A recent incident where a likely nation-state threat actor inadvertently shut down a critical infrastructure facility in the Middle East when testing new malware has stoked widespread concerns about the vulnerability of industrial control systems (ICSs) to new cyberthreats. Many security experts see the incident as a harbinger of a new wave of destructive attacks targeting ICS and want critical infrastructure owners to urgently update the security of their operational technology (OT) networks.
What is an ICS?
An ICS is any device, instrumentation, and associated software and networks used to operate or automate industrial processes. Industrial control systems are commonly used in manufacturing, but they are also vital to critical infrastructure such as energy, communications, and transportation. Many of these systems connect to sensors and other devices over the internet—the industrial Internet of things (IIoT), which increases the potential ICS attack surface.
"It is important that organizations leverage lessons learned securing enterprise IT but adapt those lessons to the unique characteristics of OT," says Eddie Habibi, CEO and founder of ICS security vendor PAS Global. "This includes moving beyond perimeter-based security in a facility and adding security controls to the assets that matter most – the proprietary control systems, which have primary responsibility for process safety and reliability," he says.
The following are some of the key questions that plant operators, process control engineers, manufacturing IT specialists, and security personnel need to be asking when planning for ICS security, according to several experts.
1. Do I have the people to manage and sustain ICS security?
Organizational planners often tend to think of industrial cybersecurity as largely a technology issue when often the much bigger problem is a lack of skilled resources, says Sid Snitkin, an analyst with the ARC Advisory Group. In recent years operators of critical infrastructure have increasingly deployed recommended technology controls for protecting their systems, but not enough people to man them.
"Many organizations just don't have the people in place to sustain the technology they have put in," Snitkin says. "They put in anti-malware, but don't have people to put in the updates. They can identify vulnerabilities but don't have people to fix them." Often, the ones who manage cybersecurity are the same automaton engineers and production engineers who put in the systems in the first place.
"Security is a side job for them," Snitkin says. They don't have the time and are typically more focused on keeping systems running than taking them down to address security issues. A lot of plant managers are operating under a false sense of security by thinking they have addressed their security issues by implementing a few technology controls, Snitkin says.
2. Do I know what I have installed in the field?
To properly protect you first need to figure out what you have installed in the field and which systems they connected to. If you don't have that visibility, you are dead in the water, Joe Weiss, managing director of Applied Control Solutions, says. You need to understand where you have technology controls in place already, and where technology can be used to protect. For systems that don't support modern security controls you need to be thinking about compensating controls for mitigating risk, Weiss says.
"We’ve seen hackers bypass firewalls, jump air gaps, and leverage ICS device vulnerabilities because of the lack of basic security protections," says Bill Diotte, CEO of industrial security vendor Mocana. It is vital for plant managers, operators and manufacturers need to make sure that the ICS devices themselves are trustworthy and support essential cybersecurity, Diotte says
"Often PLCs [programmable logic controllers], sensors and industrial gateways do not have a secure credential [such as a] digital certificate or private key hidden in silicon as a basis of trust," he says. Basic cyber protections like secure boot, authentication, encryption, and trust chaining are not implemented on devices that impact personnel safety, uptime and the environment, he says.
3. Do I have true cybersecurity control system policies in place?
One of the biggest mistakes organizations can make is to equate IT security with control system security. The two are fundamentally different, says Weiss.
IT security is typically focused on detecting and addressing vulnerabilities in the network regardless of actual impact on process systems. For plant operators it is the integrity and availability of systems that matters the most, Weiss says. The focus for them is not so much about the sophistication of a particular cyber threat but whether it can cause a problem to the process.
"Do you actually have control system cybersecurity policies and procedures? Not IT, not business continuity, not physical security," Weiss says. Are you thinking about how your process control systems are protected or are you just marching in lockstep with IT, he asks.
To be truly secure, you need to be able to trust the output from the process sensors connected to your controllers, actuators, and human-machine interface (HMI) systems. "Prior to 9/11, the people who owned the equipment owned everything about it. After 9/11, cyber was reclassified as critical infrastructure and taken from operators and given to IT." The result has been an overly IT-centric view of ICS security, Weiss says.
4. Can I trust the output from my devices?
Make sure you have controls for ensuring the trustworthiness of devices on your industrial control network, Diotte says. Otherwise, it is risky to trust their data.
Do your industrial control devices have features like secure boot process and mechanisms for preventing unauthorized changes to the firmware? Do you know how secure your over-the-air software updating and security patching processes are? Can your ICS devices support the use of standards-based PKI authentication and digital certificates, Diotte asks.
"Everyone is focused on the diagnosis. No one's asking if we can trust our sensors," Weiss adds. " If you are a doctor, you can't trust your blood pressure readings unless you know the monitor can be trusted."
5. Are IT security measures protecting my systems or causing more problems?
IT should not be doing anything directly with a control system without control system personnel supervision, Weiss says. Otherwise, unexpected problems can result. "In IT, if somebody tries the wrong password five times, you lock that person out." Taking the same approach to control access to a critical power plant system when somebody really needs to get to that system in a hurry can be disastrous, he says. "You are going to reduce the facility to rubble," Weiss says. "As a hacker, all I need to do is send the wrong password five times to lock you out."
It is vital to find out if your security controls are architected for OT environments, says Habibi. "Agents, network ping sweeps, and other common approaches to securing corporate IT networks are non-starters in a process control network due to possible safety and reliability impacts," he says. "Such solutions should simply never make it into production. Period."
6. Do I have the right documentation for my systems?
Whether deploying a new control system or hardening an existing one, it is important to have all documentation for the necessary and optional services for the control components says Reid Wightman, senior vulnerability analyst at Dragos. You need to know if the documentation breaks down services by function—for example, control systems protocols versus engineering protocols versus file transfer and HMI configuration protocols, he says.
When a control component experiences a fault, do you have documentation that explains the behavior of the controller’s outputs? "What proprietary network protocols are implemented in the system, and what has been done to harden their respective services?" Wightman says. You need such information to truly understand the risks you are accepting and the mitigation measures that are needed to isolate vulnerabilities should they impact your systems.
7. Do I fully understand my network access issues?
Connecting control systems to the network can make them easier to manage and administer, but you need to understand the security implications and have controls in place mitigating risks, Wightman says.
For example what assurance do you have that anyone accessing your control systems environment via the network only has read-only access to data? Does the process system vendor require any remote access to the network? What control can you exercise over that access?
Similarly, you need to know if engineers will be accessing control components remotely and why they need that access. Make sure you know what controls exist or might be need to be added to the network to achieve an acceptable level of risk and assurance that remote access is exercised securely, Wightman says.
Make sure you ask about the communications protocols you need to support by device class and device type, Mocana’s Diotte says. Find out if you have strong authentication and encryption of all communications with your control systems, identify the most vulnerable communications protocols, find out if you are communicating securely with your SCADA and IIoT networks, Diotte says.
8. Are incident response and incident management capabilities in place?
Even if the likelihood of a cyberattack is relatively low, the impact of one can be disastrous. A basic question you need to ask is about your ability to respond to and mitigate a successful attack, ARC Advisory's Snitkin says. "If an attacker really wanted to penetrate your organization and establish a base, you are not going to be able to stop them," he says. You need to make sure you have a plan and a process in place for recovering quickly and securely from a cyberattack.
In evaluating cybersecurity measures for your ICS environment, find out how equipped your organization is to recognized unauthorized changes says Habibi. "Do you have incident response protocols based on asset criticality in place to respond appropriately and quickly?" he says. "Do you know what level of attack surface exists on industrial assets?"
Evaluate your vulnerability identification and mitigation processes for both IT-based and proprietary control system assets, the level of patching that currently exists and the facilities that are most exposed, Habibi says. "If the worst-case scenario happens, do you have tested business continuity plans, including a fresh backup of the at-risk systems, in place?"