How to reduce threats to industrial control system networks—never use the IT approach to deal with ICS networks again!

2026-04-06 07:40:00

The threats facing Industrial Control Systems (ICS) network infrastructure are more numerous and more complex than ever before, and the growing number and sophistication of these attacks make ICS an easy target for cybercriminals. This is primarily due to aging infrastructure, a lack of security planning and design, and a long-standing underestimation of the importance of protecting ICS networks. A detailed analysis of an enterprise's infrastructure and operations can provide insights into the level of risk and identify potential countermeasures to protect critical assets. This holistic approach should be adopted to ensure that all aspects are considered and the actual level of risk posed to production systems is fully understood. This includes both cyber and physical security, as well as the state of the system's lifecycle. To help identify the exact level of risk, each factor should be thoroughly assessed to understand design, operational, and maintenance discrepancies and to keep production systems functioning properly.

Evolution of Industrial Control Systems

In the past, industrial control system providers used proprietary hardware and software that were physically isolated from external connections. Now, industrial control systems use commercial off-the-shelf (COTS) components, standard operating systems, and common communication protocols. This shift from proprietary systems to open technologies allows for the use of third-party hardware and software components, which helps drive down the overall lifecycle cost of ICS.

Furthermore, the use of standard, universal components and communication protocols facilitates connectivity with IT or business systems. Sharing data from production systems to business systems requires minimal effort to collect and analyze data, thereby providing valuable insights for the enterprise.

These features improve lifecycle and connectivity, but they also expose vulnerabilities in ICS applications because security is not a primary design priority. ICS providers typically publish recommended security practices that define specific methods for allowing connections to external systems, but the ultimate responsibility for deploying and maintaining ICS network security rests entirely with the end user. Protecting these networks to ensure production availability and security should be a holistic business objective developed and supported by management.

Managing IT and ICS infrastructure

Both IT and ICS infrastructures use common network components, but they differ significantly in terms of maintenance, operation, and security management. IT business networks and ICS network security objectives are different concepts, but they are based on the same principles of confidentiality, integrity, and availability.

For IT companies, the primary concern is the leakage of intellectual property; confidentiality has the highest priority. Next, data integrity is crucial, followed by network availability.

Due to the criticality of production system data, ICS networks have different priorities. The reliance on human-machine interfaces makes system availability a top priority for industrial sectors.

Data integrity and information accuracy are also crucial for industrial systems. Confidentiality is typically not a primary concern in industrial networks. These differences in system priorities lead to significant divergences between IT and ICS in network operation and security management.

While both IT and ICS networks use common components in their infrastructure, their operations differ significantly. IT network operations are typically user-triggered, largely irregular, or initiated on demand. Traffic generated on business networks can be sporadic and unpredictable. Therefore, network components (such as servers, network devices, and computers) need to be removed or added to support business requirements. Business system communication protocols are built around such operations and typically do not include any type of deterministic mechanism, primarily due to the fragmented nature of the data.

On the other hand, ICS networks require very high availability to support the demands of continuous and uninterrupted production systems. These systems are designed to deliver data at a deterministic rate to achieve predictability and repeatability. ICS communication protocols support deterministic activities that capture time-critical events. These systems are designed to provide highly available and time-sensitive critical data. Differences between IT and industrial control system network operations lead to significant differences in their approaches to achieving security.
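The contrast between deterministic ICS traffic and sporadic business traffic can be measured from passive flow timestamps. The following sketch is an added example, not part of the original article; the host names, the sample records and the 5% variation threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp in seconds, source, destination).
# All host names are hypothetical.
SAMPLE = (
    # HMI polling a controller every 0.5 s with 2 ms of jitter
    [(round(0.5 * i + (0.002 if i % 2 else 0.0), 3), "hmi-1", "plc-1") for i in range(20)]
    # User-triggered business traffic: bursts and long idle periods
    + [(t, "office-pc", "file-srv") for t in (0.3, 0.4, 2.9, 3.0, 3.05, 7.8, 9.1)]
    # A 1 s poll cycle that stalls for 4 s
    + [(t, "hmi-1", "plc-2") for t in (0, 1, 2, 3, 7, 8, 9)]
)

def gaps_by_flow(records):
    """Return the inter-arrival gaps of every (src, dst) flow with >= 3 records."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    out = {}
    for flow, ts in times.items():
        ts.sort()
        if len(ts) >= 3:
            out[flow] = [b - a for a, b in zip(ts, ts[1:])]
    return out

def classify(records, max_cv=0.05):
    """Label a flow by the coefficient of variation (stdev / mean) of its gaps."""
    labels = {}
    for flow, gaps in gaps_by_flow(records).items():
        cv = pstdev(gaps) / mean(gaps)
        labels[flow] = "deterministic" if cv <= max_cv else "irregular"
    return labels

def missed_cycles(records, flow, period, tolerance=0.2):
    """Return (start_time, gap) where a flow exceeded its expected period."""
    ts = sorted(t for t, src, dst in records if (src, dst) == flow)
    limit = period * (1 + tolerance)
    return [(a, b - a) for a, b in zip(ts, ts[1:]) if b - a > limit]

if __name__ == "__main__":
    for flow, label in classify(SAMPLE).items():
        print(flow, label)
    print(missed_cycles(SAMPLE, ("hmi-1", "plc-2"), period=1))
```

A control flow that is expected to be deterministic but is labelled irregular, as the stalled poll cycle is here, marks a production path whose data delivery has been disturbed.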

A standard IT "fix" may harm ICS

IT typically deploys extensive security measures to prevent cyberattacks. However, due to the need for highly available data, most common IT security practices can adversely affect ICS networks. Examples of standard IT security practices include patching operating systems, upgrading applications, and upgrading server systems. These are considered common practice in the IT world. However, on ICS networks, these operations can have very negative impacts on the system and related components.

Due to the critical nature of the related software, system components, and data delivery, other common IT practices, such as domain changes, virus scanner updates, anti-malware updates, router configuration changes, and port blocking policies, can adversely affect the ICS network. The implementation of any such changes to the ICS network or related components must be carefully considered and should first be performed on a test system to analyze its performance before actual deployment to the production system.

Furthermore, special attention must be paid to security to ensure that ICS network operations are not disrupted. Identifying the right approach and applying the most cost-effective risk mitigation solutions is crucial for businesses supporting their IT and ICS infrastructure. The availability requirements of ICS networks make them particularly sensitive to even minor changes in production systems.

Accurately assess the risk level

Due to a lack of awareness and understanding of all potential vulnerabilities, the actual risk level of an ICS network is often impossible to determine. As with IT systems, making an ICS network ready must be a comprehensive effort endorsed by management to ensure the availability of production systems. Given the sophistication of modern hackers, simply placing a firewall between the ICS system and the IT network does not provide sufficient protection to eliminate risk.

"Risk" is defined as the potential to gain or lose some value. To fully understand the actual risk level of a production system, all aspects of exposed vulnerabilities must be assessed, such as production losses, environmental damage, equipment failure, and personal safety. This may include all threats posed by network, physical, and local interface vulnerabilities resulting from internal, external, malicious, and unintentional events. All aspects of the industrial control system's lifecycle must be defined to ensure that all potential risks are taken into account.

Many vulnerabilities in the ICS infrastructure can introduce risks, such as the use of legacy platforms, system architecture design, connections to external networks, wireless access points, and remote interface points. Typically, industrial control systems remain deployed much longer than standard IT systems, which can be attributed to cost, reluctance to migrate to newer systems in order to avoid production disruptions, and a lack of knowledge about the risks associated with running older systems.

Another factor contributing to potential vulnerabilities is the failure to design and maintain a secure ICS network. This could be due to multiple engineers being responsible for the network for years without proper security plans or procedures, or it could be the result of rapidly deploying multiple projects, rushing to upgrade, or adding features that have already compromised security.

To successfully manage risk, businesses must fully define what needs to be in place, understand the different stages of the ICS system lifecycle, and ensure they have a plan to protect the production system from all possible vulnerabilities. These guidelines should be authorized by management to ensure that production system assets remain intact throughout the system's lifecycle.

Threats to ICS systems

Threats to IT and ICS infrastructure are constantly evolving and becoming increasingly difficult to prevent, monitor, and mitigate. Due to the critical nature of production requirements, ICS networks face growing security challenges. Therefore, technicians and engineers responsible for monitoring ICS networks must adopt a more rigorous, planned, and disciplined approach to deploying security measures.

Even completely disconnecting the ICS network from the internet does not eliminate all associated risks. While external threats may seem more obvious when connected to the internet, sometimes internal threats pose a greater potential danger. These include malicious internal operations and unintentional human errors that could damage the ICS network.

Threats to production systems include any impairment to the system's ability to continuously and accurately display operational data. This also includes operator access to desktop functions, local login privileges, and system port or interface functionality. Efforts to physically and procedurally protect automated systems can be extensive and time-consuming. However, the only way to prevent common system failures is to remove the ability of ordinary users to access these systems, including software, hardware, and physical access.

The lack of adequate planning and procedures for managing ICS security and its lifecycle is the greatest threat to ICS critical infrastructure. Security can be compromised through both digital networks and physical means. Operating on legacy platforms can also impair the lifespan of production systems. Hardware, software, and support for outdated platforms are often limited and expensive (if support is even available).

Typically, IT systems are upgraded every 3 to 5 years, while production systems may remain operational for even longer. Due to the high availability requirements of production systems, changing over to new systems also carries risks. New systems may require reprogramming, and the logic may need to be deciphered or compiled into a new language. This can introduce human error and potentially adversely affect the production system.

The new user interface may differ in appearance and operation from the existing legacy system. Migrating from the legacy to the new system may involve many aspects of detailed logical specification to define safe operation, extensive testing, and operator training to fully assess the production system. A complete replacement can take time and involve multiple complex phases to minimize production disruption. Managing the ICS lifecycle should include a comprehensive roadmap, planning all replacement details to minimize risks to the production system.

Mitigating risks and protecting assets

Mitigating risk and developing a comprehensive plan to protect business assets requires a thorough assessment of risks across all production systems. Asset protection should include security layers and should not rely on individual software or hardware components to minimize risk. The consequences of damage to industrial control systems can include production losses, environmental damage, equipment failure, and even danger to personal safety.

Asset protection begins with directives from top management to identify proactive actions and ensure the ICS system is prepared to handle evolving threats. The overall plan documents security tasks and processes and outlines the hierarchy of protection, mitigation processes, and migration plans to cover the ICS system's lifecycle. Responses to incidents that threaten production systems should be planned in a way that is clearly understood by all personnel to minimize their impact.

Migration plans should include a systems roadmap to minimize production disruptions and ensure system security and reliability during the changeover period. As threats continue to become more complex, it is strongly recommended that protection layers be audited annually to ensure they are not compromised. Risk factors can never be completely eliminated, but asset owners can protect the normal operation of production systems by minimizing risk as much as possible.
