Do not blame the PLCs for a Cyber Attack
Daniel Ehrenreich
Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker
A cyber-attack was recently launched on a small U.S. water and sewage utility in Aliquippa (PA, USA). The facility's operating process was manipulated after its PLC controls were disrupted. The report said that the attack was carried out by an Iranian cyber-attack group, CyberAv3ngers, which had already attacked several facilities in the past.
Like most PLCs produced by leading vendors worldwide, these PLCs were designed to ensure operating safety, reliability, and availability (SRA). PLCs do not provide cyber protection themselves; that task must be assigned to the system designers.
To address this gap, work through the following questions:
a) Are Industrial Control Systems (ICS) exposed to unsecured access from a public Internet network? If the control network is exposed, this severe problem at the system design level requires immediate attention to harden that access.
b) Did the organization or the assigned maintenance company change the default password for parts of the control system? If not, a strong password must be assigned for each operational area of the system.
c) Are the PLCs locked to prevent changes through the communication network? If the access to PLCs is open, there is a serious operational problem, and the organization must correct the maintenance procedures immediately.
d) Does the organization allow remote access to the ICS without appropriate protection measures? If such access is allowed, the organization must modify the practices, minimize these actions, and consider installing secure remote access solutions.
e) Is there a preparation for instant transition from automatic to manual operation when there is suspicion of an incident? Without such a solution, the organization must change the architecture and allow it to turn off automated operations.
f) Did the organization conduct a risk survey in the past year to identify security vulnerabilities? If not, the organization must run that through an external party. The survey should also include an examination of physical and electronic protection measures.
g) Have the organization's employees undergone training in the past year regarding identification and response to cyber events? If not, such training is required immediately for all employees involved in the operational and maintenance process.
h) Does the organization have critical spare parts and reliable copies of Golden Image software for all system components? If not, the organization must address that issue according to its means or through a maintenance service provider.
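As an added example (not part of the original article), the following Python script turns checklist items a) to d) into a repeatable check that a utility or its maintenance contractor could run against its own records: it audits a PLC inventory for default passwords, missing write-locks and remote access that bypasses a secured gateway, and scans a perimeter flow log for allowed sessions that reach a PLC from outside the internal address space. The inventory, the flow-log lines and the field names are constructed for illustration and are not from the page; documentation address ranges (203.0.113.0/24, 198.51.100.0/24) stand in for public Internet sources.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Plc:
    """One PLC record from a (hypothetical) OT asset inventory."""
    name: str
    ip: str
    default_password: bool    # b) vendor default credentials still in place
    write_locked: bool        # c) program/config changes over the network blocked
    remote_via_gateway: bool  # d) remote access only through a secured gateway (VPN/MFA)


# Constructed inventory; these are not real assets.
INVENTORY = [
    Plc("pump-station-1", "192.168.10.5", default_password=True, write_locked=False, remote_via_gateway=False),
    Plc("chlorinator-2", "192.168.10.6", default_password=False, write_locked=True, remote_via_gateway=True),
]

# Constructed perimeter flow log: "<timestamp> <src> -> <dst>:<port> <action>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as
# stand-ins for public Internet addresses.
FLOW_LOG = """\
2023-11-25T10:01:02Z 203.0.113.45 -> 192.168.10.5:502 ALLOW
2023-11-25T10:01:05Z 192.168.20.8 -> 192.168.10.5:502 ALLOW
2023-11-25T10:02:10Z 198.51.100.7 -> 192.168.10.6:502 DENY
2023-11-25T10:03:00Z 10.0.0.3 -> 192.168.10.6:502 ALLOW
"""

# Address space treated as internal to the plant network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_inventory(inventory):
    """Checklist items b) to d), evaluated per PLC record."""
    findings = []
    for plc in inventory:
        if plc.default_password:
            findings.append({"item": "b", "asset": plc.name, "detail": "default password in use"})
        if not plc.write_locked:
            findings.append({"item": "c", "asset": plc.name, "detail": "network writes not locked"})
        if not plc.remote_via_gateway:
            findings.append({"item": "d", "asset": plc.name, "detail": "remote access bypasses secured gateway"})
    return findings


def parse_flow_line(line: str) -> dict:
    """Split one constructed flow-log line into its fields."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def scan_flow_log(log: str, inventory):
    """Checklist item a): allowed sessions reaching a PLC from a non-internal source."""
    plc_by_ip = {p.ip: p for p in inventory}
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        plc = plc_by_ip.get(flow["dst"])
        if plc and flow["action"] == "ALLOW" and not is_internal(flow["src"]):
            findings.append({"item": "a", "asset": plc.name,
                             "detail": f"{flow['src']} reached port {flow['port']} at {flow['ts']}"})
    return findings


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY) + scan_flow_log(FLOW_LOG, INVENTORY):
        print(f"[{f['item']}] {f['asset']}: {f['detail']}")
```

On the constructed data the script reports four findings, all against pump-station-1: a default password, an unlocked controller, remote access outside the gateway, and one allowed session from a non-internal address. A DENY entry from a public source is deliberately not reported, since a blocked probe is the perimeter working as intended; a real deployment would feed the inventory from the organization's asset register and the flows from its firewall or NetFlow export.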
Summary
Water, electricity, and energy systems are controlled through an ICS, which often uses wireless networks. In most organizations, these systems are not protected as needed, allowing attackers to infiltrate the control network and cause damage. As we know, cyber protection of OT systems is carried out through several pathways working in parallel, as illustrated in the defense-in-depth chart that accompanied the original post.
The role of management is to keep these issues in mind and allocate the necessary resources for cyber security.
Moderator of Cyber Security and Real Time Systems & Global Digital Identity Groups
1 year
The CISA alert highlighted a few vulnerabilities; best to read that. PLCs and SCADA systems are not designed to be secure. As such, none of these systems should be connected to WiFi or the Internet directly without protection from properly configured and managed firewalls. Other controls mentioned by Daniel were also absent.
Principal Security Author | Pluralsight | Security Researcher
1 year
"In most organizations, these systems are not protected as needed, allowing attackers to infiltrate the control network and cause damage." That's quite a big claim, Daniel Ehrenreich. I've seen good and bad, but not enough to claim that most are not adequately protected. I'd appreciate any references to research you're aware of. I agree with much of what you say, but is it really true that attackers could cause damage to 'most' ICS given that, as per the defence in depth model you show, there are several layers of protection beyond control? Indeed, with Aliquippa, the first level of protection kicked in (operator intervention) and there was no disruption to supply. I'm not saying that cyber security controls weren't needed at Aliquippa; they most certainly were (a firewall, VPN and MFA would be sufficient), but the story should be seen in context to avoid generating FUD.
Senior Cybersecurity Analyst | Security Compliance
1 year
Yeah, I've seen some people being pretty harsh on PLCs lately... I don't think they know much about how network security and segmentation really work. It's about the security fundamentals, people. If it's flapping in the wind on the world wide web, it's gonna get popped.
GICSP | Industrial automation professional with niche expertise in OT cybersecurity, telecommunications, and holistic systems engineering.
1 year
I love the chart.
CEO at iOT365, the first AI-driven SaaS platform in Operational Technology security. Our distributed, passive IDS and OT SOC platform is designed to safeguard critical infrastructure from emerging cyber threats.
1 year
The Prevention section is missing real-time threat detection and SIEM visualization. Welcome to the real ICS world.