Intrusion Detection and Prevention for ICS/SCADA Environments
Although the target audience for this writing is information security professionals such as ICS & SCADA or automation managers and engineers, it may also be useful to other IT security enthusiasts as well. This is because securing industrial control systems (ICSes) and supervisory control and data acquisition (SCADA) environments is an area of increasing importance.
In terms of technology, our society has changed so much over the last decade or so that the aforementioned environments are now almost everywhere. They are an inseparable part of engineering fields, ranging from energy, automobile, aerospace, transportation, industrial process control, manufacturing and healthcare.
Unfortunately, these systems are gradually becoming a favorite target of hackers, especially those driven by political motivation. Unlike other cyberattacks, ICS/SCADA-oriented cyberattacks may affect critical infrastructure operations, inflict substantial economic losses, contaminate the ecological environment and even claim human lives.
The Stuxnet worm attack on the Iranian nuclear power plant Natanz, uncovered in 2010, is perhaps the most well-known instance of a security breach in cyberspace with physical consequences in the realm of ICS/SCADA security.
Prevention is the key
Bruce Schneier once said that “prevention is best combined with detection and response.” Consequences of a security breach in ICS/SCADA environments may vary, so security teams should perform a thorough assessment of ICS systems to identify all kinds and levels of risk in order to put in place the corresponding safeguards.
National bodies, such as Public Safety Canada, have designed manuals of recommended best practices for organizations to follow which will facilitate the entire process of securing their ICS environments. These manuals outline security best practices in the following areas:
- Network segmentation
- Remote access
- Wireless communications
- Patch management
- Access policies and control
- System hardening
- Intrusion detection
- Physical and environmental security
- Malware protection and detection
- Periodic assessment and audits
- Change control and configuration management
- Incident planning and response
Due to a transition in automation, power and industrial control industries from switched circuits to switched packet communications, ICS/SCADA networks are becoming more vulnerable to a growing number of threats, including (self-propagating) malware and nation-state-sponsored cyberattacks.
Another well-known cyberattack that caused confirmed physical damage to an ICS was a 2014 cyberattack against a steel plant in Germany. First, attackers used a spearphishing to obtain access to the steel plant’s office information technology (IT) network. Then the cybercriminals moved to the production network (that is the so-called “lateral movement”), which is the place where critical assets reside. Finally, they had full control over significant components in the plant, thus shutting down a blast furnace in an uncontrolled manner, which resulted in massive damage to vital electronics in the plant.
In fact, this cyberattack was a classic example of an advanced persistent threat (APT). If there are lessons to be learned from the cyberattack against the German steel plant, one of them should definitely be: separate the office IT network from the industrial or operations technology network.
Network segmentation and multilayer security
A 2015 report issued by the U.S. Department of Homeland Security states that only approximately one-third of electric utilities have integrated security systems with the “proper segmentation, monitoring and redundancies” necessary to ward off a cyberattack.
Multilayer security would protect ICS/SCADA systems by providing unique security controls at each layer. Critical assets are to be placed in the most secure layer. Consequently, if malicious actors want to reach the targeted asset, they must go first through the security controls of every other layer.
For SCADA and ICS environments typical security controls that allow for the implementation of a layered defense system are Ethernet switches and security gateways. Alternative attack vectors, such as USB drives, can circumvent all defense mechanisms and endanger the operations technology (OT) network.
An illustration of a multilayer security framework:
- Layer 1: The access zone with perimeter gateway security (e.g., firewalls and port servers) whose purpose is to manage access security through directing traffic flows and traffic encryption
- Layer 2: The aggregation zone where data concentration, switches and controllers reside. In addition, Ethernet port security, Media Access Control (MAC) filtering, virtual local-area networks (VLANs) and traffic policing occur at this level
- Layer 3: Critical assets are located here. Operators can interact with the human-machine interface (HMI), configure individual devices, obtain and forward time-critical data. Ethernet switches with port security are usually used
“Defense in depth,” a holistic approach advocated by the U.S. Industrial Control Systems Cyber Emergency Response Team, goes one step further. It includes layered security but also other aspects like emergency response, disaster recovery and forensic analysis.
Tools: Intrusion Detection System/IDS
Several members from the security community predicted the end of IDS in light of the fact that SIEM-like systems have good capabilities concerning collection, correlation and analysis of security events. However, the majority considers that IDSes can still yield excellent results, specifically for ICS, and that is mostly because the IDS is a promising and rich area for research.
An IDS can monitor different environments, everything from IT enterprises and ICSes to wireless networks. Unlike an IT firewall, an OT one is configured to inspect even internal traffic coming from inside another trusted zone. According to its characteristics, an intrusion detection system can be categorized as follows:
- Capture Mechanism – two types:
- Host log monitoring
- Promiscuous network monitoring
- Approach Technique
- Signature detection (dedicated language, pattern matching or state transition analysis)
- Anomaly Detection (probabilistic model, specification-based model or behavioral detection model)
- Response Mechanism
What is particularly valuable when it comes to IDSes is their ability to detect policy violations. An IDS also analyzes traffic between devices and internal traffic, which is useful in order to preemptively block distributed denial-of-service (DDoS) attacks or prevent buffer overflow.
In this context, the deployment of an IDS is an important component of ICS/SCADA security. Nevertheless, IDS technologies used in conventional IT infrastructure are not easily transferable to ICS/SCADA environment; thus, security and academic experts strive to build IDSes specifically for this IT infrastructure.
Deploying an IDS requires deep research and careful planning. Inside the firewall, at the perimeter of the network, is one of the most common spots of the IDS sensor’s deployment.
Intrusion detection and prevention for ICS-SCADA is not an easy task. Security teams must remain vigilant at all times and remember that the threat is real. To increase their chances for success, they should harness every best practice and efficient tool available.
Industrial control system (ICS), Supervisory control and data acquisition (SCADA), Intrusion detection system (IDS), Cybersecurity, Defense in Depth, Multilayer security, Network Segmentation, Advanced persistent threat (APT).
- Bartman, T. and Schweitzer, J., “An Introduction to Applying Network Intrusion Detection for Industrial Control Systems,” Sensible Cybersecurity for Power Systems: A Collection of Technical Papers Representing Modern Solutions
- Defensive Strategies for Industrial Control Systems, Trend Micro Incorporated
- Intrusion Detection Systems (IDS) in the Context of Smart Grids and Industrial Control Systems, Hitachi Systems Security Inc.
- Nicholson, A., Janicke, H., and Cau, A. “Position Paper: Safety and Security Monitoring in ICS/SCADA Systems”
- Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies, U.S. Cyber Emergency Response Team