Industrial Control Systems (ICS) is the automated system used to supply multiple essential services to Canadians. An industrial control system is actually an ‘umbrella term’ that refers to the supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLC), and distributed control systems (DCS). These systems are accountable for everything from the electricity that powers our homes, the water that flows through our pipes, and the traffic lights that direct travel on our local roads and highways. Industrial control systems aim to simplify various business workflows related to industrial production and reduce the human error rate with automation. ICS Security plays an integral role in bolstering the resilience of these essential services. Unfortunately, despite the risks of cyberattack on industrial control systems and the users of these systems, many organizations display great hesitation to adopt ICS security measures out of fear of the impact it may have on system performance.
Why is ICS Security a Challenge?
The history of industrial control systems exists well before the Internet and other, more current, technological advancements. As a direct result, industry control systems were essentially designed to operate in an extremely isolated and controlled capacity. Actually, industrial control systems were really only connected to the other systems within the same factory or warehouse. Today communication protocols and mechanisms do not meet the requirements of today’s business requirements and they often do not communicate ideally with more current technologies – making ICS security somewhat more challenging and nuanced, depending on the particular industry. Any downtime within an ICS network may result in colossal outages, hundreds of thousands of impacted users and even national disaster.
Though enterprise networks introduce many great advantages for an industrial business, they also bring with them new threat exposure and vulnerabilities – that is why ICS security is absolutely essential to business continuity. ICS security is a framework that protects these organizations from external interference, uninvited intrusions and data breaches.
ICS Security Threats
ICS security is no small task. The majority of industrial control systems were developed before the first cyber vulnerability was recognized, and had absolutely no external security controls built into their design. Understanding some of the most common industrial control system threats is the first step that any industrial organization can take to protect their network. In order optimize ICS security protocol, practices and policies, it helps to understand the threats they are subject to.
Internal Threats: Many ICS networks have insignificant or nonexistent authentication or encryption to restrict user activity. As result, an employee may have boundless access to any device that exists on the network, and that includes SCADA applications and other critical mechanisms. In addition, systems that have been updated to connect to a computer interface are often easily compromised by malware or malicious USB device.
Human Error: To err is human, however, when errors are made on an ICS network, they can have a devastating impact on operations and an organizations reputation. As is the case with all technology, human error is the single greatest threat to ICS security. Mistakes range from incorrect configurations to programming errors to forgetting to monitor alerts.
External Threats: Understanding that industrial control systems are found in electrical distribution, water supply, chemical manufacturing, distribution and healthcare, it is no surprise that these systems are heavily targeted by threat actors. The usual aim of state-sponsored attacks is typically centered around causing operational disruption, damage, or conducting espionage.
Case Study: Florida Water Treatment System Hack
Despite the daily bombardment in the news about the latest data breach, until a few short years ago, it’s been relatively uncommon that we are painted an example of just how critical ICS security is on a national level.
On February 5, 2021, using the remote access software, TeamViewer, a threat actor attempted to poison a water treatment plant in Oldsmar, Florida – population 15,000. During the ICS security event, the threat actor temporarily increased the release of sodium hydroxide, or lye, which is used to increase acidity.
According to reports, the threat actor gained entry to the system through the remote access software, TeamViewer, which the city no longer uses, however, it was apparently still connected to their system. Luckily, a City of Oldsmar supervisor was working remotely and saw the lye concentrations being adjusted, recognized the threat and immediately reversed it. The changes themselves did not engage immediately, due to the time required to adjust, however, had the supervisor not been aware of the intrusion, this ICS security event could have been much different.
Though the City of Oldsmar dodged a proverbial bullet, there remains a significant ICS security concern which is not unique to the Florida city. The Oldsmar water treatment plant is still using a Windows 7 operating system – a legacy, or end-of-life (EOL), software that Microsoft stopped offering support for over a year ago. The frightening reality is that many vulnerabilities such as these are extremely common across the globe.
Whereas the above scenario has been classified as an unsophisticated attack, by experts including Chris Krebs, the former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, he acknowledges that the Florida water treatment plant could happen at any number of sites, and smaller communities are particularly vulnerable.
“To impact industrial systems, you don’t need exploits. You just need to know how to use the system — in this case a human machine interface that operated the plant.”
Chris Krebs, Former Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency
A recent report, conducted as a collaboration between Lloyds, Cybercube and Guy Carpenter, however, presents some particularly humbling facts surrounding ICS security:
The risk of cyber-physical ICS security incidents is increasing, especially for individual entities.
Only a nation-state or nation-state affiliated actor is likely to possess the resources and level of technical sophistication necessary for a malicious ICS-oriented attack.
Three plausible scenarios consider: (1) a targeted supply-chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution; (2) a targeted Internet of Things (IoT) vulnerability attack, in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings; and (3) the infiltration of industrial IT networks to cross the Operational Technology (OT) “air-gap”.
An ICS Security event could conceivably trigger a loss that leads to property damage and loss of life in one entity and lead to extensive forensics, remediation, and product recall as necessary to limit further damage. However, an event leading to widespread property damage, business interruption, and human costs across multiple sites is currently less likely to occur.
A targeted attack against an industrial site in an industry with outsized strategic, economic or societal importance (or any combination of those factors) would be hugely significant. The key industries considered include manufacturing, energy, transportation and shipping.
Continued trends of increased cloud adoption in industrial operations, the convergence of IT and OT, and the proliferation of IoT and “smart manufacturing” can exacerbate security concerns and increase exposure profiles.
ICS Security – How We Can Help
Early Detection: When it comes to ICS Security, early detection is extremely valuable. It provides operators with more time to deter hackers before significant damage is done – truthfully, it is one of the most efficient means of defending and mitigating cyberattack. A great option for this purpose is the Thinkst Canary. A Thinkst Canary is a physical or virtual device, created by the cybersecurity company Thinkst. This clever device has the ability to imitate a variety of devices across a wide variety of configurations. Canaries can “pretend” to be anything from a workstation to a mainframe to a Windows file server or even a Cisco switch. This quality is extremely valuable to ICS security because if an intruder is on your network, as the attacker interacts with the Canary, it immediately generates alerts through email, text messages, slack notifications, or integration through other systems.
Pro-active Penetration Testing: Of equal or greater importance to ICS security is penetration testing. Penetration testing is a type of security testing that utilizes automated tools, manual techniques and procedures that real-world hackers would use if their goal was to attack your organization. Penetration testers are highly specialized individuals who will look to exploit any level of a security vulnerability in your business’s defences in order to gain a foothold into your company network. This service is extremely valuable as it allows your organization to learn from the perspective of an attacker – and close off all identified vulnerabilities.
Industrial control systems are often seen as sitting targets by threat actors. The majority of these systems monitor complex industrial processes and critical infrastructures that deliver power, water, transportation, manufacturing and other essential services. Without adequate ICS security, vulnerabilities within industrial control systems may result in consequences that threaten far more than the organization under attack. If you would like to learn more about ICS Security, Penetration Testing or Thinkst Canaries, please contact us for more information! We’re here to help.