Industrial control systems (ICS) are now under constant threat of cyber-attack. Most industrial control systems are now directly or indirectly connected to the Internet, and it is this connectivity that puts ICS and OT environments at risk. Even isolated or air-gapped systems are vulnerable: the breach could come from a vendor or integrator who has remote access to the system to perform maintenance, or from someone unknowingly connecting an infected laptop or USB drive to the system.
Threats to control systems can come from numerous sources. We’ve listed some of the common sources and the steps you can take to mitigate the risks.
Insider Threats
The biggest threat to network security comes from within the organization: employees, trusted insiders, suppliers, vendors, contractors, or anyone with access to an organization’s assets.
Internal threats can be unintentional, for example, an engineer unknowingly connects a compromised tablet or laptop to the system for maintenance purposes. Threats can also come from malicious sources, such as a disgruntled employee who attacks the network or disrupts production.
Solutions:
- Employees are a major risk to OT network security, so education and awareness are paramount. Conduct cybersecurity awareness training for all employees, and role-based training for ICS operators and administrators. Cyber-criminals count on employee carelessness, ignorance and risky browsing behavior to gain access to the IT or OT network, and then to the other network via lateral movement. Employees are an easy target for:
  - Phishing: Manipulating individuals into disclosing sensitive personal information by claiming to be a trustworthy source in an electronic communication (e.g., email, web sites).
  - Social engineering: Tricking individuals into giving away private information, such as passwords.
- Perform industrial control systems (ICS) risk assessments to identify vulnerabilities, like unnecessary access to accounts or inactive orphan accounts.
- Provide the IT security team with education and training in OT technologies.
- Require multifactor authentication to mitigate breaches caused by lack of security knowledge, policy violations, or human error.
- Follow the “principle of least privilege” and restrict user privileges to only those that are necessary to perform their job.
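The risk-assessment and least-privilege bullets above can be turned into a routine review of the ICS account list. The following script is an added example, not code from the original page or from any vendor it mentions; the role model, the 90-day inactivity threshold and every account record are constructed for illustration, and the `interactive` flag (used to exempt service accounts from the MFA check) is an assumed attribute of the export.

```python
"""Flag orphan, inactive and over-privileged ICS accounts.

Added example, not from the original page. Roles, accounts and dates are
constructed; the 90-day inactivity threshold is an assumed policy value.
"""
from datetime import date

# Assumed role model: the only privileges each role needs (least privilege).
ROLE_PRIVILEGES = {
    "operator": {"hmi_view", "hmi_control"},
    "engineer": {"hmi_view", "hmi_control", "plc_program"},
    "historian_svc": {"plc_read"},
}

INACTIVITY_DAYS = 90          # assumed policy threshold
REVIEW_DATE = date(2024, 3, 5)  # constructed "today" for the review

# Constructed account export. owner_active=False means HR no longer lists
# the owner (an orphan account); interactive=False marks service accounts.
ACCOUNTS = [
    {"user": "alice", "role": "engineer", "owner_active": True, "interactive": True,
     "last_login": date(2024, 3, 1), "privileges": {"hmi_view", "hmi_control", "plc_program"}, "mfa": True},
    {"user": "bob", "role": "operator", "owner_active": True, "interactive": True,
     "last_login": date(2024, 2, 20), "privileges": {"hmi_view", "hmi_control", "plc_program"}, "mfa": True},
    {"user": "carol", "role": "operator", "owner_active": False, "interactive": True,
     "last_login": date(2023, 9, 1), "privileges": {"hmi_view", "hmi_control"}, "mfa": False},
    {"user": "hist_svc", "role": "historian_svc", "owner_active": True, "interactive": False,
     "last_login": date(2023, 10, 15), "privileges": {"plc_read"}, "mfa": False},
]


def review_accounts(accounts, today, role_privileges=ROLE_PRIVILEGES, max_idle=INACTIVITY_DAYS):
    """Return (user, finding) pairs for every policy violation found."""
    findings = []
    for a in accounts:
        if not a["owner_active"]:
            findings.append((a["user"], "orphan"))
        if (today - a["last_login"]).days > max_idle:
            findings.append((a["user"], "inactive"))
        # Anything granted beyond what the role needs violates least privilege.
        extra = a["privileges"] - role_privileges.get(a["role"], set())
        if extra:
            findings.append((a["user"], "excess_privilege:" + ",".join(sorted(extra))))
        # Interactive accounts must have MFA; service accounts are handled separately.
        if a["interactive"] and not a["mfa"]:
            findings.append((a["user"], "no_mfa"))
    return findings


def run_review():
    """Review the constructed export as of the constructed review date."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

Running the review on the constructed export flags `bob` for a privilege his role does not need, `carol` as an orphan that is also inactive and lacks MFA, and the historian service account as inactive; `alice` produces no findings.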
Lack of Security Controls
Many industrial environments don’t have basic controls for managing ICS assets, something the carpeted space (the office IT environment) has had for years. Information necessary to uncover threats and their root causes isn’t collected or analyzed, and network security hygiene is not a high priority.
Unpatched software represents one of the greatest vulnerabilities to a system (NIST). Patches that address security flaws or bugs help prevent attacks. In the OT environment, however, patching is considered risky, as well as difficult and time-consuming to deploy, and it’s hard to justify patching a system that is performing flawlessly.
Solutions:
- Implement controls for managing ICS assets, like patch levels, configurations, software, etc. This is especially important for devices like controllers or PLCs that are responsible for managing physical processes.
- Patching can make systems safer from attacks, but you’ll need to weigh the risks and benefits first. If patching isn’t an option, there are compensating steps you can take to mitigate attacks, beginning with monitoring and reporting. (Contact a network engineer.)
- Tight monitoring can help mitigate these threats. Monitor network traffic and OT attack vectors, like direct access to switches and serial ports. Using a network activity anomaly detection tool like Cisco Cyber Vision gives you full visibility into your ICS and makes it easy to conduct routine device integrity checks and find malicious activity before it’s too late. Products like Cisco DNA Center can help manage IT and OT assets with better visibility and help defend against attacks that originate on one network and migrate to the other.
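The monitoring bullet above describes what an anomaly-detection tool does: learn the flows that occur in normal operation and report anything that deviates. The script below is an added example of that baseline-and-deviation logic, not code from the original page and not how Cisco Cyber Vision works internally. The baseline, the authorized-writer list and the flow records are constructed; the Modbus/TCP port (502) and the write function codes 5, 6, 15 and 16 are real protocol constants, while the host addresses and roles are hypothetical.

```python
"""Baseline-and-deviation check over Modbus/TCP flow records.

Added example, not from the original page or from any vendor product.
Baseline, host roles and flow records are constructed; port 502 and the
Modbus write function codes are real protocol constants.
"""
from collections import Counter

# Constructed baseline learned during a known-good observation window:
# (source, destination, destination port) tuples seen in normal operation.
BASELINE_FLOWS = {
    ("10.10.1.10", "10.10.2.20", 502),   # HMI -> PLC-1
    ("10.10.1.10", "10.10.2.21", 502),   # HMI -> PLC-2
    ("10.10.1.11", "10.10.2.20", 502),   # historian -> PLC-1 (reads only)
}

# Hosts allowed to change controller state (the HMI only, by assumption).
AUTHORIZED_WRITERS = {"10.10.1.10"}

# Modbus function codes that write coils or registers (real constants).
MODBUS_WRITE_FCS = {5, 6, 15, 16}

# Constructed flow log: (timestamp, src, dst, dport, modbus function code).
SAMPLE_FLOWS = [
    ("2024-01-10T08:00:01", "10.10.1.10", "10.10.2.20", 502, 3),
    ("2024-01-10T08:00:02", "10.10.1.11", "10.10.2.20", 502, 3),
    ("2024-01-10T08:00:05", "10.10.1.10", "10.10.2.21", 502, 16),
    ("2024-01-10T08:01:00", "10.10.1.11", "10.10.2.20", 502, 6),   # historian writing
    ("2024-01-10T08:02:00", "10.10.1.55", "10.10.2.21", 502, 3),   # host not in baseline
    ("2024-01-10T08:02:30", "10.10.1.55", "10.10.2.21", 502, 5),   # unknown host writing
]


def analyze_flows(flows, baseline=BASELINE_FLOWS, writers=AUTHORIZED_WRITERS):
    """Return (timestamp, reason, src, dst) alerts for flows that deviate.

    Two checks run on every record: is the talker pair already known, and,
    if the request changes process state, is the source allowed to do so.
    A single record can raise both alerts.
    """
    alerts = []
    for ts, src, dst, dport, fc in flows:
        if (src, dst, dport) not in baseline:
            alerts.append((ts, "new_flow", src, dst))
        if fc in MODBUS_WRITE_FCS and src not in writers:
            alerts.append((ts, "unauthorized_write", src, dst))
    return alerts


def summarize(alerts):
    """Count alerts by reason for a quick triage view."""
    return Counter(reason for _, reason, _, _ in alerts)


if __name__ == "__main__":
    found = analyze_flows(SAMPLE_FLOWS)
    for ts, reason, src, dst in found:
        print(f"{ts} {reason}: {src} -> {dst}")
    print(dict(summarize(found)))
```

On the constructed log the historian's read requests pass silently, its single write to PLC-1 is reported as an unauthorized write, and the host that never appeared in the baseline raises a new-flow alert on each request plus a second alert when it writes. A real deployment would learn the baseline over days rather than hard-code it, but the two decisions shown here are what the alert logic reduces to.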
Poor Network Configuration
Weak network configuration can lead to a devastating cyber attack. Improper configuration can leave ports or protocols open or expose an ICS device, like a PLC, to the internet. That opens the door to cyber-criminals gaining unauthorized access to your network or tampering with devices.
Solutions:
- ICS devices should be air-gapped from the Internet.
- Strict network segmentation should be enforced; the integrity of the network should never be sacrificed for the sake of convenience.
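A practical way to check both bullets is to audit the zone-to-zone policy for rules that let traffic from outside the OT zone reach ICS devices or ICS protocol ports. The script below is an added example, not code from the original page; the zone map, rule set and severity scheme are constructed, and the port-to-protocol table lists real default ports (Modbus/TCP 502, S7comm 102, DNP3 20000, EtherNet/IP 44818, OPC UA 4840). Zone lookup uses the longest-prefix match so that a catch-all `0.0.0.0/0` range reads as "Internet" only when nothing more specific applies.

```python
"""Audit a zone-to-zone firewall policy for ICS exposure.

Added example, not from the original page. Zones, rules and severities are
constructed; the port-to-protocol table holds real ICS default ports.
"""
import ipaddress

# Real default ports for common ICS protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Constructed zone map; the most specific matching range wins.
ZONES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "enterprise": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz": [ipaddress.ip_network("10.5.0.0/24")],
    "ot": [ipaddress.ip_network("10.10.0.0/16")],
}

# Constructed rule set, evaluated in order; "any" means every port.
RULES = [
    {"name": "hmi-to-plc", "src": "10.10.1.0/24", "dst": "10.10.2.0/24", "dport": 502, "action": "allow"},
    {"name": "historian-pull", "src": "10.5.0.10/32", "dst": "10.10.2.0/24", "dport": 502, "action": "allow"},
    {"name": "vendor-remote", "src": "0.0.0.0/0", "dst": "10.10.2.21/32", "dport": 502, "action": "allow"},
    {"name": "corp-any", "src": "10.1.0.0/16", "dst": "10.10.0.0/16", "dport": "any", "action": "allow"},
    {"name": "default-deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": "any", "action": "deny"},
]


def zone_of(cidr, zones=ZONES):
    """Return the zone whose most specific range contains the given CIDR."""
    net = ipaddress.ip_network(cidr)
    best, best_len = "unknown", -1
    for zone, ranges in zones.items():
        for rng in ranges:
            if rng.supernet_of(net) and rng.prefixlen > best_len:
                best, best_len = zone, rng.prefixlen
    return best


def audit(rules):
    """Return (rule name, severity, reason) for allow rules that reach the OT zone."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if dst_zone != "ot" or src_zone == "ot":
            continue  # intra-OT traffic and non-OT destinations are out of scope
        port = r["dport"]
        if src_zone == "internet":
            findings.append((r["name"], "critical", "Internet reaches the OT zone"))
        elif port == "any":
            findings.append((r["name"], "high", f"{src_zone} reaches OT on any port"))
        elif port in ICS_PORTS and src_zone == "enterprise":
            findings.append((r["name"], "high", f"enterprise reaches {ICS_PORTS[port]}"))
        else:
            findings.append((r["name"], "review", f"{src_zone} reaches OT on port {port}"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit(RULES):
        print(f"[{severity}] {name}: {reason}")
```

The constructed policy yields three findings: the vendor rule exposes a PLC to the Internet, the enterprise-to-OT rule allows every port, and the DMZ historian rule is flagged for review because it crosses into OT even though it is limited to one protocol. The HMI rule is intra-OT and the default deny is ignored.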
Lack of logging and auditing
Basic record-keeping is crucial for incident response. Proper and accurate logs provide insight into the OT network and help to identify attacks. But in many OT environments, there isn’t a procedure or program to maintain logs and document incidents.
Security teams need specific knowledge of industrial control systems and security to properly monitor OT networks. Without that experience, security teams struggle to locate and collect logs.
Solutions:
- Companies need to know what is being monitored and collected to protect the control system from being compromised. Create policies that require control systems to be routinely inventoried, equipment configurations and patches recorded, and changes logged. Designate a central location where these assets are kept.
- Strive for 100% visibility. Make monitoring and log management a top priority, along with the gathering and aggregation of all logs.
- Train and educate the safety team on ICS fundamentals and how to recognize and mitigate cybersecurity risks in the OT space.
- Log and report all cybersecurity incidents to the safety incident response team.
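The inventory-and-change-logging bullet above amounts to recording a fingerprint of each device's configuration and firmware and comparing every later scan against it. The script below is an added example, not code from the original page; device names, addresses, firmware strings and configuration blobs are constructed, and `record_baseline` and `detect_drift` are hypothetical helper names. Configurations are hashed as canonical JSON so that a mere reordering of keys in a later export is not reported as a change.

```python
"""Detect inventory and configuration drift against a recorded baseline.

Added example, not from the original page. Devices, addresses, firmware
strings and configuration blobs are constructed.
"""
import hashlib
import json

# Constructed "known-good" inventory captured when the baseline was recorded.
BASELINE_DEVICES = {
    "plc-1": {"ip": "10.10.2.20", "firmware": "4.2.1", "config": {"scan_ms": 10, "outputs": ["Y0", "Y1"]}},
    "plc-2": {"ip": "10.10.2.21", "firmware": "4.2.1", "config": {"scan_ms": 20, "outputs": ["Y0"]}},
    "hmi-1": {"ip": "10.10.1.10", "firmware": "12.0", "config": {"screens": 4}},
}

# Constructed later scan: plc-1 has new firmware, plc-2 has a changed output
# list, hmi-1 did not answer, and an unknown device appeared on the PLC subnet.
CURRENT_SCAN = {
    "plc-1": {"ip": "10.10.2.20", "firmware": "4.2.2", "config": {"outputs": ["Y0", "Y1"], "scan_ms": 10}},
    "plc-2": {"ip": "10.10.2.21", "firmware": "4.2.1", "config": {"scan_ms": 20, "outputs": ["Y0", "Y2"]}},
    "eng-laptop": {"ip": "10.10.2.99", "firmware": "n/a", "config": {}},
}


def fingerprint(config):
    """SHA-256 over canonical JSON so key order never causes a false change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_baseline(devices):
    """Store only what is needed to detect drift: address, firmware and config hash."""
    return {
        name: {"ip": d["ip"], "firmware": d["firmware"], "config_hash": fingerprint(d["config"])}
        for name, d in devices.items()
    }


def detect_drift(baseline, scan):
    """Compare a scan to the baseline and bucket every difference by type."""
    report = {"changed": [], "firmware": [], "new": [], "missing": []}
    for name, d in scan.items():
        if name not in baseline:
            report["new"].append(name)        # not inventoried: investigate
            continue
        b = baseline[name]
        if fingerprint(d["config"]) != b["config_hash"]:
            report["changed"].append(name)    # configuration differs from record
        if d["firmware"] != b["firmware"]:
            report["firmware"].append(name)   # patch level differs from record
    for name in baseline:
        if name not in scan:
            report["missing"].append(name)    # inventoried device did not answer
    return report


if __name__ == "__main__":
    drift = detect_drift(record_baseline(BASELINE_DEVICES), CURRENT_SCAN)
    for kind, names in drift.items():
        if names:
            print(f"{kind}: {', '.join(names)}")
```

Each non-empty bucket in the report is an event to write to the change log: an expected change closes against a maintenance ticket, and anything else becomes an incident for the response team.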
Resources:
- Cisco IoT eBook: Industrial Cybersecurity: Monitoring & Anomaly Detection
- Moxa White Paper: Securing Network Devices with the IEC 62443-4-2 Standard: What You Should Know