Industrial control systems (ICS) underpin individual businesses and critical infrastructures around the world. They maintain control of power stations and nuclear plants, water distribution systems and manufacturing sites – and today, they are routinely targeted by cyber attackers looking to spy on, compromise and damage those organisations.
Article contributed by Darktrace.
The business of cybersecurity has changed in the past few years, presenting a significant challenge to management teams across all industries and business domains. A report conducted by the Cybersecurity Research Group found that 67 percent of companies with critical infrastructure experienced at least one cyber-attack in the last year and 78 percent expected their ICS and SCADA systems to be exploited in the next two years.
We see an increasing trend toward IT security teams taking on more accountability and responsibility for securing OT (operational technology) systems, which require different specialist skills and working practices. This cultural and technical convergence will bring a steep learning curve that must be overcome.
Increasingly exposed to the same attack vectors used in the majority of cyber attacks, OT devices within ICS and SCADA environments are inherently harder to secure, but their compromise can lead to enormous physical damage and danger to human life. The critical nature of ICS environments also makes securing these devices more challenging than in IT environments. Ever since the Stuxnet malware was widely reported in 2010, threats to industrial systems have grown rapidly in both number and capability. This was made clear in, among others, the 2014 compromise of a German steel mill that caused massive damage to a blast furnace and the 2015 and 2016 attacks against the Ukrainian power grid.
Ongoing malware campaigns are actively acquiring critical data about control systems, while quietly maintaining persistent access. Existing defences such as firewalls have repeatedly proven inadequate on their own, especially against insiders who already have privileged access.
The security community is increasingly coming to the consensus that we are entering a new era of serious OT cyber-threat, with ever rising numbers of vulnerabilities being found in control system devices.
ICS Cybersecurity Issues
ICS environments face numerous cybersecurity threat vectors with varying degrees of potential loss, ranging from non-compliance to disruption of operations, which could result in destruction of property and potential loss of human life.
Examples of potential ICS-related threats include advanced persistent threats, unintended spillover of corporate network compromises, disruption of voice & data network services, coordinated physical & cyber-attack, insider sabotage, hacktivist attacks, supply chain disruption or compromise, catastrophic human error and distributed denial of service.
Historically, industrial control environments were relatively isolated from corporate networks and the internet. However, computer viruses and other forms of cyberattacks have been known to bridge the gap by exploiting security holes related to the handling of removable media, or simple human error.
While security is an upside of having a seemingly closed or isolated system, the downsides include limited or no access to enterprise decision-making data, and no way for control engineers to monitor systems from other networks. Additionally, ICS often ties together decentralised facilities such as power, oil and gas pipelines, water distribution and wastewater collection systems, among many others, where the network is hard to physically secure.
ICS systems, whilst designed to be interoperable and resilient, are not necessarily easy to secure. With the increasing number of connections between ICS systems, corporate networks and the internet, combined with the move from proprietary technologies to more standardised and open solutions, they are becoming more susceptible to the kind of network attacks that are found more commonly in IT environments.
Cybersecurity researchers are particularly concerned about the systemic lack of authentication in the design, deployment and operation of some existing ICS networks, and the belief that they are completely secure simply because they are physically secure. It has become clear that any possible connection to the internet can be exploited, even if it is not direct. ICS-specific protocols and proprietary interfaces are now well documented and easily exploited. The use of a VPN (Virtual Private Network) is also not sufficient protection for ICS users, as this can be trivially bypassed with physical access to network switches and never provides end-to-end coverage. Supply-chain risks and remote access requirements from vendors and service suppliers present an often unknown level of risk for otherwise segregated environments.
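The authentication gap described above has a direct consequence for monitoring: when a control protocol carries no credentials, the protocol itself cannot tell an engineer's write from anyone else's, so a passive monitor has to carry its own inventory of which hosts are allowed to change controller state. The Python below is an added illustration of that allowlist check run over sample traffic records; it is not Darktrace's code or part of the original article, and the log format, host addresses and function names are all constructed for the example.

```python
"""Allowlist check for state-changing control-protocol commands.

Added example (not Darktrace's or the article's code). The flow-record
format, the host addresses and the asset inventory below are constructed
for illustration; a real deployment would populate them from its own
network inventory.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed flow records: "timestamp src dst protocol function"
SAMPLE_LOG = """\
2017-06-21T08:00:01Z 10.10.1.5 10.10.2.20 modbus read_holding_registers
2017-06-21T08:00:02Z 10.10.1.5 10.10.2.20 modbus write_single_register
2017-06-21T08:00:07Z 10.10.9.44 10.10.2.20 modbus write_multiple_registers
2017-06-21T08:00:09Z 10.10.1.6 10.10.2.21 s7comm download_block
2017-06-21T08:00:11Z 10.10.1.7 10.10.2.21 s7comm read_var
2017-06-21T08:00:15Z 10.10.1.7 10.10.2.21 s7comm plc_stop
"""

# Assumed asset inventory: the only hosts permitted to change controller
# state or logic (an engineering workstation and an HMI), plus one
# read-only historian.
WRITE_ALLOWLIST = {"10.10.1.5", "10.10.1.6"}
KNOWN_HOSTS = WRITE_ALLOWLIST | {"10.10.1.7"}

# Functions that change controller state or logic, per protocol. The
# names are illustrative labels, not a complete function-code table.
STATE_CHANGING = {
    "modbus": {"write_single_register", "write_multiple_registers",
               "write_single_coil", "write_multiple_coils"},
    "s7comm": {"download_block", "plc_stop", "plc_control"},
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one record into its five fields; return None if malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    return fields[0], fields[1], fields[2], fields[3], fields[4]


def check_log(text: str) -> List[Alert]:
    """Raise an alert for every write-type command the inventory does not
    authorise, and for any command from a host not in the inventory."""
    alerts: List[Alert] = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # blank or malformed record: nothing to evaluate
        ts, src, dst, proto, func = parsed
        writes = STATE_CHANGING.get(proto, set())
        if src not in KNOWN_HOSTS:
            alerts.append(Alert(ts, src, dst, f"unknown host issued {proto} {func}"))
        elif func in writes and src not in WRITE_ALLOWLIST:
            alerts.append(Alert(ts, src, dst, f"{func} from host not permitted to write"))
    return alerts


if __name__ == "__main__":
    for a in check_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}: {a.reason}")
```

Two of the six constructed records trip the check: a write from an address that is not in the inventory at all, and a stop command from a known read-only host. The check is a detection control, not authentication: a source address can be spoofed or an allowlisted workstation can itself be compromised, which is why the article treats monitoring as an early-warning layer rather than a substitute for the missing protocol-level authentication.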
While it is likely that many attacks are never revealed to the public, the list of known compromises is growing. The most notorious incident that arguably propelled the vulnerability of ICS into the mainstream consciousness was the discovery of the Stuxnet attack in June 2010, a “weaponised” form of malware. Since then several high-profile attacks have been seen against manufacturers and utilities, while others go under the radar, including long-term cyber espionage campaigns.
A 2016 industry report found that attacks targeting ICSs increased over 110 percent compared to the previous year, and a 2017 SANS study found that 69 percent of ICS security practitioners believe threats to their ICS systems are high, or severe and critical.
ICS networks have also been damaged as unintended side effects of problems starting in corporate networks that took advantage of increasing connectivity, proving clearly that the standard PCs that now form part of a typical ICS are open to the same compromises as their enterprise counterparts.
The 2017 WannaCry ransomware attack that affected the IT systems of organisations across multiple verticals and geographies caused severe disruptions to Honda’s manufacturing facilities. Such incidents demonstrate that indirect compromise poses as significant a threat to operational environments as successful targeted attacks against ICSs.
The threat from ‘trusted’ insiders is an important consideration for OT environments. Over the long lifecycles involved with the building and utilisation of infrastructure and manufacturing equipment, a large number of different individuals, including both permanent staff and short-term contracted specialists, will usually have interacted with control systems. Many of them will have had privileges that allow them to modify configurations or the underlying software and hardware.
Vetting and training staff can reduce but not eliminate the risk of insider incidents from occurring. These incidents can be unintentional due to a mistake or intended short cut that puts something important at risk, or a deliberate act by a disaffected or ideologically motivated individual.
Traditional network border defences such as firewalls perform an important function in a complete cybersecurity solution, but insiders are a key example of their limitations.
Businesses face many challenges as we move into an era of ever increasing connectivity. Those trying to secure industrial control systems as well as corporate networks face additional and substantially different problems.
There is public evidence of growing motivation and capability of threat actors towards control systems, a trend likely to continue and brought into sharp focus by the attacks over the past few years. De-risking the OT environment is a perpetual challenge requiring new technologies that will deliver continuous insight and provide early warning of both indiscriminate and targeted compromise. Total prevention of compromise seems effectively impossible for the foreseeable future, but prevention of crises is an achievable goal across both corporate IT and operational technology environments.