If we go back a few decades, most of the industrial components such as machines and engineering equipment used in manufacturing, in the operation of power and water plants, in petrol refineries, and in other critical infrastructures were not computerized at all, and those that were computerized were not capable enough to carry out complex tasks without human intervention. However, as technology evolved, this field improved considerably. Thus ICS came into the picture.
ICS, Industrial Control Systems, can be described as the integration of hardware and software with network connectivity to support critical infrastructure. ICS technologies include supervisory control and data acquisition (SCADA) and industrial automation and control systems (IACS), distributed control systems (DCS), remote terminal units (RTUs), programmable automation controllers (PACs), programmable logic controllers (PLCs), intelligent electronic devices (IEDs), control servers, and sensors.
The integration of ICSs positively impacted various industries with increased speed, better responsiveness to conditions, automation of certain critical functions, and improved reliability. But as we know, there are always two sides to a coin, and there were essential security drawbacks. With IoT now in the mix, there is a greater possibility of exploitation from external and internal threats. Hundreds of reports state a tremendous increase in the number of cyber-attacks conducted on ICSs since the pandemic. The most disruptive cyber-attack on ICS happened on May 6th of this year: the Colonial Pipeline Company, a US fuel transport company that supplies almost half of the East Coast's fuel, was shut down for several days, causing prices to rise at gasoline pumps across the country. The company was hit by ransomware. Pipeline officials were forced to pay the hackers, an affiliate of the notorious Russian-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers also stole over 100 GB of data from the company and threatened to leak it to the internet if the ransom demanded wasn't paid. After a thorough examination, forensic teams reported that the hackers accessed the systems via a stolen password. The stolen password was already available on the dark web because of a hack on a third-party application, and the same password had been reused for a Colonial Pipeline Company account. Now that we have seen what ICS is and how it has been attacked, let's look at the common ICS vulnerabilities.
Common ICS Vulnerabilities
One of the most significant differences between securing an ICS and a typical computer system is that ICS components do not use standard information technology (IT) hardware or software. Custom ICS software and hardware are not scrutinized like traditional computer products, and replacement rates are typically much lower.
Another difference is the prioritization of security objectives. When implementing security measures on ICS components, it is crucial to consider the functional requirements. Unlike typical IT systems, ICS security objectives are typically prioritized as follows:
1. Availability
2. Integrity
3. Confidentiality
While implementing security features in an ICS, a violation of the operational requirements can cause more damage than a cyber-attack. To understand ICS vulnerabilities, let's divide them into three segments:
ICS Software/Product Vulnerabilities: The primary reason ICS software is more prone to vulnerabilities is the lack of secure software design and coding practices. ICS network protocols and the associated server applications are considerably susceptible to man-in-the-middle data viewing and alteration, and to compromise through invalid input. This insufficiency shows up as poor code quality, network protocol implementations that rely on weak authentication and allow information disclosure, and vulnerable custom ICS web services.
ICS software also uses third-party applications such as standard web servers, remote access services (RASs), and encryption services. Unfortunately, many outdated and vulnerable third-party software applications and services have been found in new ICS versions, which indicates that the ICS vendor is not supporting third-party patch management for their software. The table below displays the different ICS software vulnerabilities by category:
ICS Configuration Vulnerabilities: Configuration vulnerabilities are introduced by how the ICS is installed and maintained. ICS product vendors offer an exclusive combination of components and functionality for each installation. Only a few systems from each ICS product line are delivered before further required features are added and a new, updated version is released. Having few installations of the same ICS product version and feature set leads to a scarcity of, or insufficient, standard procedures for securely configuring each ICS product. Vendors follow established techniques for building, testing, and installing an ICS, but their delivery models differ: some vendors have integrators that work closely with customers to develop and install the system, while others have just a product model. Most of the time, integration consultants with specific ICS product training are available for installation and configuration. Every system is unique in its own way; in general, as new features are introduced, the level of security in each ICS installation depends on those responsible for installing and configuring the operating systems, ICS applications, and third-party applications.
Common security problems that arise from ICS configuration are unpatched operating system, application, and service vulnerabilities, and failure to configure and implement applications and services securely, i.e., to select security options and protect credentials, change all default passwords, set password policies that require strong passwords, limit user accounts, applications, and services to only the required permissions, install or enable security measures correctly, and restrict unnecessary connections. Improvements can be achieved through automated security configuration supported by the ICS vendor; for example, automated disabling of unnecessary services and applications, with their associated permissions, can be included in the installation manual. In addition, there should be a proper definition of the essential parts and components that are allowed to connect. Owners should require this information during the procurement process to ensure they are able to configure their systems securely.
Although some vulnerabilities are inherent in ICS products, many ICS component vulnerabilities depend on how an ICS product was implemented. Therefore, even though security configuration can have limitations based on the ICS design, ICS owners can control their risk of cyber-attack by securely configuring their systems.
The table below shows the ICS evaluation findings caused by configuration and installation errors. These issues also apply to the maintenance of an operational ICS.
ICS Network Security Vulnerabilities: The network architecture used by an ICS should be securely designed and implemented so that it allows remote control and monitoring of processes and provides data for business functions while preventing any other, illegitimate traffic over the network. Security zones with access control lists (ACLs) that limit the traffic allowed in and out of each zone reduce the exposure to attacks from sources outside the site to the allowed IP addresses only. The security features built into the protocols used to transfer data in and out of the control network must be strong enough to prevent attacks that pass the access control requirements. Critical security features, such as authentication and integrity checks, should be layered on top of the insecure protocols that must be used for communication with the ICS so that the processes keep functioning smoothly.
A good understanding of the limitations of the protection provided by a security product is vital for proper implementation. Therefore, an effective cybersecurity program for an ICS should apply a strategy known as "defense in depth," i.e., layering security mechanisms or features such that if one layer of security fails, the next layer is up and ready to provide protection.
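To make the zone-and-ACL argument concrete, here is an added example (not from the article) that checks observed flows against a constructed zone layout and conduit allowlist, then applies a second layer that flags unauthenticated protocols crossing a zone boundary even when the ACL permits them. All zone names, addresses and ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone layout (assumption for this example, not from the article).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.10.0.0/24"),
    "control": ip_network("192.168.10.0/24"),
}

# Constructed conduit allowlist: (source zone, destination zone, destination port)
# combinations the boundary ACLs are meant to permit; anything else is illegitimate.
CONDUITS = {
    ("enterprise", "dmz", 443),   # users reach the historian's web front end
    ("dmz", "control", 502),      # historian polls PLCs over Modbus/TCP
    ("control", "control", 502),  # HMI-to-PLC and PLC-to-PLC traffic inside the zone
}

# Second layer: protocols that carry no authentication or integrity protection.
# Even when an ACL permits them, crossing a zone boundary needs a compensating control.
UNAUTHENTICATED = {502: "Modbus/TCP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(flow: Flow) -> List[str]:
    """Return findings for one observed flow; an empty list means it is legitimate."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return [f"{flow.src}->{flow.dst}:{flow.dst_port} involves an address outside every zone"]
    findings = []
    if (src_zone, dst_zone, flow.dst_port) not in CONDUITS:
        findings.append(f"{src_zone}->{dst_zone} port {flow.dst_port}: no conduit, ACL should drop it")
    if src_zone != dst_zone and flow.dst_port in UNAUTHENTICATED:
        findings.append(f"{UNAUTHENTICATED[flow.dst_port]} crosses {src_zone}->{dst_zone} "
                        "unauthenticated; needs compensating control")
    return findings


# Constructed sample flows (not real traffic): one clean, one rogue, one allowed-but-weak,
# one from an undefined zone, one intra-zone.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.10.0.5", 443),
    Flow("10.0.5.20", "192.168.10.7", 502),
    Flow("10.10.0.5", "192.168.10.7", 502),
    Flow("203.0.113.9", "192.168.10.7", 502),
    Flow("192.168.10.3", "192.168.10.7", 502),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        for finding in evaluate(f):
            print(finding)
```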
1. Increase Security for the Industrial Network: Industrial organizations that want to implement security measures should first ensure a good network design with well-secured boundaries. Then, the ISA/IEC 62443 standard should be applied to the enterprise's networks, all wireless applications should be secured, and secure remote access solutions should be deployed to help with fast troubleshooting and problem-solving. Companies should also monitor their networks, including their industrial network infrastructure equipment.
2. Increase Security for Controllers: Each industrial environment has its fair share of physical systems: mechanical devices such as valves, calibration devices, actuators, and a series of sensors for temperature and pressure that interact with the physical world. Controlling them are controllers, specialized computers that bridge the control of physical systems and the receipt of programming or instructions from a network. Unfortunately, in the past, malicious actors have gained access to those devices in many cases, causing these systems to malfunction for the sole purpose of causing physical destruction or disrupting an organization. Organizations can protect industrial controllers against digital attacks by improving their detection capabilities and visibility into ICS changes and threats, implementing security measures for vulnerable controllers, monitoring for suspicious access and control changes, and detecting and containing threats promptly.
3. Increase Security of Endpoints: A security team may feel confident that their organization is protected against digital attacks by perimeter firewalls, proprietary software, specialized protocols, and air gaps. But all of this can be breached when employees bring their own devices into the perimeter network. Therefore, it is crucial to ensure all endpoints are secure and to prohibit staff from connecting their own devices to the network. A key place for organizations to start improving security is to invest in asset discovery, the process of taking an inventory of the endpoints on the network. Next, controls and automation must be defined to assure that the protection is in place. Finally, organizations must ensure secure configurations and continuous monitoring for unauthorized changes on each endpoint.
4. Increase Awareness among Employees: You can have every security measure implemented in your organization, but if the employees are unaware of security practices, the organization is still exposed to exploitation. Therefore, employees should be given regular security awareness training so that they don't fall prey to phishing or similar attacks that can compromise the organization's security.
5. Update and Replace End-of-Life Software/Hardware: Software should always be on a maintenance schedule that keeps it at the latest versions and patches. Software deployed in the field will have bugs, and the vendor releases fixes for them in updated versions, so we always need to update the software to its latest version. Furthermore, as hardware is required for the smooth functioning of industrial components, we should always try to keep the hardware current for improved efficiency and security.