Industrial control systems are the backbone for some of society's most critical services -- water, power and natural gas, to mention a few. A successful cyber attack on any of these systems poses severe economic, social and political ramifications.
Let's look at some of the top challenges and threats facing ICSes today and examine how to keep these systems secure.
1. Old systems
Many ICSes were designed decades ago when cybersecurity wasn't a key consideration. Overlaying modern security on top of legacy architecture can be difficult. Likewise, the software ICSes run is often old and lacks many of the security features today's software can accommodate, such as strong authentication, encryption and protection against web application attacks, such as cross-site scripting or SQL injection.
2. Limited visibility
If security was not implemented when the ICS was installed -- which is typically the case for most legacy systems -- hardware and software visibility are missing. This makes monitoring and log management nearly, if not completely, impossible and hinders auditing capabilities.
3. Unpatched or out-of-date systems
Patching systems requires downtime, but the systems being updated often cannot be taken offline because they provide critical services. Compounding the problem, many legacy ICSes lack automatic failover. For these reasons, many companies do not patch these systems at all, leaving critical security holes that open the door to breaches.
4. Integrating ICS and IT systems
ICSes and operational technology (OT) systems are typically managed and operated by an independent team separate from the IT organization. Once ICSes are upgraded, they require more IT expertise. IT/OT integration -- merging ICSes with IT systems -- requires reorganization, rethinking and more efficient exchange of information, all of which can create friction.
5. Making the business case for ICS security
Investing in ICS security requires a strong business case. Unlike business investments, the cost and return of ICS security spending can't be easily measured. Managers should use loss prevention -- not ROI -- as the standard gauging the importance of ICS security funding.
6. Malware
Infecting ICSes with malware historically required physical access, such as plugging an infected USB drive into the ICS. Connecting ICSes to the internet has expanded the threat of malware.
Like other systems, ICSes must be protected against malware and other cyber attacks. Triton and Stuxnet are two examples of malware that specifically targeted ICSes, though other everyday malware is just as threatening. Worms, Trojans, ransomware, wiper malware and other threats must be mitigated. Botnets and DDoS attacks are also common threats.
7. Persistent and enduring threats
Because ICS visibility is limited, intruders can remain embedded without detection for a long time, giving bad actors time to extract and exploit valuable information.
8. IT and ICS lateral attacks
Unless ICS and IT systems are interconnected correctly and safely, attacks can spread laterally across both networks.
9. Activating extended update mode
In this attack, malicious actors break into an ICS and activate the firmware update mode on a sensor or device. The firmware update is never done, however, and the hardware is put into a holding state. Attackers take advantage of this, as the device's normal functions -- for example, process monitoring -- may be disabled, leaving the attacker free to infiltrate the device and system.
10. Default credentials and configurations
Attackers look up the default or hardcoded usernames and passwords that manufacturers ship with their devices and use those credentials to gain access to a company's ICS network.
How to mitigate ICS security threats and challenges
Take the following steps to prevent, detect and mitigate the aforementioned issues:
- Perform a basic threat assessment. Review the configurations, patch status, publicly disclosed vulnerabilities and other potential threats, and implement a plan to address them.
- Turn off or limit access. Limit or remove device access -- both inline and administrative -- unless there is an identified need that is documented.
- Conduct tabletop exercises. Simulate outages due to malware, DoS or other attacks to test the mitigation plans in place to counter them.
- Share information between IT and OT teams. Ensure IT and OT teams have the information needed to build cybersecurity awareness and accountability.
- Tap into industry knowledge bases. Use organizations such as Mitre to acquaint IT teams with the information they need to oversee ICS security.
- Conduct audits. Schedule regular systems scans to identify unpatched software, admin privileges, insecure configurations, and other potential security vulnerabilities and weaknesses.
- Change default manufacturer-supplied credentials. Change the default admin username and password for every device to prevent unauthorized access.
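As an added example (not code from the original article), the following Python script audits a constructed device inventory for three of the issues above: devices stuck in firmware update mode (item 9), devices still using vendor default credentials (item 10) and firmware behind an approved baseline (item 3). The device names, versions, credential list and time window are assumptions.

```python
"""Added example, not from the article: audit a constructed ICS inventory for
stuck firmware updates (item 9), default credentials (item 10) and old firmware
(item 3). All names, versions and limits are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed vendor default credential pairs (placeholder values).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Constructed approved firmware baseline per device model (placeholder versions).
FIRMWARE_BASELINE = {"plc-x100": (2, 4, 1), "rtu-z7": (1, 9, 0)}
# An update that has not completed within this window is a holding-state warning.
UPDATE_MODE_LIMIT = timedelta(minutes=30)

@dataclass
class Device:
    name: str
    model: str
    firmware: str        # dotted version string, e.g. "2.3.0"
    username: str
    password: str
    state: str           # "running" or "firmware_update"
    state_since: datetime

def parse_version(text):
    """'2.3.0' -> (2, 3, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def audit(devices, now):
    """Return (device name, finding) pairs in inventory order."""
    findings = []
    for d in devices:
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            findings.append((d.name, "default credentials"))
        baseline = FIRMWARE_BASELINE.get(d.model)
        if baseline and parse_version(d.firmware) < baseline:
            findings.append((d.name, "firmware below baseline"))
        if d.state == "firmware_update" and now - d.state_since > UPDATE_MODE_LIMIT:
            findings.append((d.name, "stuck in firmware update mode"))
    return findings

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed audit time
SAMPLE_DEVICES = [  # constructed inventory
    Device("plc-01", "plc-x100", "2.4.1", "ops", "S3cr3t!", "running", NOW - timedelta(days=2)),
    Device("plc-02", "plc-x100", "2.3.0", "admin", "admin", "running", NOW - timedelta(days=2)),
    Device("rtu-07", "rtu-z7", "1.9.0", "ops", "S3cr3t!", "firmware_update", NOW - timedelta(hours=3)),
]
if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DEVICES, NOW):
        print(f"{name}: {finding}")
```

In practice the inventory would come from an asset management export and the baseline from the vendor's release notes; the checks themselves stay the same.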