Industrial control system (ICS) cybersecurity advice, best practices
Catastrophic disaster can be the result of insecure industrial cybersecurity practices. See six common entry points for attacks, eight cybersecurity precautions for attacks by type, and four steps to improve.
While cybersecurity has always been a major concern for any industry, a common perception was the threat pertained to losing proprietary data, falling victim to espionage, and facing shutdowns. However, the Triton (also called Trisis or HatMan) attack in 2018 has shown another side of that very serious threat: potentially catastrophic disaster. Learn common entry points of attack, precautions, and how to improve.
Traditionally, industrial control systems (ICSs) were designed to run in isolation on their own control networks, where few could have foreseen a threat from cybersecurity. However, with the evolution of other technology around industrial facilities – including smart sensors, wireless gateways, remotely managed systems, virtualization, cloud computing, smartphones, and various business intelligence needs – the chances of these industrial systems remaining free from external interference grow slimmer by the day.
The first instance of ICSs being manipulated externally was Stuxnet in 2010, which was a script deliberately designed to sabotage industrial controllers running centrifuges. This was followed by the Havex attack in 2013 that targeted electricity grids and power companies; a large amount of data was gathered through it for espionage and sabotage.
2015 saw two threats: BlackEnergy that destroyed data and files on workstations, causing significant power outages in Ukraine, and IronGate, which was discovered on public sources and performed the same function as Stuxnet. Industroyer also caused havoc in Ukraine in 2016 with malware that wiped data and performed distributed denial of service (DDoS) attacks on the network, causing a shutdown of Ukrainian electricity grids.
The Triton attack was found in 2017. Its discovery prevented what could have been a serious disaster. This malware could infect Triconex safety controllers, giving the hacker access to change safety parameters. A malicious attack could disable safety setpoints for industrial equipment, potentially causing an incident of the same magnitude as the Jiangsu Tianjiayi Chemical Plant explosion, which happened in China in March 2019.
Understand attack sources
The first step to tacking this threat to cybersecurity is understanding where attacks can come from as attackers use reconnaissance as first step to gauge and understand the targets weaknesses over a certain period. In the longer run an organization may use threat vector analysis to identify different methods the attacker may use, or the system might be prone to. All this needs to be based on the risk emerging from business impact analysis of company assets. Users might want to take some off the shelf assessment tools and use them to segregate and rationalize critical assets from non-critical and perform gap assessment on them to begin.
Six common entry points for attackers are:
- Inbound attacks from external networks, internet, and remote connections through enterprise resource planning (ERP) software, gateways, and data and document repositories and online historians
- Improperly configured firewalls and gateways
- User access through stolen or phished credentials into business workstations and control computers
- Physical attacks that target production systems, in most cases these are human-machine interfaces (HMIs), engineer and operator workstations, and actual process safety controllers
- Lateral network attacks that target control networks and use industrial communication protocols to discover other devices on the network and spread malicious code
- Social engineering attacks, which focus on using personally identifiable information to trick insiders into granting access, opening gateways and running scripts unintentionally.
Eight cybersecurity precautions
Each type of attack comes with its own set of precautions. These are:
1. Segregation and segmentation:
While it may sound obvious, a thorough gap assessment of the control network through tools and qualified personnel can often reveal many unmonitored access points that are ignored while following standard practices to protect the control network. These threats may stem from:
- Unrestricted access to engineering/operator workstations
- Outdated malware detection
- Third-party applications and connectors that haven’t been secured or audited
- Lack of demilitarized zones (DMZs) or data diodes when exporting data from control networks
- Critical assets connected on a common domain.
2. Manage user access control:
This task covers taking actions to restrict unauthorized access and tracking and halting any activity related to unauthorized access. This includes:
- Hardening access to unauthorized personnel
- Managing policies and updating them on a strict schedule
- Enabling multi-factor authentication across the organization
- Whitelisting, adding pre-approved address, location and port-based alarms to identify personnel accessing systems
- Changing defaults for all passwords and passcodes, and renewing user passwords periodically.
3. Patch frequently:
Patching all control and safety equipment to the newest firmware versions needs to be a periodic activity. While routine non-intrusive patches should be the way to go for all critical controllers, at the very least patching should be done during each annual maintenance cycle.
4. Run validation checks:
Program, logic and executable validation checks ensure changes to logic, codes and scripts are the changes made intentionally by the authorized person. Emulated validation environments help monitor any unwanted changes to logic and parameters in addition to helping operators train on the equipment without risking actual physical systems. Tools are available to automatically detect any change at logic level and any such changes are executed in a controlled environment with a backup copy maintained, ready to be restored in case a controller or system gets compromised.
5. Add physical security:
Considering recent cybersecurity threats, some control system vendors now include physical locks on their controllers which prevent any additional code from being executed on a controller without first passing the physical security layer.
6. Train on cybersecurity:
A critical part of the cybersecurity threat comes from attackers relying on mistakes made by the plant personnel. No cybersecurity measure can be implemented fully without having all stakeholders being on board and aware of their responsibilities. This includes training personnel how to identify attacks, how to protect their personally identifiable information, and how to secure themselves against attacks. This training should be provided at all levels of management, executives, operational technology (OT) system administrators and users.
7. Create an incident response plan:
On the off-chance an odd mistake or oversight leaves an opening for potential attackers, a cybersecurity implementation effort needs to include an actionable plan for personnel to follow if security is breached or a threat is identified. These plans, once designed, need to be practiced through regular workshops and made available for all responsible personnel to ensure quick action if security is breached.
8. Maintain an updated asset register:
To reduce risk, maintain an up-to-date record of all the listed inventory of OT assets including switches, routers, firewalls, various web services, supervisory control and data acquisition (SCADA) software, historian servers, controllers or any internet protocol (IP) addressable device, all of which can leave gaps for attackers to exploit an unmanaged system. Assets can be monitored over the network for latest version updates, while patches and any vulnerabilities can be monitored through various tools.
Four phases for a cybersecurity initiative
Starting a cybersecurity initiative for industrial systems isn’t as daunting a task or as big an investment as it might appear at first. The tradeoff in preventing the amount of possible damage makes it ridiculous for companies to not consider investing in cybersecurity.
Like any successful company-wide initiative, cybersecurity also requires in-house champions for its cause and who help the company adopt the necessary policies and procedures. In most cases, the best way forward is to define owners for business network cybersecurity and control network cybersecurity.
Cybersecurity needs to be a plant-wide initiative. It is implemented through four phases (see figure):
Phase 1: Design and framework
Designing a cybersecurity management system is the most comprehensive phase and requires the most investment in time and effort. Many cybersecurity consulting firms are out there focusing on helping companies design cybersecurity infrastructure, policies and procedures. This task includes identifying all systems and personnel linked to cybersecurity, defining their roles, defining their access and control rights, and building policies around these parameters to ensure safe operations. The cybersecurity design phase requires a significant internal push and buy-in from stakeholders to ensure its successful completion.
Phase 2: Gap assessment
The assessment phase primarily consists of reviewing the cybersecurity design, and identifying potential vulnerabilities and risks depending on business impact. Identified gaps are addressed and updated in the design. Assessments can be performed using experienced personnel and various tools that sniff the network level packets and identify anomalous behavior and gaps in system hardening.
Phase 3: Implementation
This part is the actual implementation of cybersecurity policies, procedures and practices. Often external help at this stage can help speed up the implementation process and ensure all checklists are marked. A key method of implementation is system hardening.
Phase 4: Audit
Auditing cybersecurity covers tasks like comprehensive penetration testing to ensure that the cybersecurity implementation is achieving desired results. Specialized audit companies usually tackle this job and help ensure solid cybersecurity. This part requires the largest amount of external expertise for a new implementation plan. However, if an internal cybersecurity audit team is trained during all phases, that team can use its learning and expertise to audit other plants and facilities within the company.
Osman Ahmed is business development lead; Asad Rehman is design and application engineer; and Ahmed Habib is marketing manager, Intech Process Automation, a system integrator and CFE Media content partner. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
KEYWORDS: Industrial cybersecurity, cybersecurity tips
Industrial cybersecurity requires understanding attack vectors.
Eight cybersecurity precautions help understanding.
Advance cybersecurity by following four steps.
Have you taken the four steps to improve industrial cybersecurity?