Industrial Control Systems and Cybersecurity
Craig Reeds, CISSP, CRISC
Senior Controls Surveillance & Compliance Analyst - Posts do not reflect the views of my employer.
Let’s start with some definitions, to make sure we are all on the same page. An Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) system is an industrial computer system that monitors and controls a process. This can be anything from flood control pumps and the electric utilities’ power generation and distribution system to building cars and making candy bars. A Programmable Logic Controller (PLC) is an industrial digital computer that has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines or robotic devices, or any activity that requires high-reliability control, ease of programming and process fault diagnosis. A Human Machine Interface (HMI) is a device or software that allows its user to communicate with machinery and production plants. A Historian is a centralized database located on the control system LAN that supports data archival and data analysis using statistical process control techniques. Another pair of terms I will be using is IT and OT: IT is your normal office Information Technology, whereas OT is Operational Technology, the sort of technology used in manufacturing or industrial environments.
Industrial control systems have been around in one form or another since we started manufacturing things, centuries ago. In their current incarnation, they are electronic, computerized systems. It is important to note that ICS assets have a life cycle of at least 20 years, as much as 30 years, and possibly more. With the advent of the Internet and, more recently, the Industrial Internet of Things (IIoT), Industrial Control Systems are being pushed into being connected to the Internet. This is a step that can only cause problems.
Connecting Industrial Control Systems to the Corporate network and/or the Internet has opened the floodgates to serious cybersecurity risks, threatening to cause billions of dollars in damage and possible death to people and livestock. Even though we are faced with this danger, cybersecurity spending by critical infrastructure companies and manufacturing companies is lagging.
These videos should help non-ICS people understand the impact on ICS when human error, disgruntled employees or nation states take nefarious actions against ICS.
Maroochy Shire Council Water Breach – Queensland, Australia, Feb – Apr 2000
- Target: ICS with radio-controlled sewage equipment
- Culprit: internal disgruntled ex-contractor
- Method: took remote control and disabled alarms at pumping stations
- Access: with old passwords
- Video describing the event:
https://www.youtube.com/watch?v=C_PRhTXp6VQ
Russian cyberattack targets Ukrainian power grid 2015 & 2017
- Target: Direct Attack
- Petya & WannaCry
- Unpatched Windows OS
- Encrypting data demanding payment
- Videos:
https://www.youtube.com/watch?v=6cwK9PZC23Y
https://www.youtube.com/watch?v=3is-AzwPoC8
The Perfect Storm – regarding ICS
1.) Inherently Insecure
2.) Increasingly interconnected
3.) Limited to NO visibility
The first computer virus was created in 1981. Then, in March 2007, Idaho National Laboratory conducted an experiment in which physical damage was caused to a diesel generator through the exploitation of a security flaw in its control system, by disabling the sync check element in the protective relay. Building on this, in 2010 the Stuxnet virus was released, and viruses that were once confined to damaging computers could now affect the physical world. Stuxnet was a very sophisticated, specifically targeted ICS attack. It was benign on mainstream computers and only woke up when it found itself on a specific ICS network with certain Siemens PLCs (6ES7-315-2 & 6ES7-417). Once activated, it performed specific actions to fool operators into a false impression of the process. It told the operators that everything was running properly while it destroyed equipment. Stuxnet demonstrated how completely a virus could gain control of a PLC.
Now we are faced with viruses and hacking attacks that are intent on disrupting the physical world. Over the past years, we have allowed internet-borne cyberthreats to find their way into Industrial Control Systems and cause lots of problems and dangers for the people that work with and around them. A well-placed cyberattack can cause human casualties, billions in infrastructure damage and even bring certain operations of our critical infrastructure to a screeching halt. Cyberattacks such as LockerGoga, WannaCry, NotPetya, Triton, Sauron, CrashOverRide and many of their mutations have proved that Industrial Control Systems are not only vulnerable, but very attractive targets.
Some Statistics:
- According to the latest Threat Landscape for Industrial Automation Systems in H2 2018 data from security vendor Kaspersky:
  - Nearly 41% of all ICS endpoints were attacked
  - Trojan malware was found on 27% of ICS endpoints
  - 26% of attacks come from the Internet
- A survey commissioned by Tenable found that in industries using industrial control systems (ICS) and operational technology (OT), 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks.
- 37 percent report at least one significant disruption caused by malware and 23 percent report at least one nation-state attack. 23 percent report at least one instance of economic espionage and 21 percent reported an instance of cyber extortion, such as a ransomware attack.
So, now that I have scared you a little, let’s look at why these things are happening and what we can do to protect Industrial Control Systems.
Many companies are pushing to combine their IT and OT departments, something they call IT/OT Convergence, and it is really not a good idea, since IT and OT have differing goals.
It is important to review the organizational structure. I typically find that both IT and OT report organizationally to the CEO level. We also find that senior management believes IT owns the ICS networks and security, mainly because IT owns the support, maintenance and operational budget for network and security, basically letting OT off the hook.
IT’s primary goals are Confidentiality, Integrity and Availability, the CIA Triad. While doing this it also tries to make it possible for the users to access the network from any location that they are working from, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.
OT’s primary goals are Availability, Integrity and Confidentiality, a complete reversal of the CIA Triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. In the case of an electric utility, in order to meet the required standards, it is a closed system without the open access provided by IT systems. However, back in January, the Wall Street Journal published an article detailing how some bad actors, they said Russians, hacked into the electric grid here in the United States. They were able to do this due to a lack of security on the Jump Servers at Low Impact facilities. This vulnerability has been closed, or should have been closed, based on the changes for Low Impact entities detailed in NERC CIP-003-6 Attachment 1 which went into enforcement September 1st, 2018 and NERC CIP-003-7 that goes into effect January 1st, 2020. Something else to realize about this hack is that it started on the IT side of the house. If IT and OT at the attacked facilities had understood each other better, it could have been stopped.
The primary goal of Operational Technology cybersecurity personnel is to make the control systems as secure as possible and this means controlling how users connect and what they use to connect with. This is accomplished by having very strict firewall rules and only opening secure ports or running services if they can be justified. OT systems, such as these, were never meant to be connected to the internet and never should be if the goal is to protect them.
Regarding firewalls – Because OT owns the ICS assets (PLCs, servers, MCCs, etc.), OT typically determines the network requirements in levels 3 to 0 of the control network. Because of that arrangement, OT will add networks as it sees fit for activities such as remote access or adding machines, cells, lines, zones, etc., both internal and external (OEMs, SIs or third parties). By implementing these networks, OT can and will circumvent firewall rules and other policies.
Here is where it is imperative to get visibility (passively) into these ICS networks owned and operated by OT.
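One way to get that passive visibility is to take the firewall's own accept logs (or flow records from a SPAN port) and replay them against the list of conduits that were actually justified, so that any network OT has bolted on outside the rules shows up as traffic between zones that should never talk. The script below is an added example, not code from the article or from any vendor: it assumes a simplified Purdue-style zoning (Level 1 control, Level 2 HMI, Level 3 site, a 3.5 DMZ and Level 4 IT), hypothetical 10.x.0.0/16 ranges for those zones, an allow list of conduits I made up for the example, and a handful of constructed firewall log lines.

```python
"""Audit observed flows against a zone-to-zone allow list (added example).

Zone addressing, the conduit allow list and the log lines are all constructed
for this example; adjust ZONES and ALLOWED to the plant's real conduit drawing.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Hypothetical zone addressing. Any address outside these ranges is treated as
# untrusted ("internet"), which is the safe default for an OT network.
ZONES = {
    "L1_control": ipaddress.ip_network("10.1.0.0/16"),   # PLCs, RTUs, drives
    "L2_hmi":     ipaddress.ip_network("10.2.0.0/16"),   # HMIs, engineering workstations
    "L3_site":    ipaddress.ip_network("10.3.0.0/16"),   # site historian, site servers
    "L35_dmz":    ipaddress.ip_network("10.35.0.0/16"),  # jump servers, replicated historian
    "L4_it":      ipaddress.ip_network("10.4.0.0/16"),   # enterprise IT
}

# Justified conduits only: (source zone, destination zone, destination port).
# Anything not listed, including any path that skips the DMZ, is a violation.
ALLOWED = {
    ("L2_hmi",  "L1_control", 502),   # Modbus/TCP polling of PLCs from the HMI
    ("L2_hmi",  "L1_control", 102),   # S7comm from the engineering workstation
    ("L3_site", "L2_hmi",     4840),  # OPC UA collection into the site historian
    ("L3_site", "L35_dmz",    4840),  # push to the replicated historian in the DMZ
    ("L4_it",   "L35_dmz",    443),   # IT reads the DMZ replica over HTTPS
    ("L4_it",   "L35_dmz",    3389),  # RDP to the jump server only
    ("L35_dmz", "L2_hmi",     3389),  # jump server onward to the engineering workstation
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Matches the key=value fields a typical packet-filter log line carries.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_flow(line: str) -> Optional[Flow]:
    """Extract a Flow from one log line; None if the line carries no flow fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(2), int(m.group(3)), m.group(4).lower())


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one flow under the conduit policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "internet" in (src_zone, dst_zone):
        return False, f"{src_zone} -> {dst_zone}: no direct Internet path into or out of OT"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return True, f"{src_zone} -> {dst_zone}:{flow.dport} is a justified conduit"
    return False, f"{src_zone} -> {dst_zone}:{flow.dport}/{flow.proto} is not an approved conduit"


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Run every parsable line through the policy and collect the violations."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ok, reason = check_flow(flow)
        if not ok:
            violations.append((flow, reason))
    return violations


# Constructed sample log: every line was ACCEPTed by the firewall, which is exactly
# why an independent audit against the intended conduits is needed.
SAMPLE_LOG = [
    "Jul 12 03:14:01 fw1 kernel: ACCEPT src=10.2.0.10 dst=10.1.0.5 dport=502 proto=tcp",
    "Jul 12 03:14:02 fw1 kernel: ACCEPT src=10.4.0.20 dst=10.1.0.5 dport=502 proto=tcp",
    "Jul 12 03:14:03 fw1 kernel: ACCEPT src=203.0.113.7 dst=10.2.0.10 dport=3389 proto=tcp",
    "Jul 12 03:14:04 fw1 kernel: ACCEPT src=10.2.0.10 dst=10.1.0.5 dport=23 proto=tcp",
    "Jul 12 03:14:05 fw1 kernel: ACCEPT src=10.3.0.2 dst=10.35.0.9 dport=4840 proto=tcp",
    "Jul 12 03:14:06 fw1 kernel: ACCEPT src=10.1.0.5 dst=203.0.113.50 dport=443 proto=tcp",
    "Jul 12 03:14:07 fw1 kernel: ACCEPT src=10.1.0.5 dst=10.1.0.6 dport=502 proto=tcp",
    "Jul 12 03:14:08 fw1 kernel: eth1: link is up",
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

Of the seven flows, the audit flags four: IT talking Modbus straight to a PLC, an Internet address reaching an HMI over RDP, telnet to a PLC, and a PLC making an outbound HTTPS connection. None of these would be caught by reading the firewall's rule base alone, because the point of the passage above is that the rule base no longer describes the network OT has actually built.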
When it comes to OT, it doesn’t matter what industry you run a cyber vulnerability or penetration test scan in: you will always find some out-of-date system, like a Windows XP computer, or a PLC that is pivotal to the operation and has an unpatched security flaw. Many times, systems are running the same software they were running when they were installed. Patches have not been loaded, either because they were never tested by the vendor who supplied the equipment or because they were thought to be unneeded since the equipment isn’t connected to the Internet. Remember, some of the OT equipment is 10 to 20 years old; it was never meant to be connected to the Internet. These devices often do not have built-in security capabilities, because no one ever figured they would be connected to the Internet.
Moving away from the traditional “Air-Gapped” (No external connections) Industrial Control System to a corporate network or internet connected system is dangerous. The security procedures, protocols and protections that make sense for Corporate IT cannot be applied to systems that were never created to be connected to the outside world.
Many industries, such as the electric power industry have put Compliance programs in place to help with cybersecurity issues. Unfortunately, static compliance programs do not allow the flexibility needed for proper cybersecurity protections. The bottom line is, you can be compliant and not secure or secure and not compliant.
- Compliance is about whether you’ve met the requirement, whereas security is about whether you’ve protected the environment.
- Compliance often does not reflect a proper balance towards security practices that stop attacks, breaches, etc.
- Compliance changes too slowly to have an impact on the shifting threat landscape.
- Compliance is mandatory and will always trump security, even if security is the better practice.
- Compliance reporting isn’t representative of whether an organization is secure.
When it comes to cyber security of Industrial Control Systems, the biggest issue is the lack of Operational Technology (OT) knowledge among cyber security professionals. Almost everyone has the IT knowledge, but it cannot always be applied to an OT situation. For instance, when running an Nmap or OpenVAS scan on an Industrial Control Network, do you know what equipment could lock up if you do too deep a scan? There is a major difference between IT and OT, and it needs to be understood before any sort of scan is run.
Many Universities and Colleges have amazing cybersecurity programs that teach the students how to protect and configure all the latest and greatest equipment. Those students graduate ready to stop the evil Bad Actors from attacking corporate networks all around the world. This is a great thing, we need them there, fighting the good fight, and providing us with those protections. However, when it comes to Industrial Control Systems like those at our utilities and manufacturing plants, there is a lack of cybersecurity knowledge and support.
So how do we solve these problems?
1. You have potential OT cybersecurity gurus in your Maintenance Department. Take someone that knows the process and teach them cybersecurity.
2. Resist merging IT and OT into one department. OT is going to have to get smarter about security and start working with an ecosystem geared for ICS / OT. ICS (IoT / IIoT) will NOT be governed by IT. IT will NEVER be responsible for the machine centers responsible for production, process and plant floor operations. At the same time, budgets need to change and OT will have to start getting its fair share.
3. Forget traditional antivirus software and implement Application Whitelisting software
4. Ensure Proper Configuration/Patch Management – OT needs a tool to help assess status and stay on top in real time (IDS – for Industrial assets)
5. Reduce Your Attack Surface Area – Disconnect the production network from the office network and the Internet.
6. Build a Defendable Environment – Segment the network
7. Manage Authentication – Multi-Factor Authentication
8. Implement Secure Remote Access
9. Monitor and Respond
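Items 3 and 4 in the list above share one mechanism: a known-good baseline of what is allowed to exist on a control system host, compared against what is actually there. Application whitelisting products do this with hashes of executables; configuration management does the same with project files and settings. The script below is an added example, not the article's or any vendor's code, showing the core of that comparison with a hash manifest: it builds a manifest of a hypothetical HMI install (constructed files in a temporary directory), then detects a dropped-in binary, an edited tag configuration and a removed loader. The file names and contents are made up for the example.

```python
"""Hash-manifest baseline check, the core of allowlisting / config drift detection.

Added example with constructed files; the manifest a real deployment produces
must be stored read-only (ideally signed) so an intruder cannot rewrite it.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large vendor binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against the baseline and classify every difference.

    unlisted: present on disk but not in the baseline (unapproved software)
    modified: in the baseline but with a different hash (tampered or silently patched)
    missing:  in the baseline but gone from disk (removed or renamed)
    """
    current = build_manifest(root)
    return {
        "unlisted": sorted(k for k in current if k not in manifest),
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline for a constructed HMI install, introduce drift, and report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "config").mkdir()
        # Constructed stand-ins for a vendor HMI runtime, a PLC program loader
        # and a tag database; the bytes are arbitrary.
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"MZ constructed HMI runtime v3.1")
        (root / "bin" / "plc_loader.exe").write_bytes(b"MZ constructed PLC program loader")
        (root / "config" / "tags.xml").write_text("<tags><tag name='pump1_run'/></tags>")

        # Baseline taken at commissioning; serialised as it would be when stored.
        baseline_json = json.dumps(build_manifest(root), indent=2)

        # Drift: an unknown binary appears, the tag database is edited,
        # and the loader disappears.
        (root / "bin" / "update_helper.exe").write_bytes(b"MZ constructed unknown binary")
        (root / "config" / "tags.xml").write_text(
            "<tags><tag name='pump1_run'/><tag name='valve7_open'/></tags>"
        )
        (root / "bin" / "plc_loader.exe").unlink()

        return check_manifest(root, json.loads(baseline_json))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

Running it reports `bin/update_helper.exe` as unlisted, `config/tags.xml` as modified and `bin/plc_loader.exe` as missing. Each category maps to a different action on an OT host: an unlisted executable is blocked or quarantined, a modified configuration is reconciled against change control, and a missing file is restored from the baseline. The check is read-only, which is why it is safe on equipment that cannot tolerate a traditional antivirus engine or an active scan.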
In IT, the size of the IT organization matches, from a numbers perspective, the size and scope of the infrastructure, systems and applications it operates, manages, implements and supports. Each IT person’s only job is to support their specific core competency within IT: it is not a one-to-one ratio, but a networking professional’s job is primarily and only networking duties. On the OT side, a couple of people are literally responsible for thousands of ICS (IoT / IIoT) devices: networks, operating systems and applications, many of which are one to two decades old, inherently insecure, and have limited visibility.
For me the right answer is OT must build their technology industry and brand to deliver best in class solutions for the ICS environment. Cisco, Microsoft, HP, and others have tried to crack the code to the ICS environment, but they aren’t getting it right. This is because they are working with the wrong people. They are working with IT people and not the OT people. The problem won’t be solved until the right people are involved in finding the solution.