Cybersecurity is a concern for all sectors, and the industrial control systems (ICS) industry is the latest to see an uptick in attacks. Whether it’s manufacturing, energy, oil or chemical plants, protecting the systems that run these operations is critical to businesses and consumers.
Hackers have set their sights on large industrial operations, penetrating the ICS that operate energy, oil and various industrial plants. According to ICS-CERT’s Final Incident Response Statistics, there were 295 cybersecurity incidents involving critical infrastructure in 2015.
Though most attacks are financially motivated, there is also the potential for service disruption, such as the power outages in Ukraine that were caused by targeted cyber attacks.
Patrick Miller, a critical infrastructure cybersecurity advisor and regulatory advisor, consults for energy and utility organizations on information security and compliance. He discusses the threat landscape in ICS and how to improve cybersecurity.
What are the key challenges in protecting ICS from cyber attacks?
Industrial environments are pretty easy to break into once you get past standard external security. The industrial systems were not designed with security in mind, so they don’t have a lot of strong security measures you can use, especially if they weren’t installed in the last five years or so. Industrial systems are designed for a very long life span. We’ve got stuff on the power grid that’s 50 years old.
What are the best defenses against cyber threats in ICS?
In the legacy environments, which make up most of the systems out there, you isolate them as much as you can, both physically and electronically. Then you wrap them up with a bunch of detective controls. Since you can’t prevent something from happening to them, you end up trying to detect when it does, and respond accordingly. For many of the systems, you can’t prevent some of the attacks on them. If someone can get to them, then they can be broken. In fact, they can be broken very easily, so you do what you can to keep the bad actors out, and just in case they get through, you detect quickly and respond in a way that doesn’t require you to take the system down.
It’s really a difficult landscape to navigate through, just from an operational perspective. For hackers, you’d have to master 50 different platforms to understand how to break an entire power system. It’s not necessarily easy from a knowledge base; it’s easy from the fact that once you get in, these systems are pretty easy to tip over. A lot of them just don’t have security designed into them. However, even if they did get in and did do something, most power systems are engineered for catastrophic failure already.
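The layered approach described in this answer, isolate the control segment and then wrap it in detective controls that flag anything crossing the boundary, can be illustrated with a small segmentation-policy checker run over flow records. The following is an added example, not code from the interview or from any organization mentioned on the page; the OT segment address, the approved jump host, the expected protocol ports and the log lines are all constructed.

```python
"""Detective control for an isolated OT segment: flag flows that violate the
segmentation policy. Everything below (addresses, ports, log lines) is a
constructed assumption for illustration, not data from the interview."""
import ipaddress
from dataclasses import dataclass

# Constructed segmentation policy (assumptions, not from the article):
# - 10.20.0.0/24 is the isolated control-system segment
# - 10.10.5.10 is the only approved engineering jump host allowed to reach it
# - Only Modbus/TCP (502) and DNP3 (20000) are expected inside the segment
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}
EXPECTED_OT_PORTS = {502, 20000}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations a flow triggers (empty list means allowed)."""
    findings = []
    src_in = flow.src in OT_SEGMENT
    dst_in = flow.dst in OT_SEGMENT
    # Inbound traffic may only come from the approved jump host.
    if dst_in and not src_in and flow.src not in APPROVED_JUMP_HOSTS:
        findings.append("inbound from unapproved host")
    # Isolated devices should never initiate connections out of the segment.
    if src_in and not dst_in:
        findings.append("outbound from OT segment")
    # Anything other than the expected control protocols is suspicious.
    if dst_in and flow.dport not in EXPECTED_OT_PORTS:
        findings.append(f"unexpected service port {flow.dport}")
    return findings


def detect(lines):
    """Run the policy over log lines; return (ts, src, dst, findings) for violations only."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        hits = evaluate(flow)
        if hits:
            alerts.append((flow.ts, str(flow.src), str(flow.dst), hits))
    return alerts


# Constructed sample flow log: one allowed jump-host session, one normal
# intra-segment DNP3 poll, and three policy violations.
SAMPLE_LOG = """
2016-03-01T10:00:01 10.10.5.10 10.20.0.15 502 tcp
2016-03-01T10:00:07 10.20.0.15 10.20.0.16 20000 tcp
2016-03-01T10:01:12 10.10.7.44 10.20.0.15 502 tcp
2016-03-01T10:01:30 10.10.5.10 10.20.0.15 22 tcp
2016-03-01T10:02:02 10.20.0.16 8.8.8.8 53 udp
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of the design is that the policy is an allow-list: because the devices themselves cannot be hardened, every flow that is not the expected control traffic from the expected source is treated as something to investigate, which matches the "detect quickly and respond without taking the system down" posture in the answer.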
How is operational technology security different from IT security, and how can organizations bridge the gap?
The operational technology (OT) and IT worlds, just from a contingency and reliability perspective, are very different.
A key challenge for OT is the technology itself – most of them are purpose-built devices. They’re really only designed to do one thing. It’s basically action-related, so it opens a valve, it opens a breaker, closes a breaker; it moves an arm on a conveyor belt so that boxes go in different directions. It’s really just a simple device that does one thing.
IT is everything from databases to enterprise-class servers, high-powered laptops and that kind of thing. Their worlds are very different; their capabilities are very different.
The biggest problem is a lot of the vendors are trying to build more and more capabilities into OT so that they can do more stuff with single devices or enrich the experience of the industrial side. In reality, a lot of the industrial side is not asking for this, but the vendors seem to be going in this direction anyway.
Do more IT capabilities in ICS cause more security risks?
Absolutely. The industrial side doesn’t have IT people. For example, patching to them is a foreign concept. You don’t take a system down; you don’t reboot a system. It runs 24/7, and it runs basically until it fails. And you have a failover device, so when it fails, it fails over to the other device so that you have continuity of operation. They understand how long the devices will live because they’ve engineered the mean time between failures and replacement models into the system.
They’re inserting a lot more IP, so now you have a lot of routability, services and servers. These are all concepts that the OT world hasn’t even come close to embracing, and they’re brand new to them – despite how old and mundane and pedestrian that might seem in the IT world. The industrial business units don’t have the staff to manage it. They don’t have the enterprise-class rigor in maintaining those programs.
How can vendors make IT products for ICS more secure?
Vendors have to start getting security built into the supply chain early on. We’re finding they’ll release a product and someone will find a vulnerability in it, then they’ll have to go figure out how to fix the vulnerability and somehow get the patch notices rolled out to customers, and hope the customers will actually patch – which is unlikely.
Designing them with security at the onset will cost them money, and I think they need to start thinking of it more as a market differentiator and long-term cost benefit. I think it’s also going to take some liability. If your product is insecure, you have the threat of recall. It makes it cost-prohibitive for vendors to release less secure products.
How do you think cybersecurity professionals can better secure America’s critical infrastructure?
First and foremost, we need more experienced, IT and OT cross-trained people in the field through further advanced education. For example, IT folks need to put on a hard hat and steel-toed boots and get to know the industrial operations. OT folks need to spend some time in a data center and learn some IT service management tips.
We also need engineers and IT professionals to put aside their egos and meet in the middle to best understand how to design and maintain these systems in a world where the technology can change in 1-3 years, versus 10-30 years.
Just in case the bad guys get through, because they eventually will, we need to get our collaborative incident response to the same degree of refinement that we have during an operational outage. Borrowing from the safety discipline can help here.