Industrial Control Systems Cybersecurity: Importance & Protection
Industrial Control Systems are what we call the specialized industrial computers that control critical infrastructure and process automation systems.
Examples of where industrial control systems are used in critical infrastructure include the power grid, water and wastewater management, transportation, and natural gas.
Process automation systems that use industrial control systems include nuclear power plants, oil refineries, steel mills, and most types of factories. Any time an industrial process is automated, an industrial control system is likely being used.
Because so much of modern life depends upon the convenience and safety afforded by industrial control systems, cybersecurity is of utmost importance for these systems.
Imagine the catastrophic consequences that could result from a crippled power grid, a contaminated water supply, or a hijacked transportation system.
Lives could be lost from loss of power in hospitals and other care facilities, large populations could become sick from contaminated drinking water, and trains could be derailed to not only injure passengers but to render mass transit systems inoperable.
Because these systems were designed with reliability in mind, security (often considered to be an enemy of usability) has traditionally been ignored or deprioritized.
Since the first recorded attack on industrial control systems in 2010 with the Stuxnet attack on the Natanz uranium enrichment facility, the need for cybersecurity in industrial control systems has become recognized.
Threats to ICS
When you picture a hacker, you may think of a shady figure wearing a hoodie in a dark room surrounded by computers working away feverishly to bypass an organization’s firewall.
While we may never know if hackers really do like to wear hoodies or work in the dark, one thing we do know is that most of the time, initial access to a target organization is gained via phishing – that is, a malicious email that is crafted to appear as if it is from a reputable source with the intent of tricking the user into clicking on a malicious link or providing sensitive information.
According to the Verizon 2022 Data Breach Investigations Report, approximately 82% of all breaches involved some form of social engineering, making it a top concern for network defenders.
Since the Stuxnet infection of the uranium enrichment facility at Natanz, several additional notable cybersecurity attacks have occurred across the world.
These include the 2014 attack on a steel mill in Germany, the 2015 and 2016 attacks on the Ukrainian power grid, the 2017 attack on a Saudi Arabian petrochemical plant, the 2021 attack on an American gasoline pipeline, an attack on a water treatment facility in Florida, and more.
The motivation for these attacks ranges from political gain by nation-states to financial gain by organized cybercrime gangs.
With attacks on industrial control systems becoming more common every year, cybersecurity for industrial control systems is quickly becoming a necessary component for many organizations.
Current challenges in industrial control system security
One emerging trend over the past decade has been malware which is tailored specifically to industrial control systems.
Malware such as Stuxnet, Industroyer, Triton, and Pipedream, to name a few, have been used to target ICS hardware specifically, with the intent of disrupting operations or destroying equipment.
Developing custom malware is a time and resource-expensive endeavor, and is usually seen only in highly targeted attacks, although this may change soon with the recent introduction of modular ICS attack frameworks such as Industroyer and Pipedream.
More opportunistic attacks on industrial control systems usually involve an attacker manually manipulating ICS components through remote access software such as VNC or TeamViewer, as was the case in the attack on the Oldsmar water treatment plant in Florida in 2021.
The effect of a cyberattack on an industrial control system can be particularly devastating as it affects more than just the digital world.
While a ransomware attack on an IT system can cripple an organization, an attack on an OT system has the potential to not only hinder the operations of an organization, but to destroy equipment, disrupt critical infrastructure, and cause loss of life as well.
Whereas the primary purpose of IT systems is to access, transfer, and store information, the primary purpose of OT, or Operational Technology, systems is to manage industrial control systems, making them much more sensitive in nature.
Best practices for ICS cybersecurity
While there is some overlap between cybersecurity best practices for IT systems and OT systems, there are some special considerations for industrial control systems.
While IT systems are often managed using centralized management systems such as Active Directory, industrial control system components must usually be managed as standalone systems.
Too often, these default passwords remain unchanged, allowing an attacker easy access once they’ve penetrated the network.
Special care must be taken to ensure that default credentials have been changed or removed for each component. The new credentials must then be securely stored in order to prevent an attacker from gaining access to them.
Another unique aspect of securing industrial control systems is that endpoint protection software and firewall software typically cannot be installed on these systems.
Therefore, a carefully designed network architecture is required to effectively build a wall around these systems to protect them from unauthorized access.
This is usually accomplished through network segmentation using firewalls, VLANs, or software-defined networking.
In addition to adequately defending your industrial assets, it is important to have an incident response plan in place to determine how you will respond to, and recover from a cyberattack, should one take place.
This will enable you to quickly and effectively respond to an event and minimize the impact of a cyberattack on your organization.
Patching and vulnerability mitigation
In the IT world, security updates are usually applied on a regular schedule to patch security vulnerabilities. In the OT world, patching is performed far less frequently, if ever.
This is often due to the fact that these systems control critical processes, which if interrupted, could have severe consequences.
If a critical vulnerability exists on an ICS device and it cannot be patched, compensating controls should be applied to mitigate the risk posed by the vulnerability.
This could be in the form of more strict firewall rules, more robust access control measures to restrict access to only authorized personnel, etc.
If patches can be applied to ICS components, they should be tested in a development environment to ensure that the updates will not disrupt the production system.
In conclusion, cybersecurity for industrial control systems is critical to defending your organization from potentially catastrophic cyberattacks and is becoming more important every day.
Having securely configured industrial control systems does not happen by accident, and a proactive approach is required to identify risks, protect assets, detect attacks, and respond to and recover from incidents.
Cybersecurity for industrial control systems is a complex and multifaceted topic, and due to the uniqueness of each system, a customized approach to defending your industrial assets is required.
Despite the additional complexity that securing industrial control systems brings compared to traditional IT systems, it is possible, and knowing how to properly identify risk, implement defensive controls, and plan for security events will make you a valuable asset to any organization that relies on operational technology for their critical functions.
To learn more about securing industrial control systems, be sure to check out the RealPars courses on this topic. In these courses, you'll learn about ICS malware, ICS attackers, past ICS security events, and how to defend your network from similar attacks in the future.