Industrial Control Systems and Cybersecurity

by Craig Reeds

Let's start with some definitions, to make sure we are all on the same page.

An Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) system is an industrial computer system that monitors and controls a process.

This can be anything from flood control pumps and an electric utility's power generation and distribution system to building cars and making candy bars.  Another set of terms I will be using are IT and OT.

IT is your normal office Information Technology, where OT is Operational Technology, the sort of technology used in manufacturing or industrial environments.

Industrial control systems have been around in one form or another since we started manufacturing things centuries ago.  In their current incarnation, they are electronic, computerized systems.

With the advent of the Internet and, more recently, the Industrial Internet of Things or IIoT, industrial control systems are being pushed into being connected to the Internet.  This is a step that can only cause problems.

Connecting industrial control systems to the corporate network and/or the Internet has opened the floodgates to serious cybersecurity risks, threatening to cause billions of dollars in damage and possible death to people and livestock.  Even though we are faced with this danger, cybersecurity spending by critical infrastructure companies and manufacturing companies is lagging.

The first computer virus was created in 1981 and up until Stuxnet in 2010, viruses were confined to just damaging computers and could not affect the physical world.

Now we are faced with viruses and hacking attacks that are intent on disrupting the physical world.

Over the past years, we have allowed Internet-borne cyberthreats to find their way into industrial control systems and cause lots of problems and dangers for the people that work with and around them.  A well placed cyberattack can cause human casualties, billions in infrastructure damage, and even bring certain operations of our critical infrastructure to a screeching halt.

Cyberattacks such as LockerGoga, WannaCry, NotPetya, Triton, Project Sauron, CrashOverride, and many of their mutations have proved that Industrial Control Systems are not only vulnerable, but very attractive targets.

Some statistics, according to the latest threat landscape for Industrial Automation Systems in H2 2018 data from security vendor Kaspersky Lab:

  • Nearly 41 percent of all ICS endpoints were attacked.
  • Trojan malware was found on 27 percent of ICS endpoints.
  • 26 percent of attacks come from the Internet.
  • A survey commissioned by Tenable found that in industries using industrial control systems (ICS) and operational technology (OT), 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks.
  • 37 percent report at least one significant disruption caused by malware and 23 percent report at least one nation-state attack. 23 percent report at least one instance of economic espionage and 21 percent reported an instance of cyber extortion, such as a ransomware attack.

So, now that I have scared you a little, let's look at why these things are happening and what we can do to protect industrial control systems.

Many companies are pushing to combine their IT and OT departments, something they call IT/OT Convergence, and it is really not a very good idea, since IT and OT have differing goals.

IT's primary goals are Confidentiality, Integrity, and Availability - the CIA triad.  While doing this, they also try to make it possible for the users to access the network from any location that they are working from, using whatever computing device they have with them.  The goal is to make it as easy to work from an airport, hotel room, or coffee shop as it is to work in the office itself.  Technology is updated and replaced often.  Service packs are loaded, new software releases are loaded, and bugs are fixed.

OT's primary goals are availability, integrity, and confidentiality, a complete reversal of the CIA triad.

They strive to keep production running, be it an electric utility, an oil rig, or a Pop-Tarts factory 24/7/365.

In the case of an electric utility, in order to meet the required standards, it is a closed system without the open access provided by IT systems.

However, back in January, the Wall Street Journal published an article detailing how some bad actors (they said Russians) hacked into the electric grid here in the United States.  They were able to do this due to a lack of security on the jump servers at low impact facilities.

This vulnerability has been closed, or should have been closed, based on the changes for low impact entities detailed in NERC CIP-003-6 Attachment 1 which went into enforcement September 1st, 2018 and NERC CIP-003-7 that goes into effect January 1st, 2020.

Something else to realize about this hack is that it started on the IT side of the house.  If IT and OT at the attacked facilities had understood each other better, it could have been stopped.

The primary goal of Operational Technology cybersecurity personnel is to make the control systems as secure as possible, and this means controlling how users connect and what they use to connect with.  This is accomplished by having very strict firewall rules and only opening secure ports or running services if they can be justified.  OT systems such as these were never meant to be connected to the Internet and never should be if the goal is to protect them.

When it comes to OT, it doesn't matter what industry you run a cyber vulnerability or penetration test scan on.

You will always find some out-of-date system, like a Windows XP computer, or a PLC that is pivotal to the operation and has an unpatched security flaw.  Many times, systems are running the same software they were when they were installed; patches have not been loaded, either because they were never tested by the vendor who supplied the equipment or because they were thought to be unneeded since the equipment isn't connected to the Internet.

Remember, some of the OT equipment is 10 to 20 years old; it was never meant to be connected to the Internet.  These devices often do not have built-in security capabilities because no one ever figured they would be connected to the Internet.

Moving away from the traditional "air-gapped" (no external connections) industrial control system to a corporate network or Internet connected system is dangerous.  The security procedures, protocols, and protections that make sense for corporate IT cannot be applied to systems that were never created to be connected to the outside world.

When it comes to cybersecurity of industrial control systems, the biggest issue is the lack of operational technology knowledge among cybersecurity professionals.  Most everyone has the IT knowledge, but it cannot always be applied to an OT situation.  For instance, when running an Nmap or OpenVAS scan on an industrial control network, do you know what equipment could lock up if you do too deep of a scan?  There is a major difference between IT and OT, and it needs to be understood before any sort of scans are run.

Many universities and colleges have amazing cybersecurity programs that teach the students how to protect and configure all the latest and greatest equipment.

Those students graduate ready to stop the evil Bad Actors from attacking corporate networks all around the world.  This is a great thing - we need them there, fighting the good fight and providing us with those protections.  However, when it comes to industrial control systems like those at our utilities and manufacturing plants, there is a lack of cybersecurity knowledge and support.

So how do we solve these problems?

  1. You have potential OT cybersecurity gurus in your maintenance department.  Take someone that knows the process and teach them cybersecurity.
  2. Resist merging IT and OT into one department.
  3. Forget traditional anti-virus software and implement application whitelisting.
  4. Ensure proper configuration/patch management.
  5. Reduce your attack surface area - disconnect from the office network and the Internet.
  6. Build a defendable environment - segment the network.
  7. Manage authentication - multi-factor authentication.
  8. Implement secure remote access.
  9. Monitor and respond.
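Items 5 through 8 above, together with the earlier point about strict firewall rules and justified ports, can be turned into a check you run against your own IT/OT boundary rules.  The following is an added example written for this article, not code from the author; the rule format, zone names, jump-server address, and sample rules are all constructed assumptions, not any vendor's syntax.

```python
"""Audit firewall rules at the IT/OT boundary against the article's principles:
no direct Internet or office-network access into the control network, remote
access only via a dedicated jump server, and every open port justified.
Rule format, zone names and sample data are assumptions constructed for this example."""

from dataclasses import dataclass

OT_ZONES = {"OT", "SCADA"}   # assumed zone names for the control network
JUMP_HOSTS = {"10.10.1.5"}   # constructed address of the OT jump server

@dataclass
class Rule:
    name: str
    src_zone: str
    src: str           # host, CIDR, or "any"
    dst_zone: str
    port: str          # e.g. "502", "3389", or "any"
    justification: str = ""

def audit(rules):
    """Return (rule name, finding) pairs for rules that break OT policy."""
    findings = []
    for r in rules:
        if r.dst_zone not in OT_ZONES:
            continue   # only traffic inbound to the control network is audited
        if r.src_zone == "INTERNET":
            findings.append((r.name, "direct Internet access into OT"))
        elif r.src_zone == "IT" and r.src not in JUMP_HOSTS:
            findings.append((r.name, "IT access into OT not via jump server"))
        if r.port == "any":
            findings.append((r.name, "opens all ports; permit only justified services"))
        if not r.justification.strip():
            findings.append((r.name, "no written justification for open port"))
    return findings

# Constructed sample ruleset: one compliant rule and three with problems.
SAMPLE_RULES = [
    Rule("jump-rdp", "IT", "10.10.1.5", "OT", "3389", "Operator RDP via MFA jump host"),
    Rule("hmi-web", "INTERNET", "any", "OT", "443", "Vendor support portal"),
    Rule("eng-any", "IT", "10.20.0.0/16", "OT", "any", ""),
    Rule("modbus", "OT", "10.30.0.0/24", "SCADA", "502"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```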