The emergence of cyber threats is forcing the industrial sector to take a long, hard look at how industrial control systems (ICS), and specifically industrial controllers are protected.
The increase in the number of cyber incidents on ICS networks has become a reality we can no longer ignore. Yet, ICS networks pose unique challenges to security professionals, primarily because they are unlike traditional IT networks.
In order to protect them we first need to understand how they operate, the different technologies they employ and their discrete functions.
'Air Gaps' Can No Longer Protect Industrial Networks from Attacks
Until recently, industrial networks were separated from the rest of the world by ‘Air Gaps’. In theory, an ‘Air Gap’ is a great security measure - disconnecting the industrial network from the business network and the Internet puts an impassable barrier in place that prevents attackers from reaching it.
However, an ‘Air Gap’ is no longer an operationally feasible solution in today’s connected world. Trends like IIoT (Industrial Internet of Things) and Industrie 4.0, are driving organizations looking to improve existing processes and augment operational systems, to facilitate more connections between the physical process world and the Internet.
This connectivity exposes the previously isolated operational environments to cyber-threats.
Vulnerabilities in Industrial Processes Increase Exposure to Cyber Threats
Industrial processes are exposed to cyber risks through a range of vulnerabilities in software and hardware technologies as well as weaknesses inherited from the legacy design of ICS networks: Industrial controllers such as PLCs, RTUs and DCS controllers are specialized computers that manage the lifecycle of industrial equipment and processes.
Most of these controllers do not require authentication from those attempting to access them and alter their state. Most do not support encrypted communication. This means that anyone who has network access, a hacker, a malicious insider, or even a careless employee, has unfettered access to the industrial process and can become a threat to the business.
To learn more about the top internal and external threats to ICS networks, watch the video below:
There are many controller vulnerabilities that can be exploited to disrupt operations and cause damage. Yet most controllers are never patched since ICS engineers prioritize network stability at all costs. Patching industrial controllers is difficult, can cause disruptions or downtime, and can lead to reliability issues and other operational problems.
Unpatched Windows-based workstations still running legacy operating systems like Windows NT and XP are also common in operational environments and remain unpatched due to the same concerns regarding operational stability and reliability. Such unpatched systems further weaken the risk posture of ICS networks.
Lack of Visibility and Control in Industrial Control System Networks
Since ICS Networks were designed before the cyber threat existed, they were not implemented with security in mind. Today these networks still lack the visibility and security controls common in corporate IT networks. Even basic solutions for automated asset management or configuration control do not exist for ICS networks.
Without fully understanding which assets exist in your network, what firmware they are running, what code and logic are they executing, what’s their configuration, and which of them are vulnerable - how can you take measures to properly protect them?
Don’t forget that these environments use specialized Operational Technologies (OT) provided by vendors like GE, Siemens, Schneider Electric, Rockwell and others, which operate differently than IT technologies. They use different hardware, different software, and different network protocols. As a result, IT security solutions are not a good fit for these environments.
Control-Layer Protocols Are Difficult to Secure
One of the biggest technical challenges we face when looking to secure ICS networks is that several different communication protocols are used in ICS networks:
Standard protocols, like Modbus and DNP3 are used by HMI/SCADA/DCS applications to communicate physical measurements and process parameters (i.e. current temperature, current pressure, valve status, etc.).
Meanwhile, control-layer protocols, which are used to configure automation controllers, update their logic, make code changes or download firmware, are comprised of proprietary and vendor-specific protocols.
Each OT vendor uses it’s own proprietary implementation of the IEC-61131 standard for Programmable Controllers. Since these implementations are rarely documented, it is very difficult to monitor these critical activities.
Since the goal of most ICS cyber attacks is to cause operational disruptions or physical damage, the adversary will try to change the way the process executes.
While a predefined set of process parameters can be changed through HMI/SCADA applications, the logic maintained on the controller defines the process flow and its restrictions. Therefore changing the controller logic is both the easiest and most successful way to cause such changes.
Contrary to popular belief, this is not extremely difficult. Once inside the network, an attacker can easily download control logic to an industrial controller or change its configuration.
Since these actions are executed using proprietary vendor-specific protocols, there is no standard way to monitor these control-layer activities. As a result, changes made by an attacker (or even through human error) can go unnoticed until damage starts to occur.
How to Overcome the Challenges of Unsecured OT Networks
Due to the design of OT networks and the lack of basic security controls like authentication and encryption, most ICS attacks do not need to exploit software vulnerabilities. Once an attacker reaches the OT network, any compromised machine that can ping a PLC can be used to launch an attack on industrial processes.
The current lack of visibility and security controls in ICS networks is placing industrial processes and critical infrastructures at risk. In order to prevent unauthorized process changes and protect ICS from external attacks, specialized monitoring and control technologies are required.