Innovation in Industrial Control Systems (ICS) may well be helping businesses get the best from their data, but it’s also helping cyber attackers see new ways to attack these critical systems.
The attack surface is rapidly expanding as businesses bring IT and operational technology (OT) together, adopt the IoT, and digitalise their businesses. An attack could force prolonged downtime, crash whole economies, and put people in danger.
Cyber attackers know the power that targeting industries can give them. Whilst traditional attacks are motivated by lucrative data or money itself, with ICS, the intent is typically to cause widespread disruption and physical damage.
We’re in an evolving era of cyber risk
This isn’t fable or fiction – it’s our current reality. In early February, leaders of two U.S. House subcommittees called on the U.S. Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. For a more high-profile example, take the Russian state-sponsored CRASHOVERRIDE incident of 2016, which manipulated ICS equipment through the abuse of legitimate industrial control system protocols to disrupt the flow of electricity across Ukraine’s power grid at the transmission substation level. As a result, a portion of Ukraine’s capital city, Kyiv, experienced a one-hour outage overnight.
The incident served as a microcosm of an evolving era of cyber risk, signifying the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and respond to the prepositioning of attackers before impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety, and matters of national security.
Critical infrastructure organisations have an inherent responsibility to deploy a robust ICS/OT security framework that effectively protects their operational assets from sophisticated attacks. This isn’t a matter of merely meeting mandatory compliance minimums to avoid costly fines or steep regulatory penalties. It’s about leaving no stone unturned to protect people from the real-world impact of cybercrime – not only their own personnel, but those living and working in the surrounding communities from which they operate.
Here’s how to keep ICS and operational technology safe
A balance in prioritisation is essential to effective ICS/OT security, as a recent SANS Institute whitepaper on The Five ICS Cybersecurity Critical Controls makes clear. Prevention bias is a common theme across the cybersecurity community: between 60% and 95% of the most widely used security frameworks are preventative in nature, while lagging in detection and response posture. As a result, many organisations invest as little as 5% of their resources in detecting, responding, operating through an attack, and recovering from compromise.
Given that both the volume and velocity of ICS-related attacks are increasing rapidly, even the most stringent prevention measures will eventually be bypassed. Organisations must prepare for when, not if, that happens, integrating AI-enabled detection and response approaches that drive agile mitigation and recovery action. Adopting an ICS/OT security framework built on the following five critical controls is key to achieving that balance.
- ICS Incident Response: An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings.
- Defensible Architecture: An effective ICS defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarised zones, and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing as much risk as possible through system design and implementation while driving efficient security team processes.
- ICS Network Visibility Monitoring: Due to the “systems of systems” nature of ICS attacks, it’s vital to implement continuous network security monitoring of the ICS environment with protocol-aware toolsets and systems-of-systems interaction analysis. These capabilities can also be used to inform operations teams of potential weaknesses to address.
- Remote Access Security: Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organisation’s IT network, but now threat actors can also leverage their entire supply chain ecosystem – capitalising on the IT network vulnerabilities of their vendors, maintenance personnel, integrators, and equipment manufacturers.
- Risk-Based Vulnerability Management: A risk-based vulnerability management programme empowers organisations to define and prioritise the ICS vulnerabilities that generate the highest level of risk.
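To make the Network Visibility Monitoring and process-communication enforcement points above concrete, here is an added example in Python (not code from the SANS paper or from the author) of a minimal protocol-aware check: it parses Modbus/TCP requests from constructed traffic records and flags write function codes sent to a PLC by hosts that are not permitted to write to it, as well as traffic to assets missing from the inventory and malformed frames. The IP addresses, the policy table and the sample frames are all constructed for illustration; a real deployment would feed this logic from a network tap or sensor rather than a hard-coded list.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Modbus function codes that change process state versus those that only read it.
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTION_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                       0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # first coil/register the request touches
    payload: bytes    # remainder of the PDU (value, quantity, ...)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an MBAP header plus PDU; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError("exception response, not a request")
    if len(frame) < 10:
        raise ValueError("PDU too short to carry an address")
    addr = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit, fc, addr, frame[10:])


# Constructed policy: per PLC, which hosts may write and which may only read.
POLICY: Dict[str, Dict[str, set]] = {
    "10.10.2.20": {"writers": {"10.10.1.5"},      # HMI (assumed address)
                   "readers": {"10.10.1.6"}},     # historian (assumed address)
}


def evaluate(src: str, dst: str, frame: bytes, policy: Dict[str, Dict[str, set]]) -> Optional[str]:
    """Return a finding string if the request violates policy, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED {src}->{dst}: {exc}"
    rules = policy.get(dst)
    if rules is None:
        return f"UNKNOWN_ASSET {src}->{dst}: Modbus to an asset not in inventory"
    if req.function_code in WRITE_FUNCTION_CODES:
        if src in rules["writers"]:
            return None
        name = WRITE_FUNCTION_CODES[req.function_code]
        return (f"UNAUTHORISED_WRITE {src}->{dst} unit {req.unit_id}: "
                f"{name} at address {req.address}")
    if req.function_code in READ_FUNCTION_CODES:
        if src in rules["writers"] or src in rules["readers"]:
            return None
        return f"UNEXPECTED_READER {src}->{dst}: {READ_FUNCTION_CODES[req.function_code]}"
    return f"UNKNOWN_FUNCTION {src}->{dst}: function code 0x{req.function_code:02x}"


def analyse(traffic: List[Tuple[str, str, bytes]], policy: Dict[str, Dict[str, set]]) -> List[str]:
    """Run every (src, dst, frame) record through the policy and collect findings."""
    findings = []
    for src, dst, frame in traffic:
        finding = evaluate(src, dst, frame, policy)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic: (source IP, destination IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000100000006010300000004")),  # HMI reads 4 holding registers
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000200000006010600100064")),  # HMI writes register 16 = 100
    ("10.10.1.77", "10.10.2.20", bytes.fromhex("0003000000060105000AFF00")),  # unknown laptop forces coil 10 ON
    ("10.10.1.6",  "10.10.2.20", bytes.fromhex("000400000006010400000002")),  # historian reads input registers
    ("10.10.1.77", "10.10.2.20", bytes.fromhex("00050000000301")),            # truncated frame
    ("10.10.1.5",  "10.10.2.20"[:-2] + "99", bytes.fromhex("000600000006010300000001")),  # PLC not in inventory
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_TRAFFIC, POLICY):
        print(line)
```

Of the six constructed records, only the laptop's coil write, the truncated frame and the request to the uninventoried PLC produce findings; the HMI and historian traffic matches policy and stays silent. The same structure (parse the industrial protocol, classify the operation, check it against who is allowed to do what to which asset) is what a protocol-aware monitoring toolset does at scale, and the allow-list is exactly the kind of process-communication enforcement a defensible architecture is meant to make possible.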
A more secure future starts here
Implementing security across entire, complex systems can be a daunting challenge. However, these five controls are a good starting point for any business, and they can be adapted to fit your organisation as the programme matures.
Alongside this, ensure you are communicating the severity of cyber risk at every level of the business, not just to the C-suite but to everyone who engages with your systems. This will raise security awareness maturity across the business.
Security for ICS and OT needs to be a team sport, combining agile controls with well-defined processes in order to keep pace with cybercriminals’ increasing focus on ICS. Only then can attackers be kept at bay.
About the Author
Dean Parsons, B.Sc., CISSP, GICSP, GRID, GSLC, GCIA, is the CEO and Principal Consultant of ICS Defence Force and brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defence in critical infrastructure sectors such as telecommunications, and electricity generation, transmission, distribution, and oil & gas refineries, storage, and distribution. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that “Defence is Do-able!” Over the course of his career, Dean’s accomplishments include establishing entire ICS security programmes for critical infrastructure sectors, successfully containing and eradicating malware and ransomware infections in electricity generation and manufacturing control networks, performing malware analysis triage and ICS digital forensics, building converged IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric substations, oil and gas refineries, manufacturing, and telecommunications networks. A SANS Certified Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response and is a co-author of the new SANS Course ICS418: ICS Security Essentials for Managers. Dean is a member of the SANS GIAC Advisory Board and holds many cybersecurity professional certifications including the GICSP, GRID, GSLC, and GCIA, as well as the CISSP®. He is a proud native of Newfoundland and holds a BS in computer science from Memorial University of Newfoundland.
Featured image: ©red150770