Security Technologies for ICS/SCADA environments
Introduction: Security Challenges
Generally speaking, security is not a priority in the context of industrial control systems (ICSs) and Supervisory Control And Data Acquisition (SCADA) environments. Unlike IT professionals, their OT (operations technology) colleagues are generally not that concerned about security matters in their environments.
While IT security puts confidentiality above the other two elements that build the CIA Тriad, availability first and then integrity are the priorities when it comes to ICS/SCADA security.
In the past, ICS/SCADA components were air-gapped from the outside world. With the convergence of IT and OT and the emergence of the Internet of Things (IoT), ICS/SCADA systems no longer operate in isolation. They are increasingly connected to other components and systems and have the capability to send and receive data to both IT and OT systems across the corporate network. These two access points are practically equal to two sources of potential vulnerabilities in the industrial infrastructure.
Unfortunately, there are inherent design flaws of ICS/SCADA components that endanger their security posture. They have numerous vulnerabilities: including a lack of basic security controls for authentication, no encryption for communications, and a lack of visibility that could identify potential threats across the network.
Many ICS/SCADA devices run outdated operating systems, such as Windows NT 4.0, which Microsoft no longer provides security updates or support. A lack of patching leads to a degradation of security procedures, including a lack of ongoing system hardening and outdated and unused security tools.
Here are three prominent consequences when ICS/SCADA systems are hacked:
- Unauthorized access to industrial control systems – A remote-control OT system could be hijacked by cybercriminals. Alleged Iranian hackers used simple Google dorking to gain unauthorized access to the New York dam’s control system.
- Data alteration or interference – Important data emitted from an OT system regarding safety may be blocked or tampered with. In 2018, Tesla fell victim to an insider attack that caused real damages. By changing the source code of the Manufacturing Operating System, a Tesla employee managed to sabotage the company’s OP systems.
- Unavailability – if the target system is required to be constantly operating – like 24/7 – in order to support essential control of physical operations, then any interruptions may have a negative impact. A cyberattack on a Ukrainian power plant’s SCADA system led to a six-hour power outage, cutting power to 80,000 people. Actually, most DDoS attacks may have a devastating effect on the industrial infrastructure under such circumstances.
Layered Defense Approach
A layered defense is the recommended security method for providing ICS and SCADA systems with an overlapping set of controls that can protect against a wide array of risks. It consists of several components:
- Security frameworks
- Security technology solutions
- Security services
A security framework is a set of best practices that can offer guidance for organizations that want to devise and implement efficient security controls. One such important document on cybersecurity was issued by the National Institute of Standards and Technology (NIST), and it includes five main activities:
- Risk identification and assessment – “Be Proactive—Start Assessing Your Risk” is the advice that a company called Positive Technologies gives with respect to the cybersecurity of ICS/SCADA systems
- Secure data and systems to prevent, mitigate or contain cybersecurity threats
- ICS security audits and compliance checks – they are to be relevant to standards (e.g., CIS, NERC CIP, ISA99) in a particular industry.
- Spot cybersecurity events – threat intelligence monitoring, including zero-day vulnerability alerts, and anomaly detection
- Respond to the observed events in a timely manner
- Remediate the effects of cybersecurity events – incident management and forensics in ICS environments
“NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security” may particularly provide more details about threats, vulnerabilities and security controls related to ICS and SCADA environments.
According to US ICS CERT reports, approximately 55% of all ICS-based cybersecurity incidents are Advanced Persistent Threats (APTs), but, perhaps not surprisingly, 40% of all incidents in the ICS/SCADA sector are due to improper human actions, for instance, a spear-phishing attack. In 2012, a cyberattack took down a large part of the Saudi Aramco’s oil IT system, which, in fact, forced its administration to complete all operations on paper. The attack began from an infected scam email.
USB devices are often used in ICS networks to copy files or install software updates. Employers bring them sometimes to different unprotected locations. By way of illustration, an employer whose home IT system is compromised may inadvertently transfer malware to the ICS/SCADA environment through a USB stick if he/she decides to use it at home. On the other hand, planted USB flash drives in the immediate vicinity of an organization is another method to dupe unsuspecting workers into letting the enemy inside the protected area.
We must not forget that humans operate OT environments, and the human attack vector is one of the largest. A cultural shift towards security is the effect organizations should seek, and they must do so through the implementation of comprehensive and consistent employee training that focuses on company security policies. Training programs for ICS companies regarding social engineering, security assessment and general cybersecurity are necessary.
Security policies, in turn, should always follow the latest security best practices. IT and OT staff, along with policy makers and engineering experts, should work together to create effective policies (e.g., both physical security and cybersecurity policies and a business continuity plan).
Security Technology Solutions
There are a number of solutions and controls that can be utilized to meet the requirements associated with the CIA Triad. Multifactor authentication fortifies security to access control systems. Firewalls not only restrict traffic flows but can also be used to segment sensitive ICS and SCADA networks from general productivity networks. Virtual private networks (VPNs) give authorized users the option to access the SCADA network, for example, via a secure, encrypted connection.
Mobile device management (MDM) or enterprise mobility management (EMM) solutions are the answer to proper administration, configuration, updating concerning devices (e.g., mobile devices, smartphones, tablets, laptops, etc.) that can be used by authorized personnel to access ICS/SCADA networks. Anti-malware software usually run on almost every enterprise system, including those in the ICS/SCADA environments. It is dependent, however, on receiving automatic signature updates on a regular basis and performing scheduled scans, and such a kind of protection may not be appropriate for all endpoints. Security information and event management (SIEM) solutions can be useful once a security incident occurs because of their ability to act as a monitoring dashboard that records log and event data from every technology deployed.
In all likelihood, artificial intelligence (AI) and machine learning would provide great assistance in real-time analytics to identify anomalies in the production line, among other things.
Vendors with specific expertise in SCADA and ICS technology offer various security services such as implementation and management of security controls, as well as testing of security controls (i.e., vulnerability scanning and penetration testing).
One innovative company suggests a new approach called Security Instrumentation, which is having sensors placed in ICS environments to attack each other (not the ICS devices) in order to safely simulate real cyberattacks. The company claims that this approach is safer than traditional penetration testing and vulnerability scans.
Up until recently, a prerequisite for proper industrial security has been the strategic placement of on-premise devices in all critical locations. A cloud service called Industrial Cyber Security as a Service (ICSaaS) provides crowdsourced data analytics, live threat intelligence and proactive cybersecurity all rolled into one, eliminating at the same time the need for physical deployment of any equipment on-site.
The menace to ICS & SCADA is real. This article barely scratches the surface by mentioning only several instances of such cyberattacks. Despite the fact that protecting ICS & SCADA environments is not an easy task, there are plenty of security technologies that can help to mitigate many threats. Every organization should simply identify its needs, and tailor its cybersecurity measures accordingly.
- Comment: Cyber security culture in an ICS/SCADA environment, OilandGasMiddleEast.com
- ICS/SCADA, Positive Technologies
- ICS/SCADA Security Assessment, Positive Technologies
- ICS Environments: Insecure by Design, SecurityWeek
- Industrial Defense In The Cloud, SecurityWeek
- How IoT Opens the Door for Insider Attacks Against Industrial Infrastructure, SecurityWeek
- OT Security Management, Skybox Security, Inc.
- SCADA vulnerabilities in ICS architectures, Help Net Security
- Securing ICS Environments in a Connected World, Trend Micro
- Security Instrumentation for Industrial Control Systems (ICS) Environments, Verodin Inc.
- What It Takes to Defend Against Growing Threats to ICS and SCADA Systems, BizTech
- Why Is Endpoint Protection a Big Deal in ICS Environments, Tripwire