Safeguarding control systems - Minimising ICS cyber-security threats

Opinion by Robin Whitehead

New risks arise as IT and OT converge and become increasingly connected, with many control systems now overlapping with enterprise systems to provide accessible, secure information that is visible across organisations.

A recent report by cyber-security training provider SANS revealed that 40 percent of industrial control system practitioners are not adequately equipped to defend against cyber-attacks on critical plant infrastructure. Hence the importance of safeguarding control systems from cyber-attacks in the connected world.

Industrial control systems (ICS) encompass a variety of interconnected field devices that capture and deliver process-critical real-time data to programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS). These systems have traditionally operated in isolation and therefore have been inherently immune to cyber-attacks.

Localised and expanded connectivity between the components of an ICS is not a new concept; a multitude of manufacturer-specific communication platforms, protocols and cabling systems have existed for decades. However, over recent years, with the successful adoption of Ethernet in the corporate world, the open platform has quickly become commonplace in industrial settings. This means that, instead of communicating through closed applications using protocols that are inherently secure, control systems using TCP/IP are now accessible and connected to the wider world.

The threat 

Plant managers are now demanding more from their ICS to deliver operational improvements through smarter, information-enabled machines. As a result, the domains of IT and OT are converging and becoming increasingly connected, as many control systems are now overlapping with enterprise systems to provide accessible, secure information that is visible across organisations.

In 2010, Stuxnet, a malicious computer worm, targeted Iran's nuclear enrichment programme, infecting 100,000 computers at 22 manufacturing sites and destroying 1,000 centrifuges. The worm was initially spread using removable devices, but went on to exploit controller architecture.

Unsecured control systems can have a devastating effect on plants if risks are not identified and resolved quickly. One of the most significant security risks posed by control systems is the use of legacy systems. These systems typically work on closed, proprietary communication protocols, and their migration to open protocols can present a number of issues, including unpatched software and hard-coded passwords.

IT vs OT

While the convergence of IT and OT systems has led to increased connectivity, the two still have many differences when it comes to security. Attacks on IT systems often lead to the theft or corruption of data; however, attacks on OT systems can affect the physical operation of a facility, leading to unplanned downtime or, in the case of Stuxnet, damaged or destroyed equipment.

Despite their differences, the security of both systems overlaps: many security issues faced by OT are identical to those of IT.

In 2016, internet security software firm Kaspersky Lab released a report identifying 75 vulnerabilities in the ICS components of a group of vendors. The vulnerabilities were categorised into five groups: remote code execution (RCE), denial of service (DoS), code injections, file manipulations and user access account manipulation.

These vulnerabilities range from enabling arbitrary code to be remotely executed in a target system (RCE) to enabling file manipulation, where files are remotely created, deleted or moved.

Security framework 

To truly prevent any form of cyber-attack, a plant must have a robust security framework that encompasses people, processes and technologies. While having the latest firewalls, antivirus and intrusion detection software is important, it is redundant if staff are not trained properly.

Plant managers should define cyber-security roles and responsibilities in their facility. Security should not be left to one person — each member of staff must understand their role and what is expected of them to ensure the site and systems remain safe.

Standards such as ISO/IEC 27000 can provide a strong foundation for protecting information and assets. In particular, ISO/IEC 27001 describes best practice guidelines for information security management systems (ISMS), with details on how to manage, monitor, audit and improve security.

As companies invest in new technologies to realise the competitive advantage created through smart manufacturing, the demand on industrial control systems will continue to grow. Increased connectivity means the security of these systems will only become more imperative to tackle the risks posed by cyber-attacks.

Security frameworks need to evolve and adapt, like the businesses they are protecting. Without a commitment to security, manufacturers will fall victim to the many pitfalls faced by open protocols.

Contributed by Robin Whitehead, strategic projects director, Boulting Technology.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
