Original article by Joe Weiss (Applied Control Solutions) und Richard Ku
Enterprises and industrial facilities rely on control systems to manage, command, or regulate the devices and the systems that make up their operations. The processes run by industrial control systems (ICSs) not only “keep the lights on” but also facilitate productivity and safety. Everything from temperature and sensory equipment to manufacturing lines and security devices are managed by ICSs.
In the past, these systems were under the purview of engineering departments, so their design and configuration were focused on functionality and process. But after 9/11, governments and enterprises became more concerned about cybersecurity. The management of ICSs moved to IT teams and, consequently, all cybersecurity monitoring and mitigation centered on the IP (Internet Protocol) network layer. ICS security went from being mission assurance to information assurance.
Systems under the engineering department are neither managed nor secured by IT teams. This means that control system devices — such as process sensors, actuators, and drives — that were managed by engineering teams years ago, but are still in use today, do not have capabilities for cybersecurity. They have no means for authentication or cyberlogging, and most cannot be upgraded. This presents a serious problem because the old cliché is true: Security is only as strong as the weakest link. Attackers will try to enter enterprise networks through all possible weak points in security.
Any comprehensive security plan for enterprises and large organizations should include cybersecurity policies for weak links in ICSs. Since they manage many vital aspects of enterprise operations, protecting these control systems will also protect workers, valuable digital assets, and physical property.
A map of ICS attack vectors
First, there are the devices that do not have any cybersecurity elements. Modern technologies improve productivity through these reliable, accurate, and secure sensors, controls, and actuators. But as mentioned, they are missing a key factor: cybersecurity. As a result, attackers could use these small and unsecured devices as entry points into an enterprise network.
In some cases, attackers could compromise the operational technology (OT) network from the IT environment. (OT directly monitors or controls industrial equipment or processes, and ICSs are a subset of this group.) Examples include attacks on servers using malicious software, web application attacks on human-machine interfaces (HMIs), and communication protocol attacks that compromise traffic from the network router.
A typical organization’s OT and control system environment
In other cases, there are physical attacks on the network devices or software attacks to introduce malware into the system while patching or updating firmware or software. The original article provides a graphic overview.
A security strategy for ICS environments
Addressing weak points in ICS security is not an easy task. Enterprises need to contend with outdated design aspects, security concerns in third-party applications, and many other issues. These are but a few of the challenges they need to overcome:
- Unknown devices and connections to the OT network
- Lack of security in the original design
- Vulnerable and unsecure third-party applications and operating systems
- Legacy systems and environments that may be hard to secure
Reducing cyber risk in an ICS environment also requires a significant understanding of the network environment, including the sensors, the process controls, the protocols, and the communication. Security planners should also have a clear view of cyberthreats and attack vectors in the environment.
Cyber risk in ICS environments affects a great many industries, including power, oil and gas, manufacturing, pharmaceuticals, healthcare, and transportation. Because of the potential impact a cyberattack might have on critical industries and business in general, it is recommended that every organization implement a comprehensive cybersecurity strategy. A good place to start is with industry standards. Depending on what type of business is operating, there are different standards that can be enforced by governing bodies. Next, enterprises should implement a cybersecurity framework in line with the goals and the objectives of the organization. This can be done by creating a cohesive plan that works across four pillars: people, process, technology, and culture.
- People: Staff training and awareness on security, Professional skills and qualifications, Competent resources
- Process: Governance, policy, and framework, Management system, Best practices, IT/OT audit
- Technology: Testing, verification, and validation of technologies, Competent people, support processes, and an overall plan for technology deployment
- Culture: Creation of a cyber culture within the organization for reduction of cyber risk, Fostering of the cyber culture starting at the top and down to all levels of the organization
There are also basic activities that an organization can carry out to reduce cyber risk. These include strengthening account credentials, disabling unused physical and network service ports, encrypting system configuration files, and limiting the IP and media access control (MAC) addresses that can access the network.
Enterprises also need in-depth protection for ICS environments. This type of security needs to include the following key components:
There is a critical need for enterprises to deploy cybersecurity measures for the protection of ICS environments. Of course, when implementing new tools and policies, there are necessary precautions. All network tools used with control systems should be adequately tested offline before they are employed in real-time OT networks. And the appropriate technologies for ICS environments should be tested in an integrated manner offline, and then online. These technologies include the suite of OT cybersecurity technologies developed by Trend Micro and TxOne Networks.
Dangerous incidents could stem from something as small as an unprotected sensor. Enterprises and industrial facilities, especially those that carry valuable company assets and house thousands of workers, should regularly update and upgrade their security to keep up with constantly evolving threats. A comprehensive security plan that covers all levels of an ICS environment can help keep enterprise assets and staff safe and sound.
Our paper, “A Current View of Gaps in Operational Technology Security,” provides more insights into addressing weak points and reducing cyber risk in ICS environments.