Three reasons to perform an industrial control system assessment
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems and users can prevent these attacks with an assessment that takes stock of what a company has, who has access, and what changes have been made.
How often does an information technology (IT) group inform your company about the latest hacking trends affecting company email and systems? The hackers, or "bad actors" in the corporate and industrial world, have moved beyond poorly-worded email guaranteeing millions of dollars you inherited from an unknown and deceased relative. They’re moving beyond the corporate level and taking aim at a company’s control systems.
Industrial control systems (ICSs) are under attack as frequently as corporate administration systems. The problem, however, is that many industrial operational technology (OT) departments have lagged behind their IT counterparts in managing new threats. This is often for valid reasons, such as:
- Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
- The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
- OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
- Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.
While those reasons still characterize some the realities in today’s OT system, other factors have changed, providing the OT departments with more options than previously available to them. With technology developing faster than ever and more areas of the plant improving with smart devices, the plant is more capable than ever to increase production from its ICS and, concurrently, more vulnerable to unauthorized users. If movies, headlines, and personal experiences can teach us anything, it is that the bad actors will target OT systems for any motive and by all means necessary.
Responsible ICS management
The proper reaction to the risk of improved technology is not to stay in the dark ages and think, "If we maintain this 20-plus-year-old stand-alone system, then at least we’ll be safer than connecting everything together." Rather, forward-thinking OT decision-makers should embrace the often quoted Spider-Man line, "With great power, comes great responsibility."
If the responsibility in an industrial facility is being shirked by everyone as "someone else’s job,’ then think of this bit of cliché wisdom, "Friends don’t let friends have unsecured, undocumented, and unplanned industrial control systems." Now, speaking as a friend, if you know your ICS is at risk, it becomes your responsibility to explore ways to protect and educate the company on these issues, because eventually, it will affect your job.
The task to communicate this vulnerability, while potentially daunting, does not have to be entirely doom-and-gloom. After all, if the benefits of a well-designed OT infrastructure can improve quality, production, health and safety, and overall system security, the benefits of such a system to the company will far outweigh the potential inherent risks.
To prepare for the objections from the status-quo peanut gallery, remember: older systems are not impenetrable from outsiders. There’s often a false sense of security that may be present because newer industrial control systems and complementary systems can identify risks that were not previously visible to plant engineers. In overly vulnerable systems, bad actors, disgruntled employees, or errant programmers can do a lot of damage to the ICS without being detected or under the guise of alternate explanations.
Advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:
- Unexpected and unexplainable shutdowns
- Loss of production time
- Loss of raw materials
- Missed deadlines
- Poor quality resulting from unidentified changes to the process
- Safety breaches and injuries from machines being started at the wrong times.
Lack of accurate insight into the ICS’s users, networks, processes, and changes may account for part of the misdiagnosis. For example, a batch system that often experiences unplanned shutdowns on weekends may be attributed to old hardware or operator error. In reality, it could be a bit of bad-actor programming that causes a process shutdown at defined intervals, but no one in the plant is aware of the malicious code buried in an obscure controller by an unknown entity.
How to assess an ICS
An ICS assessment may start with an industrial-cybersecurity focus, but it is more than just cybersecurity. It documents the system, creates a roadmap for secure growth and navigation, provides action items when breaches or errors occur, and educates and trains a culture of industry best-practices.
1. Know what you have
An ICS assessment allows the user to know what they have in your plant so they can manage the risk. Each controller could be a vulnerability depending on the overall network architecture and system settings for the devices. In some facilities, everything is all on one network. While that’s probably less of a reality today than 1-2 years ago, that network layout means that someone downloading a simple file via email could shut down the whole production process.
While most industrial facilities probably have at least some separation between administration and operation networks, there can be plenty of vulnerabilities if the network has grown by sprawling switches and routers opposed to a well-defined architecture with demilitarized zones (DMZ) between IT and OT domains. Creating a DMZ allows teams on both sides of the zone share important data without jeopardizing production or sensitive information.
2. Know who has access
An ICS assessment can also identify who should have access to the various systems. If you know who should have access, then it is easier to identify who shouldn’t have access. By using tools available for ICS systems now, bad actors can be identified by:
- Unknown IP addresses showing up on a network scan.
- Changes made by a smart device or human-machine interface (HMI) connected to a controller.
- Changes made by bypassing the control network and using a USB port to upload changes.
3. Know what’s been changed
Once you know what you have, and who should have access, it is much easier to know what has been changed. By watching the well-documented network, you can find out where the changes are made, who has been performing them, and what has changed. Not every change to a system is malicious or done by the faceless villains. Sometimes it is an honest mistake. Regardless of the source, any change that is not intended for the optimal production process can cause untold losses in labor, production, dollars, and sometimes life or limb.
Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see. You may not be able to stop every risk, but you can improve the time it takes to correct any unwanted activity. Each step forward in securing and monitoring your system is better than taking none at all.
Brendan Quigley graduated from Millsaps College in 2003 and joined Cross Company in early 2012 as an inside sales representative. This article originally appeared on Cross Company’s Innovative Controls’ blog. Cross Company Integrated Systems Group is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.