A Three-Stage Strategy for Protecting ICS Networks

June 10, 2020
Maintaining the productivity of industrial facilities is a critical concern for network security staff

Industrial control systems (ICS) has evolved over the past few decades and has become the backbone of almost every industry. Modern ICS is no longer composed of isolated controllers, but rather is based on sophisticated distributed software and networking, making the boundary between OT and IT vague, and sometimes even nonexistent.

The combination of the tremendously high impact of compromise to an ICS, and the ability to achieve this remotely using standard IT malware, has caused ICS cyberattacks to proliferate over the past two decades. We are all aware of high impact cyberattacks on critical infrastructure carried out (allegedly) by nation-state actors - nuclear facilities, power grids, oil industry - none of these are immune.

Malware targeting ICS has also evolved over the years, making such attacks easier to perpetrate and hence more common. However, as pointed out by FireEye researchers in a recent article (1), it could be that a critical mass has been reached, and that off-the-shelf packages of hacking tools can now be put to use by the occasional cybercriminal, rather than by well-funded and skilled nation-state actors. This makes the direct threat to ICS networks, in any industrial organization, more prominent.

The anatomy of an attack against an ICS is not that much different from that of an attack against an organization’s IT infrastructure. The final objective of the attacker might be different at times (which is why some hacking tools in the arsenal specifically target equipment manufactured by ICS vendors), and so is the environment - such as networking equipment and operating systems. However, the attack flow remains pretty much the same: after identifying the target and choosing the right hacking tools, an attacker starts by establishing a foothold within the targeted organization.

Once a foothold is established, the attacker proceeds with the standard cyberattack playbook. This begins with establishing communication with its C&C (Command and Control) server and includes lateral movement and privilege escalation. It continues until the attacker has the target in his crosshairs, and he can inflict the damage that he intends - be it sabotaging actual industrial systems, stealing information, or paralyzing the organization by using ransomware or other types of DoS.

The fact that many devices on ICS networks were deployed many years ago or even decades ago, and that these devices do not use standard, modern software [that can be easily upgraded to add security capabilities, or patched to fix vulnerabilities], makes life very challenging for ICS security teams. These realities make it difficult to deal with malware once it has already infiltrated into an ICS network, so affected organizations usually take measures to keep these threats out in the first place.

Isolation First

Most experts agree that the first step in any strategy for protecting an ICS network is to isolate it from all standard IT networks. IT networks, by design, are exposed to many attack vectors that can be exploited. To do their jobs, employees must be able to receive an email, connect to the internet, transfer files using USB devices, install software, and access the organization remotely. Even the more restrictive organizations must let their employees do some of these actions. Each of these daily actions, as well as many others, is in itself an attack vector that is easily exploitable by a malicious actor.

Furthermore, to maintain secure ICS networks - apply new firmware, apply patches, and troubleshoot issues - organizations typically leverage services rendered by contractors and other third parties. The control that organizations have over the health of IT equipment used by these third parties is usually very loose, which makes an even stronger case for isolation.

This first step towards isolation translates into connecting all ICS devices to a dedicated network, isolated from all other networks in addition to the Internet, and keeping all standard IT equipment off-limits. Any PC connected to such a network must be extremely locked-down in order to keep all attack vectors away from these networks. Machine lock-down means no access to other networks, no ability to connect external hardware, or install the software. This also means making sure that a PC on such a network cannot be mobilized and connected to other networks to prevent it from carrying infection into the ICS network.

Use a Dedicated Endpoint

In order to control ICS equipment, technicians and administrators typically connect to these networks via specifically crafted routes, carefully configured firewalls, and jump boxes guarded by two-factor authentication. While this approach prevents the occasional malware from infiltrating the network, APT actors can still take over the IT machine used to access the ICS network and use this IT machine as a beachhead to attack the ICS network itself.

One way to overcome the risk that a compromised IT endpoint -- used for accessing the ICS environment could compromise the entire ICS network -- is to ensure that even the control of the ICS network is done through a dedicated, locked-down device, rather than by IT equipment that is used to carry out other daily chores. This ensures that this special-purpose endpoint, used by administrators and technicians to access the ICS network either locally or remotely, is of the same security standard as the other components of the ICS network.

Stay Fully Productive with OS Isolation

Organizations are justly concerned about the negative effect on productivity caused by forcing their employees to use two separate computers. It is a major hassle to switch between two devices all day, not to mention the burden of mobile workers having to carry around two devices.

One solution to this problem is OS isolation, which allows running two separate operating systems on the same physical device. Using this approach, organizations can maintain strict OT/IT isolation, allowing them to remain safe, while employees can work with relative freedom, reading their email and performing other corporate activities alongside operating ICS equipment on the same device.

In summary, here is the three-stage strategy for protecting ICS networks from compromise, while maintaining productivity:

1.   Fully isolate ICS networks from IT networks, making sure anything connected to the ICS network is locked down to the extreme.

2.    Use dedicated endpoint devices to access and control ICS networks, either locally or remotely.

3.    Use OS isolation to enable employees to remain fully productive while securely operating ICS.

References: (1) https://www.zdnet.com/article/fireeye-warns-about-the-proliferation-of-ready-made-ics-hacking-tools/

About the Author: Yuki Arbel is Vice President, Product Management of Hysolate.

An industry veteran with 20 years of IT, networking and cloud experience, Arbel, started his career at P-Cube, a networking startup that was later acquired by Cisco. After his position as a system architect at Cisco, Arbel became CEO of Comsleep, an energy-saving startup. Most recently, Arbel served as Head of Product for Nokia’s NFV infrastructure, driving telecom networks towards virtualization. A graduate of the prestigious Talpiot program, Arbel holds a B. Sc in physics and mathematics from the Hebrew University of Jerusalem as well as an MBA from Tel Aviv University. Reach him at [email protected], through LinkedIn at linkedin.com/in/yukiarbel or follow him on Twitter, @yukiarbel.