

An introduction to ICS threats and the current landscape

ICS threats have become more prevalent, so the need for organizations to understand the risks has grown. Expert Ernie Hayden explains what enterprises need to know.

An unusual attack that used the malicious Triton framework tool against a safety instrumented system at an oil processing plant in Saudi Arabia in 2017 precipitated active discussion about industrial controls security.

However, attacks on industrial control systems (ICSes) are not uncommon; they affect factories and processing plants daily -- if not hourly. Why is this? How exposed are these systems?

It's important to explore these questions about ICS threats, but first, you should learn what an ICS is and how it differs from IT.

Quick definitions -- IT, OT, ICS

To understand the threat landscape for ICSes, it is helpful to understand the difference between information technology (IT) and operational technology (OT), as well as what industrial control systems are.

For IT, the easiest way to grasp this collection of systems and processes is to think of data processing. IT comprises the systems and technologies (software, communications technologies, hardware and related services) used to process and manage data.

Operational technology -- often referred to as OT -- is the collection of systems and processes used to detect or cause a change through direct monitoring and control of physical devices, processes and events in a factory or processing plant.

IT is for data processing, and OT is for physical process management and control.

An ICS is a key underlying element of the OT world. According to the National Institute of Standards and Technology report NIST SP 800-82 R2, "Guide to Industrial Control Systems (ICS) Security," ICS is a "general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures."

ICS is used in the industrial, manufacturing and critical infrastructure sectors. For instance, railway controls are a type of SCADA. A street light controller may be a PLC, but it can also be part of a SCADA system.

Finally, an ICS includes combinations of control components, including electrical, mechanical, hydraulic or pneumatic, that act together to achieve an industrial objective, such as manufacturing, transportation, or the distribution of material or energy.

IT vs. OT architecture

Acceptable exposure of IT systems to the internet is substantially different from acceptable exposure of OT systems.

In normal configurations, IT is connected to the internet via controlled firewall connections. On the other hand, the ICS should not be connected to enterprise IT systems, let alone to any outside systems over the internet. Unfortunately, that is the theory; in practice, such isolation is not common.

While, in theory, an ICS should never be exposed to any outside networks, in practice, such connections may be deemed necessary. When that happens, those systems should only be connected to the internet or enterprise systems with substantial controls to ensure that malware from the enterprise network and internet -- and other ICS threats -- cannot interfere with the ICS.

Comparing security philosophies

A final comparison, which helps explain how ICS threats can interfere with IT and OT operations, uses the classic CIA model of security. Here, the IT security focus should be in the following order:

  • C -- confidentiality of data
  • I -- integrity of data
  • A -- availability of data and systems

However, the security priorities for an ICS largely invert the CIA triad. OT security should follow this order:

  • S -- safety (industrial)
  • R -- resilience/reliability
  • A -- availability of data and systems
  • I -- integrity of data
  • C -- confidentiality of data

You can see that safety, resilience/reliability and availability are at the top of the OT security priority stack.

ICS threat landscape

The points of emphasis above provide a sense of the profound differences between IT and OT, where industrial safety, reliability, resilience and availability are intentionally built into the OT layers. Therefore, any ICS threats or attacks that can negatively impact these key points should be viewed as important issues that need to be addressed.

Consider operating system patching, for instance. Patching an enterprise server, depending on the timing, is usually not a major issue. The patch can usually be rolled out and the server rebooted with minimal disruption, and a brief delay due to a patch is acceptable. By contrast, a patch to an industrial control system could have huge consequences.

Imagine the patch being rolled out at a pulp and paper mill or a plastics manufacturer where continuous operations must be assured. A patch that affects the process servers and computers for such factories could result in destroyed equipment, frozen plastic, and even injuries or death. An attacker may need only to cause a hiccup in the process to trigger a catastrophic failure at the factory.

One example of this type of ICS threat occurred at a German steel mill in 2014. Although the details of the attack are still unclear, the attack on the steel mill's furnace controls prevented the mill operators from shutting down the furnace in a controlled manner. Here, the attack negatively affected the availability of the furnace controls and resulted in reduced plant safety and reliability.

ICS threats -- Component lifetime

Professional and detailed security oversight and maintenance of an ICS became more common after the 2010 Stuxnet attack on the Natanz Uranium Enrichment Facility in Iran. This attack affected the industrial safety of the plant, as well as its availability, by means of an attack on the industrial controls for the uranium centrifuges, causing them to speed up.

Unfortunately, before Stuxnet, ICS and process systems generally received no security oversight or emphasis at all. And, because upgrades of systems and components at these factories may be delayed for years, some systems may not even be capable of handling security updates.

The normal equipment refresh rate for IT systems is around three to five years. Unfortunately, some ICS tools and equipment may simply be so old that they age out of the vendor's support window.

It is not uncommon to find older and unsupported operating systems, such as Windows NT, Windows CE or Windows 2000, installed in some plants. Yes, the equipment works fine and provides the necessary availability; however, the equipment can be compromised because it is not patched against current threats.

There are several differences between IT and OT relative to cybersecurity. With this in mind, the operators of ICS tools need to focus their efforts on reducing their threat exposure. These actions should include ensuring the components and systems in the factory are segregated from the enterprise network and internet using practices such as the Purdue Enterprise Reference Architecture.

ICS operators should also ensure their components and systems are updated so that they can be securely maintained and patched with current defense capabilities. And finally, ICS operators should focus their efforts on ensuring that the plant security priorities are industrial safety, resilience/reliability and availability.
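As an added illustration of the segregation point above (this is example code, not from the article or any vendor), the script below audits constructed flow records against a Purdue-style zone hierarchy and flags any connection that skips a level, such as an enterprise host talking directly to a PLC or an internet address reaching site operations. The subnet-to-zone mapping and the flow record format are assumptions made for the example.

```python
import ipaddress

# Constructed zone map for a hypothetical plant (assumption, not from the article).
# Purdue levels: 0-2 control, 3 site operations, 3.5 industrial DMZ, 4-5 enterprise.
ZONES = {
    "control":    ipaddress.ip_network("10.30.0.0/16"),
    "site_ops":   ipaddress.ip_network("10.20.0.0/16"),
    "dmz":        ipaddress.ip_network("10.15.0.0/24"),
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
}
# Rank zones by depth; a flow may only cross between adjacent ranks.
RANK = {"internet": 0, "enterprise": 1, "dmz": 2, "site_ops": 3, "control": 4}

def zone_of(ip):
    """Map an address to its zone; anything outside plant ranges is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def parse_flow(line):
    """Flow record format is constructed: space-separated key=value pairs."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def check_flow(line):
    """Return None if the flow respects the zone hierarchy, else a finding string."""
    src, dst, dport = parse_flow(line)
    s, d = zone_of(src), zone_of(dst)
    gap = abs(RANK[s] - RANK[d])
    if gap <= 1:
        return None
    return f"{s}->{d} skips {gap - 1} zone(s): {src} -> {dst}:{dport}"

def audit(lines):
    """Run check_flow over every record and keep only the findings."""
    return [f for f in (check_flow(line) for line in lines) if f]

SAMPLE_FLOWS = [  # constructed sample records
    "src=10.1.5.20 dst=10.15.0.7 dport=443",     # enterprise -> DMZ historian: allowed
    "src=10.20.0.9 dst=10.30.1.12 dport=502",    # site ops -> PLC Modbus: allowed
    "src=10.1.5.20 dst=10.30.1.12 dport=502",    # enterprise -> PLC: skips DMZ and L3
    "src=203.0.113.8 dst=10.20.0.9 dport=3389",  # internet -> site ops RDP: skips zones
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Feeding real flow or firewall logs through `audit` in the same key=value shape gives a quick check on whether the enterprise and control layers are actually as separated as the architecture diagram claims.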

This was last published in July 2018
