Special Report: Security issues multiply exponentially as industrial control systems (ICS) go mainstream

When industrial control systems were custom-designed specialty appliances, hackers would have to invest heavily to develop exploits for just one device. Now that they’re based on industry-standard servers, all the hacking tools in the world become available. We examine the implications and suggested solutions.

By Howard M. Cohen, contributing editor

When it comes to classic information technology (IT) systems, personal, financial, and other high-value information is at stake, so it is no wonder that companies take extensive measures to protect the security of the data involved.

When it comes to Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and related systems, what’s at stake are human lives and safety. 

Imagine what would happen were someone to hack into a building’s ICS in Atlanta or Phoenix in the middle of summer and shut down its air conditioning. All work in the building would have to cease as people streamed out to avoid heatstroke. This is just a small example. Any compromise of these systems could become potentially catastrophic. Examples:

  • A fertilizer plant blew up in Texas.
  • The entire northeastern United States experienced a massive blackout in 2003.
  • In 1982, there was an explosion along the Trans-Siberian Gas Pipeline.
  • In 2010, 20% of Iran’s nuclear centrifuges were suddenly destroyed.
  • In 2014, several critical process components of a German steel mill became unregulated, resulting in massive physical damage to the entire mill.
  • On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers.

Each of these events has been attributed to a cyber-compromise of the security systems protecting the ICS and/or SCADA systems involved, allowing malicious external actors to affect control of physical systems.

The Department of Homeland Security (DHS) reported a seven-fold increase in cyber-incidents on U.S. critical infrastructure between 2010 and 2015. The introduction to a DHS National Cybersecurity and Communications Integration Center (NCCIC) paper on “Seven Strategies to Defend ICS” warns:

“Cyber-intrusions into U.S. Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICS), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber-incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSes against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in ‘as-built’ control systems.”


Industrial control systems

ICS and SCADA systems are proliferating, providing automated control and cost-efficiency for various utility services around the world. Soon, major utilities, large industrial plants, and even whole cities will come to depend upon these systems to operate their basic infrastructure. According to the National Institute of Standards and Technology (NIST) Special Publication 800-82:

ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing such as automotive, aerospace, and durable goods.

SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area such as a factory using supervisory and regulatory control.

These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90% of the nation's critical infrastructures are privately owned and operated. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling).

What makes it so difficult to protect them?

Early industrial control systems were purpose-designed and built using proprietary components, proprietary designs, and proprietary infrastructure created specifically for use in controlling various systems. This development took place long before “the cloud” or “the internet” were part of the everyday vernacular.

Those early ICS designers couldn’t anticipate the security exposures that today’s microcomputer-based environments face, but their individualized, proprietary nature made them more difficult to compromise. Each exploit would have to be designed specifically for the exact ICS that it was going to be used to attack and really couldn’t be used for anything else. Very difficult, very expensive, and really not worth the bad actor’s time, energy, or funds.

Today, however, many ICS and SCADA systems are being designed using standard architecture and standard microprocessor-based equipment. While this dramatically reduces the costs involved in the production and proliferation of standards-based ICS systems, it also exposes all of them to the same exploits and attacks that regular computer users face every day.

Everyday security software is designed to protect data, not human lives. This creates a need for a whole new level of security for the x86-based computers that we all use every day.

NIST points out that:

“The trend toward integrating ICS systems with IT networks provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats. Also, the increasing use of wireless networking places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, natural disasters, and malicious or accidental actions by insiders. ICS security objectives typically follow the priority of availability, integrity, and confidentiality, in that order.”

Potential threats

The NIST list of possible incidents that an ICS may face includes the following:

  • Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
  • Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects
  • ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
  • Interference with the operation of safety systems, which could endanger human life.

Solutions

Now that ICS and SCADA systems are being developed using industry-standard x86 hardware, literally any security software may be a viable component of a total security strategy. Some of the premier providers are already promoting dedicated ICS/SCADA solutions, which make a great starting point for your research.

The articles and product announcements below can provide you with additional insights into ICS security issues.

Protect Industry Against Cyberattack with These 7 Steps
A report from the Department of Homeland Security recommends seven strategies for protecting industrial control networks against cyberattacks.

UL, MIPI Bolster IoT Security
UL and the MIPI Alliance are the latest groups to call for participation in efforts to define best practices and standards for security in the Internet of Things.

How smart is it to deploy smart meters on the smart grid?
Conventional power grids worldwide are beginning to strain against rising energy needs. How can we improve these systems in a sustainable way?

Industrial security: Check your flash drive at the door
Firewalls and air gaps cannot help when the malware rides into your plant in someone's pocket. So Honeywell is introducing a system that can help protect industrial networks against infected USB drives.

Radiflow Introduces New Security Assessment Service for Industrial Control Systems (ICS)
Radiflow, a pioneer developer of ICS network cybersecurity solutions, introduced a new security assessment service that provides users with a full network status report, including a detailed list of potential vulnerabilities that can cause disruption to automated processes.
