ICS as a cloud service is coming: Will the benefits outweigh the risks?

Industrial control system (ICS) equipment benefits from security by obscurity and complexity. The protocols are so unique and require so much effort to master that nobody but a motivated nation-state is going to spend the time and money figuring out how to attack them.

Plug these systems into a modern IT cloud infrastructure and all of a sudden the gamut of “traditional” attacks can now affect ICS/operational technology (OT) systems, including taking advantage of wormable, unpatched IT vulnerabilities.

Some ICS security vendors now offer what they call ICS as a service (ICSaaS); those CSO spoke with say it’s what the market demands. If the market is bent in that direction, they say, we might as well try to do it as securely as possible.

If done well, remote monitoring can help improve security by giving security analysts access to real-time data from those systems. This can be especially useful to smaller organizations that want to share remote telemetry with an outsourced security contractor.

Remote management of ICS/OT systems via a cloud interface is a dangerous proposition, though, that will “require a fundamental rethink of the way in which entities operate in order to make this trend the best it can be,” Joe Slowik, adversary hunter at ICS security vendor Dragos, tells CSO.

ICSaaS offerings

Of the half-dozen players in the ICS security space, at least two offer a cloud-based option. Indegy’s new CIRRUS cloud platform was the first to market, offering a view of OT systems through an “IT lens” that enables policy and configuration management from afar, as well as threat hunting and reporting.

When asked about the concerns posed by cloud-connected critical infrastructure systems, Indegy’s PR person, Marc Gendron, tells CSO, “We don’t add any additional risk to an environment that is already cloud connected. The reason we did this is our customers are asking for this capability.” Indeed, Indegy is responding to the demands of the free market economy in which they operate, and they are not the only ones with this kind of offering.

Competitor Dragos was critical of the trend toward greater cloud integration, but Slowik argues that the move to ICSaaS is likely an unstoppable trend, and the industry is better off building in security from day one rather than trying to bolt it on after the fact.

“There is an increasing push from major systems providers towards remote telemetry and cloud-based links for diagnostic and monitoring purposes from an operational level,” Slowik tells CSO. “Given that this is a trend, the question then becomes how do we do this smartly, and what this might offer from an operations / stability / security perspective, while minimizing the potential downsides.”

“‘Hook up ICS to the cloud and things will be great’ is a ridiculous proposition,” Slowik adds. “But doing things intelligently…”

ICS security company Claroty has its eye on the market as well and is considering an ICaaS offering. “The advantages cloud-based architectures have delivered in other security categories tend to include improving centralized management of broadly distributed environments, increased speed, decreased cost of deployment, and improved response time to unknown threats,” Patrick Kennedy, senior director, global marketing at Claroty, tells CSO. “The benefits can also make enterprise-class security technologies more accessible to smaller organizations. We see the potential for similar benefits in ICSaaS.”

This trend is not without pushback from industry, however. “Acceptance of the cloud in OT/ICS is growing, but most industrial organizations still consider it a non-starter,” Phil Neray, vice president of industrial cybersecurity at ICS security vendor CyberX, tells CSO. “Remember that this sector only recently accepted that it’s unrealistic and inefficient for OT networks to be completely air-gapped from corporate IT networks, let alone the internet. Of course, cloud-based services bring many benefits, including ease-of-use, rapid provisioning, and virtually unlimited scalability, but most industrial organizations aren’t ready to send their sensitive OT network traffic data to the cloud — yet.”

Nozomi Networks, another ICS security vendor, glossed over all potential downsides to ICSaaS. “In the field we’re seeing more and more ICS organizations connecting their OT security tools with their IT security tools to achieve security visibility across their network,” Nozomi co-founder Andrea Carcano tells CSO.

Remote telemetry vs. remote management

Many smaller to medium-sized industrial concerns and utilities lack a deep bench of security talent, so automation and outsourcing become critical tactics to stay ahead of the curve. A remote, one-way data feed from inside ICS/OT networks can be a useful way to get real-time alerts of possible issues and for remote analysts to examine security incidents.

It’s easy to punch a one-way hole through a firewall to the outside world to get such a data feed. It’s also easy for a one-way firewall to become a two-way firewall during a hectic troubleshooting session, and then everyone forgets to close it again. Busy, harried sysadmins make honest mistakes.

Worse, feature creep is a thing. How long before well-intentioned but badly informed management decide they really want remote incident response?

“Keeping tabs on that over time is not an easy task,” Slowik says. “Continuous auditing of things like firewall rules and network access…. That’s where organizations really need to think about how to implement those solutions to minimize the scope for abuse.”

“If done incorrectly this is going to be very bad,” Slowik adds. “But this is going to happen whether we like it or not.”