Cyber Secured Control of Industrial Processes
Industrial processes serving water and sewage operations, power plants and a broad range of manufacturing facilities are supervised by Industrial Control Systems (ICS). Industry experts worldwide have long struggled with the question of how to protect their industrial processes from catastrophic consequences caused by severe malfunction, hostile manipulation of operating processes, incorrect or negligent maintenance, mistaken operator actions or cyber-attacks.
We all know that there is no single control method, no matter how advanced or expensive, that can provide absolute defense ("there is no silver bullet"). Furthermore, the intensive use of Industrial Internet of Things (IIoT) instruments and sensors deployed across facilities increases the cyber-attack surface. Therefore, cyber defense must include several layers of supervision and protective measures, specifically tuned for levels 0-3 of the Purdue model.
In order to detect attacks and prevent damage, cyber experts often recommend deploying a wide range of measures such as firewalls, antivirus, Intrusion Detection Systems (IDS), visibility analysis, encryption, authentication and also deception techniques. These methods are all suitable for protecting the ICS, but the question is whether all of these together are enough to assure operating safety.
Layered defense across the plant
If your task is to protect a small-scale ICS with just a few computers, you may consider a Host-Based IDS (HIDS), but it requires installing the IDS software on each ICS computer. Some experts refrain from this method, because every software change on the HMI or the Automation Server (often running a legacy operating system) carries a risk of malfunction. Alternatively, a Network-based IDS (NIDS) requires adding a dedicated host to the control architecture. Its interface to the ICS is through passive "sniffer" devices (network taps) or through the "mirroring" (SPAN) port of the network switch in the ICS zone, so it never injects traffic into the control network.
Selection criteria for the process control methods
If you judge it appropriate for defending your ICS from internally as well as externally generated cyber-attacks, you may select both methods. Either way, for every ICS architecture you must list all the known "attack vectors" and the applicable "attack surface". It is important to mention here that, according to best practices for ICS, we do not consider deploying an Intrusion Prevention System (IPS): an IPS sits inline and blocks traffic on its own decision, so its activation makes it difficult to bound the risk of the IPS itself interfering with the ICS process.
We are all well aware of the famous statement: "You cannot protect what you do not know", which means that you must have accurate details on your installed ICS. Therefore, prior to describing the IDS methods, it is important to mention that detailed visibility analysis of the ICS network plays an important role. The outcome of the visibility analysis (based on a self-learning process) is displayed on a comprehensive screen with all the important details required for the IDS process:
- A list of devices connected to the ICS network (local and remotely connected IIoT), including details on the manufacturer, model number, installed firmware, IP addresses and more.
- The baseline communication among these devices: the rate of access to each device, the amount of data per session, the type of data (encrypted/plaintext) and more.
- The data exchange with external databases. An IDS performing visibility analysis should periodically update you about published CVEs that specifically affect the devices installed in your system (which is only possible when the inventory of models and firmware versions above is accurate).
Before making the selection, consider the following four IDS methods:
a) Detecting anomaly conditions in communication sessions among the ICS related components
Visibility analysis is the most basic process, and it must be done with minimum risk of causing a malfunction (passive listening rather than active scanning of the controllers). Upon completion of that task using one of the available technologies, you will have a clear baseline picture of your installation, and consequently your IDS will detect any communication session that falls outside the range defined by the baseline obtained through the self-learning process.
b) Detecting anomaly in communication protocol within the ICS network
Identify error messages caused by undefined codes or IP addresses and by incorrect protocol formats. Your IDS should be capable of distinguishing a protocol error from a cyber-attack. Such an attack might start with "reconnaissance", when the attacker scans your system. Since the attacker may not know which ICS protocol is used, the scan will typically touch ports and function codes that the legitimate devices never use; detecting such activity may indicate that something is happening.
c) Detecting unusual commands sent to PLCs across the ICS network
Attackers may try to damage the system by sending unusual, high-risk commands (e.g. a temperature set-point increase) crafted from what they learned during the reconnaissance phase. A correctly designed ICS (with "Operating Safety" in mind) should protect itself from commands, no matter where they are initiated, that are aimed at damaging the process or the machinery. Consequently, when such a command arrives, the ICS should turn itself to a fail-safe condition.
d) Detecting unsafe conditions of machinery controlled by ICS
The attacker or the attacking process must reach the PLC controlling the critical process (as happened in the Stuxnet attack discovered in 2010). In order to prevent damage to the machinery, the IDS must detect whether the operating condition of the machinery (monitored through several field sensors) is within the safe and normal boundary. Some of the IDS types already available on the market monitor such conditions.
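As an added illustration of the self-learning visibility baseline described earlier and of the four detection methods (a)-(d), the following Python sketch is not code from the article or from any vendor product. It learns a device inventory and a per-conversation function-code baseline from constructed Modbus/TCP-style message records, then runs a second constructed batch plus a set of constructed sensor readings through one check per method. The IP addresses, the set-point register 40001 and its allowed band, the sensor limits and the three-port scan threshold are hypothetical placeholders standing in for a plant's own engineering data.

```python
"""Baseline-then-detect sketch for one ICS network segment (added example).

Messages are assumed to arrive already parsed from a passive NIDS sensor;
nothing here sends traffic to the PLC. All addresses, register numbers,
bands and thresholds are hypothetical and would come from plant documentation.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes; any other code in a Modbus/TCP session is suspect.
MODBUS_FUNCS = {1, 2, 3, 4, 5, 6, 15, 16, 23}
WRITE_FUNCS = {5, 6, 15, 16, 23}
SCAN_THRESHOLD = 3  # distinct destination ports from one source (hypothetical)

# Hypothetical engineering limits: set-point register -> allowed write range,
# and field sensor -> safe operating envelope of the machinery.
SETPOINT_BANDS = {40001: (20, 80)}
SENSOR_LIMITS = {"reactor_temp_c": (15.0, 90.0), "tank_level": (0.1, 0.95)}


@dataclass(frozen=True)
class Msg:
    src: str
    dst: str
    dport: int
    func: Optional[int]          # Modbus function code, None if not parseable
    addr: Optional[int] = None   # register address for writes
    value: Optional[int] = None  # value written


class Baseline:
    """Self-learning phase: device inventory plus who talks to whom with what."""

    def __init__(self) -> None:
        self.devices: set[str] = set()
        self.pairs: dict[tuple[str, str], set[Optional[int]]] = defaultdict(set)

    def learn(self, msgs: list[Msg]) -> "Baseline":
        for m in msgs:
            self.devices.update((m.src, m.dst))
            self.pairs[(m.src, m.dst)].add(m.func)
        return self


def detect(baseline: Baseline, msgs: list[Msg], sensors: dict[str, float]) -> dict[str, list[str]]:
    """Return alerts grouped by method (a) session, (b) protocol, (c) command, (d) process."""
    alerts: dict[str, list[str]] = defaultdict(list)
    seen: set[tuple[str, str]] = set()
    ports_by_src: dict[str, set[int]] = defaultdict(set)

    def alert(cat: str, detail: str) -> None:
        if (cat, detail) not in seen:  # de-duplicate repeated events
            seen.add((cat, detail))
            alerts[cat].append(detail)

    for m in msgs:
        pair = (m.src, m.dst)
        ports_by_src[m.src].add(m.dport)
        # (a) session outside the learned baseline
        if m.src not in baseline.devices:
            alert("a_session", f"unknown device {m.src}")
        if pair not in baseline.pairs:
            alert("a_session", f"new conversation {m.src}->{m.dst}")
        elif m.func not in baseline.pairs[pair]:
            alert("a_session", f"new function {m.func} on {m.src}->{m.dst}")
        # (b) protocol misuse: a function code the protocol does not define
        if m.func is not None and m.func not in MODBUS_FUNCS:
            alert("b_protocol", f"illegal function code {m.func} from {m.src}")
        # (c) high-risk write outside the engineering band
        if m.func in WRITE_FUNCS and m.addr in SETPOINT_BANDS:
            lo, hi = SETPOINT_BANDS[m.addr]
            if m.value is None or not lo <= m.value <= hi:
                alert("c_command", f"write {m.value} to {m.addr} from {m.src} outside [{lo},{hi}]")
    # (b) reconnaissance: one source probing several ICS ports
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            alert("b_protocol", f"{src} probed {len(ports)} ports (scan)")
    # (d) the process itself outside its safe envelope, whatever the cause
    for name, value in sensors.items():
        lo, hi = SENSOR_LIMITS.get(name, (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            alert("d_process", f"{name}={value} outside [{lo},{hi}]")
    return dict(alerts)


HMI, EWS, PLC = "10.0.0.10", "10.0.0.11", "10.0.0.20"  # constructed addresses

# Constructed known-good traffic captured during the learning window.
LEARNING = [
    Msg(HMI, PLC, 502, 3),                         # HMI polls holding registers
    Msg(EWS, PLC, 502, 6, addr=40001, value=60),   # engineer adjusts set-point
]

# Constructed traffic observed during the detection window.
OBSERVED = [
    Msg(HMI, PLC, 502, 3),                         # normal poll
    Msg("10.0.0.99", PLC, 502, None),              # stranger touches Modbus port
    Msg("10.0.0.99", PLC, 102, None),              # ... then the S7 port
    Msg("10.0.0.99", PLC, 44818, None),            # ... then the EtherNet/IP port
    Msg(HMI, PLC, 502, 6, addr=40001, value=150),  # HMI writes an out-of-band set-point
    Msg(EWS, PLC, 502, 99),                        # junk function code
]
SENSORS = {"reactor_temp_c": 95.0, "tank_level": 0.5}  # constructed readings


def run_demo() -> dict[str, list[str]]:
    return detect(Baseline().learn(LEARNING), OBSERVED, SENSORS)


if __name__ == "__main__":
    for cat, items in sorted(run_demo().items()):
        for item in items:
            print(cat, item)
```

Note that the sketch only reads parsed messages; it never queries the controllers, which keeps it on the passive side that the visibility-analysis caveat above demands. The (c) and (d) checks depend entirely on engineering limits that a network sensor cannot learn by itself, which is why they have to be supplied from plant documentation rather than from the self-learning phase.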
Summary and Conclusion
In addition to the use of IDS functions (already available as part of a Next Generation Firewall, NGFW), careful actions are required in order to detect unusual conditions and prevent damage. Software updates at the PLC and HMI levels, aimed at modifying the application program, must be done very carefully, because every software or hardware modification or change in the system might lead to unstable and unsafe operation of the ICS. System owners should make sure that, prior to taking any risk mitigation action, they have a solid rescue plan (including verified backups of the PLC programs and HMI configuration) that allows them to restore the system to its original condition. They must have the most skilled resources available on site, with specific knowledge of the ICS in question.
A strong cyber defense is achievable through adherence to the PPT triad (People, Process, Technology). Anomaly-behavior IDS is among several effective methods for achieving operating Safety, Reliability and Productivity (SRP), and therefore investment in these measures should be at the top of the priority list for 2020.
Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts; he periodically teaches in colleges and presents at industry conferences on the integration of cyber defense with industrial control systems. Daniel has over 28 years of engineering experience with ICS for electricity, water, gas and power plants as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman for the ICS Cybersec 2020 conference taking place on 21-10-2020 in Israel and for the Asia ICS Cyber Security conference taking place in Singapore in Q3-2020.