Industrial Control Systems (ICS) lie at the very heart of the industrial cybersecurity issue. As a preferred target of attackers striking the industrial sector, ICS control and pilot large infrastructures in areas such as energy, defense, transportation and other large-scale structures including road networks and next-generation stadiums.
The technology operating in ICS includes distributed control systems (DCS), supervisory control and data acquisition systems (SCADA) and programmable logic controllers (PLC). All these systems falling under operational technology (OT) tend to be increasingly connected by information technology (IT). This transition, however, is not smooth sailing since existing equipment was not initially designed to operate in a network and sometimes does not even have any system resources.
Yesterday’s OT environments harbor certain weaknesses when it comes to cybersecurity, especially at a time when the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) are booming. Let’s take a look at these vulnerabilities so we can pinpoint the areas for improvement and overcome all cybersecurity problems.
ICS vulnerabilities in practice
Since 2000 and the spread of connected ICS, industrial protocols have overwhelmingly been carried over to IT standards (Ethernet, TCP/IP). Furthermore, under normal circumstances companies need to replace computers every 3 to 4 years, whereas OT installations are renewed only every 10 to 15 years. This situation leads to a real problem when it comes to updating computer equipment in industrial networks. Having become obsolete from an IT perspective (even while still “functional”), these tools then become exposed to cyberthreats.
ICS lack isolation from the Internet
Many ICS end up being directly connected to the Internet. According to Freie Universität Berlin, more than 500,000 PLCs are directly connected to the web. This happens because the people responsible for them most often need remote connections, even though PLCs, unlike IT systems, are not designed with VPNs or suitable, secure authentication mechanisms.
Industries rely heavily on subcontractors to maintain their critical systems. At Sentryo, we have seen cases in which there are 3, 4 or even 5 levels of subcontractors between industry executives and the teams constructing and configuring the network. The first hands over a part of the work due to a lack of technical skills, the second due to the unavailability of a machine, the third due to the lack of a component of this machine, and so on. These multiple layers of subcontractors inevitably lead to blurred visibility between industry executives and the different levels of subcontractors. This distorted visibility has repercussions on the network insofar as it is no longer possible to clearly see where and how the different connections have been set up.
The components of ICS have not been designed with the danger of cyberattacks in mind:
- These components contain many vulnerable areas, which makes it very difficult to correct and improve OT equipment without reworking the entire system.
- Most ICS rely on devices that implement unsecured proprietary protocols and on PLCs that have not been equipped with cryptographic systems.
- ICS are way too often at risk of DoS (Denial of Service) attacks. The programs do not adequately control incoming data and the slightest irregularity in the network can collapse the whole service.
- Security approaches inherent to the OT world have masked the need to incorporate a cybersecurity approach. ICS are thus ill prepared to face malware intrusions.
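The DoS point above comes down to trusting what arrives on the wire. The following is an added example, not code from the original post or from any vendor: a frame parser for a constructed request format modelled on the Modbus/TCP MBAP header (the page names no protocol; this layout and the sample frames are assumptions) that rejects every inconsistent length, protocol id or function code before any field is used, so a malformed packet returns an error instead of taking the service down.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed frame layout, modelled on the Modbus/TCP MBAP header
 * (the page names no protocol; this is only a representative example):
 *   [0-1] transaction id  [2-3] protocol id (always 0)
 *   [4-5] length of everything after it (unit id + PDU)
 *   [6]   unit id         [7] function code   [8..] PDU data        */
#define HDR_LEN 7
#define MAX_PDU 253                 /* hard upper bound for a PDU */

enum parse_result { FRAME_OK = 0, FRAME_TOO_SHORT, FRAME_BAD_PROTO,
                    FRAME_TOO_LONG, FRAME_LEN_MISMATCH, FRAME_BAD_FC };

struct frame {
    uint16_t tid;
    uint8_t unit, fc;
    const uint8_t *data;            /* points into the caller's buffer */
    size_t data_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Every field that drives memory access or dispatch is checked before use;
 * a frame that is inconsistent in any way is rejected, not "mostly" parsed. */
enum parse_result parse_frame(const uint8_t *buf, size_t n, struct frame *out)
{
    if (n < HDR_LEN + 1) return FRAME_TOO_SHORT;          /* header + function code */
    if (be16(buf + 2) != 0) return FRAME_BAD_PROTO;
    uint16_t len = be16(buf + 4);
    if (len < 2) return FRAME_TOO_SHORT;                  /* must cover unit id + fc */
    if (len > MAX_PDU + 1) return FRAME_TOO_LONG;         /* never trust the wire length */
    if ((size_t)len + 6 != n) return FRAME_LEN_MISMATCH;  /* truncated or trailing bytes */
    if (buf[7] == 0 || buf[7] > 127) return FRAME_BAD_FC; /* 0x80+ are exception codes */
    out->tid = be16(buf); out->unit = buf[6]; out->fc = buf[7];
    out->data = buf + 8;  out->data_len = (size_t)len - 2;
    return FRAME_OK;
}

int main(void)
{
    /* constructed samples: a well-formed request and one whose length field lies */
    const uint8_t good[]  = {0,1, 0,0, 0,6,  1, 3, 0,0, 0,10};
    const uint8_t lying[] = {0,1, 0,0, 0,32, 1, 3, 0,0, 0,10};
    struct frame f;
    printf("good:  %d\n", parse_frame(good, sizeof good, &f));    /* 0 = FRAME_OK */
    printf("lying: %d\n", parse_frame(lying, sizeof lying, &f));  /* 4 = FRAME_LEN_MISMATCH */
    return 0;
}
```

The same pattern applies to any field a device later uses as an index, a count or a dispatch key: bound it against a fixed maximum and against the bytes actually received, and fail closed.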
Communication problems generally spring from a lack of trust among the different cybersecurity players in an organization: CISOs, industry executives and cybersecurity experts. The tendency is that while some focus on flaws, others deem these flaws trivial and vice versa. Thus, disagreements and misunderstandings ensue from a lack of collaboration. Insufficient knowledge of cybersecurity in the world of control systems makes the latter extremely vulnerable.
On the one hand, we have industry executives who have been following the same process for years. Confident with their measures, which usually include setting up simple firewalls, they rigorously maintain their programs over a long period of time. They thus feel comforted in the fact that they have never been the target of an attack. We must respect their point of view while building upon it and creating awareness around new potential problems.
On the other hand, we have the cybersecurity experts. They regularly see the imposition of new and complex certifications and standards:
- ISA 99 / IEC 62443
- NERC CIP
- NIST Cybersecurity Framework
- French & German CNI Law
All these new standards are often hard to apply to the world of OT with risk evaluation becoming thorny and documentation often outdated.
Finally, CISOs encounter a lack of visibility and, because of their unfamiliarity with the OT environment, they do not fully understand the scope of industrial constraints. They therefore run into significant complications when it’s time to launch an ICS cybersecurity project.
Comparing cybersecurity of IT with that of OT, we see that the cyberthreats are the same: malware, network infiltration, DoS, etc. What differs are the approaches to be implemented.
In the world of IT, we constantly worry about data and information and thus seek to protect data in the virtual sphere by combatting fraud and extortion.
In the world of OT, we seek to safeguard the process of the physical world. The main risks involve the physical security of people, tools and the production chain, because the point of the matter is that a digital process controls a world that is indeed physical, and that engages the liability of industry executives.
To sum up, the vulnerabilities in OT environments from which ICS vulnerabilities spring forth are the following:
- They are increasingly connected and were not designed to deal with such a porous environment.
- Their long useful life does not coincide with the needs for updates in IT systems.
- The fact that multiple subcontractors are in charge of maintaining systems obscures visibility for industry executives.
- ICS components and devices are designed for OT and not for IT, and even less for IoT.
- The world of OT is not alert to the problems of cybersecurity and we can sense a lack of information: security and cybersecurity tend to oppose each other when they should complement each other. At a time when cyberattacks are leaving physical damage in their wake, the endangerment of one goes hand in hand with the endangerment of the other.