Mitigate ICS Risks & Threats from Scratch

Publish Date : 29-02-2024
Author : Open-CISO

Industrial Automation and Control Systems – a Different Technology Turf

According to Krebs on Security, Industrial Control Systems (ICS) infrastructure has quickly become the top attack vector for ideologically and financially motivated cyberattacks. With the rampant rise of major ransomware attacks that gained a foothold by attacking ICS, it is more important than ever that engineers working on industrial systems become cyber aware and mitigate the most prevalent ICS risks and threats by adopting functional cybersecurity.

In May 2021, Colonial Pipeline suffered a ransomware attack that infiltrated the pipeline's digital systems and shut it down for several days. In addition, the hack affected several airlines and consumers along the East Coast, as the pipeline is responsible for transporting oil from refineries to the industrial markets. Such headlines are not surprising, since cyber-attacks are a normal phenomenon of the digital world. Still, it is an eye-opener to understand what makes these Industrial Automation and Control Systems unique: the convergence of Operational and Information Technologies and the Industrial Internet of Things.

What is Operational Technology and why is it prone to attacks?

Modern manufacturing, Industrial IoT, and their transformation cannot be explained without technology convergence. The technical mechanism that tracks critical operational processes, involving gauges, valves, and hardware controlling pressure, precision, and deviations, is termed Operational Technology (OT); in Industry 4.0 it has an interface with software programs (IT), and hence the convergence. According to Statista, about 21.5 billion devices are connected worldwide, including industrial machinery and automated systems. Based on the sheer number of IoT devices, threat actors now realize that "while the sporadic increase in connectivity of these OT devices and systems streamline daily business operations for companies, they also expose their critical data and infrastructures to cybersecurity risks." The more connected, the greater the risk exposure.

Further, OT systems are not as secure as IT systems or even household IoT devices, and many OT systems lack essential cybersecurity controls. For example, some ship with default passwords that may never be changed until the device reaches obsolescence. The same OT systems are deployed across varying operational settings in different industrial environments, such as Energy, Utilities, Water, Mining, and Transportation, on which regional economies depend at large scale.

A well-known fact is that most of these systems run on legacy technology and have been in use for decades; they were neither built for connectivity nor easily upgradeable. For instance, SCADA systems still depend on Windows NT or older Unix-based systems. Since the scale of this OT dependency is known to everyone, including cybercriminals, the technology is a luring target. For example, a ransomware attack on the Emergency Medical Services of a healthcare organization running on legacy infrastructure with IoT interfaces would prove catastrophic and life-threatening. A careful evaluation of a critical infrastructure network with OT devices from different manufacturers would reveal the following:

  • Most of these OT devices come with weak default passwords that are not changed, for ease of administration during and after installation.
  • Updating or patching the software requires extended downtime, causing a significant financial impact.
  • Though connected, they do not appear on the IT radar.

The most crucial factor is that the personnel supporting IT and OT in an industrial organization have different objectives, and neither has complete insight and oversight of the different types of devices active within the network. As a result, once they are connected, the entire network becomes vulnerable through different security loopholes that put the organization's safety and security at risk. If and when a threat actor gets in through any existing vulnerability, they can hide within the OT network for a long time and traverse into the IT systems and other critical business infrastructure. From there, they can steal customer data or trade secrets, hijack critical business or manufacturing assets, or leave a backdoor for the next, more significant attack.

Top 3 Attacks on Industrial Control Systems


1. Malware Infiltration

The notoriety of malware rose to fame with Stuxnet, which damaged as much as one-fifth of the power plant. Categories of malware are capable of self-replicating, self-propagating and, in some cases, self-eliminating in order to spread across networks and systems undetected. Infection usually occurs via removable media and external hardware. Another possible scenario is an executable file or an application infected with malicious code that can leak data and infect the entire computer system. Therefore, the security operations center should establish user access management policies and leverage encryption and endpoint security solutions to prevent this.


2. Insider threat caused by Human Error

An insider, in this context, can be someone:

  • With a badge and/or an access device
  • To whom an organization has provided access to a computer, network, or physical hardware
  • Who develops, integrates, or tests products and services
  • Who knows and has access to the intellectual property of the organization

Employees or manufacturing workers in an operational environment can also pose threats to OT. Unauthorized access can compromise data. An insider threat actor can be unintentional or malicious. The indicators of compromise involving an insider can be one of the following:

  • Unusual activity at an unusual time
  • The volume of throughput – data traffic, number of transactions, failed attempts, false alarms
  • Ignoring too many incidents in a sequence or a process
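The three indicators above can be turned into detection logic. The following is an added example, not code from the article: it runs over constructed HMI/SCADA access-log lines (the log format, the shift hours and the thresholds are assumptions for illustration) and reports which indicator fired for which user.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): "<ISO ts> user=<id> action=<verb> result=<ok|fail>"
SAMPLE_LOG = """\
2024-02-27T09:12:01 user=eng01 action=read_setpoint result=ok
2024-02-27T02:41:10 user=eng02 action=write_setpoint result=ok
2024-02-27T02:41:12 user=eng02 action=ack_alarm result=ok
2024-02-27T02:41:13 user=eng02 action=ack_alarm result=ok
2024-02-27T02:41:15 user=eng02 action=ack_alarm result=ok
2024-02-27T10:05:00 user=ops07 action=login result=fail
2024-02-27T10:05:03 user=ops07 action=login result=fail
2024-02-27T10:05:06 user=ops07 action=login result=fail
2024-02-27T10:05:09 user=ops07 action=login result=fail
2024-02-27T10:05:12 user=ops07 action=login result=fail
2024-02-27T10:05:20 user=ops07 action=login result=ok
"""

WORK_HOURS = range(7, 19)   # assumption: 07:00-18:59 is the plant's normal shift
FAIL_BURST = 5              # assumption: >= 5 failures inside FAIL_WINDOW_S is a burst
FAIL_WINDOW_S = 60
ACK_STREAK = 3              # assumption: >= 3 back-to-back alarm acks = "ignoring incidents"

def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(log_text):
    """Return a sorted list of (indicator, user) pairs found in the log."""
    recs = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = set()
    fails = defaultdict(list)   # per-user sliding window of failure timestamps
    streak = defaultdict(int)   # per-user count of consecutive alarm acks
    for r in recs:
        u = r["user"]
        # Indicator 1: unusual activity at an unusual time (a write outside shift hours)
        if r["action"].startswith("write") and r["ts"].hour not in WORK_HOURS:
            findings.add(("off_hours_write", u))
        # Indicator 2: volume of failed attempts within a short window
        if r["result"] == "fail":
            window = fails[u]
            window.append(r["ts"])
            while (window[-1] - window[0]).total_seconds() > FAIL_WINDOW_S:
                window.pop(0)
            if len(window) >= FAIL_BURST:
                findings.add(("failed_attempt_burst", u))
        # Indicator 3: dismissing many alarms in a row without any other action
        streak[u] = streak[u] + 1 if r["action"] == "ack_alarm" else 0
        if streak[u] >= ACK_STREAK:
            findings.add(("alarm_ack_streak", u))
    return sorted(findings)
```

Running `detect(SAMPLE_LOG)` on the constructed log reports an alarm-ack streak and an off-hours write for eng02 and a failed-attempt burst for ops07.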


3. IoT Botnets and DDoS attacks

The number of connected devices keeps increasing. If we count all the devices connected to an organization's network, such as grid sensors, GPS tracking, security sensors, condition sensors, passive RFID, and real-time location tracking, we can imagine the impact or damage the network would suffer if one of these devices were compromised, since each device comes with its own unique security challenges. In botnet attacks such as Mirai, attackers control the botnet via a command-and-control network and leverage it to mount a Distributed Denial of Service (DDoS) attack.

Building Resilience in the ICS Infrastructure

FnCyber has an overview of the top risks and threats to ICS and provides best practices in the form of mitigations that strengthen your systems against these kinds of attacks. Devising an effective ICS security strategy is hard, but we can make it easier. First, let us go through the significant controls and how they mitigate and prevent specific attacks.

The notion of resilience in an industrial environment is so vast that it is better to fall back on the domain standards, in this case the NIST Guide to ICS Security, and start building overall security by evaluating custom requirements. Of course, nothing should start without a Security Strategy and Policy that leads to asset identification, classification, and assessment of impact value. Network security architecture evaluation is the next best step, and a tested best practice is dynamic Zero-Trust network segmentation and micro-segmentation. Finally, use traffic analyzers to detect any deviations in performance and availability.

Zero-Trust Authentication & Authorization

Broadly, industrial systems (and IoT systems) suffer from an unfortunate tendency to rely on outdated mechanisms. The two main weak points in this category are authentication and authorization.

IoT devices can be configured to be accessible via computer networks with or without authentication and authorization; of course, it depends on the contractor deploying the IoT infrastructure to understand security by design. Unfortunately, an oversight at this stage makes the infrastructure accessible to anyone with the default credentials. Even though many installations use modern authentication and store salted password hashes that must be unique, the tragic reality is that many more use default passwords or none at all. Exploiting such devices gives attackers a live, fly-on-the-wall view of the private activities within your organization. A cybersecurity expert can design a resilient infrastructure with Zero-Trust policies, meaning authentication and authorization are configured to take place according to a defined prescription.

The best mitigation is a three-pronged strategy. First, devise a comprehensive Enterprise Risk Management Strategy and Integrated Risk Management Policy, and perform a complete network scan to identify all connected IoT devices (the inventory) in the network. Then, check for password-less connectivity or default passwords. Finally, replace the non-compliant devices or update them to be compliant. Security Risk Management teams should be able to periodically test for continuous compliance in the future.

Routers and Network Devices

Many routers are installed with default passwords and operate indefinitely without any device maintenance, with no one aware of the woefully inadequate protection. These devices are forgotten until discovered by some enterprising ransomware gang, who will eagerly take advantage of this foothold into the network.

Just like IoT devices, the best mitigation against poorly defended routers and random network devices (like printers or other IoT devices that might be operating in the network) is to periodically search for these types of connected devices and ensure they comply with the Zero-Trust policy. Additionally, a register of the entire infrastructure and network landscape should be in place so that administrators can see what a device is supposed to be and more easily spot devices that aren't registered and likely shouldn't be on the network in the first place.
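The inventory step from the IoT section and the "spot devices that aren't registered" check above can be reconciled in one pass. The following is an added example, not the article's or FnCyber's code: it compares constructed discovery results with a constructed asset register and the Zero-Trust credential policy (every device registered, none reachable with no password or a vendor default); the record formats, MAC addresses and IPs are assumptions.

```python
# Constructed asset register: what administrators expect to find on the network
REGISTER = {
    "aa:bb:cc:00:00:01": {"name": "rtu-pump-01",  "ip": "10.9.1.10"},
    "aa:bb:cc:00:00:02": {"name": "hmi-line-2",   "ip": "10.9.1.11"},
    "aa:bb:cc:00:00:03": {"name": "edge-router",  "ip": "10.9.0.1"},
    "aa:bb:cc:00:00:04": {"name": "rtu-valve-03", "ip": "10.9.1.12"},
}
# Constructed discovery results; 'auth' records how the management interface is
# protected: 'unique' (site-specific credential), 'default' (vendor default still
# accepted) or 'none' (no authentication at all)
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.9.1.10", "auth": "unique"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.9.1.11", "auth": "default"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.9.0.99", "auth": "none"},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.9.1.77", "auth": "unique"},
]

def assess(register, discovered):
    """Return per-device findings, registered assets that did not answer the
    scan, and an overall compliance verdict."""
    findings = []
    seen = set()
    for dev in discovered:
        seen.add(dev["mac"])
        entry = register.get(dev["mac"])
        issues = []
        if entry is None:
            issues.append("unregistered")          # not supposed to be here at all
        elif entry["ip"] != dev["ip"]:
            issues.append("address-mismatch")      # moved, re-addressed or spoofed
        if dev["auth"] == "default":
            issues.append("default-credentials")   # replace or reconfigure
        elif dev["auth"] == "none":
            issues.append("no-authentication")     # replace or reconfigure
        if issues:
            findings.append({"mac": dev["mac"], "ip": dev["ip"],
                             "name": entry["name"] if entry else None,
                             "issues": issues})
    # Registered devices absent from the scan: decommissioned, offline or hidden
    missing = sorted(v["name"] for m, v in register.items() if m not in seen)
    return {"findings": findings, "missing": missing,
            "compliant": not findings and not missing}

if __name__ == "__main__":
    report = assess(REGISTER, DISCOVERED)
    for f in report["findings"]:
        print(f["ip"], f["name"] or "<unknown>", ", ".join(f["issues"]))
    print("missing:", report["missing"], "compliant:", report["compliant"])
```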

Network Segmentation and Firewalls

Perimeter defense is a bedrock of any secure network, but industrial contexts often assume that an authenticated or otherwise protected service can be left open to the public internet. However, given the threat of zero-day exploits and other unexpected attacks, internal services absolutely should not be exposed to the public internet. The best way to mitigate this risk is to segment the ICS network from the corporate network and categorize networks by their utilization; for example, all Remote Terminal Units sit on a private Zero-Trust network managed via firewalls. In addition, create another layer of security by implementing strict policies and controls to protect the engineering endpoints connecting to SCADA or automation systems that manage device programming and control adjustments.

Publicly exposed internal services

Attackers constantly scan and review open ports, addresses, and services in target networks. Leaving services that are only needed internally open to the public makes life much easier for an attacker who has an exploit against the service, or who has phished or otherwise exfiltrated credentials and only needs to authenticate to the target device or service within the network.

Therefore, review internal services and ensure access is adequately firewalled so they can only be reached internally, and even then only from within the correct department or employee machine, followed by a DMZ architecture implemented by cybersecurity experts in an organization-wide coordinated effort.
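The segmentation and DMZ rules from the two sections above can be checked mechanically before a ruleset goes live. The following is an added example, not the article's or FnCyber's code: it audits a constructed firewall ruleset against an assumed zone layout (Internet, corporate, DMZ, engineering, ICS) and an assumed allowed-flow matrix, flagging internal services exposed to the Internet and any path into the ICS zone that bypasses the DMZ or the engineering zone.

```python
from ipaddress import ip_network

# Assumed zone layout with constructed address ranges
ZONES = {
    "internet":    ip_network("0.0.0.0/0"),
    "corporate":   ip_network("10.1.0.0/16"),
    "dmz":         ip_network("10.2.0.0/24"),
    "engineering": ip_network("10.3.0.0/24"),   # endpoints that program PLCs/RTUs
    "ics":         ip_network("10.9.0.0/16"),   # RTUs, PLCs, HMIs
}
# Assumed allowed flows: (src_zone, dst_zone) -> permitted TCP destination ports
ALLOWED = {
    ("engineering", "ics"): {502, 44818},   # Modbus/TCP, EtherNet/IP
    ("dmz", "ics"):         {502},          # historian in the DMZ polls the ICS zone
    ("corporate", "dmz"):   {443},          # corporate users read the historian
    ("internet", "dmz"):    {443},          # the only Internet-facing service
}

def zone_of(cidr):
    """Most specific zone containing cidr; 'internet' is the catch-all."""
    net, best = ip_network(cidr, strict=False), None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def check_rule(rule):
    """rule = {'action', 'src', 'dst', 'dport'}; returns None if OK, else a finding."""
    if rule["action"] != "allow":
        return None                          # deny rules never widen exposure
    s, d = zone_of(rule["src"]), zone_of(rule["dst"])
    if s == "internet" and d != "dmz":
        return f"internal service in '{d}' exposed to the Internet"
    if d == "ics" and s not in ("engineering", "dmz"):
        return f"'{s}' reaches ICS directly; route via the DMZ or the engineering zone"
    if rule["dport"] not in ALLOWED.get((s, d), set()):
        return f"port {rule['dport']} is not an approved {s}->{d} flow"
    return None

def audit(rules):
    """Return (rule index, finding) for every rule that violates the policy."""
    out = []
    for i, r in enumerate(rules):
        finding = check_rule(r)
        if finding:
            out.append((i, finding))
    return out

# Constructed candidate ruleset: rules 1 and 2 violate the policy
RULES = [
    {"action": "allow", "src": "10.3.0.0/24", "dst": "10.9.0.0/16",  "dport": 502},
    {"action": "allow", "src": "0.0.0.0/0",   "dst": "10.9.1.10/32", "dport": 502},
    {"action": "allow", "src": "10.1.0.0/16", "dst": "10.9.0.0/16",  "dport": 502},
    {"action": "allow", "src": "10.1.0.0/16", "dst": "10.2.0.0/24",  "dport": 443},
    {"action": "deny",  "src": "0.0.0.0/0",   "dst": "10.9.0.0/16",  "dport": 0},
]
```

`audit(RULES)` returns the two offending rule indexes with their findings; a rule that only tightens access (a deny) never produces one.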

Secure Operating Procedures

The now globally infamous Stuxnet malware first infected an Iranian nuclear facility from one engineer's laptop, brought into the workplace, from where it proceeded to take control of the entire network and then surprised even its creators by spreading throughout the world. Had that facility enforced stricter standards of employee conduct with computer systems on the network, this attack could have been thwarted.

Instead of focusing entirely on the negligence of individual engineers, security and risk managers must provide clear guidelines for separating work devices from home computers, and consistently and effectively enforce these policies by preventing devices meant for work from being taken into other network settings and used interchangeably for work and personal purposes.

Rigorous and Timely Maintenance and Patching

ICS is uniquely vulnerable to exploits against outdated software because many embedded industrial devices have no mechanism for automatically receiving security updates. And in those that could be updated, nothing is set up, so the system festers with outdated software carrying known vulnerabilities. Such a system only needs to catch an attacker's attention to be instantly exploitable, even by a technically unsophisticated adversary. Therefore, security patching in SCADA networks requires heavy planning and scheduling, with a detailed risk assessment and readiness check, plus a time-bound workaround for the un-patchable systems that is reviewed periodically to assess changes in the environment.

Mitigating the remaining risk is as simple as reviewing which devices can receive automatic updates and configuring them to do so, and then drafting a well-thought-out policy to periodically review the remaining devices for manual version updates, ideally with the help of a threat response consultant specialized in the device and software in question. One of the most important lessons from ICS/SCADA history is to disable all USB ports by policy, to prevent the use of any device capable of connecting via USB.

Principle of least privilege

By assigning each employee only the absolute minimum authority strictly necessary to fulfill their role, you can more easily contain breaches when they occur, while also minimizing the damage that internal threats can feasibly do on their own. In addition, such a procedure protects the organization and keeps employees safer by reducing the overall threat landscape, as privileged access is under strict control. Finally, periodic identity and access attestation exercises allow the business or process owner to evaluate all the identities active in the network and establish their legitimacy.

While this principle is clear to anyone with a security background, it is the hardest to implement because of the subjective nature of its human component. The best solution for organizations with a sufficient budget is to contract a cybersecurity consultant to evaluate the company's Identity and Access Management.

Continuous Security Monitoring

Any ICS/SCADA infrastructure should be equipped with tools and technology for intrusion detection and prevention. OT and IT have different network protocols in play, and the monitoring system should analyze both to provide valuable insights into behavior patterns, alert the relevant teams about known and unknown activity, and distinguish authorized from unauthorized users performing tasks in their designated environment. The Enterprise Risk Management team should be constantly apprised of these patterns and anomalies in order to understand 'The Functions of a Normal Business Day.'
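One way to operationalize 'The Functions of a Normal Business Day' for an OT protocol is to learn which hosts talk to which controllers with which function codes, then alert on anything new. The following is an added example, not the article's or FnCyber's code: it works on constructed Modbus/TCP flow summaries (the record format and the addresses are assumptions; the function-code names are the standard Modbus ones) and ranks deviations higher when they are writes or come from a host never seen before.

```python
from collections import Counter

# Standard Modbus function codes (names as in the Modbus specification)
FC_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
            6: "Write Single Register", 16: "Write Multiple Registers"}
WRITE_FCS = {5, 6, 16}

def parse_flows(text):
    """Each line: '<src_ip> <dst_ip> <function_code>' (constructed summary format)."""
    return [(s, d, int(fc)) for s, d, fc in
            (ln.split() for ln in text.splitlines() if ln.strip())]

def learn_baseline(flows):
    """Baseline = every (src, dst, fc) triple and how often it occurred on a normal day."""
    return Counter(flows)

def detect(baseline, flows):
    """Alert on triples absent from the baseline; writes and unseen hosts rank high."""
    known_hosts = {h for s, d, _ in baseline for h in (s, d)}
    alerts = []
    for src, dst, fc in flows:
        if (src, dst, fc) in baseline:
            continue                      # a known conversation: normal business
        new_host = src not in known_hosts
        sev = "high" if (fc in WRITE_FCS or new_host) else "medium"
        alerts.append({"severity": sev, "src": src, "dst": dst,
                       "function": FC_NAMES.get(fc, f"fc {fc}"), "new_host": new_host})
    return alerts

# Constructed learning window: the HMI polls and adjusts the PLC, the engineering
# station only reads
NORMAL_DAY = """
10.9.0.5 10.9.1.10 3
10.9.0.5 10.9.1.10 3
10.9.0.5 10.9.1.10 6
10.3.0.7 10.9.1.10 3
"""
# Constructed observation window: one normal poll, then three deviations
OBSERVED = """
10.9.0.5 10.9.1.10 3
10.3.0.7 10.9.1.10 16
10.1.5.20 10.9.1.10 1
10.9.0.5 10.9.1.10 1
"""

if __name__ == "__main__":
    base = learn_baseline(parse_flows(NORMAL_DAY))
    for a in detect(base, parse_flows(OBSERVED)):
        print(a)
```

The engineering station writing multiple registers and a corporate host that never appeared in the baseline both produce high-severity alerts; the HMI issuing a read it has not used before is only medium.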

Security Control Life-cycle Management

Every asset identified in the network has one or more associated risks, and controls to mitigate them. The answer to the question "Who evaluates the relevance, efficiency, and effectiveness of a control over a period of time?" can be invaluable to the organization's resilience as a whole. Periodic control life-cycle assessment determines whether the sense of security is true or false. Each type of control function (preventive, detective, corrective, compensating) provides unique characteristics to the protection measures and requires unique evaluation criteria to assess its effectiveness, because many business and production variables may have changed over time. Therefore, a transparent life-cycle management approach must be available to the designated risk owners for periodic and documented control evaluation. Based on such historical reports, controls might have to be updated, reconfigured, and re-calibrated to cater to the changed environment.

Given the popularity of ICS as a foothold for attackers looking to infiltrate corporate and even military networks, any network, security, or system engineer should become familiar with the concepts of Operational Technology and its convergence with IT security. A skilled cybersecurity expert can assimilate the required knowledge of ICS systems using OT and IT and build an ICS infrastructure design that empowers workers to focus on their respective core expertise. FnCyber has the know-how to support the notoriously immense field of ICS security and to provide a baseline of ideas for building policies and procedures that prevent breaches and protect industrial systems from the ever-increasing cyber threats of today's internet.

Leverage Functional Cyber Security Advisory for Industrial Resilience