and comprehensive state of affairs of the security apparatus within a system. Therefore, security audits of the installed firewalls form an indispensable part of the entire security regimen. Any vulnerability that is resident can be pre-empted before it causes any major damage.
Standard logging and documentation of the personnel authorized to access the firewall controls need to be commissioned – In order to obtain a ready reference of all the benign of inside human intervention, the log needs to be maintained. This shall eliminate any unauthorized access or breach of the system from the people within the enterprise or company.
VPN MANAGEMENT PRACTICES –
Incorporate Authentication – The primary means to ensure the security of a virtual private network or any other network is authentication. So here, too, a standard authentication procedure needs to be incorporated wherever a VPN is commissioned.
Network performance – Before setting up a VPN, the magnitude of the traffic that is going to flow through such a network needs to be accurately estimated so that the performance is not adversely affected. Appropriate bandwidth needs to be installed; moreover, adequate bandwidth shall also reduce the latency, thereby ensuring a better performance.
Security – A certain degree of security needs to be installed so that only the authentic and authorized end points communicate and access isn’t granted to an outside malicious party. In order to ensure this, traffic filters need to be installed to keep out the malicious parties.
To be installed as a secondary or subsidiary network – Certain inherent properties of the VPN make it a highly reliable and hassle-free alternate network between company nodes whenever there is a main network outage. In case of the main network breakdown, the VPN offers a fully functional alternative.
Full Tunneling – Full tunneling enables entire traffic to traverse through the VPN, thereby subjecting the data to rigorous security procedures. However, in the case of split tunneling the traffic is divided into two categories: one passes through the VPN and the other doesn’t, thereby giving rise to security risks. Therefore, it is always advisable to go for full tunneling of traffic to ensure maximum security of the data and network.
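Both discussion responses above call for periodic review of the firewall rule base: formally retiring rules that are no longer needed, tying each change to the change management process, and auditing the rule set on a schedule. The script below, an added example that is not part of either response or of the NIST document, runs one such review over a constructed four-rule export and flags stale rules, any-to-any permits, rules with no change record, and rules shadowed by an earlier rule so that they can never match. The rule format, ticket field and 90-day staleness threshold are assumptions for the illustration.

```python
from datetime import date
from ipaddress import ip_network

# Constructed sample rule base, shaped like an exported firewall table.
# "last_hit" is the last date the rule matched traffic (None = never).
RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "10.20.0.5/32", "port": 443,
     "action": "allow", "last_hit": "2024-05-01", "ticket": "CHG-1001"},
    {"id": 20, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "action": "allow", "last_hit": "2024-05-02", "ticket": "CHG-1002"},
    {"id": 30, "src": "10.0.0.0/8", "dst": "10.20.0.9/32", "port": 22,
     "action": "allow", "last_hit": "2023-09-15", "ticket": ""},
    {"id": 40, "src": "10.1.0.0/16", "dst": "10.20.0.5/32", "port": 443,
     "action": "allow", "last_hit": None, "ticket": "CHG-0900"},
]

def covers(outer, inner):
    """True if rule `outer` matches every packet that rule `inner` matches."""
    if outer["action"] != inner["action"]:
        return False
    if outer["port"] != "any" and outer["port"] != inner["port"]:
        return False
    return (ip_network(inner["src"]).subnet_of(ip_network(outer["src"]))
            and ip_network(inner["dst"]).subnet_of(ip_network(outer["dst"])))

def review(rules, today, stale_days=90):
    """Periodic rule-base audit: stale rules, any/any permits, rules without
    a change record, and shadowed (dead) rules. Returns a list of findings."""
    today = date.fromisoformat(today)
    findings = []
    for i, r in enumerate(rules):
        if (r["action"] == "allow" and ip_network(r["src"]).prefixlen == 0
                and ip_network(r["dst"]).prefixlen == 0):
            findings.append({"id": r["id"], "issue": "overly-permissive",
                             "detail": "allow any -> any"})
        hit = r["last_hit"]
        age = None if hit is None else (today - date.fromisoformat(hit)).days
        if age is None or age > stale_days:
            detail = "never matched" if age is None else f"last hit {age} days ago"
            findings.append({"id": r["id"], "issue": "stale", "detail": detail})
        if not r["ticket"]:
            findings.append({"id": r["id"], "issue": "no-change-record",
                             "detail": "no change ticket recorded"})
        for earlier in rules[:i]:          # first-match order: an earlier
            if covers(earlier, r):         # rule that covers this one makes it dead
                findings.append({"id": r["id"], "issue": "shadowed",
                                 "detail": f"unreachable; rule {earlier['id']} matches first"})
                break
    return findings
```

Rules flagged stale and shadowed are the decommission candidates that the formal change process should retire, while the any-to-any permit is the finding to escalate first.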