Securing Industrial Control Systems: The what, why and how
Industrial control systems (ICS) are the backbone of some of the world’s most critical industries like healthcare, chemicals, power, communications, food and agriculture, transportation, and waste and water systems. (Some 16 sectors in the U.S. are designated as critical infrastructure.) Historically, these environments were not designed to be internet-facing. But with rising demand for better connectivity, faster maintenance, and greater insight into utilisation and performance, an organic convergence of information technologies and operations technologies (OT) is happening—giving birth to ICS environments that are internet-enabled, cloud-managed and increasingly vulnerable to cyber attack. Between 2013 and 2020, cyber attacks on critical infrastructure grew by 3,900%. In 2021 alone, 80% of OT/ICS organisations reportedly experienced ransomware attacks.
Why is ICS security needed?
Security incidents in the ICS environment can inflict significant operational, reputational and financial damage. Norwegian aluminium producer Norsk Hydro spent nearly $75 million as a result of a cyber attack. Data breaches can expose sensitive OT information like network and engineering diagrams, images of operator panels, and information on third-party services, employees, processes and ongoing projects. Disruption poses risks to critical public services, opening operators up to significant fines and censure. Prolonged disruptions can lead to a credit risk for the business and even threaten its operational viability. Cyber risk can even translate into physical risk. A hacker group named Predatory Sparrow claimed responsibility for an attack that caused a fire at an Iranian steel factory. By 2025, Gartner predicts that threat actors will weaponise OT or ICS infrastructure to successfully harm or kill humans.
Why are ICS systems vulnerable to cyber attacks?
Most OT or ICS systems were built decades ago without regard for cyber security. Per Microsoft, 71% of ICS devices have outdated operating systems, 64% have unencrypted passwords and 66% have no automatic updates. Since ICS systems operate round the clock, they cannot risk applying untested patches, which is why most ICS systems are left unpatched even when 65% of vulnerabilities have a patch available. In fact, roughly a third of OT organisations admit to shutting down security systems because current security tools lack compatibility with their automation systems.
How organisations can assess threats to ICS
Assessing threats is a crucial step to building an effective plan for deciding what controls and policies are appropriate to protect an ICS environment. Here are some best practices that can help:
Know what assets and devices make up the environment
A first step in understanding the threats to a converged IT/ICS environment starts with a sound knowledge of what devices and systems make up the environment. Even though it may seem overwhelming, complex and time-consuming, without an up-to-date, accurate asset inventory, it would be too difficult to assess how a threat event may proliferate and the damage it could cause.
Catalogue and prioritise threats based on profiles
By cataloging and prioritising threats, security and ICS teams will understand the range of dangers the converged environment may face. Common threat scenarios include cyber attacks (external or malicious insiders), security misconfigurations (firewall rules that are too restrictive, access management rule changes, anti-malware sensitivity that is too great), software misconfiguration, and supply chain compromise (supplier is hacked or breached by malware).
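The two steps above (an accurate asset inventory, then a catalogue of threats ranked against it) are easier to reason about with a concrete artefact. The following is an added example, not code from the original article: a small Python model in which each ICS asset records the weaknesses the article cites (unsupported OS, no automatic updates, unencrypted credentials, internet reachability), each catalogued threat lists which of those weaknesses raise its likelihood, and a simple likelihood-times-criticality score produces a prioritised (asset, threat) list. All device records, threat entries, base likelihoods and weights are constructed for illustration and are not figures from the article.

```python
"""Asset inventory + threat catalogue for a converged IT/ICS environment.

Added example (not from the original article). Every asset, threat and
scoring weight below is a constructed, hypothetical value.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                 # e.g. "control", "dmz", "enterprise"
    os_supported: bool        # vendor still ships patches for the OS
    auto_updates: bool        # device receives automatic updates
    plaintext_creds: bool     # credentials stored or sent unencrypted
    internet_reachable: bool  # reachable from the internet (directly or via NAT)
    criticality: int          # 1 (low) .. 5 (safety / production critical)


@dataclass(frozen=True)
class Threat:
    name: str
    category: str
    base_likelihood: int          # 1..5 before considering asset weaknesses
    amplifiers: Tuple[str, ...]   # weakness keys that raise likelihood by 1 each


# Weakness predicates, keyed by name; each maps an Asset to True if present.
WEAKNESSES: Dict[str, Callable[[Asset], bool]] = {
    "unsupported_os": lambda a: not a.os_supported,
    "no_auto_updates": lambda a: not a.auto_updates,
    "plaintext_creds": lambda a: a.plaintext_creds,
    "internet_reachable": lambda a: a.internet_reachable,
}

# Constructed threat catalogue following the article's scenario categories.
THREATS: Tuple[Threat, ...] = (
    Threat("External cyber attack", "cyber attack", 3,
           ("internet_reachable", "plaintext_creds", "unsupported_os")),
    Threat("Malicious insider", "cyber attack", 2, ("plaintext_creds",)),
    Threat("Over-restrictive firewall rule change", "security misconfiguration", 2, ()),
    Threat("Anti-malware sensitivity too high", "security misconfiguration", 2, ()),
    Threat("Software misconfiguration", "software misconfiguration", 2, ("unsupported_os",)),
    Threat("Compromised supplier", "supply chain", 2, ("internet_reachable",)),
)

# Constructed inventory; names and attributes are hypothetical.
SAMPLE_ASSETS: Tuple[Asset, ...] = (
    Asset("PLC-01", "control", False, False, True, False, 5),
    Asset("HMI-02", "control", False, False, True, True, 4),
    Asset("HIST-03", "dmz", True, True, False, True, 3),
    Asset("ENG-WS-04", "enterprise", True, False, False, False, 4),
)


def weaknesses_of(asset: Asset) -> List[str]:
    """Return the weakness keys present on this asset, in catalogue order."""
    return [key for key, present in WEAKNESSES.items() if present(asset)]


def likelihood(threat: Threat, asset: Asset) -> int:
    """Base likelihood plus one per matching weakness, capped at 5."""
    present = set(weaknesses_of(asset))
    bonus = sum(1 for key in threat.amplifiers if key in present)
    return min(5, threat.base_likelihood + bonus)


def risk_score(threat: Threat, asset: Asset) -> int:
    """Classic 5x5 matrix: likelihood multiplied by asset criticality (max 25)."""
    return likelihood(threat, asset) * asset.criticality


def prioritise(assets, threats) -> List[Tuple[int, str, str, str]]:
    """Score every (asset, threat) pair and sort highest risk first."""
    rows = [(risk_score(t, a), a.name, t.name, t.category)
            for a in assets for t in threats]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def inventory_summary(assets) -> Dict[str, float]:
    """Percentage of assets exhibiting each weakness (like the survey figures cited)."""
    total = len(assets)
    return {key: round(100.0 * sum(1 for a in assets if present(a)) / total, 1)
            for key, present in WEAKNESSES.items()}


if __name__ == "__main__":
    for pct_key, pct in inventory_summary(SAMPLE_ASSETS).items():
        print(f"{pct_key:<20} {pct:5.1f}% of assets")
    print()
    for score, asset_name, threat_name, category in prioritise(SAMPLE_ASSETS, THREATS)[:6]:
        print(f"{score:>3}  {asset_name:<10} {threat_name} ({category})")
```

Running the script prints the weakness percentages across the inventory and the six highest-risk (asset, threat) pairs; in the constructed data, the unpatchable, plaintext-credential PLC under an external attack scores highest. The scoring is deliberately simple so that ICS engineers and IT security staff can argue about the weights together, which is the shared-knowledge exercise the next section describes.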
Use collective knowledge of both IT and ICS teams
Identifying and assessing threats requires the combined effort of both IT and ICS teams. The IT security team can benefit from ICS engineering experience in designing, building and maintaining such an environment, while ICS engineers can benefit greatly from the expertise of the security team when building threat profiles. When everyone shares expertise and garners relevant insights about potential impacts, they can create an enriched understanding of which assets need to be protected. Information gathered as part of the collective process can also help secure stakeholder buy-in and additional funding that may be required to mitigate the identified risks.
Articulate threats in language the business understands
To help senior stakeholders understand the critical nature of various threats, it is advisable to perform a cyber security exercise to visualise those threats in the real world. This could be a tabletop exercise that re-creates a ransomware scenario.
I also recommend articulating goals using business metrics—such as recovery time objective (how quickly the organisation needs to get the ICS environment back to its full working state) and maximum acceptable outage (the maximum allowable time that ICS services can be unavailable). Such metrics can help senior stakeholders understand the gravity of the situation and decide whether they should commit time and resources to the mitigation plan or accept the risks of inaction.
As more ICS systems become interconnected, the volume and severity of cyber attacks will likely only intensify. One of the most critical components of cyber security planning is the understanding and articulation of threats. Only after security teams gain better visibility on potential attack surfaces, the controls that exist (or don’t) and the evolving threat landscape will they be able to design a strategy that will mitigate the risks associated with an ICS environment.