Almost a decade has gone by since I performed my first risk analysis of a nuclear plant and discovered a completely new world. Since then, security professionals will have heard a lot more about the current state OT security (or lack thereof). Operational Technology designates systems specially designed to monitor or make changes to physical processes; these systems are often called Industrial Control Systems (ICS).
It doesn’t matter if we’re referring to Supervisory Control and Data Acquisition (SCADA) systems or Programmable Logic Controllers (PLCs), the fact is security was never considered during the design of OT or ICS systems and the protocols they implement. These systems were not built to be interconnected with traditional IT networks. Their security relies on physical “air gaps” and physical access control to the plants or locations where these systems are implemented.
It’s clear that the risks impacting OT systems have grown exponentially during the last 10-15 years. Additionally, we’ve seen an increase in the attack surface and potential impact of an outage or catastrophic system failure. Risks in this area continue to grow as businesses require interconnectivity between IT and OT networks to enable organizations to provide remote access for engineering, operation, support or monitoring activities.
OT networks often leverage standard commercial off the shelf (COTS) technologies such as Microsoft Windows, SQL Servers, and TCP/IP based networks along with customized ICS/OT hardware. Using these COTS solutions often makes the critical systems vulnerable to the same security risks and issues that IT systems face. In fact, the situation is arguably worse, because often patching is not possible due several operational constraints and availability requirements. These constraints often include the potential of losing vendor support if the underlying COTS software or systems are upgraded or the reality that many of these systems cannot be taken offline or rebooted in order to apply patches because they must keep running 24x7x365.
Another reason it’s not possible and often dangerous to run standard vulnerability scanning products is due to the inherent fragility of those systems and the problems that unexpected traffic can cause to them. To complicate matters further, the non-TCP/IP protocols used within these OT networks are often proprietary protocols where authentication or encryption are not present.
In short, these are technologies built with out-of-date operating systems with dozens (or hundreds) of well-known vulnerabilities, built using an insecure network and communications protocols. These technologies must now be interconnected to the corporate IT systems due to business requirements but the systems cannot be scanned, patched, or secured using traditional security solutions and methodologies. OT/SCADA systems are currently used to monitor and operate everything from factory production chains to the critical infrastructure required to deliver electricity to the masses. What could possibly go wrong here?
The risks highlighted above are not just theoretical, in the past few years we have seen a significant increase in the number of attacks specially designed to target ICS/SCADA systems such as:
- 2010 Stuxnet was uncovered. Stuxnet is worm-like malware that targets PLCs designed to enrich uranium. Stuxnet looked for specific Siemens PLCs connected to very specific hardware and if found modified the configuration causing centrifuges to spin too fast. Stuxnet was a targeted attack addressing the Iranian nuclear program that famously became the first nation-state backed cyberattack design to cause physical damage to industrial control systems.
- December 2015, a Ukrainian regional electricity distribution company reported service outages affecting 225,000 customers and lasted for several hours. The outages were discovered to be part of an attack on the power generation systems. Attackers were able to remotely access and control the ICS to cause the outage and delay the restoration efforts.
- June 2017 Crashoverride was uncovered. This malware specifically targets ICS electric grid components. When Crashoverride infects Windows machines, it automatically maps out the controls systems, records network logs (to later be replayed by operators). Crashoverride is an advanced modular malware framework that can adapt to many protocols and is designed to be stealthy, disruptive, and automatic.
- December 2017 Triton was discovered. Triton is a new malware strain designed to target ICS systems. Triton was discovered after causing a shutdown of critical infrastructure in Saudi Arabia. This malware targets Schneider Safety Instrumented Systems (SIS) controllers. By modifying these SIS controllers, the attackers are able to increase the likelihood of system failures resulting in physical damage to the ICS.
In addition to all these security challenges, we also need to be looking towards the future and prepare for the evolution of ICS and now “IOT” systems. I’m confident that, as we have seen in other industries like finance or telco in the past, ICS and SCADA vendors will move towards providing cloud-based offerings for some of their systems. I really think that in the near future we will be talking about Historian-, HMI-, PLC- or even Control-as-a-Service approaches.
With this risk landscape and the associated challenges, we can easily understand that CISOs are having a tough time being responsible for their organization’s ICS security programs. CISOs will face challenges not only because OT security is an entirely new world for most security professionals, but also because historically priorities and concerns for IT and OT teams have been quite different. The stringent operational and availability requirements placed on OT systems often create difficulties when traditional security teams need to work closely with OT engineers.
Furthermore, when we talk about risks and incidents in ICS we need to keep in mind that the potential damage is going beyond financial losses or reputational damage. Attacks in this space could very likely result in physical losses, severe damage to the environment or even the tragic cost of human lives.
Fortunately, it’s not all bad news since the industry is working diligently to design solutions to help mitigate these risks. New best practices and guidelines have been published such as the ISA/IEC-62443 (Formerly ISA-99), a series of standards and guides on how to implement secure ICS.
Additionally, vendors have recently built technologies to identify anomalies or potential intrusions through passively monitoring traffic that then monitors OT networks? It’s important to note that machine learning approaches will struggle to become operational and effective in traditional IT networks, though they work perfectly well on OT networks.
Machine learning works well in OT environments because the traffic and the communications are very consistent and predictable. These tools are not only useful for security professionals to receive easily understandable alerts on potential threats but are also helping OT teams to gain a new level of visibility within their operational technology network and assets that they’ve never had before. They have clear operational advantages. This allows organizations to both improve their detection capabilities while also providing the OT engineering staff tangible benefits. I believe that working closely with the OT teams to show them the operational capabilities of these OT security solutions will lead to better communication and cooperation between OT and IT teams.
All in all, while protecting and hardening ICS networks is an incredibly difficult challenge for any CISO, there are still paths for the success to be followed. I think the efforts should be put on identifying the potential risks, focus heavily on network segmentation including limiting the potential paths of connectivity between OT and IT networks using one-way data diodes. Finally, building a smart security monitoring approach that not only enables the identification of security threats but also provides visibility and added value to the operational team will be a key factor to success.
Do you want to learn more? Click here to read our new Operational Technology whitepaper.
After working in variety of different roles such as Security Consultant, Security Engineer, Security presales, Team Leader and Security Officer Omar moved to Switzerland to join Kudelski Security as Global MSS Architect.
Omar's most relevant certifications in the field include CISA, CISM, CISSP, GCIH and PMP. He also has extensive experience in conducting PCI DSS Assessments as a certified QSA.