The growing need for ICS cybersecurity
We treat cybersecurity in our plants much like the way many treat their personal future health. Management and engineers usually realize that there are threats, but capital expenditure requests continue to be denied and delayed due to the fact that those requests are a low priority in the eyes of all involved.
Over time, these items become even more passive thoughts and the threats continue to grow right under everyone’s nose. Although most integrators are diligent and careful in their actions, the fact remains that using 3rd party integrators can increase a facility’s security risks more than internal resources. It is rare, in initial project conversations, that any company expresses concern or actively attempts to hold integrators accountable by monitoring their work. Although employees really do care about the product, cybersecurity threats are treated with less interest and probability than natural disasters. Then, it strikes. And no one knows where it came from or how long the repercussions will last. We in the industry have a responsibility to consider any new product or process that might reduce the risk of damage to our system. Not just for profits or reputation, but for the customers.
Threats are growing
Those who work in the industry, may have already been pressured to consider some type of security solution. Most solutions are basic and only partially address the hot topic issues that create easy and quick sales. They are sold as "complete" solutions while they tend to be platform and/or action specific and can often only stop one type of security threat or can interfere with the online operation of the control system.
Be wary of any one-stop solution to handle all threats because most of the time it requires a complete action plan. Security in any form takes active engagement by something and/or someone because the nature of the problem is highly variable. The growing rate of technology has an equally growing rate of security threats. Very few security products have advanced enough to create cost effective and efficient solutions.
ICS vulnerabilities are widely diversified
In 2015, new vulnerabilities were found in 55 different manufacturers which included all types of components: programmable logic controller/distributed control system (PLC/DCS), human-machine interface (HMI), electronic devices, supervisory control and data acquisition (SCADA), industrial network devices, and many others. The vulnerabilities in industrial control system (ICS) components are so different in nature from traditional information technology (IT) threats that they should be treated differently and with the control engineering team fully participating. Adding firewalls/DMZ, turning off ports, and creating air gaps are good practices, but are not enough and the control layer should always be monitored by equipment/processes designed for the entire control system infrastructure.
Many manufacturers have a solution for this; they sell a product to monitor the control system and help to mitigate the risk. The problem with this method is that they do not have dedicated staff to support the ever growing vulnerabilities and are usually last to the table to mitigate the threat via a patch. These manufacturers also do not play well with other brands. If a facility has multiple types of controllers for example, then they will not get security coverage to some and will have to create multiple solutions that all need to be monitored.
If a process facility relied on conventional security methods—and on security product manufacturers to create patches for security breaches—it would only be partially protected. Firewalls and air gaps are good security precautions but are only part of a complete security solution.
Most ICS components are susceptible
It is probably not surprising that the HMI, SCADA, and controller are the top components that are susceptible to intrusion as these are the main parts of a control system. They are also touched by many different people and systems, all of which bring an element of risk. Whether internal engineers, multiple networks, IT, 3rd party integrators, etc., the risk grows and most companies have no way to track who was on the system and what was done.
Hopefully, the 3rd party integrator doesn’t accidentally pass a security threat to the system because of a sketchy driver download. Unfortunately, most companies would have no way of knowing until the problem surfaces and with a growing number of vulnerabilities, the risk of catastrophic damage is ever increasing.
Although automation components are designed for critical infrastructures, industrial-sector devices are not secure by default. The capabilities, motivations, and number of threat actors focusing on ICS environments are increasing. From infected hard drives or USB sticks to unauthorized connections from ICS networks to the Internet through personal smart phones or modems, and from infected distributive kits obtained from vendors, to a hired insider.
With the Industrial Internet of Things (IIoT) growing, these security threats are not going to go away or even slow. Fortunately, this boom has created a movement in the software industry and dozens of startup cybersecurity companies have emerged. Most are trying to make a quick buck on the rising tide; others are inventing technology that our industry has never seen and are taking huge leaps forward in cybersecurity.
When doing research, look for platform diversity, comprehensive audits, a guarantee of seeing every logic/controller action (audit), real-time alerts, and a qualified, respected team at their foundation. This is uncharted territory and perhaps the internal engineer, vendor, or local integrator may not have necessary cybersecurity experience. Reach out to the community. Challenge cybersecurity companies to provide complete solutions, onsite proof of concepts, and a well-respected engineering/security foundation. No matter what company walks through the door, be sure to deep dive into their solution and ability to support the company for the foreseeable future.
Eli Jenkins is an account manager with Cross Company. He has a background in chemical manufacturing, control system integration, and consultant sales. This article originally appeared on Cross Company’s Innovative Controls blog. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, firstname.lastname@example.org.