James Loureiro, Director
4 mins read
Many organizations and businesses require up to date information regarding their infrastructure, such as the number of cars rolling off the production line, meaning that these critical systems are connected to the corporate network to allow analysts, senior management and third parties such as regulators or business partners access to this critical information. However, due to the now well-documented security issues surrounding ICS with its enhanced connectivity and capabilities, such as Stuxnet and Aurora, this presents a number of issues such as the potential to disrupt operations or damage equipment.
Typically, information is collected from the industrial network via the use of Object Linking and Embedding for Process Control (OPC). One collection server will be located in the industrial Local Area Network (LAN) segment, with an OPC viewer located in the corporate network allowing pulled back analysis of statistics.
In between these network segments, traditional firewalling is used to only allow OPC traffic between the differing network segments. This should be configured to only allow OPC network traffic to flow between the industrial LAN and the corporate LAN, but this is not always the case – over time further access is typically added, allowing corporate users and engineers further improved access to the ICS LAN infrastructure. If not, the OPC server can be used as a pivot point into the industrial LAN from the corporate LAN.
Securing ICS systems is made more difficult as they are typically installed with a large lifespan of ten or more years and upgrading systems, even supporting systems, can lead to costly downtime and extended regulatory input to ensure safety cases are maintained. This can mean ICS systems are not updated during their lifespan, meaning that unpatched and insecure systems are controlling highly sensitive processes. This can be an ideal situation for aggressors wanting to cause potentially physical harm, disrupt operations or steal intellectual property.
There are, however, a number of security solutions and services that can help improve ICS security and mitigate potential security concerns and issues. There is a growing market for ICS specific firewalls that implement Deep Packet Inspection (DPI). As an example, if an ICS network is using the protocol Modbus over TCP/IP as its transmission medium, an engineer will know which Modbus commands are allowed, and which should be denied – this can be implemented in the firewall to block non-allowed Modbus commands from hitting the ICS network from illegitimate sources.
Furthermore, typical services such as security assessments and vulnerability research can be adapted for an ICS environment. This will show where security controls are effective or not, and provide researched vulnerabilities to both ICS operators so that mitigations can be put in place. It will also alert the vendor so issues can be fixed, usually through the issuing of patches. This leads to greater security and better understanding of risks in the ICS environment.
A concern though is that advanced aggressors are capable of bypassing these security restrictions and can have an effect. However, it is common that advanced aggressors will use typical attack methodologies to cause the effect. Having security controls and monitoring in place this can dramatically reduce the ability for advanced aggressors to have an effect. Vulnerability research can lead to discovered security flaws being patched by the vendor, and ICS operators being able to put in place mitigation before an aggressor can exploit these weaknesses.
These solutions therefore can be utilized to bring about a secure ICS environment that is less likely to be compromised by threat actors, ranging from collective organizations, such as anonymous or state level actors intent on causing damage, to a country’s CNI and should be considered throughout the lifespan of an ICS installation from design and planning, to day to day running, to ensure critical systems remain available.