Before industrial control systems (ICSs) were network-connected, operators had little to worry about in the way of cyber threats. But as industrial environments, such as energy utilities, become more connected, they’re exposed to vulnerabilities and attacks. ICSs are used in large amounts of critical infrastructure, including the electrical grid, transportation systems, and wastewater plants.
How ICS Attacks Work and What They Cost
Most industrial cyberattacks aren’t initiated directly against the ICS, but leverage weakness in other systems or devices to gain an entry point into the process control network. From there, attackers move laterally within the control network to go after process logic controllers (PLCs) or distributed control systems (DCSs). As such, the top targets within industrial networks are those devices running commercial operating systems and databases, such as Microsoft Windows, Linux, Microsoft SQL Server, and Active Directory, that attackers leverage to gain an initial footprint in the industrial network. These systems run supervisory control and data acquisition (SCADA) applications, manufacturing execution system (MES) applications, engineering workstations, historians, and human-machine interfaces (HMI).
Security breaches can give hackers access to ICSs for monetary and intellectual gain, but those aren’t the only risks. In some cases, intruders can actually cause physical damage to plants and harm employees. Another concern for ICS operators is the risk of downtime because of its financial impacts. Downtime can cost companies $100,000 per hour or more.
Why Is ICS Security Such a Big Deal Right Now?
If it seems like ICS security is a topic you’re seeing everywhere, that’s because industrial operators find themselves scrambling to put out a number of metaphorical fires. In addition to increased connectivity making ICS more inviting to cybercriminals, there are a few other ways in which industrial environments are experiencing growing pains.
IT-OT Convergence. Over the last five decades, operational technology (OT) has been adopting information technology (IT) systems to improve efficiencies. Over the last two decades, however, this adoption has accelerated. Wireless networking, for example, took less than 10 years to be adopted from IT into OT. This adoption time period will get smaller and smaller over the next decade.
Not only has there been a convergence of technology, but there’s also been a convergence of staff responsibility, especially around industrial cybersecurity. IT has been dealing with cybersecurity for more than 20 years, while this is a relatively new challenge for OT. As such, more and more IT staff are having cybersecurity responsibility for OT, even though they might not fully understand the different operational needs of an industrial network.
The Rise of Regulation. Industries across the globe are being forced to adhere to cybersecurity regulations, such as North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) standards for North American utilities. Guidelines like the International Society of Automation’s ISA-99, the International Electrotechnical Commission’s IEC 62443, and the National Institute of Standards and Technology’s NIST 800-82 are also forcing operators to provide evidence that they’re adhering to cybersecurity best practices.
As these regulations are implemented, ICS operators have to provide audit-ready evidence to prove regulatory compliance. Maintaining proof of compliance using manual tracking methods is near-impossible given the size and complexity of ICS environments, so operators are looking to automated compliance solutions that keep their systems configured correctly at all times. After all, failing an audit can be devastating.
Three Things All ICS Operators Should Be Doing
To reduce the attack surface of an ICS and ensure it recovers from dreaded downtime as quickly as possible, ICS operators must make use of continuous monitoring, vulnerability assessment, and log management tools.
Continuous Monitoring. Many ICS operators lack visibility into what’s happening on their devices, such as switches, routers, and firewalls—a lot to keep track of. But to make matters more difficult, devices connected to the network, such as servers running SCADA or MES applications, engineering workstations, data historians, intelligent ethernet devices, and PLCs, must also be monitored. Unauthorized or unexpected configuration changes to assets like these can go unnoticed until it’s too late.
Continuous monitoring is about using security configuration management (SCM) to detect each and every relevant change that occurs in the ICS. Changes that must be monitored can take place in files, open running ports and services, database schema, network device configurations, and active directory configurations. In order to keep track of important changes that could indicate higher potential risks, a secure baseline must first be established to measure against. To do this, search for a security tool optimized specifically for ICSs that puts SCM front and center.
Vulnerability Assessment. Fixing known vulnerabilities is fundamental to the health of an ICS. That means end-users must understand what assets are exposed to vulnerabilities disclosed by major automation vendors, such as Rockwell, Siemens, ABB, and Honeywell, as well as from the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT). ICS operators must get into the habit of identifying and classifying published vulnerabilities from either vendors or organizations tasked with identifying and communicating cybersecurity-related activities.
The best way to do this is to rely on a tool that automates the process by identifying the systems, networks, and applications running in an environment, and then matching known vulnerabilities to them. Look for a network scanner that will scan for devices, determine what the device is and what it is running, and then report back on what vulnerabilities are applicable to that device.
Log Management. Many devices on the ICS have the ability to send logs. These logs contain information on how the network is running, whether there are any potential faults around operational disruption, and security events like a number of unsuccessful logins. But without a log management tool, that data isn’t actionable.
Log management is the capability to harvest logs from a number of different kinds of assets (like servers, applications, network devices, firewalls, and databases) into a central repository that can be used for forensic analysis. Security event information management takes log management to another level by being able to correlate different kinds of log events from multiple sources to see if events can be tied together.
Avoiding downtime requires equipping ICSs with tools for continuous monitoring, vulnerability assessment, and log management. These are the foundational strategies needed to measure your ICS security posture to help reduce the attack surface from potential threats and identify early indicators of compromise.
—Gabe Authier is product manager with Tripwire.