Cyber security in industrial control systems

According to a recent report, four out of 10 industrial control systems practitioners lack visibility into their networks, potentially leaving them unable to defend against cyber-attacks and putting critical infrastructure at risk.

Doug Wylie, director of SANS Institute’s Industrials & Infrastructure Practice Area, outlines the current cyber security threats to industrial control systems, the real-world readiness of those in the industry and how practitioners can effectively hold the line against cyber criminals and digital threats.

Robotics UK Oil and Gas Off Shore Oil Rig Platform
Without oil and gas, we would have no fuel for transporting goods.

Oil and gas, manufacturing, energy are crucial to the turning of the modern world. Without oil and gas, we would have no fuel for transporting goods, and without manufacturing, we would have no vehicles to transport those goods.

These industries help make up the backbone of society, so why do we find them to be so vulnerable and often fragile?

SANS Institute’s Securing Industrial Control Systems 2017 report explored how hundreds of industrial control systems (ICS) security practitioners are combatting cyber security risks and threats.

These are the very people entrusted by employers to identify risks, safeguard control systems and networks from malicious and accidental actions and recover these systems should disruption or damage occur. This year’s report brought to light concerns ICS practitioners have, as well as their current view of the most prevalent cyber security threats today.

Defining industrial control systems

Think of a power plant, or a factory that manufactures components at scale. Within that plant or factory sits an ICS, encompassing specialised industrial-grade hardware and software that monitors and controls how devices and machinery are used.

Contemporary ICS and an array of new technologies have led to significant, measurable improvements in safety, efficiency, and profitability for asset owners and operators. The flip side of this coin is a host of risks that have emerged that can disrupt operations, impact safety and carry financial consequences for companies and the broader supply chain.

A complex real world landscape

Many of today’s plant managers and other automation and control system professionals at least recognise current cyber security risks, but aren’t always positioned to combat them. While standards help define best practice, governance remains a challenge when it conflicts with business objectives such as efficiency and productivity.

ICS practitioners are frustrated with the stream of requests to apply new technologies. Many don’t want to become cyber security experts themselves, but nevertheless, they realise that their organisation needs an appropriate, cost-effective plan for managing threats.

Stock Image - Servers industrial control systems - Technology Virtualisation Data Server Computer IT - image courtesy of Pixabay.
Industrial control systems practitioners are frustrated with the stream of requests to apply new technologies – image courtesy of Pixabay.

Budgetary constraints and a lack of cyber security expertise make for a complex landscape that’s very different from even a few years’ ago.

ICS environments pose unique challenges when compared to business enterprise systems. It’s common for automation and control systems to run continuously, only stopping for mechanical failure, loss of power or lack of raw materials.

Yet, the operation of most ICS designed to run around the clock will be disrupted during a patch upgrade. To a plant manager measured on system safety, uptime, efficiency and productivity, the cost of downtime to patch a system as a preventative measure often has little appeal, especially since that process introduces risks to that highly-engineered and tightly-tuned system.

This process of upgrading ICS products and systems, if even just to apply a minor patch, contrasts starkly with most IT environments. In fact, only 46% of ICS respondents in the SANS report regularly apply vendor-validated patches.

While this might be understandable given the priorities associated with running OT systems 24-7/365, the result is an expanding attack surface that only increases the security challenges with protecting these systems against known risks and threats. This includes malware and ransomware often designed specifically to capitalise on exposed weaknesses in unpatched devices and systems.

It’s no surprise that 69% of respondents in our report considered the threat to ICS systems to be high or severe/critical. In addition, four out of 10 practitioners lack visibility into their networks.

This is one of the primary impediments to securing ICS systems; without full knowledge of connected and interconnected assets, configurations and the integrity of communications, defenders are working blindly.

This could be why 44% of respondents consider the top threat to their ICS to be adding to the network devices that can’t protect themselves. This was followed by accidental internal threats (43%), external threats from hacktivists or nation-states (40%) and ransomware (35%).

Protecting today for benefit tomorrow

But it’s not all doom and gloom. While human-factors continue to pose substantial security risks to ICS environments, people also provide the greatest opportunity to defend these systems.

Doug Wylie, director Industrials & Infrastructure Practice Area, SANS Institute.
Doug Wylie, director Industrials & Infrastructure Practice Area, SANS Institute.

The technical and administrative complexity of successfully operating, maintaining and protecting today’s ICS carries significant challenges. Investments in cyber security should be applied across a combination of people, technology and best-practice processes, all of which should be continuously tested and improved.

Educating people provides the best ROI since all risk decisions and action plans begin proactively with people. Globally, budgets for training and certification have fallen as reported this year, compared to years past. This is counter-intuitive, given rising threat levels and expanding attack surfaces requiring skilled professionals to address risks, but could be the result of budget reallocations towards technologies or governance programmes.

Regardless, organisations should be protecting their own interests by employing or cross-skilling staff to become wholly focused on ICS security, rather than requiring staff to split attention across multiple missions.

Industrial control systems are essential to manufacturing. The disruption of these processes can and often has an immediate financial and brand impact, in addition to the potential for safety and non-compliance consequences.

Yet the reality is, many organisations have not yet fully adapted to changing technological realities. While it’s clear that today’s manufacturing will never return to the less efficient, more expensive, disconnected systems of the past, firms who fail to proactively invest in adequate cybersecurity safeguards and workforce training will eventually find themselves paying a steeper price that also affects others depending on these critical systems.