Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Introduction
Cyber security for Industrial Control Systems (ICS) managing water and electricity supply, transportation, communications and manufacturing facilities should be very high on the priority list of top-floor executives. Educating control engineers and users on cyber security risk can only be done through a well-defined methodology.
This program shall involve a) ICS operators and experts who must expand their cyber security knowledge, b) IT experts who must learn ICS basics and the specific risks and solutions related to ICS architectures and finally, c) managers who must have the knowledge needed to make correct decisions related to the allocation of resources. This paper highlights a few important topics and helps you achieve these goals effectively.
Principal differences between IT and ICS
IT experts interested in becoming ICS cyber security experts must adopt a few basic principles of control systems in order to deal effectively with ICS cyber security challenges.
- Prior to dealing with ICS cyber security for their industry, they must study their ICS architecture as described in layers 0-2 of the Purdue Model. Furthermore, they need to understand the principal differences between IT and ICS. While IT experts focus on assuring Confidentiality, Integrity and Availability (CIA), ICS experts focus on Safety, Reliability and Productivity (SRP).
- Cyber defense tools and measures for IT and ICS are very different. For example, a penetration test on an IT system may cause a temporary shutdown, whereas active inspection (i.e. penetration testing) of an ICS might lead to mechanical damage and even put people at risk.
- IT experts frequently patch, update and upgrade their systems. ICS experts cannot do that, as every change or update represents a risk to operating safety and reliability. Since no single cyber defense method can prevent an attack on your ICS, the best you can do is to deploy a layered cyber defense that combines the PPT Triad (People, Processes, Technology) principles.
Methods for analyzing cyber risk factors
Understanding the risk vectors related to the attack surface is among the key principles, as such knowledge allows you to predict most paths which an attacker may consider. Furthermore, in order to achieve a more granular prediction, you may correlate these paths with the Industrial (Lockheed Martin) Cyber Kill Chain.
- Non-attack risk factors: Prior to dealing with cyber-attacks, you must consider two risk factors which might interfere with the ICS process: a) failure of a sensor or PLC, or a software bug, and b) an incorrect action carried out by an authorized person. Both may lead to a panic response by the ICS operator as well as to damage.
- Negligence of people: You must consider actions that enable a cyber-attack, such as inserting a foreign USB stick into one of the ICS components, failure to detect a social engineering attack, negligent supply chain processes, consistent use of simple or repeated passwords, poor physical security, and more.
- System oriented attacks: The adversary may attack the ICS through a “Cloud Control” operation, manipulate processes coordinated by the ERP, or reconfigure control processes in buildings (air-conditioning, elevators, data center cooling, high voltage connections, UPS, generators, fire alarms, etc.).
- Attacking the ICS network: Direct access to the ICS network through a “Backdoor” connection, MitM access, remote access through a spoofed identity, a DDoS attack on the ICS network, compromising the firewall between the IT and ICS networks, leaking information out of the ICS, etc.
- Attacking the process: Consider attacks on the HMI, engineering station, firewalls, PLCs, field sensors and the synchronizing GPS, manipulating the process through an APT attack, exploiting zero-day vulnerabilities, etc. The goals are always to cause an outage and damage machinery.
Methods for ICS cyber defense
Deployment of an effective cyber defense on an ICS must be decided based on the overall risk factor, calculated from the probability of occurrence and the impact of the attack. The layered defense itself, however, should be designed according to the network architecture, communication protocols, media, etc.
- Adhere to corporate policies related to secure servicing of ICS devices and computers
- Perform updates for the OS, antivirus and ICS application only after intensive testing
- Conduct periodic cyber security assessment on the ICS for detecting new vulnerabilities
- Strengthen the physical security for all remote installations which may serve attackers
- Deploy hierarchical zoning among segments which are not communicating with each other
- Prioritize using ICS oriented firewall, DMZ or Data Diode between the IT and ICS sections
- Use an IDS for detecting ICS-related anomalies at levels 0, 1 and 2 of the Purdue Model
- Deploy authentication (e.g. 802.1X) prior to connecting ICS devices and network equipment
- Perform in-depth inspection of all files and media prior to transferring them to the ICS network
- Prevent remote access to the ICS network unless it is mandatory for critical purposes
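Two items in the list above, hierarchical zoning between segments and an IDS for ICS-related anomalies at the lower Purdue levels, can be illustrated together with a small flow-screening script. The following is an added example, not code from the article or from any product it mentions: the address plan, the zone-to-Purdue-level mapping, the allowed conduits, the flow-log format and the list of hosts authorized to write to PLCs are all assumptions constructed for this illustration. It reads constructed flow records, checks each against the zoning conduits, and flags Modbus/TCP write function codes (5, 6, 15, 16) that originate from a host that is not an authorized HMI or engineering station.

```python
"""Zone-aware screening of ICS network flows.

Added, constructed example (not from the original article). The address plan,
zones, conduits, log format and authorized hosts are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# Assumed address plan mapped onto Purdue levels.
ZONES = {
    "L0_1_field": ip_network("10.1.0.0/24"),      # PLCs, RTUs, field I/O
    "L2_supervisory": ip_network("10.2.0.0/24"),  # HMI, engineering station
    "L3_5_dmz": ip_network("10.3.0.0/24"),        # historian / jump hosts in the DMZ
    "L4_IT": ip_network("192.168.0.0/16"),        # corporate IT
}

# Hierarchical zoning: a flow may only cross one level boundary, from the
# higher level towards the field. Any other cross-zone flow is a violation.
ALLOWED_CONDUITS = {
    ("L4_IT", "L3_5_dmz"),
    ("L3_5_dmz", "L2_supervisory"),
    ("L2_supervisory", "L0_1_field"),
}

MODBUS_PORT = 502
MODBUS_WRITE_CODES = {5, 6, 15, 16}   # write coil / register(s): these change the process
# Assumed: only the HMI (10.2.0.10) and engineering station (10.2.0.11) may write to PLCs.
WRITE_AUTHORIZED = {ip_address("10.2.0.10"), ip_address("10.2.0.11")}


@dataclass
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str
    func: Optional[int]   # Modbus function code, if the collector decoded one


def zone_of(ip: IPv4Address) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_line(line: str) -> Flow:
    """Constructed flow-log format: '<ts> <src> <dst> <dport> <proto>[/<func>]'."""
    ts, src, dst, dport, proto = line.split()
    func: Optional[int] = None
    if "/" in proto:
        proto, code = proto.split("/", 1)
        func = int(code)
    return Flow(ts, ip_address(src), ip_address(dst), int(dport), proto, func)


def screen(flow: Flow) -> List[str]:
    """Return zero or more alert strings for one flow."""
    alerts: List[str] = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        # A host outside the documented address plan talking to the ICS.
        alerts.append(f"{flow.ts} unknown host in flow {flow.src}->{flow.dst}")
    elif sz != dz and (sz, dz) not in ALLOWED_CONDUITS:
        # Cross-zone flow that the zoning model does not permit (in either direction).
        alerts.append(f"{flow.ts} zone violation {sz}->{dz} ({flow.src}->{flow.dst})")
    if (flow.dport == MODBUS_PORT and flow.func in MODBUS_WRITE_CODES
            and flow.src not in WRITE_AUTHORIZED):
        # A write to a PLC from a host that is not an authorized HMI/engineering station.
        alerts.append(f"{flow.ts} unauthorized Modbus write fc={flow.func} "
                      f"from {flow.src} to {flow.dst}")
    return alerts


def screen_log(text: str) -> List[str]:
    """Screen every non-empty line of a flow log and collect the alerts."""
    return [a for line in text.strip().splitlines() for a in screen(parse_line(line))]


# Constructed sample flows; none of these are real captures.
SAMPLE_LOG = """
2024-05-01T10:00:01 10.2.0.10 10.1.0.5 502 modbus/3
2024-05-01T10:00:02 10.2.0.11 10.1.0.5 502 modbus/16
2024-05-01T10:00:03 192.168.4.20 10.1.0.5 502 modbus/6
2024-05-01T10:00:04 10.2.0.25 10.1.0.7 502 modbus/5
2024-05-01T10:00:05 10.3.0.4 10.2.0.10 4840 opcua
2024-05-01T10:00:06 10.1.0.5 192.168.4.20 443 tls
2024-05-01T10:00:07 172.16.9.9 10.1.0.5 502 modbus/3
"""

if __name__ == "__main__":
    for alert in screen_log(SAMPLE_LOG):
        print(alert)
```

In the sample, the HMI read and the engineering-station write pass silently, while the corporate IT host writing a register raises both a zone violation and an unauthorized-write alert, the unlisted supervisory host writing a coil raises only the write alert, the PLC opening a TLS session towards IT is flagged as a zone violation (the kind of outbound leak the risk list mentions), and the host outside the address plan is flagged as unknown. A real deployment would feed the same logic from a passive sensor on a span port or a dedicated ICS IDS rather than from a text file, and the allowed-conduit table would come from the documented network architecture the section refers to.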
Educating your staff on cyber security risks
Cyber security experts know full well that a very high percentage of “successful” cyber-attacks have been possible because people could not prevent these actions due to a lack of awareness and a lack of experience with detecting and mitigating such attacks. Therefore, periodic education for all personnel in the organization should be a mandatory requirement for building ICS cyber security awareness. Who should attend?
- System operators and ICS maintenance engineers who must upgrade their cyber security skills
- IT cyber security personnel who must learn how ICS operates and how it can be protected
- Managers and decision makers who must understand this topic for properly allocating resources
The training program should include classroom sessions on the ICS architecture, a description of the risks to the ICS architecture and drills using a live demo illustrating an attack in progress. The corporate CISO and the management must clearly define responsibilities in their organization for dealing with the following:
- Attack mitigation, preventing lateral movement and minimizing possible damage
- Collection of forensics on attack-related details and reporting to all stakeholders
- Effective and rapid restoration of business continuity according to the defined BCP
Summary
Industrial organizations must have a documented methodology for preparedness for cyber incidents and for response when such an event takes place. ICS cyber security experts have the knowledge and experience required to support their organizations according to the described methodology and beyond.
These actions will help you comply with regulations, mitigate incidents that might risk the lives of people and prevent operating outages and damage to machinery. Therefore, the management should devote adequate resources and acquire the necessary expertise for effectively dealing with ICS cyber security.