Steps to Control Your Industrial Control Systems

Sept. 20, 2018
Organizations must take a risk-based approach to ICS security

The digital revolution that transformed both commercial organizations and governments is now affecting systems deployed in the industrial world – and at a frightening runaway pace. Such rapid change has left many organizations struggling to secure these systems and thereby reduce the likelihood of successful attacks. A recent survey throws the extent of this struggle into stark contrast, reporting that 69 percent of organizations considered the threats to Industrial Control Systems (ICS) – which often run outdated, legacy software – to be high or severe/critical.

The term ICS describes different types of systems used to operate, control and monitor a broad range of machinery from small, single-purpose devices such as water pumps, to a large infrastructure such as a national railway network. ICS form the bedrock of organizations in industry sectors including utilities, transportation and manufacturing, and are often a key constituent of a country’s critical national infrastructure (CNI). Many ICS are now interconnected with enterprise IT or external networks and are becoming increasingly attractive targets for attackers.

ICS and Related Information Require Protection

Physically, ICS need protection from unauthorized access, interference and damage. ICS-related information, such as commands to control machinery, critical monitoring data, sensitive architectural designs and user authentication credentials, also requires protection as this information is crucial to operation.

The impact of a compromise of confidentiality, availability or integrity (CIA) of ICS-related information can include severe injuries or fatalities, major disruptions to business operations, substantial financial or operational penalties and significant reputational damage. However, protection of information is often given lower priority by ICS operators, architects and engineers, whose focus is on the safety, reliability and availability (SRA) of ICS and the machinery they control.

Organizations lack assurance over the security of ICS environments and have serious concerns about the effectiveness of ICS security arrangements. This is compounded by an increasing yet unclear level of risk to these environments and constraints on ICS protection. Consequently, there is a compelling need for business leaders to step in and demand increased security for ICS environments.

Introducing ICS

There are different types of ICS that control and monitor physical machinery in industrial environments. These include PLC, DCS and SCADA. Furthermore, an ICS may be embedded in physical machinery, located in a remote device (be it a hand-held device, a local controller or part of an integrated system in a control room), or both.

ICS are used in industry sectors that focus on large-scale physical activities, such as manufacturing, mining, utilities and transportation. ICS can also be located in an organization’s supply chain, which can influence supply chain risks with suppliers of goods and services.

ICS are often ‘mission critical’, ‘safety critical’ or support CNI. The control of physical machinery has evolved from manual operation, through mechanization, to computerized ICS. In today’s modern world, ICS – sometimes referred to as operational technology (OT) – are increasingly connected to IT systems used in more traditional corporate environments. However, the technology used in these environments can be extremely different.

A Growing Need to Protect ICS Environments

In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line. As a result, senior business managers and boards are under growing pressure to improve and maintain the security of ICS environments. This pressure is fueled by:

  • Significant concerns raised about ICS and cyber risk (e.g. as highlighted by the World Economic Forum)
  • Cyber attackers becoming increasingly sophisticated and well-resourced
  • The profile and potential for misuse of the Industrial Internet of Things (IIoT)
  • Major and widely publicized cybersecurity incidents, along with accompanying headline publicity
  • Expanding media coverage of technical ICS security vulnerabilities

Organizations are therefore faced with a lack of assurance over the security of ICS environments and have serious concerns about the effectiveness of ICS security arrangements. This situation is compounded by an increasing yet unclear level of risk to these environments, and constraints on ICS protection.

  • Uncertainty about the security status of ICS environments: There are many different types of ICS with varying purposes and levels of criticality, including those used to support complex, critical environments such as a power station, a chemical plant, an air traffic control tower or a car manufacturing plant. ICS may also constitute simple process control systems for air conditioning units, elevators or vehicles that are often less critical. Consequently, many organizations are faced with a lack of assurance over the security of increasingly diverse ICS environments.
  • Unknown extent of security weaknesses in ICS environments: At the Information Security Forum (ISF), our members have expressed concerns over the extent and severity of information security weaknesses in ICS environments, compounded by: known technical security weaknesses in ICS components; insufficient consideration of security requirements; a range of sophisticated attackers; and the nature, scale, complexity and costs associated with ICS and the machinery they control.
  • Inconsistent ICS regulatory landscape: Some ICS environments, particularly those that support CNI, are subject to stringent legal, regulatory or contractual requirements, which often extend to providing assurance that security obligations have been met. However, for many ICS environments, information security requirements and obligations are often inadequate, vague or incomplete, particularly those relating to ICS products and services. Consequently, there can be a lack of assurance regarding ICS information security.
  • Heavy reliance on ICS suppliers: Many organizations are heavily reliant on specialized products and services from ICS suppliers, who focus on functionality, often at the expense of information security. These external suppliers are seldom managed closely enough, and seldom have sufficient input from security specialists, to ensure that the provision of ICS products and services meets security requirements.

Increasing yet Unclear Level of ICS Information Risk

Research identified details about the volume and type of attacks on ICS and related components and the exploitation of technical security vulnerabilities. However, limited quality information could be identified to help accurately determine the likelihood of attacks successfully exploiting these vulnerabilities or the true level of business impact they cause.

Inherent ICS design weaknesses can be exploited: ICS and the physical machinery they control are often built using proprietary hardware and software, with little consideration for information security. Consequently, the implementation of many generic enterprise IT security controls may be impractical or unsafe.

ICS suffer from security-related design weaknesses partly because there is:

  • An absence of rigorous regulatory requirements for security in ICS
  • A lack of choice for customers looking to acquire secure ICS products and services
  • Difficulty in upgrading or replacing ICS components
  • Insufficient pressure on vendors from customers to improve security in ICS products

Many technical ICS security vulnerabilities: Technical security vulnerabilities frequently exist in ICS, including inherent design failings; inflexible network configuration; system and network monitoring restrictions; and access control weaknesses. Once technical ICS security vulnerabilities have been exploited, ICS components are susceptible to a range of attacks (e.g. session hijacking, malware infection and account takeover).

Larger attack surface due to increased connectivity: ICS are exposed to a much larger attack surface due to increased connectivity, providing attackers with greater opportunities to access and target vulnerable ICS environments. ICS therefore require a higher level of protection, including security mechanisms such as authentication, encryption and rigorous monitoring.

Targeting by sophisticated attackers: Threats to ICS environments are increasing in number, sophistication and potency. Members are particularly concerned about adversarial threats to ICS environments, including nation-states, hacktivists, organized criminal groups, suppliers, unscrupulous competitors and disgruntled employees. ISF members have reported that these threats are becoming increasingly prevalent and well-resourced.

Preparing and Instituting an ICS Security Program

Many different circumstances, also referred to as triggers, can drive organizations towards reviewing or improving the security of ICS environments. These triggers often influence the urgency with which the risk needs to be addressed.

Circumstances, such as an issue raised by the organization’s governing body, a significant audit finding or a major ICS information security incident, will result in a clear mandate for action, often in the form of an approved ICS Security Program. Conversely, if recognition of circumstances originates from concerns expressed by only a few individuals within the organization, it may be necessary for them to persuade senior management to approve an ICS Security Program before significant investment.

Following approval to establish an ICS Security Program, preparatory arrangements need to be made to ensure that the program is run in a structured, systematic manner, and that it meets both business and information security requirements.

A range of preparatory arrangements should be made, including:

  1. Establish an ICS Security Governance model
  2. Define ICS Security Program scope
  3. Develop an approach for assessing ICS information risk
  4. Design an ICS security controls framework

Implementing a Collaborative, Risk-Based Approach

The growing need for business leaders to improve and sustain the security of ICS environments has been brought into sharp focus by recent research from many quarters. 

The significant concerns about cyber risk raised during research – along with well-publicized cyber security incidents and increased media coverage of ICS security vulnerabilities – clearly demonstrate the urgency that organizations should now attach to improving information security across both ICS environments and the IIoT.

With so many organizations heavily reliant on ICS to support business operations, the potential impact of getting information security wrong can be catastrophic. Costs can be extensive, corporate reputation severely damaged and lives put at risk.

However, many of these same organizations are grappling with fast-changing, interconnected and complex ICS environments. At a time of increasing yet unclear levels of risk, business leaders are questioning the effectiveness of ICS security arrangements.

To improve the effectiveness of ICS security, organizations should implement a tailored, collaborative and risk-based approach. An ICS Security Program presents a practical and structured method for enabling actions that deliver advantages over adversaries and competitors alike.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.