The first part of this article discusses some of the reasons why industrial control systems (ICSes) operate so smoothly, almost always without interruption. The second part debunks the myth of an ostensibly perfect situation by showing some of the security issues related to an ICS environment.
ICS strengths
High degree of availability
High availability means systems are always on and always available, no matter what happens. It relies on redundancy, that is, on having backup components in a system that can substitute for the main ones in case of any contingency. The idea behind redundancy and fault tolerance is simple: keep things running and maintain uptime. To achieve that, an ICS must have redundant servers, each with a redundant power supply (the so-called uninterruptible power supply, or UPS) and redundant software and hardware components. Clustering a number of servers together is also a good idea, and redundant routers and redundant firewalls are advisable. Coupling processes, such as storing the system status and controlling actuators, can be risky as far as redundancy is concerned. Independent data storage servers, known as historians, are needed to preserve the historical record of a particular control system, again eliminating control computers that present a single point of failure. One way to minimize the risk of a historian going down is to add an external, highly reliable network-connected storage device, which increases the overall resilience of the system. It is not uncommon for industries to adopt redundant control centers to support quick recovery and duplication of data resources in the event of an accident. In addition, redundant transport is implemented (for example, via dual LAN connections with failover). To connect remote terminal units (RTUs) to master stations, both local area networks (LANs) and wide area networks (WANs) can and should employ multiple link technologies (e.g., satellite, telephone, wireless, power line carrier, fiber optics or microwave). Under normal circumstances, the edge/cloud-to-field network runs across the WAN; therefore, diverse communication paths based on deterministic IP or deterministic networking technologies should be applied there to support industrial communication.
One specific requirement for WAN links is that an alternate path be available should the primary link fail. This can be met with backup strategies such as a floating static route, which brings up a backup link when a frame relay link unexpectedly stops passing traffic. A backup control center mirrors the primary control center and is ready to assume complete control of the whole system if necessary, providing redundant communications to remote I/O areas without sacrificing monitoring capabilities and emergency operational control.
High degree of authorization
For some ICSes, requiring password authentication on an HMI (for example) must not slow down or interrupt the continuous information flow within the system. Because of that, operators often decide to configure components to accept commands from almost anywhere, including commands issued remotely. Additionally, commands can be automated for emergencies. Technologies like intelligent security gateways and trusted execution environments allow a high level of trust to be enforced. Another good strategy to mitigate authorization risk is destination authorization, where users are permitted to access only the nodes on the control network that they need to execute their job duties. Joe Weiss, managing director of Applied Control Solutions, argued that stringent security measures should nevertheless not be applied to an ICS without control system personnel supervision, because they may cause unwanted effects. “As a hacker, all I need to do is send the wrong password five times to lock you out,” he said.
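As an added example (not from the article or any vendor), the small Python command gateway below implements the two ideas just described: destination authorization, and per-source throttling of failed logins instead of account lockout, so that the five-wrong-passwords scenario Weiss describes slows down the remote source without locking the operator console out. The user names, passwords, node names and addresses are constructed sample data.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample data (not from the article): operator accounts, their
# passwords, and the control-network nodes each account is allowed to reach.
USERS = {"op1": "correct horse", "maint": "battery staple"}
DESTINATION_AUTHZ = {"op1": {"plc-pump-1", "hmi-1"}, "maint": {"historian-1"}}


class CommandGateway:
    """Authenticates commands to control-network nodes without account lockout.

    Failed logins are counted per *source address* and throttled, so a remote
    party sending wrong passwords cannot lock the local operator out the way a
    five-strikes account lockout would. Destination authorization then limits
    each user to the nodes their job needs.
    """
    def __init__(self, max_failures=5, window=60.0, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = defaultdict(list)   # source -> timestamps of failures

    def _recent_failures(self, source):
        cutoff = self.clock() - self.window
        self._failures[source] = [t for t in self._failures[source] if t > cutoff]
        return len(self._failures[source])

    def handle(self, source, user, password, target):
        """Return (accepted, reason) for one command attempt from `source`."""
        if self._recent_failures(source) >= self.max_failures:
            return False, "throttled"            # only this source is slowed down
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            self._failures[source].append(self.clock())
            return False, "bad credentials"     # the account itself is never locked
        if target not in DESTINATION_AUTHZ.get(user, set()):
            return False, "destination not authorized"
        return True, "ok"


def demo():
    gw = CommandGateway()
    # Five wrong passwords for op1 from a remote address, as in the quoted scenario.
    for _ in range(5):
        gw.handle("203.0.113.9", "op1", "guess", "plc-pump-1")
    remote = gw.handle("203.0.113.9", "op1", "correct horse", "plc-pump-1")
    console = gw.handle("10.0.0.5", "op1", "correct horse", "plc-pump-1")
    offtarget = gw.handle("10.0.0.5", "op1", "correct horse", "historian-1")
    return remote, console, offtarget
```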
ICS weaknesses
Total authorization and total trust
The other side of the coin is that total authorization may come at a high cost security-wise. A 2018 report by Kaspersky revealed that 46% of all vulnerabilities discovered may cause remote code execution, provide unauthorized access to compromised ICS devices or assist potential cybercriminals in triggering a denial-of-service (DoS) attack, rendering the equipment unusable. Bill Diotte, CEO of industrial security vendor Mocana, reported that ICS components cannot ensure proper authentication, encryption, trust chaining and secure boot. He also stated: “Often PLCs [programmable logic controllers], sensors and industrial gateways do not have a secure credential [such as a] digital certificate or private key hidden in silicon as a basis of trust.” PLCs, as well as other components, typically lack VPN connectivity and suitable identification mechanisms. At the same time, more than 500,000 PLCs have direct access to the internet, according to Freie Universität Berlin. To illustrate with a real-life example: back in 2014, a leading industrial automation system provider had to patch several vulnerabilities in its RTU controllers that operate in oil and gas pipelines. The vulnerabilities included an authentication bypass and hard-coded credentials. Unfortunately, ICS components are not secure by design, as many vendors have admitted. To be protected, these components must work all the time in a protected environment; otherwise, they lack the mitigation measures (such as proper authentication and input validation) needed to withstand any surprises that may lurk in an untrusted environment. In this context, establishing a perpetual chain of trust is critical.
Legacy systems vulnerable to cyberattacks
In fact, most ICS controllers do not have authentication features, do not support encrypted communication, and are rarely or never patched. Why is that? All of these aspects may impair high availability, and we know that is priority number one when it comes to ICSes. Most components in ICS networks are not designed with security in mind, and even nowadays they lack the security controls and visibility that are ubiquitous in corporate IT networks. Organizations are increasingly merging business and industrial systems. Since the advent of the new millennium, industrial protocols have predominantly been carried over IT standards such as Ethernet and TCP/IP. PLCs sometimes rely on Microsoft Windows. A historian’s data is typically stored in databases like Oracle or MSSQL. Unsecured proprietary protocols constantly endanger some devices in ICS environments. Proprietary technology can thus be a problem, and relying on multiple subcontractors to maintain your critical systems will further blur visibility. Air gaps are simply not viable in a connected world. Smart technologies push the utilities industry to evolve, and predictions show that it will spend a total of $84 billion in the period 2018–2023 to modernize its infrastructure. Unfortunately, cybersecurity is often left behind in this process. The convergence of ICS and the industrial Internet of Things (IIoT), on the one hand, deepens the problem of an increased attack surface; on the other hand, some of the equipment in ICS environments is as old as the hills in tech terms (10-15 years). ICSes are ill-prepared to cope with malware attacks, since they count on security approaches inherent to the operational technology (OT) world rather than embracing a cybersecurity approach. For example, because an ICS does not adequately vet incoming data, it is susceptible to DoS attacks. There is no periodic technical security testing of ICS infrastructure of the kind that is so common in other industries.
Each test may, to a greater or lesser degree, jeopardize the targeted system by inadvertently causing downtime. Nevertheless, companies risk being exposed to all kinds of threats if they do not perform testing. The following testing methods can be applied to ICS security:
- Systems and devices configuration checks
- Network traffic analyses
- Offline vulnerability research
- Penetration tests
Without repairing the entire system, it is almost impossible to improve OT equipment.
Conclusion
Each system has strengths and weaknesses. If we want to have a workable system, then strengths must outweigh weaknesses by far. If we talk about ICS security, however, in principle, strengths should outweigh weaknesses at all times.
Sources
- Backup Control Center Definition, CISA
- Configuring ISDN Backup for WAN Links Using Floating Static Routes, Cisco
- Alexander Kott and Igor Linkov, “Cyber Resilience of Systems and Networks,” Springer International Publishing AG
- Demonstration of hacking a protective relay and taking control of a motor – the grid is at risk, Control Global
- Demystifying Redundancy in Automation, Software Toolbox
- Designing a Control System for High Availability, Control Global
- Global Intelligent Electronic Devices Market Will Reach to USD 18.4 Billion By 2025: Zion Market Research, GlobeNewswire, Inc.
- Great need to ‘improve’ the cyber security in industrial control systems, Information Age
- Guide to Industrial Control Systems (ICS) Security, NIST
- ICS Security: 2017 in review, Positive Technologies
- Industrial automation systems cybersecurity, Schneider Electric
- Industrial Control Systems Security: To Test or Not to Test?, Security Intelligence
- Industrial Control Systems Storm the Internet, Increase Corporate Risk, Security Intelligence
- Industrial “things,” connectivity, and operational technologies, Packt
- Redundant Control Centers and Transport for Power Utilities using Circuit Emulation, Engage Communication
- Redundancy, Fault Tolerance, and High Availability – CompTIA Security+ SY0-401: 2.8, Professor Messer
- The Challenges of Securing Industrial Control Systems from Cyber Attacks, Indegy
- Utility industrial control systems: the top six utility ICS security weaknesses, i-SCOOP
- Why are ICS vulnerable?, Sentryo
- 5 Common Vulnerabilities in Industrial Control Systems, Lanner
- 8 questions to ask about your industrial control systems security, CSO