We often discuss the vulnerability of IoT on this blog, but there’s another acronym beginning with “I” we’ve touched on less, and it’s just as vulnerable: the ICS.
ICS, or industrial control systems, control physical processes in the world around us. They’re used in factories, power plants, even office buildings to control production and operation. Reports of hacks on industrial control systems have grabbed news headlines lately, but experts say there are far more attacks going on than are actually made public.
While companies that store customer data are mandated (or soon will be) to publicly disclose breaches of their systems, breaches of industrial control systems mostly fly under the radar. They’re no less serious than PPI breaches, and arguably more so: undermining the security posture of these types of companies could lead to loss of production, or worse, loss of life.
What are the risks associated with industrial control systems, and why are they difficult to secure? Here are three challenges when it comes to securing the ICS, according to Tom Van de Wiele, Principal Security Consultant at F-Secure, followed by three ways to protect them:
1. Legacy systems that were not built to be online.
Industrial control systems are built for long life spans. Many in use today were built two or three decades ago, before cyber security was a major concern. Basic security controls we take for granted today, such as access control, authentication or encryption, were not built into these legacy systems.
“Exposing ICS systems to IT and the internet opens them up to attack, something that previously was not possible,” says Van de Wiele.
2. Difficult to change or update.
A system costing millions that’s been built for decades of use is not going to be thrown out and replaced with a new one, even if it’s insecure. What’s more, updates are challenging – often, an ICS needs to be “on” all the time, especially when it comes to systems that affect critical infrastructure. This leaves little to no time for system updates and improvements. And as Van de Wiele points out, applications in the ICS world are made to be static for a reason: to be as deterministic as possible when it comes to the process they are automating.
“You do not want surprises when it comes to generating electricity, producing food or monitoring sewage levels,” he says. “You want the system and its ecosystem to work once and forever. Patching or updating systems does not necessarily fit into the security strategy of ICS, and that is perfectly fine. But exposing them at the same time should not be part of the model, and that is, unfortunately, what we are seeing today.”
3. Staff not on the same page.
“Unfortunately, industrial control companies still have an ongoing battle inside of them: the IT staff versus the industrial automation staff,” says Van de Wiele. For example, IT teams are not necessarily involved in ICS procurement, installation and maintenance, tasks that normally belong to plant engineers. This means IT is unaware of what control systems are being used and where – and you can’t protect what you don’t know about.
Attackers who successfully breach these systems are able to do so largely because of misconfigurations or because of a lack of company awareness about what is being exposed where. Insufficient segmentation between “office” IT and ICS-related IT, as well as control systems that sometimes end up directly on the internet, allow attackers to access these systems. In addition, administrative access is often not adequately restricted – common issues include high numbers of administrator accounts, the use of shared accounts, and using workstations with full administrator rights.
Protecting the ICS is a challenge, but in the age of ransomware and ever-evolving threats and emerging attack vectors, it’s critically important to follow security best practices. Equally important is adapting those practices to the target environment, says Van de Wiele.
“One size does not fit all. Unfortunately many companies get discouraged about the world of information security not understanding their needs and constraints. We need to help them find solutions that work in their environments.”
Here are Van de Wiele’s tips for protecting industrial control systems:
Allow only point-to-point communication for things that need to be reachable for other parties, with that communication protected against eavesdropping and tampering. Put all other services that revolve around internet-based communication (remote access, e-mail, control of systems) behind a VPN endpoint with two-factor authentication enabled, using personalized accounts. Where deviations are required, ensure compartmentalization by using virtualization to introduce jump hosts or other means. Several access realms (i.e. Active Directory forests) should exist to compartmentalize sufficiently.
2. Get to know your attack surface.
Use services like discovery scans combined with OSINT tools to get an overview of what is being exposed, what is potentially being risked, and what needs protection. Consider multiple vantage points – for example, third party documentation on how something has been set up, the internal infrastructure and how it is perceived, IP address ranges and IP blocks known or unknown to the organization.
Have a vulnerability management process that includes regular scans of non-business critical ICS components or as part of a test lab, combined with manual testing and detection mechanisms. Something that cannot be scanned or properly secured should be segregated from the rest of the network with other security controls in front of it.
Consider a specialized approach using ethical hackers to expose what is at stake. Doing so will help you outline a strategy to protect the organization. More importantly, it will enable you to track the progress made in closing security gaps, so the business can grow and mature as new technology is introduced in the future.
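One way to turn discovery-scan output into the overview described under tip 2, as an added example that is not part of the original article: it reconciles findings against the IP blocks the organization knows about and against where each zone should be reachable from. The inventory, zone names, vantage points, reachability policy and findings are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (documentation address ranges): block -> zone.
KNOWN_BLOCKS = {
    "192.0.2.0/24": "office",
    "192.0.2.128/26": "ics",      # carved out of the office /24
    "198.51.100.0/24": "dmz",
}

# Assumed policy: which scan vantage point may reach which zone.
ALLOWED = {
    ("external", "dmz"),
    ("office", "office"),
    ("office", "dmz"),
    ("jump-host", "ics"),
}

# Constructed discovery-scan results: (vantage point, address, open TCP port).
FINDINGS = [
    ("external", "198.51.100.10", 443),
    ("external", "192.0.2.130", 502),
    ("external", "203.0.113.77", 22),
    ("office", "192.0.2.140", 3389),
    ("office", "192.0.2.20", 445),
    ("jump-host", "192.0.2.131", 502),
]

def zone_of(address):
    """Return the zone of the most specific known block containing address."""
    ip = ipaddress.ip_address(address)
    nets = [(ipaddress.ip_network(cidr), zone) for cidr, zone in KNOWN_BLOCKS.items()]
    hits = [(net.prefixlen, zone) for net, zone in nets if ip in net]
    return max(hits)[1] if hits else None

def classify(vantage, address):
    zone = zone_of(address)
    if zone is None:
        return "unknown-block"            # exposed, but not in the inventory
    if (vantage, zone) not in ALLOWED:
        return "segmentation-violation"   # reachable from where it should not be
    return "expected"

def review(findings):
    """Return only the findings that need follow-up, with their verdict."""
    verdicts = [(classify(v, a), v, a, p) for v, a, p in findings]
    return [row for row in verdicts if row[0] != "expected"]

if __name__ == "__main__":
    for verdict, vantage, address, port in review(FINDINGS):
        print(f"{verdict:24} {address}:{port} seen from {vantage}")
```

Scanning from several vantage points is what separates the two verdicts: the same control-system host is expected when seen from the jump host and a segmentation gap when seen from the office network or the internet.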
3. Realize that not every problem is a tech problem.
Some problems are less about tech and more about people, communication, organizational structures and ways of working. In the case of the IT staff versus the engineering staff, says Van de Wiele: “Both worlds need to be integrated and a trade-off needs to be made between being able to cope with today’s demand on the market, and ensuring IT scales in a way that does not undermine the company’s security posture.”