Industrial Control Systems (ICS) Cyber Security Calls for Focused Attention
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Over the past years, not enough resources have been allocated for protecting the Industrial Control Systems (ICS) that serve manufacturing plants, control water and energy systems, etc. This happens in spite of the fact that the penetration of Industrial Internet of Things (IIoT) components into the ICS architecture expands the attack surface. Organizations, on the other hand, have upgraded their IT security, mainly because published attacks made IT managers concerned. There are many justifiable reasons for the different handling of IT and ICS cyber security, mainly technology constraints, the negligence of experts, or the lack of budgets. The good news is that in recent years tens of companies have entered this segment and focus on creating modern cyber defense for ICS.
Why can we not control the attack surface?
As you know, the prime focus of IT personnel is protecting the Confidentiality, Integrity, and Availability (CIA) of their business data. In contrast, the role of ICS experts is to focus on operational Safety, Reliability and Productivity (SRP). Therefore, people in charge of cyber security for ICS might object to any technology change that jeopardizes the SRP goals. This conservative approach applies to patching operating systems and application programs, and also to control process improvements.
Based on my many years of experience, I am brave enough to sympathize with their approach, mainly because control architectures were always built with operational safety and reliability in mind, without fear of intentional cyber-attacks. Consequently, you should not be surprised when you hear some managers saying: “I’m responsible and I’ll not allow any change that might create safety risks”. While regulations for IT systems call for proactive vulnerability detection methods such as active scanning and pen-testing, these are not practical for ICS, as they might cause harm to the infrastructure and risk people’s safety.
Can we act differently?
People often ask: “If the risk is so high, why do we not hear about attacks on ICS at an alarming rate?” This argument might not be true, because many attacks are not published, and no one knows about malware that has already penetrated the ICS network (a logic bomb).
The significant change occurred after the attack on the Iranian nuclear plant (Stuxnet, 05-2010). Until that event, ICS managers wrongly believed and claimed that their system was isolated from the Internet (air-gapped) and therefore safe from cyber-attacks. This “blind approach” collapsed after Stuxnet, and since then corporate managers have been allowed to access the ICS for real-time analysis of the control process. As already stated above, cyber security tools for IT are not suitable for ICS, and as a result of the new requirement to connect the ICS and IT systems, evolving standards such as NERC-CIP and IEC 62443 became the relevant choice for achieving system resiliency. But anyone who invested in the deployment of these methods learned that the legacy-type ICS structure, designed before the era of cyber-attacks, did not allow the inclusion of cyber defense measures.
Targeted solutions for security systems
In light of the warning by the US Department of Homeland Security (DHS) on expected cyber-attacks on ICS, managers in charge shall deploy cyber protection measures that have been specially adapted for ICS. Consequently, they must deploy robust and highly resilient solutions based on proven defense concepts and available technologies. The PPT (People-Processes-Technologies) cyber defense is a well-known three-fold process:
- Training on cyber risk awareness and drills for all employees in the organization (people)
- Procedures and policies for secured integration of IT and ICS networks (processes)
- Deployment of ICS-adapted solutions that match the control architecture (technology)
We are now in a much better situation compared to years ago, and technologies that are well suited for ICS cyber defense are now available. However, it is important to highlight that there is no single defense measure (no matter how advanced and expensive) that provides an absolute defense against all attack vectors, and therefore a set of comprehensive measures is required. Among these measures and solutions, you can find:
- Deployment of physical security especially at distant unmanned locations.
- Intrusion Detection Systems (IDS) based on anomaly behavior detection
- Authenticated Proxy Access (APA) for secured access to remote ICS sites
- Unidirectional Security Gateway systems (Data Diode), where applicable
- Continuous monitoring of the entire ICS operation and visibility analysis
- Broad selection of ICS-aware firewalls combined with deep packet inspection
- Demilitarized Zone (DMZ)-based segmentation between different hierarchies
- Security Information and Event Management (SIEM) for analyzing log inputs
- Reliable and enhanced User Authentication based on behavior analysis
- Internal policies which enforce strict access to remote ICS sites
- In-depth examination of files that are brought into the organization
- Deception-based malware detection that also performs risk mitigation
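To make the anomaly-detection IDS item above concrete, here is an added example (not from the article or any vendor product) of the baseline-then-alert approach that suits repetitive ICS traffic: flow records captured during a known-good period define which (source, destination, protocol, function) combinations are normal, and later records outside that set raise an alert, with write operations ranked highest because they can change the process state. The record layout and the sample traffic are constructed for this example.

```python
from collections import defaultdict

# Constructed sample flow records: "src,dst,protocol,function" (layout is an assumption).
BASELINE_TRAFFIC = """\
10.0.1.10,10.0.2.20,modbus,read_holding_registers
10.0.1.10,10.0.2.21,modbus,read_holding_registers
10.0.1.11,10.0.2.20,modbus,write_single_register
10.0.1.10,10.0.2.20,modbus,read_coils
"""

LIVE_TRAFFIC = """\
10.0.1.10,10.0.2.20,modbus,read_holding_registers
10.0.1.10,10.0.2.20,modbus,write_multiple_registers
10.0.1.99,10.0.2.21,modbus,read_holding_registers
10.0.1.11,10.0.2.20,modbus,write_single_register
10.0.1.10,10.0.2.20,http,get
"""

# Functions that alter controller state; alerts on these get the highest priority.
WRITE_FUNCTIONS = {"write_single_register", "write_multiple_registers", "write_single_coil"}


def parse_records(text):
    """Split the CSV-style capture into (src, dst, protocol, function) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]


def learn_baseline(records):
    """Map each (src, dst) link to the set of (protocol, function) seen on it."""
    baseline = defaultdict(set)
    for src, dst, proto, func in records:
        baseline[(src, dst)].add((proto, func))
    return baseline


def detect_anomalies(baseline, records):
    """Return (record, reason) for each record outside the learned baseline."""
    known_hosts = {host for link in baseline for host in link}
    alerts = []
    for rec in records:
        src, dst, proto, func = rec
        if src not in known_hosts:
            reason = "unknown source host"
        elif (proto, func) not in baseline.get((src, dst), set()):
            # A new write on a known link is more urgent than a new read or protocol.
            reason = ("write operation not in baseline" if func in WRITE_FUNCTIONS
                      else "protocol/function not in baseline")
        else:
            continue  # matches learned behavior
        alerts.append((rec, reason))
    return alerts
```

On the constructed live capture this flags the new write, the unknown host, and the HTTP request on a Modbus link, while the two repetitive reads pass silently.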
ICS cyber security experts have the knowledge and experience required to implement effective cyber defense solutions. This topic shall be granted top priority in all organizations; if we do not act quickly, effectively and with a great deal of dedication, organizations will be attacked and suffer heavy damages. The topics outlined in this paper may put you one step ahead of the cyber attackers and help you assure business continuity in your organization.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years of engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.