Industrial Control System & Cybersecurity
We have heard this term quite often now, so what is cybersecurity exactly? Let's keep it straight and simple: "Cybersecurity is the practice of protecting systems, networks, programs, organizational data, and personal information from digital attacks to ensure Confidentiality, Integrity and Availability at their best."
Cybersecurity has become a high-severity concern globally and is fast moving towards industrial environments. A survey reported that 70% of companies consider an attack on their critical infrastructure imminent, yet they have still to define their security approach. Ever-changing technology brings risks and challenges in securing both an individual's privacy and enterprise businesses. The Industrial Control System (ICS) is more vulnerable and sensitive than any other sector: attackers can easily target it and demand a hefty ransom. Industrial facilities, manufacturing outlets, and oil & gas corporations operate critical infrastructures. Attacks on these sectors, where an ICS environment is essential, can bring catastrophic damage, cause massive financial losses and disasters, and put human lives at stake.
Implementing cybersecurity measures has become more complex because hackers gain intelligence from internet resources and employ innovative techniques, using new tools and technology for vulnerability scanning and executing zero-day attacks very effectively.
What is an Industrial Control System?
An Industrial Control System (ICS) identifies, represents, and controls manufacturing, production, and plant operations. It is also responsible for the distribution of resources and services to improve the production rate of the process. The ICS is considered critical infrastructure because of the instruments, manufacturing machines, production controls, automated systems, and processes it comprises. Industrial control systems consist of distributed control systems (DCS) and supervisory control and data acquisition systems (SCADA), which manage the smaller control systems in an industry using Programmable Logic Controllers (PLC) to control and monitor localized processes and services. The best examples of ICS infrastructure can be seen in industrial manufacturing and production sectors such as oil & gas corporations, water filtering plants, and steel and gas plants.
The Need for Cybersecurity
Cybersecurity is no longer a concern only for IT professionals. In today's connected world, the number of devices and internet users is increasing so rapidly that the term "cybersecurity" has become one of the most critical and common challenges globally. Everybody has the right to privacy, whether online or offline, and from individuals to giant corporations, everybody needs system, network, and data security. A lack of cybersecurity awareness and skills, together with the dearth of professionals in the industry, can even put national security at stake. To protect our online privacy, personal data, and information, we all need cybersecurity in one way or another.
Should ICS Security be a concern for organizations with Critical Infrastructure?
Organizations with critical industrial control system infrastructure should consider the potential risks and damage caused by a cyber attack and the catastrophic post-attack impacts. A successful cyberattack on any industry with ICS infrastructure can put human lives at stake, cause disastrous events, financial losses, loss of productivity, and the list goes on.
Risk Factors & Challenges In Maintaining ICS Security
- Old legacy systems
Traditional legacy systems pose high-level threats to critical ICS infrastructure. As a result, they are among the top challenges and risk factors for maintaining ICS security in large organizations. Here, a legacy system means an old, outdated system or technology with no active support from the vendor. These legacy systems were built using older technology, methods, and processes, with no proper security and access control features compared to current ones. As a result, they are at high risk of being easily targeted by cyberattacks. Besides, legacy systems can cause issues in the performance and production environment and pose a high risk of damaging the company's reputation by putting information and data at risk of breach.
- Known vulnerabilities in system & network
Another high-risk factor that can lead to data breaches and allow intruders and hackers into the ICS network infrastructure is the presence of "known vulnerabilities" in the system and network. Hackers use various tools and technology to scan and penetrate the network, looking for a single loophole or vulnerability in the system that they can exploit. Once hackers discover a vulnerability, an attack is very likely, since patch management in ICS is a lengthy and tricky process owing to the losses caused by downtime, even when the vendor has released a security patch to mitigate it.
- Loopholes & flaws in network infrastructure design
Even if the systems are up to date with the latest security patches, any flaws or loopholes in the network infrastructure configuration can allow an attacker to penetrate and gain unauthorized access to our network. Once in, an attacker can internally collect all the information required by communicating with other systems and resources, causing data leaks and service disruption and demanding a ransom. So designing a secure, resilient network is very important.
- Flat network architecture
When you use the same network for ICS infrastructure and other departments/units like IT, Sales, or Finance, the chances of a cyberattack or data breach are higher. The attacker only needs to gain access to any one unit, and from there they can launch distributed attacks. In addition, being on the same network allows the hacker to communicate with ease and access other devices and sensitive data.
- Lack of knowledge and training on cybersecurity
It is said that "security is as weak as the weakest link in the system," and any employee can potentially be the weakest link in an organization. Therefore, it is crucial to organize and provide basic cybersecurity training to the whole workforce on internet and data safety, on the basic security measures to adopt, on not downloading files from malicious sites, and on not opening unknown links and email attachments without consulting the IT team.
Common Threats To ICS Security Infrastructure
- Spear Phishing
Hackers use spear phishing to target a specific individual or organization. They craft detailed, attractive emails and links to convince victims to open malicious email attachments and click malicious links. These emails have subject lines intended to convince unsuspecting recipients that the sender is from a legitimate source. Spear phishing is considered one of the most common threat factors causing significant damage to industrial control systems.
- Missing Security Updates & Fixes
Maintaining the ICS operating infrastructure is one of the most complex processes in any industrial organization and requires extreme care and due diligence. Unfortunately, the legacy systems in the operational environment are left running for long periods because of the various risks involved, operated with minimal downtime and with no changes to the system settings. A severe threat in this context is missing security patches and updates in operating systems, system software, manufacturing machines, and operational technology devices. With these known vulnerabilities and the lack of security updates, an attacker can easily exploit the ICS systems and devices.
- Insecure Remote Access
Industries with ICS infrastructure genuinely run and operate manufacturing outlets 24x7. Employees need to work even after office hours and may need to connect from home when required. Working from home and accessing an organization's ICS systems and other resources over an insecure public network connection can result in data breaches and the compromise of confidential data and resources. Hackers can capture and trace unencrypted traffic sent from users' systems to the organization's ICS systems, then inject malicious payloads and malware into that traffic to gain unauthorized access and control over the targeted networks and systems.
- BYOD policy and less compliant security policies
A lack of endpoint security controls and workplace policies, together with the current BYOD trend, allows end users and employees to use their own devices and peripherals at the workplace. Unfortunately, this opens multiple doors for hackers because employees can use USB drives, download malicious files, and visit insecure links.
- Insider Threats
One of the most common and critical threat factors to ICS security is an insider attack. Internal staff and employees hold sensitive information and have access to critical systems and networks. For example, they know the filesystems, records, and locations, and have physical access to the ICS OT & IT devices. Therefore, an insider can easily bypass security controls and provide the necessary details to hackers for various purposes.
There can be numerous security controls and solutions; prioritizing them for holistic security significantly impacts resilience. Outlined below are the Top 7 security measures to help create resilience in the long run for ICS Security.
Given the vastness of ICS infrastructure, an attack is just a matter of time. We can only adopt defensive and preventive security measures to protect against sophisticated cyber-attacks and minimize their impact. According to best security practices and research done by information security analysts, an organization should adopt the following solutions.
- Next-Generation Firewall
In a network, we use firewalls to prevent unauthorized access and enforce IT security. A firewall allows or denies traffic based on firewall rules and policies, using packet filtering procedures. Firewalls can be implemented as hardware or software. For example, we use network firewalls to prevent an unauthorized internet user from accessing a private network connected to the internet. All operational technology (OT) devices are part of the network, and their data goes through the gateway. Securing the gateway perimeter with a next-generation firewall helps prevent attacks and implement better access control policies, web controls, and application controls. Next-generation firewalls come with IPS, DPI, and SSL decryption capabilities to proactively inspect all traffic.
- Implementing layered security
An organization with ICS should adopt Defense-in-Depth with an Integrated Risk Management Strategy and implement multiple layers of security solutions and technology. These include next-gen firewalls, antivirus solutions, and multi-factor authentication systems. Even if one layer of security is exploited and penetrated by hackers, the next layer will prevent unauthorized access to the network. For instance, say a user's credentials are compromised. The user must still log in using an OTP provided by a third-party multi-factor authentication system, so the hacker only has the user's credentials and not the OTP.
- Setup ICS/Network infrastructure monitoring solution
ICS systems generally consist of many devices, nodes, control systems, and production units. As a result, the complexity is high, and it is very hectic for an individual or a small team to monitor the whole infrastructure for malicious logs, activities, and resource failures. The latest advanced monitoring solutions offer a centralized view and management of all IT/OT infrastructure under a single dashboard console, and further allow the dashboard settings to be customized as needed. Real-time monitoring of the IT/OT environment helps improve stability, business continuity, and uptime. Monitoring tools also offer alerts for suspicious activities; for example, you can set service threshold trigger rates and get alerted when the threshold is violated. Open-source and commercial monitoring solutions are available in the market and are best chosen based on the organization's requirements. Log monitoring, SNMP trap monitoring, TCP/UDP session monitoring, alerts for system and service failures, and high-severity alerts are some of the features offered by these solutions.
- Network Segmentation
Network segmentation plays a vital role in preventing and defeating cyber-attacks. As we already know, an organization with a critical ICS environment functions in a department-wise manner, including product manufacturing units, quality control, assembly units, and many more. Therefore, a company should always segregate its networks physically or logically with proper security and legitimate access controls. For example, if you use a 10.0.0.1/24 network for the IT department, you should use another network for other units. Now say one of the systems in the IT unit is compromised and hackers have control over all the systems in that unit. These systems can communicate with each other but not with systems in other units, thanks to hardened security rules and access control rules. So even if the hackers want to gain access to other units, they won't be able to.
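As an added example (not code from the original article), the following Python checks a few constructed flow records against the kind of segmentation policy described above and raises the threshold-style alert mentioned in the monitoring section: the IT zone follows the article's 10.0.0.x/24 network, while the OT and QC ranges, the single permitted IT-to-OT flow, and the alert threshold are assumptions.

```python
import ipaddress
from collections import Counter
# Zone map: IT follows the article's 10.0.0.x/24; the OT and QC ranges are assumed.
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/24"),
    "OT": ipaddress.ip_network("10.10.0.0/24"),
    "QC": ipaddress.ip_network("10.20.0.0/24"),
}
# Allow-list of cross-zone flows as (src_zone, dst_zone, dst_port). Assumption: IT may
# reach OT only on TCP 443 (an HMI web console); every other cross-zone flow is denied.
ALLOWED = {("IT", "OT", 443)}

def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flow(src: str, dst: str, port: int):
    """Return None for a permitted flow, otherwise a violation tuple."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s != "UNKNOWN":
        return None                       # traffic inside one segment is fine
    if (s, d, port) in ALLOWED:
        return None
    return (s, d, src, dst, port)

def audit(flow_lines, threshold: int = 2):
    """Parse 'src dst dst_port' records; return violations and sources at/over threshold."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        v = check_flow(src, dst, int(port))
        if v:
            violations.append(v)
    per_source = Counter(v[2] for v in violations)
    alerts = [src for src, n in per_source.items() if n >= threshold]
    return violations, alerts
# Constructed flow records, not real captures.
SAMPLE_FLOWS = [
    "10.0.0.25 10.0.0.7 445",      # IT -> IT: allowed
    "10.0.0.25 10.10.0.5 443",     # IT -> OT on 443: on the allow-list
    "10.0.0.25 10.10.0.5 502",     # IT -> OT Modbus/TCP: violation
    "10.0.0.25 10.20.0.9 22",      # IT -> QC SSH: violation
    "10.20.0.9 10.20.0.3 80",      # QC -> QC: allowed
    "192.168.5.4 10.10.0.5 502",   # source outside every zone -> OT: violation
]
```

Running `audit(SAMPLE_FLOWS)` yields three denied flows and flags 10.0.0.25, the one source that crossed segments twice, which is the host an operator would look at first.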
- VAPT & Patch Management
Threat modelling consultants have an ace up their sleeve: VAPT (Vulnerability Assessment and Penetration Testing), a technique used to test for and identify vulnerabilities in network configuration, software, and web applications. VAPT is performed to evaluate security risks, loopholes, and zero-day exploits across an organization's IT infrastructure. It provides visibility into an organization's potential security risks and threats and provides a workaround to address and solve them. Technology is evolving every day and so are cybercriminals, so it's essential to know and understand the current security trends around the globe. Implementing a VAPT program in an organization with sensitive ICS infrastructure will provide transparency and visibility about the security weaknesses in its network and systems. Enable devices to download patches or update software automatically. Automating key aspects of your ICS vulnerability management will identify new vulnerabilities passively. However, it's worth noting that many IoT vulnerabilities may not be instantly fixable. So, combining IoT data with a tool that compares it to a known CVE database can instantly uncover vulnerable assets and whether a patch is available. This information can also be used to prioritize patching efforts. Applying untested patches can have drastic effects, so adopt best practices in testing and release and follow stringent risk-based change management. This will ensure the organization takes the necessary steps to mitigate those risk and threat factors and prevent sudden, unprecedented future cyber attacks.
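As an added example (not the article's own code or any vendor tool), this Python matches a constructed asset inventory against a constructed advisory feed, the way the CVE-database comparison above describes, and orders the resulting patch work: the asset and product names, version ranges and CVSS scores are invented, the CVE identifiers are placeholders, and ranking OT-zone assets first is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
def parse_version(s: str) -> tuple:
    return tuple(int(x) for x in s.split("."))  # "3.2.1" -> (3, 2, 1) for ordered compares

@dataclass
class Asset:
    name: str
    zone: str        # "OT" or "IT"; OT assets are ranked first (assumption)
    product: str
    version: str

@dataclass
class Advisory:
    cve: str                 # placeholder ids below, not real CVEs
    product: str
    affected_below: str      # versions strictly below this are vulnerable
    cvss: float
    fixed_in: Optional[str]  # None: the vendor has not shipped a fix yet

# Constructed inventory and advisory feed (invented products and numbers).
ASSETS = [
    Asset("hmi-01", "OT", "ScadaView", "3.2.1"),
    Asset("eng-ws-02", "IT", "ScadaView", "3.4.0"),
    Asset("plc-gw-03", "OT", "GatewayFw", "1.0.5"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "ScadaView", "3.3.0", 9.8, "3.3.0"),
    Advisory("CVE-0000-0002", "GatewayFw", "1.1.0", 7.5, None),
    Advisory("CVE-0000-0003", "ScadaView", "3.5.0", 5.3, "3.5.0"),
]

def find_vulnerable(assets, advisories):
    """Pair every asset with each advisory for its product whose range covers its version."""
    return [(a, adv) for a in assets for adv in advisories
            if adv.product == a.product
            and parse_version(a.version) < parse_version(adv.affected_below)]

def prioritize(hits):
    """Order: OT assets first, then highest CVSS, then findings that already have a fix."""
    return sorted(hits, key=lambda h: (h[0].zone != "OT", -h[1].cvss, h[1].fixed_in is None))

def patch_plan(assets=ASSETS, advisories=ADVISORIES):
    """Ordered work items (asset, cve, action); no-fix findings get a compensating action."""
    plan = []
    for a, adv in prioritize(find_vulnerable(assets, advisories)):
        action = f"patch to {adv.fixed_in}" if adv.fixed_in else "no fix yet: isolate and monitor"
        plan.append((a.name, adv.cve, action))
    return plan
```

The gateway with no vendor fix still lands near the top of the plan, which is the point: an unpatchable OT asset needs a compensating control scheduled, not a ticket that waits for a patch.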
- Risk Management Program
A risk assessment program is a process that helps organizations analyze potential risks and events which can lead to catastrophic damage, including financial losses, data breaches, and loss of business productivity. Periodic risk assessment can help the organization take the necessary steps to mitigate and minimize the impact associated with the risks. This helps it increase business productivity and performance and achieve greater return and profit at reduced operational cost. In the ICS domain, a risk management program is used to develop strategic plans to acknowledge, identify, prioritize, and estimate the organizational assets and operations. The primary goal of cyber risk assessments is to inform higher-level executives of known risk components. The program also helps executives make informed decisions for better control of investment and business plans.
- Create Cybersecurity Awareness across the Industrial Workforce
Cybersecurity is something we all should be concerned about. Unfortunately, even if you work in the IT domain, you don't always know everything from a security perspective. Software developers, support technicians, and helpdesk engineers are generally not aware of cybersecurity, its importance, and attack vectors in depth. They have only a minimal understanding of these, which makes them exploitable as well. Leveraging FnCyber's expertise in cybersecurity consulting services can bring in best-of-breed practices and certified skills that address awareness across various employee and work profiles and cater to the customized needs of distinct work environments.
First, it is essential to train the IT team; whether they are part of support or development, they should understand the basic types of cyberattacks and how to prevent them. In case of an attack, the IT team will be the first responders to prevent and defeat it. Non-IT staff can form the weakest security links and are quite vulnerable to attacks in an organization; they are easy to target and exploit. They should be taught how to identify viruses, malicious links, and websites, recognize changes in program or service behavior, and report them to the concerned team/unit.