Security in an Industrial Control System (ICS)

A major concern to many industries currently is how to effectively provide security management in an Industrial Control System (ICS) environments.  In this post I intend to discuss the challenges that IT professionals face, and how this closely mirrors what must be done in the process and operational side of networks.  There has never been any real strategies or guidance in place for this, but the technology has changed how the Industrial Control Systems (ICS) are vulnerable to the very same threats that IT faces.  When there is a critical patch or firmware release that addresses an immediate threat, great care has to be taken before it is rolled out to the OT network. 

This isn’t just something that will hold up the productivity of an office employee if there is a bad patch, this can create an unsafe condition in a production plant that can get someone hurt or killed, or at least shut down production on critical equipment that makes a business profitable.  As this aspect of Information Security Management matures, we realize there is a tremendous amount of work that must be done to protect these critical systems and processes.

 What is an Industrial Control System and Operational Technology

The concept of Operational Technology (OT) has been around for many years.  It has evolved from utilizing relay logic to control a process or piece of machinery, to an ethernet network utilizing the same type of infrastructure that a company’s information technology backbone resides on.  There are virtual machines that have an operator interface application running on them that reside on a VMWare or Microsoft Hyper-V host server.  These systems are just as complex as any IT environment, and in many cases, they are much more important.  In many manufacturing plants, these are the systems that makes the company money.  There is a critical need to make the OT environment as robust and secure as possible. 

            The Operational Technology (OT) networks (such as industrial control and supervisory     control and data acquisition systems (ICS/SCADA) that run today’s modern society are a   collection of devices designed to work together as an integrated and homogenous system.        If one of these systems fails, it can have a catastrophic domino effect. (Herbert, R.J, 2017)

            The nature of the OT networks makes them a prime target for bad actors that want to cause major catastrophes, lost production or even worse.  It is for this reason that the management of the security environment is critical to the success of the organization or business.  This can be the power infrastructure for a country or state, or a production line for a private business.  If the ICS environment for a power distribution system is compromised from a cyber security event, this can have a detrimental effect on businesses and people downstream of this. 

ICS (Operation Technolocgy) Cybersecurity Concerns

            There are many security concerns regarding an ICS environment.  The most obvious concern is that the software an operator is using is typically an HMI software package, and this software is known to have significant vulnerabilities.  These vulnerabilities include weak authentication or the authentication may even be bypassed.  The underlying operating system also more times than not is not patched regularly.  Another major concern is that the communication protocols that a lot of these ICS systems use is not robust.  They use protocols such as Modbus/TCP, DNP3, Ether/IP and Profibus.  These protocols support backward compatibility with older serial port protocols and were simply not designed with cybersecurity requirements.  They also do not include digital signatures to ensure packet integrity or any encryption.  These modern ICS protocols sometimes support application layer commands, and this can result in an exploitation to create a denial of service attack. (Aughn & Morris, 2016, pg.2)

            The supply chain associated with ICS hardware and software companies is very complex as well.  This complexity offers many opportunities for bad actors to alter the ICS hardware and software system components to inject malicious code for later exploitation.   (Aughn & Morris, 2016, pg.2)

Risk Management

            The security concerns discussed in the previous section brings about one of the many topics that are of great importance to proper security management, and that is risk management.  Organizations manage risk every day to meet their business objectives.  Some of the risks that they deal with include personnel safety risk or an environmental incident, equipment failure and financial risk.  Typically, organizations that utilize ICS have historically managed their risk through safety practices and engineering controls.  Information security risk management is an added function of this that when leveraged properly can be complementary to the risk management of the organization.  There are three tiers of the risk management process that businesses use.  They are 1) Organizational level, 2) Mission\Business process level, and 3) Information system level which includes IT and ICS.  (Stouffer, Pillitteri , Lightman, Abrams, & Hahn, 2015)        

            One of the major differences as far as managing risk when it comes to an ICS environment is that it isn’t just business, revenue, or data loss.  There are major issues from a safety perspective that must be taken into consideration.  The Guide to Industrial Control System (ICS) Security defines safety as “freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.” (Stouffer, Pillitteri , Lightman, Abrams, & Hahn, 2015)  If there is a contradiction between a risk of safety or ICS security practice, the organization will most likely choose to mitigate the safety risk.  The risk management of information security in the ICS environment is very complex and critical to the processes that can truly get someone hurt or killed.

            There are also some other important considerations that need to be thought about while developing a risk management plan.  An organization can simply not attempt to manage their ICS environment the same way that the IT environment is managed.  The age of the systems that are installed on the OT network must be considered.  A lot of systems are purchased for a specific process or plant and after the initial installation are not touched anymore.  They are vulnerable to many cyber security threats that equipment on the business network have already been patched or upgraded. 

The availability of these systems is also a major factor that determines whether they can be taken down for maintenance.  If shutting a process control computer down for maintenance is going to cause downtime to a piece of production equipment, there is a good chance this will not happen.  A company doesn’t want to have an adverse effect on their bottom line just to upgrade firmware on a system that is currently working.  On the contrary, if a control system is not isolated from a cyber security threat it cannot be regarded as safe.  This should also be a determining factor that businesses and organizations use to justify the importance of developing a cyber security plan to support their OT environments.  (Turner, 2017)

            According to the IEC standard 62433, a business rationale captures the business concerns of senior management while being founded in the experience of those already dealing with many of the same risks.  A business rationale may have as its scope the justification of a high-level or detailed risk assessment, or just specific aspects of a full cyber security full management system.  One of the most important aspects to be considered is that organizations must select the right risk assessment methodology that is a good fit for them.  There are many methodologies that are commercially available, and some are free and some require appropriate licensing. 

Methodologies of Risk Management

Most of these methodologies contain the premise that risk is the combination of the likelihood of an event occurring and consequences of this event.  A very difficult task in selecting the correct methodology is how to assign a quantitative number to the likelihood of the chances that an event will happen.  Industries have significant experience with process safety and accidents and have the quantitative numbers to support those historical values.  The task of trying to identify the appropriate numbers for the probability of a cyber security incident happening isn’t easy because of the lack of historical data, but also because past events do not necessarily allow you to predict future events.  (ANSIISA-62443-3-3, 2013)

            For an organization to help minimize their risks, they need to look at a security program that focuses on four main areas.  First, they need to perform and maintain an asset inventory and understand the attack surface or vulnerabilities associated with the assets.  Then the organization needs to have a plan to manage the vulnerabilities, patches, and configuration of the equipment.  This needs to include a program for change management when making a configuration change, perform regular patching and a program to address the vulnerabilities. 

The organization will need to have backup and recovery systems in place for all their critical assets and make sure they can get a restore from a known good backup.  Finally, the organization needs to complete regular risk assessments to measure their risk and manage it.  These assessments can be used to show the leadership in the organization the type of risks that they are exposed to and hopefully obtain the funding to invest in solutions to prevent and recover from a cyber-attack.  (Masud, 2018)

ICS Security Standards

            There are numerous standards associated with Industrial Control Systems, but the one that I am most familiar with is IEC 62443.  It provides a great baseline and standards for managing and maintaining security for the ICS environment.  If a company is going to truly manage their OT systems, they must start adhering to some set of standards. 

            The standard IEC 62443, which was ISA 99, is the global standard for ICS networks and helps reduce the exposure of cyber security threats and lessen the risk of failures.  This framework helps guide businesses through the requirements, controls and best practices needed to successfully secure an industrial network.  The standard consists of 13 documents that are organized into the following four groups:  General, Policies and Procedures, System and Component.  The two groups System and Component consist of the technical requirements for the network and system components.  The requirements of the System and Component groups identify four steps that businesses or organizations can use to enhance the security of their ICS environment and have a successful deployment of the IEC 62443 standard.  The four steps are:  

  1. Data Gathering
  2. Network Security Assessment
  3. Solution Build
  4. Solution Deployment

            These steps must be completed thoroughly and accurately and with well thought out policies and procedures implemented to adequately protect the business’ ICS environment from threats. (Edbrooke, 2017) This standard is what ties the management of cyber security and OT networks together. 

            Industrial automation and control systems (IACS) security goals and standards focus on control system availability, plant protection, plant operations and time-critical system response.  IT security goals typically are not focused on these areas and are more concerned with protecting a company’s information rather than the physical assets.  (ANSIISA-62443-3-3, 2013)

ICS Threat Protection and Mitigation

            Just like the IT environment, there are many methods to protect the ICS in an organization from threats.  Utilizing a defense in depth approach is one of the most effective strategies in accomplishing this.  The first step in mitigating threats is through physical and environmental security.  The physical and environmental security relates to creating a secure environment for the protection of tangible or physical assets from damage, loss, unauthorized access, or misuse.  T

he cyber security policies that an organization utilizes should be complemented by an appropriate level of physical security.  One major issue in an ICS environment is although they are an asset such as a computer that must be protected by physical security, there are certain instances where safety and\or production is threatened if they are behind a locked door.  It is for this reason that organizations must use practical judgement to balance all the risks when addressing threats.  (ANSIISA-62443-3-3, 2013)

            While physical and environmental security is very important to mitigate local threats, one of the most important things that can be done to mitigate and isolate these types of things is network segmentation.   Network segmentation is a well-known IT concept, and its usefulness is growing in the industrial world.  An open or unsegmented network is something that a malicious person loves to see.  Once an attacker finds the vulnerable point in a network, they may pivot to more easily to larger parts of the network from things such as machine control to a company’s finances.  It’s also not just an external threat, it can also help from internal threats such as a disgruntled employee or someone who makes an accidental change that can bring down a network when there is no segmentation in place.  (Kass, 2018)

            My organization utilizes not only network segmentation, but also a DMZ, firewall and ACL’s to separate our OT networks from our enterprise business network.  This has proven to be very effective even if there is a defective piece of equipment that becomes very chatty and has the potential to flood the network with traffic. 

Five Functions of Cyber Security Framework           

Many companies, particularly the food and beverage industry, have had a substantial maturing in how they manage cyber security in their industrial environment.  They are not only using strategies such as defense in depth, they are adopting practices that will allow them to address threats across different areas that are susceptible to attack.  They are accomplishing this by focusing on five functions:

  • Identify what they have and the associated risks
  • Put protection mechanisms in place to protect what they have
  • Detect when threats bypass those protection mechanisms
  • Implement capabilities to respond to incidents quickly
  • Develop a system to support rapid recovery

            These five functions are addressed in the NIST cybersecurity framework, and it serves as a great baseline for an organization to start at.  (Masud, 2018)

            Asset management is a crucial part of many IT systems.  I use some sort of asset management product almost daily in my job.  This is something that proves to be very challenging in an ICS environment.  Most industrial control systems were designed and put in place years ago.  Because of this these systems lack basic asset discovery and management capabilities that are very common in IT networks.  (Perelman, 2016)

            Unlike the IT networks that have had automated discovery tools and asset management practices in place for many years, industrial networks more times than not rely on a patchwork of manual processes, notes, and spreadsheets.  (Perelman, 2016) In my organization, we have an engineering vault where prints and drawings are stored after a project is completed.  If there are any changes to these systems, there is a change management process in place to get the necessary approval for the change.  But one thing in this process is lacking, and that is to make sure someone updates the prints for future reference. 

            ICS asset management is deficient in three main areas.  They are discovery, maintaining an accurate and updated asset inventory and tracking changes to assets over time.  The automated asset discovery is probably one of the most important functions of these three areas.  The ability to identify new assets that have been deployed, or equipment that has been removed from service or retired, provides the visibility needed to protect them and helps an organization prioritize the security efforts if there is an event.  (Perelman, 2016)

            Anti-virus and/or anti-malware software is another critical component or layer of protection in securing an industrial control system from external threats. (Henshell, 2018) It is also one of the more difficult solutions to implement because if you are not extremely careful when pushing out .dat updates, you run the risk of locking up and crashing your entire ICS environment.  There are ICS vendors such as Rockwell automation and Honeywell, that have specific requirements for the type of anti-virus product that can be used.  They also must certify the .dat files or updates from the anti-virus vendor before it can be deployed.  There are also many exclusions to anti-virus policies that must be put into place for the ICS system to function correctly and not be seen as a threat. 

            The management of the anti-virus software is another challenge that people face when trying to simplify the process of protecting their industrial systems.  Our organization typically follows the Purdue model, and we have an anti-virus server in the DMZ and it gets its updates from an anti-virus server on the business network.  There are firewall rules in place to allow these systems to communicate over specific ports in a specific direction.  By utilizing this method, an OT technician can manage the policies and exclusions as needed for the OT environment.  This will provide them with a centralized place to push out updates once they are certified, tested and approved.  The other option is to use the “sneaker-net” method, where a person must walk around to each endpoint and update the .dat file on whatever AV product they are using. 

            There are also other options that an organization can use to help secure their systems, and they can be complementary to anti-virus or anti-malware or be the only product they use.  There is whitelisting software that only allows specific programs to run on a system.  You also must take great care when utilizing this method to make sure that you whitelist everything that needs to work to allow the ICS system to function.  Typically, you would allow the system to run anywhere from days to weeks before you consider the whitelisting application as working properly. 

Summary

            In this post, I discussed what I consider the most critical components that are a good start to managing security in and industrial environment.  An organization first must identify the risks that they are willing to accept for their ICS systems, and work from there.  I truly believe that in several years this concept will be embraced more, because this isn’t just protecting a user’s data or something that will prevent an end user from working.  A security threat in the OT environment can cause serious safety, environmental and production issues that can either get someone hurt or killed.  This doesn’t count the lost production and revenue that the company will not make back because they didn’t take into consideration properly securing their industrial control system. 

            After the organization has established the acceptable level of risk and created a plan for this, they need to identify the assets that they would like to protect.  This can be either an automated method or a manual method, but it is something that must be done.  You cannot adequately protect your assets if you don’t know what you even have. 

            Once the assets have been identified, the organization must develop their strategy on how they are going to protect their assets and mitigate any issues if they arise.  This is an evolving process because the threats never stay constant.  Hackers are looking for vulnerabilities every day and the old systems that many organizations have in place are an easy target. 

Please find more tips and information here.

References Cited

  1. Herbert, R. J., Jr. (n.d.). The Importance of Operational Technology (OT) Systems to Maintain a Secure Standard of Living in Today’s Modern Society. Retrieved from https://www.fortinet.com/blog/business-and-technology/the-importance-of-operational-technology-ot-systems-for-a-standard-of-living-in-today-s-modern-society.html
  • Aughn, Jr., R. B., Jr., & Morris, T. (2016). Addressing Critical Industrial Control System Cyber Security Concerns via High Fidelity Simulation. CISRC ’16 Proceedings of the 11th Annual Cyber and Information Security Research Conference. Retrieved July 2, 2018, from https://www.cisr.ornl.gov/cisrc16/. ****
  • Security for Industrial Automation and Control Systems (3rd ed., Vol. 3, ANSIISA-62443-3-3 (99.03.03)-2013). (2013). Research Triangle Park, NC: ISA.  ********
  1.  Henshell, J. (2018, April 27). Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment. Retrieved from https://resources.infosecinstitute.com/configuration-anti-virus-anti-malware-software-within-ics-environment/#gref