Navigating ICS Security: Part 1

It is imperative that ICS are protected against all cyber events—accidental or malicious—because the physical ramifications of such events pose major threats to both public safety and to any industrial entity’s ability to stay operational and competitive.

What is an ICS?

ICS is a generic term that encompasses several types of control systems. These control systems can be found in discrete manufacturing, process automation, energy and transportation verticals, many of which operate critical infrastructure. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to operate and control a physical process.

Industrial Control System Basics

While OT and IT both need to protect their systems and data from compromise, each group tends to approach systems differently because they have varying priorities.

For example, ICS control engineers can be hesitant to upgrade equipment even when it would enhance their cybersecurity outlook. This is due to the focus on maintaining constant uptime and measuring performance characteristics before other priorities like running the latest and greatest firmware. These three imperatives tend to dominate the OT cybersecurity conversation: safety, quality and uptime.

Many industrial devices are running older, highly-vulnerable versions of Windows that have not been hardened or patched. Operators often feel they can’t take these systems down for routine maintenance to improve security because they are critical for the overall operation of the plant or service. In some cases, security vulnerability scans typically used in IT environments are too disruptive to use in OT environments.

Even when organizations can overcome these obstacles, cybersecurity is a relatively new discipline for an operations teams running an ICS environment. They may choose to delay acting on security issues because of real concerns about safety, quality and uptime. While such concerns are understandable, cyberattacks against critical infrastructure are escalating.

3 Classes of ICS

Industrial organizations have options when it comes to automation equipment. For instance, some systems must be distributed to be able to manipulate instruments that are physically distant from one another. Others are localized, with oversight of multiple subsystems for a large number of control points managed within close proximity. Most ICS run on one of the following types of systems:

1. Distributed control systems (DCS): Manages and automates thousands of control points within a process. Typically found in oil and gas refineries, chemical, pharmaceutical and power generation plants.
2. Programmable logic controllers (PLC): Acts as an industrial computer and makes decisions, such as turning a motor, through input received by sensors.
3. Supervisory control and data acquisition (SCADA): Centrally manages, monitors and controls remote field devices that are often spread over thousands of square miles.

The Industrial Cyber Threat Landscape

Industrial operators have to be knowledgeable about common adversarial tactics like phishing and malware, but they also need to understand emerging tactics designed specifically to compromise ICS.

So how exactly are threat attacks managing to make their way into vulnerable ICS? That depends on how mature the cybersecurity program is. For example, if an industrial organization doesn’t have basic change monitoring as part of its cybersecurity program, attackers have much more low-hanging fruit to pursue. For example, attackers can linger within the industrial network undetected, exfiltrating data and gaining access to privileged accounts. On the other hand, a similar organization with a highly-mature program that monitors their devices and networks raises the stakes for adversaries, the initial access and reconnaissance activities will be detected before damage can be done.

Intentional vs Accidental & Insider vs Outsider Threats

If you read a headline about a critical infrastructure cyberattack, a coordinated nation-wide attack might be what first comes to mind. While intentional outsider threats pose serious risks to public safety, not all cyberattacks carried out within an ICS are the stuff of action movies.

According to the 2019 DBIR, 30% of cybersecurity incidents were the result of internal threats. Internal threats can come from insiders being paid to engage in espionage or disgruntled employees aiming to inflict financial losses or operational damage. In many cases, cyber events can be the result of simple human error. Accidental insider threats can look like an employee configuring the incorrect switch resulting in downtime or even leaking confidential information by way of a password absentmindedly left in the open.

Real World ICS Breach

In December 2015, more than 230,000 Ukrainians in three different regions suddenly found themselves without electricity on a cold winter evening. A single, coordinated attack had taken down 30 public power substations.

This attack may have seemed sudden to the utility company but it was the result of careful plotting over the course of six months on the part of the cybercriminals. They used a combination of phishing, keylogging, VPN hijacking, denial of service, firmware modification and more.

Protecting systems from cyberattacks is more critical than ever due to the shift towards smart and future-proof technology. Prioritizing security in industrial environments would mean an increase in safety, quality and uptime for machinery vulnerable to these threats.

In the next series of Navigating ICS Basics we will cover building your cybersecurity program.