The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently published five advisories concerning industrial control systems (ICS). These provide vital ICS security information particularly when it comes to vulnerabilities and exploits. CISA seeks to help ICS users and administrators avoid security issues and ensure timely mitigation.
With government agencies actively addressing security concerns in the field of industrial control systems, there’s no doubt that ICS security is of paramount importance. ICS has evolved from being standalone systems to becoming complexly connected networks to support automation and more efficient industrial operations. The problem is that ICS is generally unseen and many organizations tend to lose security visibility over them.
Expanding attack surfaces
ICS has been extremely useful, especially in critical infrastructure, where machines are orchestrated, automated, and remotely controlled. However, this widespread use of ICS has also broadened the possible attack surfaces of organizations. They create new opportunities for threat actors to spot and exploit weaknesses, making cybersecurity more challenging than ever.
Together with the prominent use of the Internet of Industrial Things (IIoT), actuators, smart sensors, and various interconnected devices, ICS makes cybersecurity more difficult for IT departments. Each connected endpoint device can become an entry point for adversarial actions. Notably, the growing complexity of IT infrastructure and technologies is matched by the increasing sophistication of cyber attacks, which makes it necessary to pay attention to and implement ICS security solutions.
Industrial control systems used to operate in siloed environments, which means they were inherently isolated from threats. However, as they are employed in automated systems and as they converge with IT and operational technology, they are now exposed to the same aggressive threats that affect IT systems. They operate discreetly and remain mostly unseen, but they are now targets of persistent attacks. They have become
What makes ICS vulnerabilities distinct
The risks and vulnerabilities associated with industrial control systems are not that different from those that affect most other IT systems. These include the lack of hardware and software security features and updates, the use of insecure networks and protocols, supply chain attacks, and insider threats. However, the relative newness of ICS in organizations makes these vulnerabilities more difficult to address.
For one, ICS is commonly developed with legacy systems. They were created usually without paying attention to cybersecurity risks because they used to operate in settings that were traditionally not targets of cyber attacks. Their hardware and software usually lack security functions. In some cases, they are no longer being maintained or supported by their respective vendors.
Implementing bespoke security updates on legacy ICS is possible, but it is going to be a risky and complex process. Such an update or upgrade may result in dysfunctions or downtimes, which have serious repercussions, especially for ICS used in critical infrastructure. Also, many ICS in critical infrastructure and industrial settings are designed to not accept OTA or remote patching. Updating them would be a very difficult task, that’s why many organizations that use ICS prefer to tolerate the risks and continue using their un-updated systems.
Another ICS vulnerability is the use of insecure data transmission protocols and networks. Since any of them were designed at a time when cyber attacks were not a major concern, they usually lack even the most basic security features such as authentication, encryption, and access controls. This makes them predisposed to various kinds of attacks, from data collection to DDoS. As ICS is interconnected to business IT systems and the World Wide Web, the risks inevitably become more difficult to address.
Moreover, ICS is prone to supply chain vulnerabilities. The ICS infrastructure of many organizations relies on hardware, software, and services that include those supplied by third parties. As such, there is a big possibility that these third-party components can become attack vectors, which is a big concern given the lack of security functions of many industrial control systems.
Insider threats are also a serious risk for ICS. From careless employees who unwittingly open up system vulnerabilities to disgruntled employees who intentionally expose ICS to risks or attack it themselves, the likelihood of an attack from the inside should not be downplayed or dismissed. Organizations need to implement reliable access control systems, user activity monitoring, and adequate cybersecurity awareness orientation or training given the unfamiliarity of ICS and the threats aimed at it.
ICS security best practices
To ensure robust ICS security, it is important to understand how ICS works and the different security challenges surrounding it. The following list of best practices is a good summary of how organizations can more effectively secure their industrial control systems.
Ensuring full security visibility – It is difficult to protect something that is not easily visible. It is advisable to undertake ICS asset discovery to have a thorough understanding of the potential threats and to know what to protect and how to protect these assets. The discovery process includes the identification of all ICS devices, applications, connections, and the systems they are connecting to. Their configurations and vulnerabilities should also be examined. Also, given the nature of the modern cyber threat landscape, it is recommended that ICS asset discovery should be a continuing process.
Implementing all applicable security controls – After identifying all possible attack surfaces and vulnerabilities, organizations need to liberally deploy security solutions and mechanisms. These include the installation and proper configuration of firewalls, anti-malware software, and intrusion detection systems. Security controls should address threat prevention, detection, mitigation, and remediation.
Network segmentation – Another useful ICS defense practice is the segmentation or division of an organization’s network. This means analyzing the network to group common systems and devices so they can be functionally isolated through security measures and tools such as firewalls and user access controls. This is done to quickly contain and remediate attacks or malware spread.
Securing remote access – Most organizations that use ICS also employ remote access to enable remote monitoring and control over equipment, services, and resources. This is a major potential attack surface and should be robustly secured with multi-factor authentication, stringent user access controls, and VPNs.
Addressing organizational and jurisdictional issues and providing adequate cybersecurity training – It is also important to acknowledge the confusion that comes with the deployment of ICS. It may not be clear whose responsibility it is to ensure ICS security, especially for large organizations operating in different locations. This should be clarified and included as part of the cybersecurity awareness and training program of an organization.
Incident response planning – There is no foolproof security solution or system, so organizations need to know what to do in case they encounter a security incident or an attack penetrates defenses. They should know how to contain the problem, mitigate the impact, fix the problem, and ensure that a similar incident will not happen again.
Securing the invisible
ICS is often unseen literally and cybersecurity-wise. That’s why it is often neglected and not as protected as other IT assets. This should not be the case, though. Threat actors see ICS as an attractive and easy attack point, as demonstrated by several ICS attacks like the one pulled off by hacktivists in 2022. Organizations need to see the sensitive cybersecurity situation that comes with the use of ICS.