Mark Carolan, head of R&D, BSI Espion

The EU Agency for Network and Information Security (ENISA) said in its annual Threat Landscape Report [1] that “hostile agents (the bad guys) have advanced their malicious tools with obfuscation, stealthiness, and striking power”. Evidence of this came with the recent IoT-botnet DDoS attack that temporarily took Twitter, Spotify, CNN, Netflix and a dozen other websites offline. The attack was serious enough that MIT professor of mechanical engineering Sanjay Sarma has warned: “There's more coming, sadly perhaps a power plant” [2].

Mark Carolan, one of Europe's foremost specialists in securing the technology that controls critical infrastructure, believes information security professionals should be worried about the industrial control systems (ICS) in their infrastructure. As cyber-risk increases, practitioners must look beyond the scope of their own area of governance and consider the parts of the business that operate computer systems “outside of their control”.

ICS are the computer systems that operate critical infrastructure, from power stations, airports and traffic management through to oil and gas pipelines. They often carry inherent security flaws because they were built before the era of internet connectivity, for isolated networks rather than for hostile peers. The networking that has allowed critical infrastructure to be connected together exposes these systems to a huge portfolio of cyber-threats: advanced persistent threats, viruses and other malware, opportunistic hacking, and targeted attacks by criminals or nation states.

The problem with ICS

Given that poor security in these systems has the potential to unleash a national catastrophe, any IT infrastructure that supports an industrial network of any kind (whether through a direct connection, an indirect one such as a data diode or gateway, or a nominal air gap) should have that component included in the scope of its security programme. Otherwise IT security teams risk becoming the unwitting enablers of a cyber-attack.

As every IT security manager or CISO knows, security is only as good as the weakest link in the chain. In many cases the connections to ICS (and there are always some) are that weakest link.

Here are some examples:

1.    OS and OS security updates:  How and when are operating systems in the ICS domain updated? Frequently and comprehensively, or “as required” and hiding behind an “air gap”? Does their absence introduce a known vulnerability into an otherwise well-protected enterprise? And how long can a system survive without them, given the growing pressure from vendors to keep updating in order to remain within support?

2.    IDS/IPS/AV updates:  How and when, or does the same question apply? How does a less-than-perfect “periodic” update schedule affect the overall security posture?

3.    MIS feeds from ICS to the enterprise:  How does management get its feeds on production rates and consumable usage? Unless the feed is strictly one-way, how is the integrity of the ICS preserved, given that any return path is also a path by which the control network can be altered?

4.    Vendor/supplier remote access:  Whether for diagnostics or routine maintenance, how is access to ICS systems controlled, and where are the attack vectors?

5.    The so-called “air gap”:  How is it policed? Does it have logged and monitored ingress points, and how are they reported? Are the mechanisms ICS protocol-aware, or are they simply access points through which state-sponsored or organised-crime malware can be introduced?

There are numerous examples of security policy violations being tolerated because they do not sit firmly within the well-governed IT world. Ultimately a lack of security governance here could adversely affect the company and everyone who works in IT.

The view from the other side of the fence…

Those who work within ICS environments understand that although events happen on split-second timeframes, they generally happen in a well-understood environment where change is infrequent, and so outcomes are known and planned for in advance. This cannot continue indefinitely. The word “smart” increasingly features in these environments, and that means one thing: a massive increase in the number of potential ingress points on the periphery of the environment, each a legitimately addressed, reachable endpoint. Furthermore, “open standards” and unencrypted packets visible on the network will fall within the scrutiny of the general public, and therefore of the nefarious individuals described in example 5 above.

Bearing in mind that even the large ICS projects only now coming online were five years in the planning, and that only some of them use the newest ICS security products, the vast majority of systems in daily use still have:

  • No authenticated access methods, especially machine-to-machine
  • No encryption of data in transit or at rest
  • No forensic data capabilities
  • No security or audit logging capabilities
  • No intrusion detection or prevention capabilities whatsoever

… and these systems are continuously being networked across shared or public networks such as MPLS, the common internet, VSAT links or IEEE 802.x wireless.
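As an added illustration (not from the original article, and not any BSI Espion tooling) of what an “ICS protocol-aware” ingress mechanism from example 5 above looks like, and of why the missing authenticated machine-to-machine access in the list above matters: the Python below decodes Modbus/TCP requests crossing an IT/OT boundary, writes the audit line such systems lack, and flags writes from anything but the engineering workstation. Because a Modbus PDU carries no credential, the network source is the only thing the monitor can check; the example shows two byte-identical write requests that differ only in who sent them. The zone names, host addresses and traffic are constructed assumptions for the example; the function codes and frame layout are those of the public Modbus specification.

```python
"""Protocol-aware monitor for an IT/OT boundary (added illustrative example)."""
import struct
from typing import Dict, List, Tuple

# Modbus/TCP function codes (values from the public Modbus application spec).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical zone policy for this example (addresses are assumptions):
# the historian is the only IT-side host allowed to poll the PLC, and the
# engineering workstation is the only host allowed to write to it.
HISTORIAN = "10.1.5.20"
ENGINEERING_WS = "192.168.100.10"
PLC = "192.168.100.50"


def build_modbus_tcp(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble MBAP header + PDU. The MBAP length counts unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([function]) + data


def parse_modbus_tcp(payload: bytes) -> Dict[str, int]:
    """Decode the MBAP header and the leading fields of common read/write PDUs."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    frame = {"tid": tid, "unit": unit, "function": payload[7]}
    data = payload[8:]
    if frame["function"] in (1, 2, 3, 4) and len(data) >= 4:
        frame["address"], frame["quantity"] = struct.unpack(">HH", data[:4])
    elif frame["function"] in (5, 6) and len(data) >= 4:
        frame["address"], frame["value"] = struct.unpack(">HH", data[:4])
    elif frame["function"] in (15, 16) and len(data) >= 5:
        frame["address"], frame["quantity"] = struct.unpack(">HH", data[:4])
        frame["byte_count"] = data[4]
    return frame


def assess(src_ip: str, src_zone: str, dst_ip: str, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, audit line) for one boundary-crossing request.

    The verdict rests entirely on the network source: the PDU itself says
    nothing about who sent it, so identity has to come from the zone model.
    """
    frame = parse_modbus_tcp(payload)
    fc = frame["function"]
    name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"function {fc}"
    if fc in WRITE_FUNCTIONS:
        if src_zone == "OT" and src_ip == ENGINEERING_WS:
            verdict = "ALLOW"
        else:
            verdict = "ALERT write from non-engineering host"
    elif fc in READ_FUNCTIONS:
        if src_zone == "IT" and src_ip != HISTORIAN:
            verdict = "ALERT unapproved reader from IT zone"
        else:
            verdict = "ALLOW"
    else:
        verdict = "ALERT unexpected function code"
    audit = (f"{src_zone}:{src_ip} -> {dst_ip} unit={frame['unit']} tid={frame['tid']} "
             f"fc={fc} ({name}) addr={frame.get('address')} verdict={verdict}")
    return verdict, audit


# Constructed sample traffic for the example; no real capture is involved.
SAMPLE_TRAFFIC = [
    # historian polling ten holding registers: the expected one-way MIS feed
    (HISTORIAN, "IT", PLC, build_modbus_tcp(1, 1, 3, struct.pack(">HH", 0, 10))),
    # engineering workstation writing setpoint 500 to register 16
    (ENGINEERING_WS, "OT", PLC, build_modbus_tcp(2, 1, 6, struct.pack(">HH", 16, 500))),
    # the same write PDU from an unknown IT host: only the source differs
    ("10.1.7.44", "IT", PLC, build_modbus_tcp(3, 1, 6, struct.pack(">HH", 16, 500))),
    # unknown IT host polling coils
    ("10.1.7.44", "IT", PLC, build_modbus_tcp(4, 1, 1, struct.pack(">HH", 0, 8))),
    # another OT host writing two registers: a lateral write inside the zone
    ("192.168.100.77", "OT", PLC,
     build_modbus_tcp(5, 1, 16, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 1, 2))),
]


def run_samples() -> List[str]:
    """Assess every sample, print the audit line, and return the verdicts."""
    verdicts = []
    for src, zone, dst, payload in SAMPLE_TRAFFIC:
        verdict, audit = assess(src, zone, dst, payload)
        print(audit)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    run_samples()
```

Running the script prints one audit line per request; the third and fifth requests are flagged even though their PDUs are valid, well-formed Modbus, which is exactly the check a port-level “air gap” firewall cannot make.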

Thankfully, as in the IT world, ICS standards are emerging, such as the ISA/IEC 62443 series, along with many industry-specific examples. Legislators too have recognised the need to move swiftly: the European Parliament recently passed the Directive on security of Network and Information Systems (NIS Directive), part of a series of measures the Commission has adopted to raise the EU's preparedness against cyber-incidents.

Not on my watch

Against a backdrop of increasingly sophisticated and rapidly growing cyber-attacks, organisations need to establish a unified cyber-risk programme that encompasses the ICS environment. Keeping ICS and IT systems secure requires a robust and collaborative approach between all the stakeholders: IT security, engineering, senior management and operations (both plant and IT).

For their part, IT security teams must be assertive in demanding that cyber-risk management be integrated into production disciplines. This must be in-depth and detailed in every aspect, with specific actions to improve security implementation, including measures to establish the essential underlying management processes and a specific mandate that risks are continuously reviewed.

Ultimately the ethereal “air gap” between IT and ICS will need to fall into one camp or the other; otherwise we will be no better off than we are now.


Contributed by Mark Carolan, head of R&D, BSI Espion