As the backbone of industrial automation, the security of Industrial Control Systems (ICS) is paramount. This article will delve into sophisticated strategies for protecting ICS from emerging cyber threats, focusing on real-time monitoring, anomaly detection, and rapid response mechanisms.
We’ll explore case studies where robust cybersecurity frameworks have successfully mitigated risks, providing actionable insights for organizations aiming to fortify their industrial automation processes against cyber-attacks, and ensuring the seamless integration of security and functionality in ICS environments.
Industrial networks have grown considerably in both scale and complexity. Because of this, more advanced control systems are required to manage them effectively, with Internet of Things (IoT) networking devices and industrial-grade IP-based smart sensors creating new security challenges.
Operational Technology (OT) networks need to be resilient and provide high-speed communication and data transfer links, just like that of a standard IT network. The best way to achieve this is by creating dual control systems that combine OT and IT networks using IoT and IP-based communications. However, doing so can increase the attack surface of a system, offsetting the benefits such as improved flexibility, better scalability, and an increase in production.
A common security issue that has resulted from dual OT/IT networks is the need for in-house knowledge of advanced security configurations to provide the necessary protection for IoT/IP-based devices. Failing to implement the correct security settings leaves ICS environments open to a range of cyberattacks that can have significant consequences.
Network vulnerabilities present opportunities for cybercriminals to target critical infrastructure, with many recent examples of such attacks across the world, including attacks on electrical grids, power plants, public transport, and large-scale manufacturing facilities. This cybercrime trend has resulted in many hours of downtime and hundreds of millions of dollars of lost revenue.
The 2021 Colonial Pipeline attack is perhaps the best example of this: the hacker group DarkSide managed to access the network, steal over 100 GB of data, and extort Colonial Pipeline Inc. for $4.4 million.
Another example was a sophisticated 2019 ransomware attack on the US chemical companies Hexion and Momentive and the global aluminum auto-part manufacturer Norsk Hydro. This attack resulted in hundreds of employees being locked out of critical systems, costing these companies over $80m combined.
However, the most frightening attack was the 2015 takedown of the Ukrainian power company Prykarpattyaoblenergo, when a trojan left an entire region without power for several hours. It goes to show that ICS attacks can be used for nefarious geopolitical purposes.
Although modern industrial control systems present a cybersecurity challenge, the vulnerabilities can be mitigated with an effective and comprehensive security strategy. From protecting individual applications to implementing ongoing monitoring, this 6-step strategy considers all aspects when establishing an impregnable defense for ICS environments.
Application Whitelisting (AWL) involves restricting the usage of any applications or network-connected tools until they have been verified from a security point of view. A system administrator or third-party service assesses installed applications and sets the necessary permissions/approval based on the associated security risk.
This helps to prevent any uploaded malware files from being executed and installed on the system, with database servers and human-machine interfaces (HMI) presenting the highest level of risk.
Unpatched systems present significant risk, which is why implementing a configuration/patch management program is an essential step for any cybersecurity strategy. Such a program ensures only trusted patches are imported and installed, following an initial asset inventory to determine what patches are required. A successful management program will also scan for malware before any updates are installed on a system.
Data servers, HMIs, and engineering workstations remain a priority regarding patch and configuration management and are a common target of malware attacks via connected IoT devices, mobile devices, and laptops.
Reducing the attack surface of an ICS network is vital in creating a more manageable environment so it can be adequately protected.
Necessary steps when reducing the attack surface of a network include:
Once the attack surface has been assessed and measures have been taken to reduce any risks, further actions can be taken to optimally secure the ICS environment. For example, networks can be segmented to restrict an attacker should a perimeter breach occur. Doing so limits unauthorized access to minimize the damage that can be caused or the amount of data that can be accessed.
In addition, one-way data transfers between secure zones and non-secure zones are advised. This could be achieved by using verified removable media rather than an internet connection.
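The segmentation and one-way-transfer advice above can be expressed as a zone/conduit policy and checked mechanically. The following is an added example, not code from the article; the zone names, subnets, security levels and conduits are all constructed for illustration.

```python
"""Zone/conduit policy check for a segmented ICS network (constructed example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed zones: name -> (subnet, security level). Higher level = more critical.
ZONES = {
    "control":     (ip_network("10.10.0.0/24"), 3),  # PLCs, HMIs
    "supervisory": (ip_network("10.20.0.0/24"), 2),  # SCADA servers, historian
    "enterprise":  (ip_network("10.30.0.0/24"), 1),  # corporate IT
}

# Explicit conduits (src_zone, dst_zone, dst_port). Any cross-zone flow not listed is denied.
CONDUITS = {
    ("supervisory", "control", 502),     # SCADA polls PLCs over Modbus/TCP
    ("supervisory", "enterprise", 443),  # historian pushes data outward over HTTPS
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None for a host outside every zone."""
    addr = ip_address(ip)
    for name, (net, _level) in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow is permitted by the segmentation policy (default deny)."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz is None or dz is None:
        return False, "unknown host outside any defined zone"
    if sz == dz:
        return True, f"intra-zone traffic within {sz}"
    if (sz, dz, flow.dport) in CONDUITS:
        return True, f"permitted conduit {sz}->{dz}:{flow.dport}"
    return False, f"no conduit {sz}->{dz}:{flow.dport}"


def inbound_conduits() -> list[tuple[str, str, int]]:
    """Conduits that let a less secure zone initiate into a more secure one.
    These break the one-way principle and should be reviewed or replaced by a diode."""
    return sorted(c for c in CONDUITS if ZONES[c[0]][1] < ZONES[c[1]][1])
```

`inbound_conduits()` is the audit step: it lists every conduit where data can be pushed into a more secure zone, which is exactly what one-way transfer via verified removable media is meant to avoid.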
A common tactic of threat actors is to steal the login credentials of accounts that possess a high level of privileges, granting them access to deeper areas of a network while posing as legitimate users. This allows them to execute malware undetected, which can have disastrous effects.
Multi-factor authentication is the best defense against such tactics, especially when combined with methodology such as the Principle of Least Privilege (PoLP), Zero Trust, or both. In addition, strict password policies should be introduced to ensure strong and regularly updated credentials.
Threat actors gaining remote access to a control system is a key concern, with skilled cybercriminals able to locate ‘hidden backdoors’ into a network. In some cases, these backdoors are created by administrators for legitimate purposes; however, this is a risky practice, and this type of access should be removed.
Other considerations for access to industrial control systems include:
Real-time monitoring is essential to effectively protect ICS environments. Utilizing artificial intelligence (AI) and machine learning (ML) technology, monitoring software can identify a data breach and provide instant alerts.
Monitoring software can effectively:
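The core of ICS anomaly detection is a behavioral baseline: record which hosts talk to which devices with which protocol functions during known-good operation, then alert on deviations. The following is an added example, not code from the article; the hosts, function names and event records are constructed, and the per-source rate limit is an assumed tuning parameter.

```python
"""Baseline-driven anomaly detection over ICS network events (constructed example)."""
from collections import Counter
from typing import NamedTuple


class Event(NamedTuple):
    src: str
    dst: str
    proto: str   # e.g. "modbus"
    func: str    # e.g. "read_holding", "write_single"


# Function names that change process state; treated as higher risk than reads.
WRITE_FUNCS = {"write_single", "write_multiple", "force_coil"}

# Constructed "known good" window captured during normal operation.
BASELINE_EVENTS = [
    Event("10.20.0.5", "10.10.0.7", "modbus", "read_holding"),
    Event("10.20.0.5", "10.10.0.8", "modbus", "read_holding"),
    Event("10.20.0.5", "10.10.0.7", "modbus", "write_single"),
    Event("10.20.0.6", "10.10.0.7", "modbus", "read_holding"),
]


def learn_baseline(events):
    """Record every observed (src, dst, proto, func) pattern and which hosts ever write."""
    patterns = {(e.src, e.dst, e.proto, e.func) for e in events}
    writers = {e.src for e in events if e.func in WRITE_FUNCS}
    return patterns, writers


def detect(events, patterns, writers, per_src_limit=50):
    """Return alert strings for events in a window that deviate from the baseline."""
    alerts = []
    rate = Counter(e.src for e in events)
    for e in events:
        key = (e.src, e.dst, e.proto, e.func)
        if e.func in WRITE_FUNCS and e.src not in writers:
            # A host that never wrote during the baseline is now changing process state.
            alerts.append(f"HIGH: {e.src} issued {e.func} to {e.dst} but never wrote in baseline")
        elif key not in patterns:
            alerts.append(f"MEDIUM: new communication pattern {key}")
    for src, n in rate.items():
        if n > per_src_limit:
            alerts.append(f"MEDIUM: {src} sent {n} events in window (limit {per_src_limit})")
    return alerts
```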
Likewise, a digital ICS protection system is only as strong as the quality of its integration with on-site monitoring. In certain circumstances, threat actors use digital attack points only as a stepping stone to gain physical access to manufacturing facilities.
Therefore, investing in proper video surveillance, biometric access controls, and perimeter intrusion detection systems provides critical layers of security that must not be overlooked when protecting industrial automation systems.
In the ICS landscape, having a rapid response mechanism can be a lifesaver in the event of a cyber attack. The sooner a threat is neutralized, the less damage it will inflict. Here, we can draw on lessons from other industries that have successfully implemented such mechanisms.
For instance, one of the things we can learn from HIPAA compliance is the value of predefined response protocols that can be activated immediately upon detecting a threat. And since both ICS and healthcare have the same sensitive nature, this only further reinforces the need for ICS cybersecurity to involve best practices from other sectors, too.
Likewise, cybersecurity experts can apply GDPR concepts to ensure security systems are integrated from the outset, as well as NIST concepts for quick detection and recovery.
Industrial control systems and their connected users, devices, and networks face considerable threats in terms of cybersecurity. To safeguard these systems and avoid the risk of a breach, a strict security strategy must be put in place that considers all areas of the system, ranging from strong user login credentials to advanced system monitoring.
Only with a comprehensive cybersecurity strategy in place can organizations within the industrial sector avoid becoming the victim of an attack, potentially resulting in millions of dollars in lost revenue and significant damage inflicted on critical infrastructure.