As attackers become more sophisticated, so do their attacks. This in turn exposes threat vectors that once were thought to be well protected, or at least not interesting enough to attack. Nowhere is this truer than in industrial control systems (ICS) environments.

The growing practice of connecting ICS to enterprise networks and the internet, driven by technologies such as IoT, edge computing and analytics platforms, has put ICS on the radar of cybercriminals.

ICS attacks can cause severe problems, ranging from supply chain disruption to physical damage to components and subsystems. What’s more, ICS traffic often contains proprietary data or information that has intrinsic value to business processes or workflows. 

Securing ICS is more challenging than protecting traditional IT environments since ICS is insecure by design. ICS was originally conceived to be siloed from other IT systems, shared IT infrastructure and the outside world. These closed systems were considered immune from external threats, simply because they were “air gapped”.

Advances in IoT technologies and other IT-centric systems made it logical to connect ICS to IT to garner numerous benefits. However, very few considered the implications of that connectivity, which cybercriminals are able to exploit, especially the native insecurities of ICS such as limited policies, a lack of access control provisions, weak password enforcement and infrequent patching. Perhaps the biggest threat to ICS is the fact that utility companies are such large targets: they are well known, cover large geographic areas, and their critical locations are all very public.

Simply put, ICS operators need additional methods of obscuring their critical infrastructure from cyber security threats and tactics while allowing teams to more anonymously conduct incident detection and response. One way to obscure ICS vulnerabilities is to procure sensitive equipment (including cloud infrastructure) through surrogate means. Hiding the billing trail is a proven method of making it more difficult for threat actors to determine access points. In addition, all cyber practitioners in the ICS space must have access to realistic training sandboxes where they learn how to disrupt potential vectors while also seeing the interactions of potential threats in a benign environment. Consider the following attack vectors that can impact ICS.

Brute force attacks against weak passwords are something IT pros have been dealing with for years and have developed countermeasures against. However, most ICS systems lack policies around passwords, meaning that attacks may go unnoticed or unrecorded. Here, ICS operators need to learn what constitutes a brute force attack, identify the signs of such an attack, and implement controls to prevent damage. These are processes that require knowledge, action, and response, and those processes must be taught.

Another attack vector is false data injection, whose primary goal is to disrupt ICS processes. In the IT world, DDoS (Distributed Denial of Service) attacks are focused on disruption. However, with ICS false data injection may take on a different characteristic, one that not only disrupts processing, but potentially damages physical equipment, or cascades to other devices. ICS operators must learn how to monitor for those types of attacks, create policies that can stem them, and remediate vulnerabilities they exploit. 

Dealing with data injection attacks also requires knowledge of how data is shaped and moves across the ICS environment, something that may be difficult for ICS operators to conceptualize. That means training must take on a new element, one that consists of simulations that can demonstrate the characteristics of those attacks, and show the consequences. 
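As an added example (not code from the original article), the following plausibility check illustrates one monitoring approach for false data injection: each telemetry reading is compared against the physical limits and maximum rate of change of the process it describes. The tag names, limits and sample readings are constructed for a hypothetical tank-and-pump process.

```python
from dataclasses import dataclass

# Assumed physical limits per tag for a hypothetical process (constructed, not from the page):
# a tank level in percent and a pump flow in litres per minute.
LIMITS = {
    "TANK1_LEVEL_PCT": {"lo": 0.0, "hi": 100.0, "max_rate_per_s": 0.5},
    "PUMP1_FLOW_LPM":  {"lo": 0.0, "hi": 400.0, "max_rate_per_s": 20.0},
}

@dataclass
class Reading:
    ts: float    # seconds since start of the capture
    tag: str
    value: float

def check_readings(readings):
    """Return (ts, tag, reason) alerts for readings that are physically implausible."""
    alerts = []
    last = {}  # tag -> previous Reading, used for the rate-of-change check
    for r in sorted(readings, key=lambda x: x.ts):
        lim = LIMITS.get(r.tag)
        if lim is None:
            alerts.append((r.ts, r.tag, "unknown tag"))
            continue
        if not (lim["lo"] <= r.value <= lim["hi"]):
            alerts.append((r.ts, r.tag, "out of physical range"))
        prev = last.get(r.tag)
        if prev is not None and r.ts > prev.ts:
            rate = abs(r.value - prev.value) / (r.ts - prev.ts)
            if rate > lim["max_rate_per_s"]:
                alerts.append((r.ts, r.tag, f"rate of change {rate:.1f}/s exceeds limit"))
        # The baseline always advances, so an injected value is reported twice:
        # once on the jump and once when the real value returns. Both are useful signals.
        last[r.tag] = r
    return alerts

# Constructed sample telemetry: a slow, legitimate tank ramp with one injected jump,
# and a pump flow with one injected value beyond the pump's capacity.
SAMPLE = [
    Reading(0, "TANK1_LEVEL_PCT", 50.0), Reading(1, "TANK1_LEVEL_PCT", 50.4),
    Reading(2, "TANK1_LEVEL_PCT", 50.8), Reading(3, "TANK1_LEVEL_PCT", 95.0),
    Reading(0, "PUMP1_FLOW_LPM", 200.0), Reading(1, "PUMP1_FLOW_LPM", 205.0),
    Reading(2, "PUMP1_FLOW_LPM", 450.0), Reading(3, "PUMP1_FLOW_LPM", 205.0),
]

if __name__ == "__main__":
    for ts, tag, reason in check_readings(SAMPLE):
        print(f"t={ts:>3} {tag:<16} {reason}")
```

Range and rate limits like these come from the engineering documentation of the process, which is why monitoring for data injection depends on the operator knowing how data is shaped and moves through the plant.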

Other attack vectors ICS is susceptible to include buffer overflows, command injection, PLC programming modifications, and many more. Dealing with those attacks requires knowledge of both ICS and IT, meaning that ICS operators must achieve the same level of cyber competency as their IT counterparts, while also applying their knowledge of the intricacies of ICS.

Simply put, organizations must put in place plans and policies to adequately train those that manage ICS, build realistic scenarios, and also provide a layer of anonymity for those responding to those threats. 

Just as in IT, the most effective way to train ICS personnel is to use the native environment and tools they work with every day. Since production environments are off limits for training exercises, software-based sandbox environments provide effective alternatives.

Today’s threats to ICS are much more common than Stuxnet was some 10 years ago, and the attackers have evolved to seek financial gain from attacks, making ICS a growing attack vector. That’s why players in the ICS space must employ better means of both critical infrastructure obfuscation and staff training to bolster their defenses.
