Saving lives with ICS and critical infrastructure security
Introduction
Digital transformation has revolutionized critical infrastructure industries like manufacturing, enabling them to harness new technologies such as the cloud and the Internet of Things to do things better, faster and smarter. And like with any newly blazed trails, this transformation has come with new risks.
Learn ICS/SCADA Security
Industrial control systems (ICS) — used in sectors such as manufacturing and energy — traditionally relied on architecture segmentation, “air-gapping” and other passive defenses. But with the number of internet-facing embedded devices and control systems growing in the last decade, those passive defenses no longer work. At the same time, the attacks targeting those systems are on the rise. Under these circumstances, a major attack could result in severe damage, including loss of human life.
An expanded view of critical infrastructure
In a 2019 ICS (industrial control systems) survey, 51 percent of more than 300 respondents perceived the level of operational technology (OT) and ICS risk to be severe, critical or high. The top threat identified was devices and “things” that are being added to the network and can’t protect themselves.
Not only are industrial control systems being connected to the internet and the cloud for the first time, but every new device creates an entry point for a bad actor to exploit. And with this new ecosystem now being interconnected and interdependent, supply-chain security and infrastructure security are new priorities that these sectors haven’t had to grapple with in the past.
Emily Miller, direction of national security and critical infrastructure programs at software-security company Mocana, recently told Infosec on its Cyber Work podcast that securing industrial control systems is a matter of saving lives. But she takes a broader view of the definition of critical infrastructure, including agriculture.
“What happens if your food sources are potentially impacted … not only from the cascading consequences of water and power [being affected], but also the cascading consequences of component elements that no one at the national level has even recognized as a critical infrastructure,” she says.
Yet like other critical infrastructure industries, she points out that agriculture has been innovating — using many embedded devices and other technologies that create not only physical risks but also data tampering risks for components that end up in the food manufacturing process.
You can have “a physical introduction of a contaminant — but what if you’re having somebody introducing a data element that is telling you something is true, when something is actually not true,” she says.
New technology, new security concerns
Many critical infrastructure businesses are using cloud-based and mobile technology that have data going through a long communication chain before it gets used for decision-making by a human. A device may first collect the data in the field, then talk to another device in the cloud and then the data will get filtered back to another platform and so forth. A threat actor thus has many opportunities to manipulate the results, from tampering with the device itself to intercepting the data in transit.
“Where in the data chain have you validated that the data from the original data point and data source is accurate, that the originating device was not in some way corrupted or manipulated, or that the data in transit was not somehow corrupted or manipulated,” says Emily Miller, who previously worked with the Department of Homeland Security, Department of Health and Human Services and ICS-CERT.
Embedded devices are only one source of security challenges for ICS. Many companies are using so-called legacy technology that has vulnerabilities easily exploited by hackers. For example, CyberX Labs analyzed more than 850 industrial control networks across multiple industries and found that 53 percent had outdated systems like Windows XP.
“Retrofitting legacy devices are a huge thing the industry has to deal with,” Miller says.
As the critical infrastructure sector is dealing with these issues, it’s also increasingly the target of attacks. A 2018 Forrester study commissioned by Fortinet found that of more than 400 organizations using ICS or SCADA, 56 percent had a breach in the previous year.
And increasingly, more attacks on critical infrastructure are being attributed to nation states. In the 2019 SANS survey, 28 percent of organizations believed they were attacked by nation-states or state-sponsored actors, compared to zero two years before.
Taking a systematic approach to infrastructure security
Miller noted that different industries have different risk priorities. At the end of the day, though, many of those risks are interconnected.
Take an embedded healthcare device like a pacemaker, which may have a security vulnerability. That device is connected to a monitoring system, which is connected to the internet, which may be connected to a nursing home network. Even while a compromised device puts a patient at risk, there’s also an additional risk picture to consider.
“When you go up the stream, it broadens the attack surface. Sure, the pacemaker’s scary [as a security risk] but there’s a whole lot more impact that you can have [because of the interconnection],” Miller says.
She noted that interdependency also impacts risk mitigation. In the case of a pacemaker, for example, it’s riskier to update the device that’s implanted in a patient versus updating the monitoring system that’s turned on only part of the time.
What’s next
Miller sees the industry continuing to grapple with the issue of legacy devices in the next five years. She also believes there’ll be continuing conflict between IT and OT, driven by digital transformation, especially as technology like artificial intelligence and cloud-driven big data analytics continue to move to the mainstream.
“We’re really gonna have to deal with how we create trusted systems,” she says. “The devices and the whole ecosystem, the network, the government — how does all that work together and how do we enable business and continue to make money, but also make sure we’re doing it in a safe and secure way.”
Learn ICS/SCADA Security
Sources
- SANS 2019 State of OT/ICS Cybersecurity Survey, SANS
- 2019 Global ICS & IIoT Risk Report, CyberX Labs
- Savings Lives with ICS and Critical Infrastructure Systems, Cyber Work with Infosec
- Independent Study Pinpoints Significant SCADA/ICS Security Risks, Fortinet
Learn ICS/SCADA Security
Build your critical infrastructure security skills with hands-on training in Infosec Skills. Train how you learn best:- Practice realistic scenarios
- Build hands-on skills
- Learn live or on-demand
- Get certified
In this Series
- Saving lives with ICS and critical infrastructure security
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- Operational technology compromises: Low sophistication, high-frequency
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Social Engineering Attacks
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- SIEM for ICS/SCADA environments
- Intrusion Detection and Prevention for ICS/SCADA Environments
- Firewalls for ICS/SCADA environments
- ICS/SCADA Security Technologies and Tools
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure
Operational technology compromises: Low sophistication, high-frequency