A few decades ago, most industrial components, such as the machines and engineering equipment used in manufacturing, in the operation of power and water plants, in petroleum refineries, and in other critical infrastructure, were not computerized, and those that were could not carry out complex tasks without human intervention. As technology evolved, this field improved considerably, and industrial control systems (ICS) entered the picture.
ICS, or industrial control systems, can be described as the integration of hardware and software with network connectivity to support critical infrastructure. ICS technologies include supervisory control and data acquisition (SCADA), industrial automation and control systems (IACS), distributed control systems (DCS), remote terminal units (RTUs), programmable automation controllers (PACs), programmable logic controllers (PLCs), intelligent electronic devices (IEDs), control servers, and sensors.
The integration of ICS has positively affected many industries with increased speed, better responsiveness to conditions, automation of certain critical functions, and improved reliability. But, as we know, every coin has two sides, and there were significant security drawbacks. Now IoT adds an even greater possibility of exploitation by external and internal threats. Hundreds of reports describe a tremendous increase in the number of cyber-attacks on ICS since the pandemic.
The most disruptive cyber-attack on ICS happened on May 6th of this year, when the Colonial Pipeline Company, a US fuel transport company that supplies almost half of the East Coast's fuel, was shut down for several days, causing prices to rise at gasoline pumps across the country. The company had been hit by ransomware. Pipeline officials were forced to pay the hackers, an affiliate of the notorious Russian-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers were also able to steal over 100 GB of data from the company and threatened to leak it on the internet if the ransom was not paid. After a thorough examination, forensic teams reported that the hackers accessed the systems via a stolen password. The password was already available on the dark web because of a breach of a third-party application, and the user had reused the same password at Colonial Pipeline Company. Having understood what ICS is and the pattern of attacks against it, let's now look at the common ICS vulnerabilities.
Common ICS Vulnerabilities
One of the most significant differences between securing ICS and securing a typical computer system is that ICS components do not use standard information technology (IT) hardware or software. Custom ICS software and hardware are not scrutinized the way traditional computer products are, and replacement rates are typically much lower.
Another difference is the prioritization of security objectives. When applying security measures to ICS components, it is crucial to consider functional requirements. Unlike typical IT systems, ICS security objectives are typically prioritized as follows:
When implementing security features in ICS, a violation of operational requirements can cause more damage than a cyber attack. To understand ICS vulnerabilities, let's divide them into three segments:
1. Increase Security for the Industrial Network: Industrial organizations that want to implement security measures should first ensure a good network design with well-secured boundaries. Then the ISA/IEC 62443 standard should be applied to the enterprise's networks, all wireless applications secured, and secure remote access solutions deployed to support fast troubleshooting and problem-solving. Companies should also monitor their networks, including their industrial network infrastructure equipment.
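As an added example (not code from the original article), the Python script below models the zone-and-conduit idea that underlies ISA/IEC 62443 and audits a list of proposed network flows against it, the way a reviewer of a firewall change request might. The zone names, the conduit table, the port numbers and the sample flows are all constructed assumptions; a real policy would come from the site's own risk assessment.

```python
"""Audit proposed network flows against a constructed zone-and-conduit policy.

Added example modelled loosely on the ISA/IEC 62443 zone/conduit concept.
Zone names, the conduit table, port numbers and the sample flows below are
constructed assumptions, not a real site's policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed zone ordering: lower number = closer to the physical process.
# Traffic may only cross one boundary at a time, so anything coming from the
# enterprise side has to pass through the industrial DMZ (idmz) first.
ZONES: Dict[str, int] = {"field": 0, "control": 1, "idmz": 2, "enterprise": 3, "internet": 4}

# Assumed conduits: (source zone, destination zone) -> permitted TCP ports.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("enterprise", "idmz"): {443, 3389},  # historian mirror, jump host
    ("idmz", "control"): {3389, 502},     # jump host into the control zone
    ("control", "idmz"): {1433},          # historian push
    ("control", "field"): {502, 44818},   # Modbus/TCP, EtherNet/IP
    ("field", "control"): {502, 44818},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    description: str = ""


def check_flow(flow: Flow) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one flow."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return "deny: unknown zone"
    if flow.src_zone == flow.dst_zone:
        return "allow"  # intra-zone traffic is not governed by conduits
    if abs(ZONES[flow.src_zone] - ZONES[flow.dst_zone]) > 1:
        return "deny: skips a zone boundary (must traverse the iDMZ)"
    permitted = CONDUITS.get((flow.src_zone, flow.dst_zone))
    if permitted is None:
        return "deny: no conduit defined for this direction"
    if flow.dst_port not in permitted:
        return f"deny: port {flow.dst_port} not permitted on this conduit"
    return "allow"


def audit(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Evaluate every flow and pair its description with the verdict."""
    return [(f.description, check_flow(f)) for f in flows]


# Constructed sample of flows a firewall change request might contain.
SAMPLE_FLOWS = [
    Flow("idmz", "control", 3389, "jump host RDP into control zone"),
    Flow("enterprise", "control", 502, "ERP server polling a PLC directly"),
    Flow("enterprise", "idmz", 22, "SSH from office LAN to the historian mirror"),
    Flow("internet", "enterprise", 443, "vendor portal"),
    Flow("control", "field", 44818, "controller to drive over EtherNet/IP"),
]

if __name__ == "__main__":
    for desc, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:55} {desc}")
```

Running the script denies the direct enterprise-to-PLC poll (it skips the iDMZ), the SSH flow (port not on the conduit) and the internet flow (no conduit at all), while the jump-host and controller-to-drive flows pass. The same structure can be loaded from a real firewall export instead of the constructed sample.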
2. Increase Security for Controllers: Every industrial environment has its share of physical systems: mechanical devices such as valves, calibration devices and actuators, and a series of temperature and pressure sensors that interact with the physical world. Controlling them are specialized computers called controllers, which bridge the physical process and the programming or instructions received from a network. Unfortunately, malicious actors have in the past gained access to those devices in many cases, causing these systems to malfunction for the sole purpose of causing physical destruction or disrupting an organization. Organizations can protect industrial controllers against digital attacks by improving their detection capabilities and visibility into ICS changes and threats, implementing security measures for vulnerable controllers, monitoring for suspicious access and control changes, and detecting and containing threats promptly.
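To make "monitoring for suspicious access and control changes" concrete, here is an added example (not from the original article) that runs three simple detection rules over constructed controller access logs: repeated failed logins from one source, a control-altering operation from a host that is not an approved engineering workstation, and a control-altering operation outside the maintenance window. The log format, the allowlist, the window and the threshold are all assumptions chosen for illustration.

```python
"""Flag suspicious access and control changes in constructed PLC access logs.

Added example, not code from the original article. The log format, the
allowlist of engineering workstations, the maintenance window and the
failed-login threshold are assumptions chosen for illustration.
"""
import re
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed log format (one line per controller event):
#   <iso8601 ts> plc=<name> src=<ip> user=<name> op=<operation> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) plc=(?P<plc>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) result=(?P<result>\S+)$"
)

ENGINEERING_WORKSTATIONS = {"10.0.5.23"}   # constructed allowlist
CONTROL_CHANGE_OPS = {"program_download", "setpoint_write", "mode_change", "firmware_update"}
MAINTENANCE_HOURS = range(8, 18)            # 08:00-17:59 UTC, assumed window
FAILED_LOGIN_THRESHOLD = 3

Alert = Tuple[str, str]  # (rule name, detail)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines: List[str]) -> List[Alert]:
    """Apply the three rules in order and return every alert raised."""
    alerts: List[Alert] = []
    failed_logins: Counter = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparseable_line", line.strip()))
            continue
        src, op, plc, ts = ev["src"], ev["op"], ev["plc"], ev["ts"]
        # Rule 1: repeated failed logins from a single source (fires once, at the threshold).
        if op == "login" and ev["result"] == "fail":
            failed_logins[src] += 1
            if failed_logins[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failure", f"{src} failed {FAILED_LOGIN_THRESHOLD} logins"))
        # Rules 2 and 3 apply only to operations that alter control logic or process values.
        if op in CONTROL_CHANGE_OPS:
            if src not in ENGINEERING_WORKSTATIONS:
                alerts.append(("control_change_from_unapproved_host", f"{src} {op} on {plc}"))
            if ts.hour not in MAINTENANCE_HOURS:
                alerts.append(("control_change_outside_window", f"{ts.isoformat()} {op} on {plc}"))
    return alerts


# Constructed sample: a normal maintenance session, then a suspicious night-time download.
SAMPLE_LOG = [
    "2021-06-01T10:02:11Z plc=PLC-07 src=10.0.5.23 user=eng01 op=program_download result=ok",
    "2021-06-01T10:05:40Z plc=PLC-07 src=10.0.5.23 user=eng01 op=setpoint_write result=ok",
    "2021-06-01T22:38:02Z plc=PLC-03 src=10.0.9.14 user=admin op=login result=fail",
    "2021-06-01T22:38:09Z plc=PLC-03 src=10.0.9.14 user=admin op=login result=fail",
    "2021-06-01T22:38:15Z plc=PLC-03 src=10.0.9.14 user=admin op=login result=fail",
    "2021-06-01T22:39:01Z plc=PLC-03 src=10.0.9.14 user=svc_hist op=login result=ok",
    "2021-06-01T22:41:03Z plc=PLC-03 src=10.0.9.14 user=svc_hist op=program_download result=ok",
    "2021-06-01T22:45:30Z plc=PLC-03 src=10.0.10.20 user=operator op=read result=ok",
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

The daytime session from the approved workstation raises nothing; the night-time sequence raises three alerts (the login burst, a download from an unapproved host, and a download outside the window). In practice the allowlist and the window would be read from the site's change-management records rather than hard-coded.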
3. Increase Security of End-Points: A security team may feel confident that the organization is protected against digital attacks by perimeter firewalls, proprietary software, specialized protocols, and air gaps. But all of this can be breached when employees bring their own devices into the perimeter network. It is therefore crucial to ensure all End-Points are secure and to prohibit staff from connecting their own devices to the network. A key starting point for improving security is to invest in asset discovery, the process of building an inventory of the End-Points on the network. Next, controls and automation must be defined to ensure that protection is in place. Finally, the organization must ensure secure configurations and continuous monitoring for unauthorized changes at each End-Point.
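The two End-Point measures named above, an asset inventory and continuous monitoring for unauthorized configuration changes, can be implemented together. The following is an added example (not code from the original article): it reconciles devices observed on the network against an approved inventory, reporting unknown, missing and relocated End-Points, and it fingerprints each device's configuration so that a later export can be compared with the approved baseline. The inventory, the observed devices and the configuration texts are constructed; a real deployment would feed them from passive discovery and from configuration backups.

```python
"""Asset inventory reconciliation and configuration-drift detection for End-Points.

Added example, not code from the original article. The approved asset list,
the observed devices and the configuration texts are constructed; a real
deployment would feed these from passive network discovery and from
configuration backups of each device.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed inventory of approved End-Points: MAC address -> (role, expected IP).
APPROVED_ASSETS: Dict[str, Tuple[str, str]] = {
    "00:1d:9c:aa:00:01": ("PLC", "10.0.10.11"),
    "00:1d:9c:aa:00:02": ("HMI", "10.0.10.20"),
    "00:50:56:bb:00:03": ("engineering-workstation", "10.0.5.23"),
}


def reconcile(observed: Iterable[Tuple[str, str]],
              approved: Dict[str, Tuple[str, str]] = APPROVED_ASSETS) -> Dict[str, List[str]]:
    """Compare (mac, ip) pairs seen on the wire with the approved inventory.

    unknown: seen but not in the inventory (e.g. a personal device plugged in)
    missing: in the inventory but not seen (offline, or replaced)
    moved:   approved device answering from an unexpected address
    """
    seen = {mac.lower(): ip for mac, ip in observed}
    return {
        "unknown": sorted(mac for mac in seen if mac not in approved),
        "missing": sorted(mac for mac in approved if mac not in seen),
        "moved": sorted(mac for mac, (_, exp_ip) in approved.items()
                        if mac in seen and seen[mac] != exp_ip),
    }


def fingerprint(config_text: str) -> str:
    """SHA-256 of a config after normalising line endings and trailing blanks,
    so a re-export with CRLF endings is not reported as a change."""
    canonical = "\n".join(line.rstrip() for line in config_text.replace("\r\n", "\n").splitlines())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_baseline(configs: Dict[str, str]) -> Dict[str, str]:
    """Record the approved fingerprint of every asset's configuration."""
    return {asset: fingerprint(text) for asset, text in configs.items()}


def config_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (asset, reason) for every asset whose config no longer matches the baseline."""
    drifted: List[Tuple[str, str]] = []
    for asset, text in current.items():
        expected = baseline.get(asset)
        if expected is None:
            drifted.append((asset, "no baseline recorded"))
        elif fingerprint(text) != expected:
            drifted.append((asset, "configuration changed"))
    return drifted


# Constructed observations from one discovery sweep.
OBSERVED = [
    ("00:1d:9c:aa:00:01", "10.0.10.11"),
    ("00:1d:9c:aa:00:02", "10.0.10.20"),
    ("3c:52:82:cc:00:99", "10.0.10.77"),   # not in the inventory
]

# Constructed configuration snapshots: baseline at commissioning, then a later export.
BASELINE_CONFIGS = {"PLC-07": "ip 10.0.10.11\nmode run\nremote_program off\n"}
CURRENT_CONFIGS = {
    "PLC-07": "ip 10.0.10.11\r\nmode run\r\nremote_program on\r\n",  # flag flipped
    "HMI-02": "autologin operator\n",                                  # never baselined
}

if __name__ == "__main__":
    print(reconcile(OBSERVED))
    print(config_drift(build_baseline(BASELINE_CONFIGS), CURRENT_CONFIGS))
```

On the constructed data the sweep reports one unknown device and one approved device not seen, and the drift check flags the PLC whose remote-programming flag changed plus an HMI that was never baselined, while the CRLF re-export alone would not trigger an alert.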
4. Increase Awareness among Employees: You can have every security measure implemented in your organization, but if the employees are unaware of security practices, the organization is still on the verge of exploitation. Therefore, the organization's employees should receive regular security awareness training so that they do not fall prey to phishing or similar attacks that can compromise the organization's security.
5. Update and Replace End-of-Life Software/Hardware: Software should always be kept on a maintenance schedule with the latest versions and patches. Software may have bugs at the time of deployment, and the vendor will have released fixes for them in updated versions, so software must always be updated to its latest version. Furthermore, as hardware is required for the smooth functioning of industrial components, we should always try to keep the newest hardware for improved efficiency and security.