Securing ICS Environments in a Connected World
To compete in today’s market-driven global economy, businesses need to have efficient production processes to reduce costs, increase output, and improve quality. Industrial Control Systems (ICS) monitor, automatically manage and enable human control of industrial processes such as product distribution, handling and production. A multitude of industries, some of them critical infrastructure, heavily rely on modern ICS for their core operations.
But increased efficiency also comes with new security problems, as IT/OT (operational technology) convergence opens new attack surfaces in the cyber realm. Headline stories such as those about Stuxnet, Duqu, and Flame revealed weaknesses surrounding ICS and serve as constant reminders to be aware of vulnerabilities and attack vectors. Sophisticated threat actors have quickly learned the value of targeting ICS to compromise their operations and cause severe consequences for daily business, including operational shutdowns, equipment damage, reputational damage, financial loss, loss of intellectual property and competitive advantage, and health and safety risks. Therefore, understanding ICS environments and the range of possibilities they hold for attackers is becoming paramount for any industry.
What are Industrial Control Systems?
ICS is an umbrella term that encompasses several types of control systems, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC), often found in industrial sectors as well as critical infrastructure. These systems are typically used in industries such as electrical, water and wastewater, oil and natural gas, mining, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods), as well as in critical infrastructures such as air traffic control, electrical and nuclear power plants, wastewater treatment plants, refineries, pipelines, and dams.
IT administrators need to manage two different systems—ICS and IT—with conflicting operational priorities. As ICS incorporate everyday IT solutions and network connectivity while retaining their own operational priorities, they have introduced a whole new set of exploitable vulnerabilities. In FY2015, ICS-CERT responded to 295 cyber incidents, a 20 percent increase over FY2014. Attacks against the Critical Manufacturing Sector nearly doubled to a record 97 incidents, the Energy Sector was the second most targeted with 46 incidents, and the Water and Wastewater Systems Sector was third with 25 incidents.
The fundamental difference between a security incident in the IT domain and one in the ICS domain lies in the potential impact. The main challenge in the ICS domain stems from the fact that these systems typically control physical processes in their facilities. Sophisticated attackers who thoroughly understand those processes can, in theory, achieve a true cyber-physical attack rather than merely intruding for espionage, ICS disruption, or intellectual property theft.
Threat actors targeting ICS
Threat actors targeting ICS have a variety of goals in mind. The classic modus operandi for cybercriminals revolved around the theft of money, financial information, and PII. Attackers, however, slowly came to understand the value of stolen sensitive data. Therefore, one very compelling motive for attacks on ICS is simple economic gain through industrial espionage. There is a huge gap between the top and bottom companies in manufacturing and production industries—it is obvious that insights that could help close that gap have great economic value. In this context, penetrating the ICS (the OT side) can also help attackers move laterally into the rest of the organization for their next steps.
The more high-profile cases, however, also involve kinetic attacks that can have actual physical ramifications and/or disrupt processes, and these have been found to have been perpetrated by nation states. Campaigns such as BlackEnergy, which affected power generation facilities in Ukraine and left customers without power, demonstrate the range of attacks against ICS. Among the most common threat actors are national governments, terrorists, criminal syndicates, industrial spies, and hackers who are either contracted or motivated by some hacktivist ethos. Threat vectors do vary, with the insider threat high on the list, but the top vector consists of external actors (hacktivists or nation states).
What can be done to protect ICS environments?
Today’s ICS environment is difficult to secure and requires a layered approach. Historically, ICS environments were protected from cyber attacks by physically isolating them, a practice known as “air gapping.” However, this technique alone is no longer a functional or operationally feasible solution in today’s connected world.
Even the ICS community does not fully understand the extent of the possibilities available to an attacker. When discussing effective protective and defensive strategies, it is absolutely paramount to involve IT and OT personnel as well as policy makers and engineering experts, so that they can comprehensively map out and analyze the various scenarios in which ICS infrastructure at different facilities could be exploited and understand the goals an adversary could achieve—in simple terms, to be able to view your network through the eyes of the attacker. The cybersecurity maturity level of an organization depends on how well it knows and understands its control system and network. One effective way to understand ICS attacks and re-assess the kill chain is to review case studies of intrusions and attacks targeting ICS. From there, a comprehensive plan for protection and defense can be developed.