Even though the U.S. hasn’t yet suffered a cyberattack on manufacturing, power production or public transit, the risk is growing. Indeed, the number of ICS-related cybersecurity incidents reported to U.S. authorities rose 20 percent in the last year.
ICS solutions and protocols were originally designed to work within isolated environments. They monitor and control industrial processes in critical infrastructure sectors such as electric grids and water treatment facilities, as well as in heavy industry. As more organizations connect their infrastructures to the Internet, companies are retrofitting this older equipment to work in modern networked environments.
The concern is that many of these systems were designed and installed before the emergence of the commercial Internet. What often results is a hodgepodge of modern and legacy elements where cybersecurity falls through the cracks.
Indeed, a recent report on publicly accessible ICS hosts found that 91 percent of public-facing ICS components had vulnerabilities that could be exploited remotely. Cybercriminals would then be free to carry out attacks against control system protocols, for example by modifying packets in transit, or worse.
Something old, something new
ICS vulnerabilities were highlighted when cyberintruders manipulated the access systems at a German steel mill in late 2014 and prevented managers from shutting down a blast furnace. The breach resulted in what investigators would later describe as "massive" damage. It seems that the intruders launched the attack by sending a spear-phishing email that executed malicious code on an employee’s computer to gain access to the control systems.
Despite their spectacular nature, ICS attacks aren’t unique. They embody many of the familiar challenges that security executives now face as they navigate the sometimes fraught transition of updating legacy infrastructure to join the Internet of Things.
As they get connected to the Internet, IT and ICS networks are going to become increasingly intermingled. Even if they can’t prevent cyberattacks, operators of critical infrastructures can still reduce their exposure by doing the basics, recognizing that industrial control systems face many of the same cybersecurity threats that also target corporate networks. Recommendations for some of the basic risks follow.
Third parties. One of the blunt realities about the IoT era is the growing security risk posed by third parties. Partners can’t be automatically trusted any longer and system security often depends on the security hygiene of the weakest member connected to the supply chain network. That’s why the Cyber Emergency Response Team suggests that peer links be restricted behind firewalls to specific hosts and ports. Firewalls should also separate the business LAN from the control system LAN.
Patch management. Another weakness in ICS security should be easy to fix. Patch management of ICS software for critical infrastructure has paradoxically been found to be inconsistent at best and nonexistent at worst.
Secure networks. If industrial control systems can’t run in a physically isolated environment, organizations should at least surround them with controls and then monitor network traffic for any communications abnormalities. Organizations can further insulate their infrastructure by reducing the number of remote connections granted to employees.
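One way to check firewall flow records against the two controls described above (peer links restricted to specific hosts and ports, and the business LAN kept apart from the control system LAN) and to surface communications abnormalities, as an added Python example that is not from the original post; the addressing plan, the allowlist entries and the flow-record format are all constructed assumptions:

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing plan and peer-link allowlist (constructed for this example):
BUSINESS_LAN = ipaddress.ip_network("10.10.0.0/16")
CONTROL_LAN = ipaddress.ip_network("10.20.0.0/16")
# The only business->control flows permitted, pinned to specific hosts and ports.
PEER_ALLOWLIST = {
    ("10.10.5.20", "10.20.1.10", 502),    # historian -> PLC gateway (Modbus/TCP)
    ("10.10.5.20", "10.20.1.11", 44818),  # historian -> controller (EtherNet/IP)
}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_flow(line):
    """Return (src, dst, dport) from one flow record, or None if it does not parse."""
    m = FLOW_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def classify(src, dst, dport):
    """Label one flow by the segmentation rule it touches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in CONTROL_LAN:
        return "outside_scope"           # only traffic into the control LAN is policed
    if s in CONTROL_LAN:
        return "intra_control"
    if s not in BUSINESS_LAN:
        return "external_to_control"     # neither LAN: must never reach a control host
    if (src, dst, dport) in PEER_ALLOWLIST:
        return "allowed_peer_link"
    return "unapproved_crossing"         # business host not on the peer-link list

def audit(log_text):
    """Count flows per label and return the ones that violate policy."""
    counts, violations = Counter(), []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(*flow)
        counts[label] += 1
        if label in ("external_to_control", "unapproved_crossing"):
            violations.append((label,) + flow)
    return dict(counts), violations
# Constructed firewall flow records in the format the parser expects.
SAMPLE_FLOWS = """\
src=10.10.5.20 dst=10.20.1.10 dport=502
src=10.10.7.33 dst=10.20.1.10 dport=502
src=10.20.1.10 dst=10.20.1.11 dport=44818
src=203.0.113.9 dst=10.20.1.10 dport=502
src=10.10.5.20 dst=10.10.9.1 dport=443
"""
```

Running `audit(SAMPLE_FLOWS)` flags the workstation reaching a PLC gateway outside the allowlist and the outside address reaching the control LAN, while the sanctioned historian link and purely internal traffic pass.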
Clearly, industrial control systems pose particular security challenges. But adopting these and other common sense risk-focused approaches can go a long way to managing the risks.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.