Never has the need for strong cybersecurity on industrial control systems (ICS) been greater, or more urgent. These systems — vital to the chemical, electrical, water, oil and other industries — help companies control their field devices, collect data and detect problems. And they’re increasingly under attack.
Cybersecurity events affecting ICS have increased by 2,100 per cent over the past three years, according to data from the US Department of Homeland Security’s ICS Cyber Emergency Response Team. These include targeted attacks by well-funded organisations, including both nation-states and terrorist groups.
Yet today’s ICS environment is difficult to secure, mainly because older approaches no longer work. Historically, ICS environments had been protected from cyber-attacks by physically isolating them, a practice known as air gapping. ICS environments were also considered low-priority targets. After all, these systems controlled not money, but industrial processes.
Now all that has changed. The attacks are real, and they’re increasing.
“Anything that is digital, that has a computer in it or that talks on a network, can be manipulated by somebody with bad intent,” Eric Knapp, cybersecurity leader at Honeywell, explains. “In order to defend against that you have to look at it at a device level to make sure the devices are protected against somebody doing that to them. You also have to look at it from the system level because a control system isn’t a bunch of devices connected with wires. It’s a system. It’s control loops, it’s IO and everything is automated. If there is a weak link, if you will, that can be targeted you could cause damage to a much larger system.”
The exact approach can often depend on who you talk to. An anti-virus vendor is going to tell you that stopping viruses on a machine is the most important thing because that’s what they do. People who build strong network defences are going to tell you that you have to put a strong perimeter around your network, because that’s what they do. They are all right. The foundational tenet of cybersecurity is defence in depth. That basically means there is no one answer. You have to layer defences.
“I think what’s coming to the forefront now is the need to complement your defence in depth with the situational awareness,” Knapp adds. “It’s learning from the cyber defence signals intelligence arena and what they are doing on advanced threat detection. With that understanding you can build resilience into your networks and into your operations.”
It starts with defence in depth. Critical to that, though, is having continuous monitoring and situational awareness that allows real-time visibility into what’s happening. Making that happen adequately requires advanced technology, automation and analytics, as there are far too many variables for any one person to tie together on a real-time basis.
But there can be problems in this drive for security. A senior control engineer at ExxonMobil recently said that if you are not careful, you end up with a giant security system that does a bit of control. Is it getting to that stage? “If security becomes an obstacle to the primary job, which in this case is operations, someone with normally good intent will find a way around it and make the entire system loop,” Knapp adds. “It’s one of the challenges of cybersecurity.
“There are technical controls and they have purpose and they work, but they have to be done in combination with people and process. You have to educate your people in why they are doing this. You have to have the policies and procedures in place to ensure that people are still able to do their job in a reasonable manner while also being protected or it will get circumvented. It’s just human nature.”
All the talk around industrial security creates the perception that a tremendous number of security controls have been deployed. According to Knapp, they have not. “We work in industries around the world, oil and gas, petrochemicals, chemicals, power generation with utilities, nuclear, pulp and paper, and there is a lot of talk, which is fabulous,” he explains. “We’re very happy that people are starting to adopt cybersecurity controls. Simple things such as application whitelisting, device control, USB protection, we aren’t seeing those being widely deployed. The industry is just starting to adopt some of those technology security controls to help complement what they are doing.
“The good news is that the majority of customers are on their way. Some of the leaders, like ExxonMobil, they are certainly out front. They are doing more. We have a long way to go as a broad industry to strengthen our defences.”
Built-in security
One of the buzz phrases around the industry from vendors is built-in security. According to Knapp that is more than a pipe dream, but there are huge challenges given the vast amount of legacy equipment within industry. “Honeywell, and most of the control vendors, are building new devices with security in mind. Honeywell has introduced features in the past few years, secure communications, encrypted traffic, that type of thing.
“But the industry doesn’t buy the newest technology and implement it as soon as it comes out. I think it’s safe to say that just about every customer out there is using technology that’s 20, 30, 40 years old or even older. It’s designed to last a long, long time. You’ve got a massive installed base of legacy systems. You’ve got heterogeneous environments, so you are going to have a mixed bag of devices and vendors.”
System structure
When it comes to devising a cybersecurity strategy, the first thing is to understand what the different risks are: the vulnerabilities and the threats. The best way to achieve this is to profile the site with either an assessment or an audit to understand what’s there. Armed with that information, it is possible to look at system design and architecture overall across the process control network, the automation systems and the safety systems. “Then we look to make design recommendations or changes, implementing network security controls, endpoint security controls, coupled then with monitoring and management capabilities,” Knapp explains. “Finally ending with means to ensure you have back-ups in place and can recover in the case of an incident.
“That’s our full holistic approach. That’s a step-wise approach where we would help a customer look at it. In most cases what’s happening is we are coming in somewhere along that continuum. Depending on the maturity of the customer we may be helping them solve a particular problem.”
It is a problem that will remain high on the agenda of control engineers driven by the growth of the Industrial Internet of Things. “I would say the great news is that the awareness is there and industrial customers are embracing the need to implement cybersecurity,” Knapp concludes. “They are working together, both the manufacturers and the vendors, everyone’s working together to help solve the problem. That’s a good sign.”
Counting the cost
Joseph Weiss, managing director, Applied Control Solutions, talks about the cost of cybersecurity breaches
There have been nearly 750 actual Industrial Control Systems cyber incidents, with impacts ranging from trivial to significant equipment damage; significant environmental damage; non-compliance with regulatory requirements; and deaths of people involved in the affected processes.
Remember, an ICS cyber incident does not need to be malicious to create a risk to the organisation with potentially catastrophic consequences.
The information from the incidents is not classified, but neither is it public. I have been studying these incidents for years, and I’ve created a database covering control system cyber incidents in Asia, Europe, North America, South America, and the Middle East. Following 9/11, there was supposed to be a focus on ‘connecting the dots’, but that certainly has not happened with ICS cybersecurity. ICS incidents keep occurring, many with common threads, across multiple industries with little guidance or training.
My goal in the analysis of the data is to identify previously unrecognisable single factor risks, unusual and previously unpredicted failures, or the as-yet-unsimulated combinations of factors causing unusual perturbations.
Three incidents in particular come to mind when considering the potential risk to the financial well-being of organisations whose systems are compromised:
• The 2010 non-malicious natural gas pipeline rupture at a major investor-owned utility, resulting in more than a $1.5 billion fine and possible criminal violations
• The 2014 sophisticated malicious ‘spear-phishing’ cyberattack at a German steel mill that caused physical damage to the furnace
• The on-going Volkswagen emissions scandal, demonstrating that ICS cyber-issues can come from within an organisation and target business considerations with billion-dollar ramifications
These incidents showcase ICS cybersecurity vulnerabilities; in some cases, incidents led to the resignation of the CEO and several billion dollars of damage; many times, incidents are caused by intentional activities but not often considered malicious in the traditional sense; and in both cases, IT has no knowledge of the relevant issues. In the case of the gas and electric company, the public utility commission is now investigating a potential splitting up of the company’s assets because of the systemic safety issues stemming from the rupture. In Volkswagen’s case, the company may have lost their entire diesel car market, as well as taken a serious hit to their reputation as a manufacturer of well-designed vehicles.
Nature of the threat
Industrial-specific attacks use both the enterprise LAN and industrial control systems (ICS) to launch and propagate; Energetic Bear infected OPC server and ICS equipment software with a remote access Trojan, but also exploited known vulnerabilities in Adobe PDF software to launch spear-phishing attacks. The attack propagated from one system to another, stealing information from SCADA systems and damaging unhardened ICS by wiping PCs or overloading networks.
The Conficker worm, although not industrial-specific, has not only been found in critical medical equipment, but is suspected to have been a ‘door kicker’ for high-profile industrial attacks such as Stuxnet. Conficker is capable of completely overloading networks and bringing vital processes to a halt. Traditional industrial security techniques don’t address these threats very well: an ‘air-gap’ or ‘security through obscurity’ strategy doesn’t address the reality that smart grid systems and web-based applications mean ‘Industrial Control Systems look more and more like consumer PCs.’
Industrial security is different. There is an overlap in the threats, but the differences between industrial cybersecurity requirements and those of general business are significant. Many IT security strategies are focused on data protection and rely on the concept of C-I-A, confidentiality, integrity and availability of data.
Industrial systems prioritise continuity above all else; their protection is not about data, it’s about process availability, integrity and confidentiality, in that order. This is what distinguishes industrial security needs: even the highest-quality security solution is effectively useless if it puts the continuity of the process at risk. Everyday security techniques such as anti-malware protection, patch management/software updates, and security configuration management cannot be allowed to negatively impact processes.
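The priority argument above, as an added example that is not from the article: a small Python scorer that ranks the same constructed findings under an IT weighting (C-I-A) and an ICS weighting (availability, integrity, confidentiality), and defers any remediation that would interrupt a running process to a maintenance window. The weights, the findings and the field names are assumptions.

```python
"""Rank constructed ICS findings under IT (C-I-A) vs ICS (A-I-C) priorities.

Added illustration, not code from the article. Weights and findings are
assumptions chosen to show how the ordering changes; scores are 0..3.
"""
from dataclasses import dataclass

# Property weights: IT protects data first, ICS protects the process first.
IT_WEIGHTS = {"confidentiality": 3, "integrity": 2, "availability": 1}
ICS_WEIGHTS = {"availability": 3, "integrity": 2, "confidentiality": 1}


@dataclass
class Finding:
    name: str
    impact: dict          # expected impact per property if exploited (0..3)
    fix_interrupts: bool  # remediation would stop or restart the process


def risk_score(finding, weights):
    """Weighted impact: sum over properties of weight * impact."""
    return sum(weights[p] * finding.impact[p] for p in weights)


def rank(findings, weights):
    """Finding names ordered from highest to lowest weighted risk."""
    ordered = sorted(findings, key=lambda f: risk_score(f, weights), reverse=True)
    return [f.name for f in ordered]


def schedule(findings, process_running):
    """Split remediations into 'apply now' and 'defer to maintenance window'.

    A fix that would interrupt a running process is deferred, however high
    its score: continuity of the process comes first in an ICS environment.
    """
    now, deferred = [], []
    for f in findings:
        (deferred if process_running and f.fix_interrupts else now).append(f.name)
    return now, deferred


# Constructed sample findings (names and impacts are illustrative only).
FINDINGS = [
    Finding("historian-no-auth", {"confidentiality": 3, "integrity": 1, "availability": 0}, False),
    Finding("plc-unauth-stop", {"confidentiality": 0, "integrity": 2, "availability": 3}, True),
    Finding("ews-unpatched", {"confidentiality": 1, "integrity": 2, "availability": 1}, True),
    Finding("hmi-usb-enabled", {"confidentiality": 1, "integrity": 2, "availability": 2}, False),
]
```

Under the IT weighting the exposed historian tops the list and the PLC issue comes last; under the ICS weighting the PLC issue moves to first, while its firmware fix is still deferred until the process is down.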