
Why do attackers target industrial control systems?

2026-04-06 06:02:13 · #1

Industrial control systems (ICS) are ubiquitous, from automated machines that manufacture goods to cooling systems in office buildings.

Previously, ICS ran on purpose-specific operating systems and communication protocols, standardized for that use. In recent years, however, adopting network connectivity built on general-purpose operating systems and standard communication protocols has reduced system development costs and improved productivity.

To compete in today's market-driven economy, businesses and organizations are opting for highly efficient control systems that automate process management. Industrial control systems, found in manufacturing, processing facilities, and even power plants, play a vital role in the operation of any nation. However, the efficiency gains that ICS bring also bring new security challenges, and threat actors stand to gain significantly from attacking the companies that run them. A successful attack on an ICS can have serious consequences for any organization: operational downtime, equipment damage, financial losses, intellectual property theft, and serious health and safety risks.

Motivation for attacking ICS

Threat actors have different motivations when choosing corporate targets. They are often driven by economic interests, political reasons, or even military objectives when launching attacks. Attacks may be state-sponsored or originate from competitors, malicious insiders, or independent hackers.

One of the earliest examples of an ICS attack occurred in 2005, when 13 DaimlerChrysler U.S. auto manufacturing plants were offline for nearly an hour. The primary cause was a Zotob worm infection that exploited the Windows Plug and Play service. The downtime resulted in production backlogs, costing the company thousands of dollars. While attacks may not be directly attributable to individuals or cybercrime groups, cybercriminals can also be hired by competitors who stand to profit significantly from the damage caused.

How was ICS attacked?

The first phase of an ICS attack typically involves reconnaissance, which lets attackers investigate the environment. The next step employs various strategies to gain a foothold in the target network; at this stage, the strategies and tactics closely resemble those used in targeted attacks against IT networks. To deploy malware, attackers exploit whatever vulnerabilities and ICS-specific configurations they can find. Once these vulnerabilities are identified and exploited, the impact may include changes to certain operations and functions or adjustments to existing control configurations.

The complexity of launching an attack on an ICS depends on various factors, ranging from the security of the system to the intended impact (for example, a denial-of-service attack against a target ICS is easier to carry out than manipulating a process while concealing the manipulation from the controller and its operators). While attackers already have many methods to compromise ICS, new tactics will continue to emerge as more devices are introduced into each ICS environment.

What vulnerabilities were exploited in ICS?

Since all ICS involve information technology (IT) and operational technology (OT), grouping vulnerabilities by category helps identify and implement mitigation strategies. The National Institute of Standards and Technology (NIST) ICS Security Guidelines categorize these into issues related to policy and procedures, and vulnerabilities found in various platforms (e.g., hardware, operating systems, and ICS applications) and networks.

1. Policy and procedure vulnerabilities

Inadequate security architecture and design; little or no security auditing of the ICS environment; inadequate ICS security policy; lack of ICS-specific configuration change management; lack of formal ICS security training and awareness programs; lack of administrative mechanisms for security enforcement; lack of ICS-specific continuity-of-operations plans; lack of specific or documented security procedures developed from the ICS security policy.

2. Platform configuration vulnerabilities

Data on portable devices is not protected; default system configurations are used; critical configurations are not stored or backed up; operating system and application security patches are not maintained, or are deployed without thorough testing; access control policies are inadequate, for example ICS users holding more privileges than they need; operating system and vendor software patches may not be available until well after a vulnerability is discovered; password policies are insufficient, passwords are leaked accidentally, or no, default, or weak passwords are used.

3. Platform hardware vulnerabilities

Inadequate testing of security changes; lack of redundancy for critical components; insecure remote access to ICS components; lack of backup power (generators or uninterruptible power supplies, UPS); dual network interface cards (NICs) that bridge networks; inadequate physical protection of critical systems; undocumented assets connected to the ICS network; unauthorized personnel with physical access to equipment; loss of environmental control, which can lead to hardware overheating; radio frequency interference and electromagnetic pulses (EMP) that can disrupt or damage circuits.

4. Platform software vulnerabilities

Denial-of-service (DoS) attacks against ICS software; lack of intrusion detection/prevention software; installed security features not enabled by default; ICS software that may be vulnerable to buffer overflow attacks; mishandling of undefined, poorly defined, or "illegal" network packets; unnecessary operating system services left enabled that can be exploited; lack of proper log management, making security incidents difficult to track; exposure of the OLE for Process Control (OPC) protocol to Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) vulnerabilities; use of insecure industry-wide ICS protocols such as DNP3, Modbus, and Profibus; inadequate authentication and access control in configuration and programming software; ICS communication protocols that transmit messages in plaintext over the transmission medium; readily available technical documentation for ICS software and protocols that helps attackers plan successful attacks; lack of real-time monitoring of logs and endpoint sensors, so that security vulnerabilities are not identified quickly.

5. Malware protection vulnerabilities

No antivirus software installed; antivirus signatures not updated; antivirus software installed in the ICS environment without thorough testing.

6. Network configuration vulnerabilities

Weak network security architecture; passwords not encrypted in transit; network device configurations not stored or backed up properly; passwords on network devices not changed regularly; flow controls such as access control lists (ACLs) not used; improperly configured network security devices, such as firewalls and routers, with incorrect rule sets.

7. Network hardware vulnerabilities

Critical networks lack redundancy; network equipment lacks adequate physical protection; loss of environmental control may lead to hardware overheating; non-critical personnel have access to equipment and network connections; unsecured USB and PS/2 ports can be used to connect unauthorized thumb drives, keyloggers, and similar devices.

8. Network perimeter vulnerabilities

No network security perimeter is defined; firewalls are absent or misconfigured; ICS control networks carry non-control traffic, such as web browsing and email; services used by the control network, such as DNS and DHCP, are not located within it but are typically installed on the corporate network.

9. Communication vulnerabilities

Critical monitoring and control paths are not identified; user, data, or device authentication is non-standard or nonexistent; many ICS communication protocols lack built-in integrity checks, so attackers can manipulate communications undetected; standard, well-documented protocols such as Telnet and FTP are used in plaintext, so their traffic can be sniffed and decoded with protocol analyzers.

10. Wireless connectivity vulnerabilities

Insufficient authentication between clients and access points; insufficient data protection between clients and access points.

11. Network monitoring and logging vulnerabilities

No security monitoring of the ICS network; insufficient firewall and router logging, making security incidents difficult to track.
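As an added example (not part of the original article), the following Python script shows why items 4, 9 and 11 above matter together: a Modbus/TCP request carries no authentication and no integrity check, so every field is readable and forgeable by anyone on the segment, and the compensating control is monitoring the control network for writes that come from hosts that should never issue them. The host addresses and the allow-list of workstations permitted to write are hypothetical, and the frames are hand-built rather than captured.

```python
"""Parse Modbus/TCP request frames and flag write operations from unexpected hosts.

Added example (not from the original article). The frames below are
hand-built byte strings, not real captures, and the host addresses and the
allow-list of hosts permitted to write are hypothetical.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus public function codes (Modbus Application Protocol specification).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting coil/register address
    value: Optional[int]    # written value (FC 5/6) or quantity (FC 1-4, 15/16)


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the start of the PDU of a request.

    Nothing here is authenticated or integrity-protected: the protocol is
    plaintext, so anyone on the segment can read these fields or forge them.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The length field counts the unit id and the PDU, i.e. everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    data = frame[8:]
    address = value = None
    if func in FUNCTION_NAMES and len(data) >= 4:
        # For all eight public codes the PDU starts with a 16-bit address
        # followed by a 16-bit value (FC 5/6) or quantity (all others).
        address, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(tid, unit, func, address, value)


def flag_unexpected_writes(
    packets: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]
) -> List[Tuple[str, int, str, int, int]]:
    """Return (src, unit, function, address, value) for every write request
    whose source is not on the allow-list of engineering/HMI hosts.

    Because Modbus itself cannot reject the write, network monitoring is the
    compensating control: detect it and alert.
    """
    alerts = []
    for src, frame in packets:
        req = parse_request(frame)
        if req.function_code in WRITE_CODES and src not in allowed_writers:
            alerts.append((src, req.unit_id, FUNCTION_NAMES[req.function_code],
                           req.address, req.value))
    return alerts


# Constructed sample traffic: (source address, Modbus/TCP request frame).
SAMPLE_PACKETS = [
    # HMI polls ten holding registers starting at 0 on unit 1 (FC 3).
    ("10.0.10.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation writes 500 to register 16 (FC 6) - allow-listed.
    ("10.0.10.7", bytes.fromhex("0002 0000 0006 01 06 0010 01f4")),
    # Unknown host forces coil 3 ON (0xFF00) with FC 5 - should be flagged.
    ("10.0.20.44", bytes.fromhex("0003 0000 0006 01 05 0003 ff00")),
]
ALLOWED_WRITERS = {"10.0.10.7"}  # hypothetical allow-list


def audit_sample() -> List[Tuple[str, int, str, int, int]]:
    """Run the detection over the constructed sample traffic."""
    return flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in audit_sample():
        print("ALERT: write from unexpected host:", alert)
```

In a real deployment the packet source would be a span port or tap on the control network rather than a hard-coded list, and the allow-list would come from the asset inventory; the parsing and the decision logic stay the same.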

Every ICS environment can potentially contain vulnerabilities, depending on its configuration and purpose. The size of the ICS environment can also be a factor; the larger the environment, the greater the likelihood of errors. ICS environments that replace legacy systems with modern ones and introduce tools such as Industrial Internet of Things (IIoT) devices may also create more vulnerabilities for threat actors.

Industrial Internet of Things and How It Affects ICS

As industrial control systems continue to modernize, an increasing number of Internet of Things (IoT) devices are being introduced to improve productivity and enhance system control. With suitable IoT devices, process control, data monitoring, and communication with other systems become much simpler. However, using smart devices for such tasks carries risks.

IIoT encompasses machine learning and big data analytics. It also leverages sensor data, machine-to-machine (M2M) communication, and automation technologies that already existed in industrial environments. IIoT can perform tasks such as data aggregation, predictive analytics, prescriptive analytics, value-added data processing, and even the creation of new business models.

Just as the introduction of smartphones was followed by a rise in platform-related vulnerabilities and malware, integrating Human Internet of Things (HIoT) and Industrial Internet of Things (IIoT) devices may present similar problems. Managing IoT devices in an ICS environment can pose significant security challenges, as each device must be properly defended and protected. Without adequate security measures, the entire ICS ecosystem becomes highly vulnerable to attack.

Using IIoT also requires overcoming some unique challenges:

Technological fragmentation complicates network processes. When devices run different, independent operating systems, scheduling patches and configuration changes becomes difficult. One example is the mix of legacy systems and new software found in ICS: not only may the two fail to communicate properly, but threat actors can also exploit vulnerabilities in unpatched legacy systems to gain access to the ICS network.

Machine-to-machine (M2M) and IoT application development is challenging. Unlike mass-produced HIoT devices, developing M2M and IoT applications for ICS requires specialized skills in hardware and software development, IT, and communications.

Legacy systems and traditional communication protocols are still widely used in industrial environments. One example of a legacy system is Windows 3.1, which still runs the DECOR program; likewise, traditional communication protocols such as PROFIBUS remain in wide use. These systems must be integrated through standards-based protocol gateways so that data and commands can be sent and received.

While hacking IoT devices can be challenging, targeted attacks by knowledgeable and persistent threat actors can succeed against the target network. In addition, device loss is a major cause of data breaches: a misplaced device can give cybercriminals the access they need to penetrate a target network.

Potential impact of cyberattacks on ICS components

The impact of cyberattacks on industries using ICS depends on the nature of the target's operations or the cybercriminals' motivations for pursuing the attack. Each of the effects listed below can be felt by both the target company's internal and external customers.

Changes to system, operating system, or application configurations. When a system is tampered with, it can produce unwanted or unpredictable results. This can be done to mask malware or other malicious activity, and it can also alter the output of the targeted process.

Changes to programmable logic controllers (PLCs), remote terminal units (RTUs), and other controllers. As with system changes, changes to controller modules and other devices can damage equipment or facilities, cause process failures, and remove control over processes.

Error messages reported to operators. Misleading error messages can cause unwanted or unnecessary actions to be taken, which may in turn lead to changes in programmable logic. They can also help hide malicious activity, including the event itself or injected code.

Tampering with security controls. Preventing fail-safes and other protective measures from functioning properly puts the lives of employees, and even external customers, at risk.
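The configuration changes described above are easiest to catch when a backed-up baseline exists, which is exactly what the "critical configurations are not stored or backed up" and "lack of ICS-specific configuration change management" items earlier on this page warn about. The Python script below is an added example, not code from the article or from any vendor tool: it compares current controller configuration exports against a stored baseline, accepts only changes whose hash matches an approved change record, and reports which settings moved, so a raised trip limit or an unknown controller appearing on the network stands out. The controller names, the key=value exports and the approved-change record are constructed for illustration.

```python
"""Detect unapproved controller configuration changes against a stored baseline.

Added example (not from the original article). The controller names,
configuration contents and approved-change record are constructed for
illustration; real PLC exports would come from the engineering tool.
"""
import hashlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str, List[str]]  # (controller, reason, changed keys)


def fingerprint(config: bytes) -> str:
    """SHA-256 of a configuration export, used as its change-ticket reference."""
    return hashlib.sha256(config).hexdigest()


def parse_kv(config: bytes) -> Dict[str, str]:
    """Parse a simple key=value export; blank lines and # comments are ignored."""
    pairs: Dict[str, str] = {}
    for line in config.decode("utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def changed_keys(old: bytes, new: bytes) -> List[str]:
    """Keys whose value differs between two exports (added/removed included)."""
    a, b = parse_kv(old), parse_kv(new)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def detect_drift(
    baseline: Dict[str, bytes],
    current: Dict[str, bytes],
    approved: Dict[str, str],
) -> List[Finding]:
    """Compare current exports with the backed-up baseline.

    A change is accepted only if its fingerprint matches the hash recorded on
    an approved change ticket for that controller; anything else is reported,
    as are controllers that appear without a baseline or disappear from the
    inventory.
    """
    findings: List[Finding] = []
    for name, blob in current.items():
        if name not in baseline:
            findings.append((name, "unknown controller not in baseline", []))
            continue
        if fingerprint(blob) == fingerprint(baseline[name]):
            continue  # unchanged
        if approved.get(name) == fingerprint(blob):
            continue  # matches the approved change record
        findings.append((name, "configuration changed without approval",
                         changed_keys(baseline[name], blob)))
    for name in baseline:
        if name not in current:
            findings.append((name, "controller missing from current inventory", []))
    return findings


# Constructed sample data: baseline backups and the latest exports.
BASELINE = {
    "PLC-01": b"mode=auto\nsetpoint_rpm=1500\nhigh_pressure_trip=250\n",
    "PLC-02": b"mode=auto\nsetpoint_rpm=1200\nhigh_pressure_trip=250\n",
    "PLC-03": b"mode=auto\nsetpoint_rpm=900\nhigh_pressure_trip=250\n",
    "PLC-05": b"mode=manual\nsetpoint_rpm=0\nhigh_pressure_trip=250\n",
}
CURRENT = {
    "PLC-01": BASELINE["PLC-01"],                                         # unchanged
    "PLC-02": b"mode=auto\nsetpoint_rpm=1300\nhigh_pressure_trip=250\n",  # approved retune
    "PLC-03": b"mode=auto\nsetpoint_rpm=900\nhigh_pressure_trip=400\n",   # trip raised, no ticket
    "PLC-04": b"mode=auto\n",                                             # never baselined
}
# The approved change ticket for PLC-02 records the expected fingerprint.
APPROVED_CHANGES = {"PLC-02": fingerprint(CURRENT["PLC-02"])}


def audit_sample() -> List[Finding]:
    """Run the drift check over the constructed sample data."""
    return detect_drift(BASELINE, CURRENT, APPROVED_CHANGES)


if __name__ == "__main__":
    for controller, reason, keys in audit_sample():
        detail = f" (changed: {', '.join(keys)})" if keys else ""
        print(f"{controller}: {reason}{detail}")
```

Tying approval to the hash of the resulting export, rather than to a free-text ticket, means an attacker who alters a controller during an approved maintenance window still produces a finding unless the export matches what the ticket promised.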
