Industrial control systems (ICS) are an essential part of modern infrastructure, such systems include the use of machines, software, and technology in industrial processes. Modern ICS can be divided into two key components: OT and IT, Operational Technologies (OT) covers sensors, mechanisms, and automation of industrial processes among others, Information Technology (IT) is the area that is responsible for the management of data, servers, and communication. Nowadays, the joint use of both forms a kind of symbiosis necessary to face the growing demand for products and services. ICSs are present in various critical processes, such as manufacturing, energy, mining, and many others.
ICS and its use in conjunction with networks have been around for years, often isolated from the internet giving them an air-gap that protects them from cyberattacks. In recent years it has become common to use technologies that employ the Internet, such as IoT (Internet of Things), remote management and monitoring, etc. With this, essential indicators for the continuous improvement of processes are obtained, also opening the industry to new risks.
ICS Security Challenges:
Lack of awareness and training: Lack of awareness and training focused on cybersecurity and not having an understanding of the risks could lead us to not take into account the threat of a cyberattack, ignoring the impact and consequences that these could have.
High availability: Many ICSs operate in real-time, so delays or interruptions cannot be allowed, thus limiting the type of security measures that can be used. Applying updates could mean stopping the ICS, and applying data encryption could delay the transmission of important data.
Old systems and compatibility: Within the ICS, the machines/equipment must have the necessary robustness to be able to continue operating for years, as a result, we could find systems that are not suitable to face modern cyber threats. Updating such systems while maintaining compatibility with the rest of the operation is a significant challenge.
Approach to detection: From what has already been mentioned, stopping industrial processes to apply the necessary patches can be a complicated task, within high availability systems it is necessary to work without interruptions, it becomes common to work on the detection of attacks before preventive measures.
Common Vulnerabilities:
Default credentials: If an attacker can identify the systems and versions used by industrial equipment/interfaces, they will most likely attempt to use the default credentials to gain unauthorized access to critical systems or networks. A quick search on the internet is enough to find the necessary credentials
Lateral Movement: A successful attack on an ICS's network could lead to unauthorized access, which could lead to lateral movement in the company's network, the attacker would be able to move between both networks.
Malware: With the widespread use of the internet comes the possibility of being infected by malware. Trojans, worms, ransomware, wipers as well as DDoS attacks and botnets are some examples of the latent risks
Case Study:
Petrochemical plant in Saudi Arabia: In 2017 a group of hackers was able to deploy the computer virus "Triton" on the premises of a petrochemical plant in Saudi Arabia. The cybercriminals targeted the network of operational technologies (OT) managing to access the plant's network and began to work on reconnaissance, lateral movements, and maintaining presence, after a year they accessed the security instrumented systems (SIS) that are responsible for the physical security of the processes that were carried out in the plant.
Once access to the SIS was achieved, the attackers focused on deploying the "Triton" malware, which focuses on disabling the physical security mechanisms that are responsible for stopping a process when safe conditions are not met, the malfunction of the SIS could lead to physical damage, injured personnel and even loss of life.
Fortunately, the SIS began the process of safe shutdown when it detected that the validation code failed, initiating an investigation that led to the discovery of this Malware.
Securing ICS and Best Practices:
Securing ICSs involves identifying the risk vectors of the company and making a specific plan for what could be needed, considering the limitations that the production rate may have, below is a list of best practices:
Network Segmentation: Isolating critical networks and equipment reduces the impact of potential security breaches by limiting their lateral movement.
Secure remote access: When remote access is necessary, it is recommended to implement secure mechanisms, such as using VPNs or MFA, it also includes the creation of zero-trust access and constant monitoring to identify suspicious actions.
Limited physical access: Limiting physical access to certain systems based on employees' work roles will reduce the risk of an attack. Before the internet became so common, one of the methods of affecting ICSs was to use infected USB devices such as the case of Stuxnet.
Updates and patch management: Stay on top of the updates that your teams require, always keep them on the latest versions.
Conclusion:
With the modernization of industrial processes comes the implementation of internet services, which not only help us maintain the remote management and administration of systems but also allow us to increase productivity. ICSs are found everywhere from air conditioning systems to energy supplies, they are part of our daily lives, so being such critical systems, it is important to carry out the necessary measures to ensure their proper functioning, it is this same importance that makes them targets of those criminals who find in IT a means to carry out their misdeeds.
Using a set of good practices, as well as constant awareness training, will greatly reduce risk vectors. Security is a constant path rather than an end, which is why it is necessary to maintain continuous monitoring, as well as keep the machines and interfaces updated.
References:
[1] ICS Security Best Practices. (n.d.). Retrieved from Check Point: https://www.checkpoint.com/cyber-hub/network-security/what-is-industrial-control-systems-ics-security/ics-security-best-practices/
[2] Industrial Control Systems. (n.d.). Retrieved from CISA: https://www.cisa.gov/topics/industrial-control-systems
[3] MITRE. (2022, October 13). Cyber Risk to Mission Case Study. Retrieved from Defense Technical Information Center: https://apps.dtic.mil/sti/trecms/pdf/AD1183008.pdf
[4] New Critical Infrastructure Facility Hit by Group Behind TRITON. (2019, April 11). Retrieved from trendmicro: https://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/new-critical-infrastructure-facility-hit-by-group-behind-triton
[5] Rebultan, M. A. (2023, June 12). Common Cybersecurity Risks to ICS/OT Systems. Retrieved from ISACA: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2023/common-cybersecurity-risks-to-ics-ot-systems#:~:text=Some%20of%20the%20most%20common,intellectual%20property%20and%20financial%20information.
[6] Wangsness, C. (2023, July). IT vs OT: How Information Technology and Operational Technology Differ. Retrieved from ONLOGIC: https://www.onlogic.com/company/io-hub/it-vs-ot-how-information-technology-and-operational-technology-differ/amp/?psafe_param=1&cq_src=google_ads&cq_cmp=20319707025&cq_con=150403687603&cq_plac=&cq_net=g&utm_term=&utm_campaign=US-+Search+-+Blog+DSA&utm_sou
[7] What is an Industrial Control System (ICS)? (n.d.). Retrieved from Check Point: https://www.checkpoint.com/cyber-hub/network-security/what-is-industrial-control-systems-ics-security/
[8] Zeifman, I. (2023, July 18). ICS Security: Critical Challenges and Security Best Practices. Retrieved from STERNUM: https://sternumiot.com/iot-blog/ics-security-critical-challenges-and-security-solutions/