As you’ve likely seen in the news – cybersecurity for Industrial Control Systems (ICS) is a hot topic lately, up for much scrutiny and debate. The rising number of attacks on ICS and critical infrastructure proves that the way networks and operational technology (OT) have traditionally been managed is no longer viable.
Since Stuxnet malware was discovered in 2010, and with the number of ICS targeted attacks that have followed, there has been a much-needed industry-wide awakening. Forward thinking companies are looking for ways to protect not only their technology assets, but the welfare of their employees and constituents.
Protecting OT, ICS and SCADA networks is our specialty. We are experts in the kind of attack facing this industry and we have spent years developing solutions designed to prevent hacks before they happen.
We’ve put together answers to a few frequently asked questions about recent industrial-facing cyber-attacks. Have a question that isn’t answered here? We’d love to chat with you about it. Feel free to reach out to the Blue Ridge Networks team at firstname.lastname@example.org.
Why are Industrial Control Systems a prime target for cyber attackers?
In the past Operational Technology (OT) systems within ICSs typically ran on proprietary networks, used proprietary equipment, and were traditionally logically isolated, or air-gapped, from IT infrastructure. This made them exponentially more difficult to breach, than widely connected IT networks. While the ‘security through obscurity’ or ‘security by air gap’ way of thinking may have been effective at the time, the convergence of IT/OT has eroded this way of thinking. Now, as systems have evolved and become increasingly interconnected, attackers have identified them as a viable target.
Industrial organizations represent tremendous economic value and contain high volume transactions. Networks are traditionally dispersed with several service providers accessing equipment and potentially opening backdoors for adversaries to gain access to critical critical infrastructure. The ramifications from these data breaches are much more severe than commercial data hacks. Intent varies depending on the threat actor, but can range from causing a nuisance to operational disruption or outage of power transmission and distribution. In the most extreme case, bad actors could cause physical damage and potentially threaten health and safety and cause serious damage to the environment.
What’s wrong with the way things have been managed in the past?
Even today, ICS networks are typically flat and widely open. They have weak or no authentication in place and don’t encrypt communications. Field sites are often equipped with remote access capabilities to allow vendors and operators to perform remote diagnostics and monitoring, usually over a poorly secured connection. There typically isn’t a single pane of glass view into the varying communications media, protocols, and equipment that are openly communicating to keep operational processes flowing.
Historically, there has not been a great need for specific ICS cybersecurity solutions. OT systems weren’t built with security in mind so typically IT security professionals have recommend simply adding extra tools that would provide minimal cover, and ultimately degrade system performance. Alternatively, they suggested ripping and replacing the entire network architecture to accommodate for new technology and system updates.
These are difficult options considering OT systems are a few decades old, often cannot be patched, and still completely need to be functional for their intended use – not to mention it would be extremely costly and time intensive. This represents the cultural impact of the IT/OT convergence. To properly address ICS cybersecurity, it’s imperative to create a cross-functional cybersecurity team that consists of both IT security staff and control system engineers or operators.
Why can’t critical infrastructure operations, like power grids, rely on intrusion detection, attack signatures, and/or patch management approaches alone?
Even the best and most widely used IP cybersecurity tools are ineffective for most of an OT infrastructure. For instance, network IDS and even firewalls depend upon detection of anomalous behavior of standard protocols and applications. An OT infrastructure is rife with proprietary operating systems, applications and protocols. Vigorous patch management is widely considered the most effective preventative measure among IT security professionals. But many OT product vendors do not issue patches, and their customers do not demand them, because patching of existing infrastructure can be very disruptive. Imagine this – what would happen if the power company announcing power outages once a week for patch application?
Knowing that bad actors are likely already in our most critical systems, what can be done now?
To limit the exposure of existing compromised devices, industrial organizations should isolate and contain, or segment potentially infected networks from other uninfected networks to limit their exposure. True isolation and containment coupled with granular access control and session authentication can cut off the adversary’s access to command and control channels, thereby limiting the effects of the attack they were intending to carry out.