In my previous post, I explored the challenges we all face within today’s rapidly-evolving cybersecurity threat landscape—and the responsibilities we share in securing safety-critical processes from malicious attacks. I also highlighted the new technology, tools and resources included in KEPServerEX version 6.5 that support our customers’ defense-in-depth programs. Today, I’m going to walk you through one of those new resources: our Secure Deployment Guide.
The Secure Deployment Guide instructs users on how to deploy KEPServerEX with maximum security from installation to upgrading. It does not intend to identify and implement best practices for network environment and system configuration; instead, it encourages users to develop in-house expertise, work with experienced systems integrators and consult expert resources (like the National Cybersecurity and Communications Integration Center’s Industrial Control Systems Cyber Emergency Response Team [ICS CERT]).
The Secure Deployment Guide provides strategic recommendations for security in 6 key areas:
- Host operating system, including system security, user management, firewall settings and file management
- Installation, including validating the KEPServerEX install, installing required features and setting a strong administrator password
- Post-installation, including disabling unsecure or unused interfaces and configuring server users and user groups according to the principles of least privilege
- Secure protocols, including OPC UA, MQTT, REST, SNMP, ThingWorx Native Interface and more
- Configuration API, including how to configure and use securely
- On-going server maintenance, including upgrading KEPServerEX, monitoring external dependencies and following best practices throughout the system and environment’s lifecycle
It also provides recommendations around documentation to ensure that users will have the information they need to roll-back to previous system states or to replicate configurations when necessary.
Using the Guide
We advise new users to utilize the Secure Deployment Guide when configuring new production installs of KEPServerEX. Existing users should compare current configurations with the recommendations provided in this guide, adjusting as needed.
Industrial control system security is critical, and everyone needs to do their part in mitigating cybersecurity threats. It’s your responsibility to deploy and maintain KEPServerEX according to our best practices. We encourage you to read the guide to gain the practical information you need to ensure it is as secure as possible.
Have questions? Leave me a comment below, and I’ll do my best to make sure you get the information you need.