ICS Connected to the Internet
Craig Reeds, CISSP, CRISC
Senior Controls Surveillance & Compliance Analyst - Posts do not reflect the views of my employer.
I have been fighting this battle since 2014 and cannot believe that it is still going on. There is no reason for Industrial Control Systems (ICS) to be connected to the Internet. Rockwell recently stated this again in their SD1672 Notice (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1672.html). For those of you new to this, or who need a refresher, let's look at the problem and possible solutions.
Let's say you own a company that manufactures widgets. You have your IT network that gives your employees access to email, Zoom or Teams, shared printers and the internet. Then you have your OT network that contains all of the equipment needed to actually manufacture the widgets. The IT network has all of the newest Windows 11 desktops and laptops, and they get software and firmware updates whenever they are available. Your OT network, on the other hand, is very different. The manufacturing facility was built over 20 years ago, when Windows XP was the state of the art. Now, here is the problem. If you update the Windows XP computers on the line to Windows 11, they will cease to talk to the equipment they are connected to. So, you end up having to replace most of the production line. This is not always an optimal solution. So, you continue to run your out-of-support systems so that production runs smoothly.
One day your production manager says, "Man, I wish I could work remotely and run the production from home!" or the Plant Engineer says, "I don't want to walk all the way over to the plant to load this PLC update." Or you purchase the newest IoT device and add it to your production network, but it needs to be able to communicate with its mothership. So, the firewall that separates the IT network from the OT network gets a new rule that allows bi-directional communications between the two networks. Suddenly, your once "air-gapped" production OT network is reachable from the Internet. All those outdated systems with their vulnerabilities become prey for every Bad Actor on the Internet. Some Hacker finds your equipment via Shodan.io and launches an attack, and the next thing you know, production grinds to a halt.
Stated this way, it is easy for you to see what the problem is, and what the solution should be. Don't allow bi-directional communications between the IT and OT networks. You also may be saying, "My people would never do something like that!" When was the last time you had someone review the Access Control List (ACL) in your firewalls? When was the last time you ran a vulnerability scan on both your IT and OT networks? Remember that in most cases, the IT people don't know how to scan the OT assets. The tools used on an IT network can wreak havoc on an OT network. So planning, care and knowledge need to be applied to the situation. You want the person scanning your OT network to have experience with these sorts of networks.
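As an added illustration of the ACL review described above (example code written for this page, not the author's or any vendor's tooling), the script below walks a constructed firewall rule list and flags every allow rule that lets traffic originate outside the OT zone and reach OT, or lets an OT host reach the Internet. The zone prefixes, rule format and sample rules are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions for the example (assumed, not from the post).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # corporate network
    "OT": ipaddress.ip_network("10.20.0.0/16"),   # production network
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str      # CIDR prefix, or "any"
    dst: str      # CIDR prefix, or "any"
    action: str   # "allow" or "deny"


def _net(cidr):
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def audit_ot_exposure(rules):
    """Return (rule name, reason) for each allow rule that exposes OT.
    Rules are checked independently; first-match shadowing by an earlier
    deny is deliberately not modelled, so review every finding by hand."""
    it, ot = ZONES["IT"], ZONES["OT"]
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        # Anything that can start a connection into OT from IT or "any".
        if dst.overlaps(ot) and not src.subnet_of(ot):
            findings.append((r.name, "inbound to OT from outside OT"))
        # An OT source whose destination is wider than the two internal zones
        # (e.g. 0.0.0.0/0) can talk to the Internet, not just to IT.
        if src.overlaps(ot) and not (dst.subnet_of(it) or dst.subnet_of(ot)):
            findings.append((r.name, "OT may reach the Internet"))
    return findings


# Constructed sample ruleset mirroring the scenarios in the post.
SAMPLE_RULES = [
    Rule("historian-pull", "10.20.5.0/24", "10.10.7.10/32", "allow"),   # one-way OT -> IT host
    Rule("remote-engineering", "10.10.0.0/16", "10.20.0.0/16", "allow"),  # IT into OT
    Rule("vendor-remote-support", "any", "10.20.3.0/24", "allow"),      # anyone into OT
    Rule("iot-phone-home", "10.20.9.15/32", "any", "allow"),            # OT device to its mothership
    Rule("deny-all", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_ot_exposure(SAMPLE_RULES):
        print(f"{name}: {reason}")
```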
If you would like to discuss Cybersecurity as it relates to ICS, please contact me. I am more than happy to answer any of your questions and to even discuss helping you to test and secure your OT network.
Craig Reeds, CISSP, CRISC
J29:11 Cybersecurity Services
(636) 459-9331