This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
TripWire published this article on January 24, 2016, more than 4 years ago. It contains 22 recommendations on how to secure your systems. This is the first part of a 2-part series reviewing the first 11 of those recommendations.
Given the last 4 years, look back at any security issues you have experienced and see whether any fall into these categories. Clearly, the mitigations for these attacks will not secure your system by themselves, but the process of certification will change perceptions of security threats and help build a stronger security mindset in the development and maintenance of systems.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
13. Consider disabling Windows PowerShell, which is a task automation framework.
These two items (12 & 13) fall under user guidance, as was previously seen in IEC 62443-4-1 SG-3 Security hardening guidelines. This is living guidance that is reviewed when a breach occurs, at the end of projects, or at some predetermined regular interval.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
“In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.”
15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
These 2 items (14 & 15) are part of maintaining anti-virus and malware protection capabilities in the system. There are several places in the standard that deal with anti-virus and malware protection in the context of monitoring resources and managing access to the system.
- IEC 62443-4-2 FSA CR-3.3 Security functionality verification
- IEC 62443-4-2 FSA CR-7.2 Resource Management
- IEC 62443-4-2 FSA CR-1.2 Software process and device identification and authorization
16. Use strong passwords that cannot be brute-forced by remote criminals.
IEC 62443-4-2 FSA CR-1.7 Strength of password-based authentication. This is one of several specific types of guidance in the standard dealing with managing authentication.
17. Deactivate AutoPlay.
“This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.”
IEC 62443-4-2 SAR-3.2 Protection from malicious code. This requirement discusses managing programs that may come from any source external to the certified application. This could be from some download or access to portable media.
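Items 12 through 17 all resolve to concrete Windows settings, and a hardening-guideline review (SG-3) goes faster when the current state of those settings is collected as evidence rather than inspected by hand. The script below is an added example, not code from this post or from the Tripwire article: a read-only audit that reports PASS/REVIEW for each item. It assumes Windows 10/11 or Server 2016 or later, PowerShell 5.1 or newer run from an elevated prompt, and Office 2016 or later (policy key version 16.0). The registry paths are Microsoft's documented policy locations; the "disable PowerShell" advice of item 13 is approximated by checking that the legacy v2 engine has been removed, since a script cannot audit a shell it has disabled. The minimum password length threshold of 14 and the rule names are the example's own choices, and item 15 (a browser popup blocker) is browser-specific and not covered.

```powershell
# Added example, not code from the exida post or the Tripwire article. A read-only
# audit of the Windows settings behind items 12-17, producing a PASS/REVIEW table
# that can be attached as evidence to an IEC 62443-4-1 SG-3 hardening review.
# Assumed: Windows 10/11 or Server 2016+, PowerShell 5.1+, elevated prompt,
# Office 2016 or later (policy key 16.0). Nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Missing key or value -> $null, which the checks treat as "OS default, not hardened".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-MinimumPasswordLength {
    # Item 16: read the effective local policy via secedit (domain GPO takes precedence
    # on domain-joined hosts, so compare against the applied GPO as well).
    $cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $m = Get-Content $cfg | Select-String -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

function Get-PowerShellV2State {
    # Item 13: the legacy v2 engine bypasses script block logging and AMSI; removing
    # it is the documented hardening step (full removal of PowerShell is done with
    # AppLocker/WDAC policy and is not shown here).
    try { "$((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).State)" }
    catch { $null }
}

$checks = [System.Collections.Generic.List[hashtable]]::new()
$checks.Add(@{ Item  = '12 Windows Script Host disabled (Enabled=0)'
               Value = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
               Pass  = { param($v) $v -eq 0 } })
$checks.Add(@{ Item  = '13 PowerShell v2 engine removed'
               Value = Get-PowerShellV2State
               Pass  = { param($v) $v -eq 'Disabled' } })
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    # Item 14: VBAWarnings 4 = all macros disabled without notification.
    $checks.Add(@{ Item  = "14 $app macros disabled (VBAWarnings=4)"
                   Value = Get-RegValue $sec 'VBAWarnings'
                   Pass  = { param($v) $v -eq 4 } })
    # Item 14: block macros in files that carry the Mark-of-the-Web (external content).
    $checks.Add(@{ Item  = "14 $app macros blocked in files from the Internet"
                   Value = Get-RegValue $sec 'blockcontentexecutionfrominternet'
                   Pass  = { param($v) $v -eq 1 } })
}
$checks.Add(@{ Item  = '14 Office ActiveX disabled (DisableAllActiveX=1)'
               Value = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Office\Common\Security' 'DisableAllActiveX'
               Pass  = { param($v) $v -eq 1 } })
# Item 16: the 14-character threshold is this example's choice, not a value from the standard.
$checks.Add(@{ Item  = '16 Minimum password length >= 14'
               Value = Get-MinimumPasswordLength
               Pass  = { param($v) $v -ge 14 } })
# Item 17: bit mask 0xFF disables AutoRun for every drive type.
$checks.Add(@{ Item  = '17 AutoPlay disabled for all drives (NoDriveTypeAutoRun=0xFF)'
               Value = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
               Pass  = { param($v) ($v -band 0xFF) -eq 0xFF } })

$results = foreach ($c in $checks) {
    $shown  = if ($null -eq $c.Value) { '(not set)' } else { $c.Value }
    $ok     = & $c.Pass $c.Value
    $status = if ($ok) { 'PASS' } else { 'REVIEW' }
    [pscustomobject]@{ Item = $c.Item; Value = $shown; Status = $status }
}
$results | Format-Table -AutoSize
```

Every REVIEW row is a prompt for the hardening guideline, not an automatic failure: a site may legitimately keep signed macros enabled (VBAWarnings=3) for a documented business process, but the guideline should say so, and the audit output is the record that the deviation was seen and accepted.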
18. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
“This way, if you happen to get hit, the ransomware infection will stay isolated to your machine only.”
This is covered in two previously mentioned requirements from the standard – those dealing with System Hardening and Software process and device identification and authorization. Both items discuss managing access to other parts of the system. With access restricted, the likelihood of the attack spreading around the system is greatly reduced.
19. Think of disabling remote services.
20. Switch off unused wireless connections, such as Bluetooth or infrared ports.
Both items (19 & 20) would fall under the general topic of attack surface reduction. Each means of accessing the certified product, whether directly or via a remote service or connection, is examined for potential threats, and protection is built into the system.
IEC 62443-4-1 SR-2 Threat Modeling is an analysis tool that looks at your system from the perspective of an attacker.
21. Enhance your protection more by setting up additional Firewall protection.
Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
22. Block known-malicious Tor IP addresses.
This is another component of developing a Defense in Depth strategy. This speaks to the many layers an attacker would have to penetrate to succeed in their attack. This is discussed in IEC 62443-4-1 SG-1 Product Defense in Depth.
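Items 21 and 22 both add a network layer to the defense in depth: a firewall rule that refuses connections to addresses known to be malicious, kept current as the list changes. The script below is an added example, not code from this post or from the Tripwire article, and shows how that layer is applied and, just as important for detection, how its hits are logged. It assumes Windows 8.1/Server 2012 R2 or later with the NetSecurity module and an elevated PowerShell 5.1+ prompt; the rule name is the example's own, and the address list is constructed from RFC 5737 documentation ranges (with one deliberately malformed entry to show the validation), standing in for a vetted feed of Tor exit addresses or other indicators that the page does not supply.

```powershell
# Added example, not code from the exida post or the Tripwire article. It applies
# item 22 (block a list of known-malicious addresses) and the "additional firewall
# protection" of item 21 as one outbound block rule in Windows Defender Firewall,
# and turns on logging of dropped connections so hits are visible to monitoring.
# Assumed: Windows 8.1/Server 2012 R2 or later, PowerShell 5.1+, elevated prompt.
# $blockList is CONSTRUCTED from RFC 5737 documentation ranges; a real deployment
# loads it from a vetted, regularly refreshed feed and re-runs this script.

$ruleName  = 'Block known-malicious addresses (example)'
$blockList = @('192.0.2.10', '198.51.100.0/24', '203.0.113.77', 'not-an-address')

function Test-BlockEntry {
    # Accept a single IPv4/IPv6 address or a CIDR block. One malformed entry would
    # otherwise make the whole New-NetFirewallRule call fail, leaving nothing blocked.
    param([string]$Entry)
    $ip, $prefix = $Entry -split '/', 2
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) { return $false }
    if ($null -eq $prefix) { return $true }
    $max = if ($ip.Contains(':')) { 128 } else { 32 }
    $n = $prefix -as [int]
    return ($null -ne $n) -and ($n -ge 0) -and ($n -le $max)
}

$valid = foreach ($e in $blockList) {
    if (Test-BlockEntry $e) { $e } else { Write-Warning "Skipping invalid entry: $e" }
}
if (-not $valid) { throw 'No valid addresses; refusing to create an empty rule.' }

# Create the rule on first run, then only refresh its address list afterwards.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $valid
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Profile Any -Enabled True -RemoteAddress $valid | Out-Null
}

# Log dropped packets (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)
# so a SIEM or reviewer can see which hosts tried to reach a blocked address.
Set-NetFirewallProfile -All -LogBlocked True

# Show what is actually in the rule after this run.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The validation step and the logging line are the two parts that turn this from a one-off tweak into a layer of the defense: the first keeps a bad feed entry from silently disabling the rule, and the second means a host that repeatedly attempts connections to a blocked address shows up in the firewall log as an early indicator of the infection that item 18 tells the user to isolate.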
These are the remaining 11 items from the original Tripwire article. If your product had gone through a certification process with exida sometime in the last 4 years, each of these items would have been discussed and a plan formulated for mitigating the threat.