ICS Security: How Cyberattacks Cause Physical Damage

ICS security and how cyberattacks cause physical damage are key topics that teams should be familiar with in 2023 and beyond.

Our ethical hackers dive into the nuances in today's blog:

What is ICS Security?

Industrial Control Systems (ICS) are automated systems that supply multiple essential services to North Americans. An industrial control system is an ‘umbrella term’ that refers to the supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLC), and distributed control systems (DCS).

These systems are responsible for everything from the electricity that powers our homes to the water that flows through our pipes and the traffic lights that direct travel on our local roads and highways. Industrial control systems aim to simplify various business workflows related to industrial production and reduce the human error rate with automation.

ICS security plays an integral role in bolstering the resilience of these essential services. Unfortunately, despite the risks that cyberattacks pose to industrial control systems and their users, many organizations are hesitant to adopt ICS security measures out of fear of the impact they may have on system performance.

Why is ICS Security a Challenge?

Industrial control systems predate the Internet and other, more current, technological advancements. As a direct result, industrial control systems were designed to operate in a highly isolated and controlled capacity. They were only connected to the other systems within the same factory or warehouse.

Today, the communication protocols and mechanisms of these systems do not meet current business requirements and often do not communicate ideally with more current technologies, which makes ICS security somewhat more challenging and nuanced, depending on the particular industry. Any downtime within an ICS network may result in colossal outages, hundreds of thousands of impacted users, and even national disaster.

Though enterprise networks introduce many significant advantages for an industrial business, they also bring new threat exposure and vulnerabilities. That is why ICS security is essential to business continuity. ICS security is a framework that protects these organizations from external interference, uninvited intrusions and data breaches.

ICS Security Threats

ICS security is no small task. Most industrial control systems were developed before the first cyber vulnerability was recognized and had absolutely no external security controls built into their design.

Understanding some of the most common industrial control system threats is the first step that any industrial organization can take to protect their network. To optimize ICS security protocol, practices and policies, it helps to understand the threats they are subject to.

  • Internal Threats: Many ICS networks have insignificant or nonexistent authentication or encryption to restrict user activity. As a result, an employee may have boundless access to any device on the network, including SCADA applications and other critical mechanisms. In addition, systems that have been updated to connect to a computer interface are often easily compromised by malware or malicious USB devices.

  • Human Error: To err is human; however, errors on an ICS network can have a devastating impact on operations and an organization's reputation. As is the case with all technology, human error is the single greatest threat to ICS security. Mistakes range from incorrect configurations to programming errors to forgetting to monitor alerts.

  • External Threats: Because industrial control systems are found in electrical distribution, water supply, chemical manufacturing, distribution and healthcare, it is no surprise that threat actors heavily target these systems. State-sponsored attacks typically aim to cause operational disruption or damage, or to conduct espionage.

Case Study: Florida Water Treatment System Hack

Despite the daily bombardment of news about the latest data breach, until a few short years ago it was relatively uncommon to see an example of just how critical ICS security is on a national level.

On February 5, 2021, using the remote access software, TeamViewer, a threat actor attempted to poison a water treatment plant in Oldsmar, Florida – population 15,000. During the ICS security event, the threat actor temporarily increased the release of sodium hydroxide, or lye, which is used to increase acidity.

According to reports, the threat actor gained entry to the system through the remote access software TeamViewer, which the city no longer uses. However, it was apparently still connected to their system. Luckily, a City of Oldsmar supervisor was working remotely and saw the lye concentrations being adjusted, recognized the threat and immediately reversed it. The changes themselves did not take effect immediately because of the time required to adjust. However, had the supervisor not been aware of the intrusion, this ICS security event could have ended very differently.

Though the City of Oldsmar dodged a proverbial bullet, there remains a significant ICS security concern that is not unique to Florida. The Oldsmar water treatment plant still uses Windows 7, a legacy, or end-of-life (EOL), operating system that Microsoft stopped supporting over a year ago. The frightening reality is that many vulnerabilities such as these are prevalent across the globe.
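In the case above, the change was caught because a person happened to be watching the screen. One way to automate that check, shown here as an added example (not code from the original article or from the plant): review every HMI setpoint write against engineering limits and flag out-of-range values, oversized steps and tags with no limit defined. The log format, tag names and limit values are assumptions constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed HMI audit log: timestamp, operator, session source, tag, old, new.
# Tag names, units and values are illustrative, not data from the incident.
SAMPLE_LOG = """\
2024-03-04T08:00:12,op_day,console,NAOH_DOSE_PPM,100,105
2024-03-04T13:30:41,op_day,remote,NAOH_DOSE_PPM,105,5000
2024-03-04T13:35:02,supervisor,remote,NAOH_DOSE_PPM,5000,100
2024-03-04T14:10:00,op_day,console,CL2_DOSE_PPM,2.0,2.1
2024-03-04T14:12:30,op_day,console,PUMP7_SPEED_PCT,40,45
"""

@dataclass(frozen=True)
class Limit:
    low: float       # lowest value process engineering allows
    high: float      # highest value process engineering allows
    max_step: float  # largest change allowed in a single write

# Hypothetical limits; real ones come from the plant's process engineers.
LIMITS = {
    "NAOH_DOSE_PPM": Limit(50.0, 200.0, 25.0),
    "CL2_DOSE_PPM": Limit(0.5, 4.0, 0.5),
}

def review_setpoint_changes(log_text, limits=LIMITS):
    """Return (timestamp, tag, reasons) for each write that breaks a rule."""
    alerts = []
    rows = (r for r in csv.reader(io.StringIO(log_text)) if r)  # skip blank lines
    for ts, _user, source, tag, old, new in rows:
        old, new = float(old), float(new)
        limit, reasons = limits.get(tag), []
        if limit is None:
            reasons.append("tag has no engineering limit")  # fail closed
        else:
            if not limit.low <= new <= limit.high:  # also true for NaN
                reasons.append("outside engineering range")
            if abs(new - old) > limit.max_step:
                reasons.append("step larger than allowed")
        if reasons and source == "remote":
            reasons.append("written from a remote session")
        if reasons:
            alerts.append((ts, tag, reasons))
    return alerts

if __name__ == "__main__":
    for ts, tag, reasons in review_setpoint_changes(SAMPLE_LOG):
        print(f"ALERT {ts} {tag}: {'; '.join(reasons)}")
```

A remote session on its own is not flagged, since legitimate staff also work remotely; it is recorded only as context on a write that already broke a limit. The large corrective write is flagged as well, which gives reviewers both halves of the event.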

Emerging ICS Security Cyber Threats

Although experts including Chris Krebs, the former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, have classified the above scenario as an unsophisticated attack, he acknowledges that what happened at the Florida water treatment plant could happen at any number of sites, and that smaller communities are particularly vulnerable.

“To impact industrial systems, you don’t need exploits. You just need to know how to use the system — in this case a human machine interface that operated the plant.”  

Chris Krebs, Former Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency

However, a recent report, produced as a collaboration between Lloyd's, CyberCube and Guy Carpenter, presents some particularly humbling facts surrounding ICS security:

  • The risk of cyber-physical ICS security incidents is increasing, especially for individual entities

  • Only a nation-state or nation-state-affiliated actor is likely to possess the resources and level of technical sophistication necessary for a malicious ICS-oriented attack

  • Three plausible scenarios consider (1) a targeted supply-chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution; (2) a targeted Internet of Things (IoT) vulnerability attack, in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings; and (3) the infiltration of industrial IT networks to cross the Operational Technology (OT) “air-gap”

  • An ICS security event could conceivably trigger a loss that leads to property damage and loss of life in one entity and lead to extensive forensics, remediation, and product recall as necessary to limit further damage. However, an event leading to widespread property damage, business interruption, and human costs across multiple sites is currently less likely to occur

  • A targeted attack against an industrial site in an industry with outsized strategic, economic or societal importance (or any combination of those factors) would be hugely significant. The key industries considered include manufacturing, energy, transportation and shipping

Continued trends of increased cloud adoption in industrial operations, the convergence of IT and OT, and the proliferation of IoT and “smart manufacturing” can exacerbate security concerns and increase exposure profiles.

ICS Security Best Practices in 2023 and Beyond

  • Early Detection: When it comes to ICS security, early detection is extremely valuable. It gives operators more time to deter hackers before significant damage is done, and it is one of the most efficient means of defending against and mitigating a cyberattack. A great option for this purpose is the Thinkst Canary, a physical or virtual device created by the cybersecurity company Thinkst. This device can imitate a variety of devices across a wide variety of configurations: Canaries can “pretend” to be anything from a workstation to a mainframe, a Windows file server, or even a Cisco switch. This quality is valuable to ICS security because, if an intruder is on your network and interacts with the Canary, it immediately generates alerts through email, text messages, Slack notifications, or integrations with other systems.

  • Proactive Penetration Testing: Penetration testing is equally important to ICS security. Penetration testing uses the automated tools, manual techniques, and procedures that real-world hackers would use if their goal were to attack your organization. Penetration testers are highly specialized individuals who will look to exploit any security vulnerability in your business’s defences to gain a foothold in your company network. This service is invaluable, as it allows your organization to learn from the perspective of an attacker and close off all identified vulnerabilities.

Conclusion

Industrial control systems are often seen as sitting targets by threat actors. Most of these systems monitor complex industrial processes and critical infrastructures that deliver power, water, transportation, manufacturing and other essential services. Without adequate ICS security, vulnerabilities within industrial control systems may result in consequences that threaten far more than the organization under attack.
