- By Eddie Habibi
- Special Section
- ICS defense is challenging because of increasing connectivity, expanding threats, difficulty discerning between human errors and cyberattacks, and the age, complexity, and proprietary nature of industrial control systems.
- The measures to secure an ICS against cybersecurity threats not only improve ICS cybersecurity, they also improve process safety and asset reliability.
- Companies can protect ICSs by implementing foundational ICS cybersecurity controls and "defense in depth," fostering IT/OT partnerships, and engaging CISOs.
Foundational cybersecurity best practices improve safety and production
By Eddie Habibi
Safety, reliability, and profitability within power, oil and gas, and other critical infrastructure facilities face a growing, worldwide threat from cyberattacks. These attacks exploit weaknesses in the industrial control systems (ICSs) that are at the heart of every industrial facility.
ICS attackers include nation states and ransomware attackers, as well as internal threat actors such as disgruntled employees. All are focused on using stealth cyberweapons to take control of industrial systems to disrupt critical infrastructure.
Regardless of the type of threat actor, the consequences of a successful ICS cyberattack are similar-safety risks and lost production. Although only existing in the realm of possibility today, large-scale simultaneous attacks on ICSs in multiple locations would be devastating to national security and the global economy.
For more than two decades, enterprise information technology (IT) organizations have recognized cybersecurity as an undeniable risk to business continuity and have taken calculated measures to protect information assets. However, only within the past five years have operational technology (OT) organizations begun to take cybersecurity threats seriously. Unfortunately, in the race to protect ICSs, time is not on our side. As OT professionals, we must act swiftly and wisely. We must also connect with our chief information security officers (CISOs), who are often new to the world of OT, and partner actively with them to plan and implement an effective ICS cybersecurity strategy.
Over the past 40 years, gross domestic product (GDP) in the U.S. has grown almost tenfold, and per capita GDP has grown nearly 600 percent (World Development Indicators Data from World Bank, 21 July 2017). The main contributors to this rapid economic growth include:
- discovery of new natural resources, such as new oil reserves
- investments in human and physical capital, such as factories
- population growth
- advancements in technology
Each of these contributors, both individually and in combination, have driven explosive economic growth as well as significant improvements in quality of life in the U.S. and the rest of the world.
Technological advances, and more specifically, productivity improvements delivered by advances in process automation technology, have had a key role in this economic growth. Process automation and the digital revolution have replaced human labor, significantly improved process reliability and quality, and dramatically lowered costs. They have also greatly improved process safety and environmental protection in highly hazardous process industries, such as oil and gas, refining, and petrochemicals. However, the great improvements in process automation have not been without technological challenges.
Historical ICS challenges
Although the first mention of feedback control dates back to a water clock in Greece in 270 BCE, modern industrial automation systems first appeared in the late 19th century. The evolution of industrial automation, which began with pneumatic damper controls, launched an era of productivity improvements that continues today.
Automation systems have continued to evolve over the years. The latest generation of connected automation technologies has driven a wave of Internet of Things (IoT) and Industrial IoT (IIoT). IoT and IIoT are taking our factories to ever higher productivity levels, driving our automobiles autonomously, and bringing even better health management by monitoring blood sugar levels in real time. However, proliferating automation also has a downside.
In 1975, Honeywell and Yokogawa introduced the first distributed control systems (DCSs), with other vendors following shortly thereafter. Most plants quickly embraced these systems, deploying control systems from a variety of vendors to meet a host of process automation needs. Over time, many facilities adopted 30 or more different vendor systems and applications.
Unlike the open, standards-based IT systems we see today, each ICS has its own proprietary hardware and software. With no standardized protocols for automatically gathering proprietary ICS inventory data, it is difficult to track critical security configuration data, such as firmware, installed software, and control logic. The highly proprietary and heterogenous nature of ICSs hinder efforts to gather and maintain a holistic enterprise view of the ICS network, devices, and configuration.
The flexibility of DCSs enables continuous improvement and optimization of industrial processes. This in turn increases productivity and profitability. However, control system flexibility has not always brought positive outcomes. Mistakes made by humans have caused safety incidents and lost production since the advent of the systems.
Industrial systems perform deterministic tasks with a high degree of availability and integrity over a life cycle of many years. Many ICSs in operation today were built 10, 20, or even 30 years ago. Ten- to 20-year life cycles are the rule, not the exception. This means that most ICSs installed in plants today were not designed with cybersecurity in mind.
The rapid proliferation of IoT and IIoT, enabled by increasingly affordable sensors, more and more powerful computers, and ubiquitous connectivity, has transformed the way we live today. The automation revolution allows us to monitor our homes remotely, correct poor driving behavior, and squeeze more out of a gallon of crude oil. However, the systems behind these advances are vulnerable to cyberattack.
ICSs pose cybersecurity risks at a totally different level than IT or IoT systems. ICSs are vital to every nation's critical infrastructure, and threat actors know this. Over the past few years, almost every industry has had a proliferation of cyberattacks that reach beyond IT and into OT. Recent cyberattacks on production facilities and power grids demonstrate that exposed ICSs are appealing targets for bad actors.
Cybersecurity vulnerability awareness and mitigation technologies for IT systems have been in place since the mid-1990s, but ICS cybersecurity technology is still in the early stages of adoption. Today, IT security limitations, rapidly increasing ICS connectivity, an expanding threat landscape, and difficulty discerning between inadvertent human errors and cyberattacks make defending ICSs very difficult.
IT and OT
Effectively meeting ICS cybersecurity challenges begins by recognizing that OT is uniquely different from IT. IT systems manage digital bits of information. OT systems drive production by monitoring and directly controlling physical devices, such as circuit breakers at power stations that distribute electricity and the valves and compressors at refineries that produce gasoline. While attackers focusing on enterprise IT seek to steal or deny access to information, attackers of OT focus on taking control of physical devices to interrupt production or cause safety incidents.
When connectivity between IT and OT systems began to emerge about two decades ago, there were few concerns about cybersecurity within the OT layers. Cybersecurity only became a priority within the process and power industries after the discovery of Stuxnet.
Since then, attacks on the Ukrainian power grid, attacks on nuclear power plants in the U.S., and the rapid proliferation of ransomware like WannaCry eliminated any doubts about the seriousness of the cybersecurity threat that ICS connectivity presents. And the threat only grows as the industrial sector speeds adoption of connectivity-based capabilities, such as remote access and cloud computing.
We hear about new ICS threats daily, many originating from compromised information technology systems. Effectively defending against these threats in an increasingly connected environment is a formidable challenge.
Successful attacks on an ICS require a high degree of specialized knowledge above and beyond that required to hack into traditional IT systems. However, the number of attackers with ICS expertise is growing.
It is true that there are fewer ICS attackers than IT ones out in the world. However, the risk ICS attackers pose to safety, productivity, and profitability is substantial and rapidly expanding.
Actions that an external threat actor takes when launching a malicious attack on an ICS are eerily similar to the inadvertent errors that well-intentioned automation engineers have been making for decades. These errors include accidently moving the wrong valve at the wrong time, shutting down the wrong pump, or unintentionally bypassing the safety instrumented function. All of these can cause industrial accidents and production outages that are just as devastating as a malicious external attack. It is extremely difficult to distinguish between mistakes made by a good engineer having a bad day and malicious changes made by a threat actor executing a critical infrastructure attack on behalf of a nation state.
Protecting the ICS
In light of the increasing threats to ICSs, protecting the mission-critical ICS core is more important today than ever. There are important steps you must take to better protect these systems.
Over the past few years, many IT organizations have focused on implementing foundational IT security controls. Such controls include:
- actively maintaining an inventory of authorized hardware and software
- hardening device configurations and managing change
- assessing and remediating vulnerabilities
- controlling access to systems
In industrial environments, implementing foundational security controls is even more important than implementing controls for IT systems, because the impact of OT systems is so much greater. Implementation of foundational ICS security controls in OT delivers additional benefits. For example, the foundational security controls implemented to protect against external attacks also protect against internal threats, such as human error and malicious insiders.
However, effectively implementing foundational controls in OT requires a different mindset regarding the nature and definition of endpoints. IT endpoints typically include workstations, servers, routers, and switches. OT endpoints expand beyond these Level 2 systems and include endpoints that reside in Levels 1 and 0 in the Purdue model, such as controllers, safety instrumentation systems, remote terminal units, I/O modules, and field instruments that convert digital signals to kinetic energy and cause the movement of molecules and electricity.
Due to the unique characteristics of industrial endpoints, implementing foundational controls in OT requires ICS-specific solutions that effectively recognize and secure both Level 2 endpoints and the mission-critical, production-centric endpoints that reside in Levels 1 and 0. Foundational ICS cybersecurity controls include:
- inventory tracking and management
- change and configuration management
- vulnerability assessment and management
- compliance management
- backup and recovery
Implement defense in depth
In addition to implementing foundational ICS cybersecurity controls, you should also implement other aspects of a defense-in-depth strategy in your industrial facility. "Defense in depth" refers to employing multiple independent layers of security controls throughout the ICS, with the dual goals of preventing security breaches and buying time to defend against attacks. "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies," published by ICS-CERT, details defense in depth for control systems.
Foster IT/OT partnerships
Most CISOs charged with protecting the ICS come from an IT background, which means they have limited experience with the complex world of OT and the critical role OT systems play in process safety and productivity. OT professionals, on the other hand, have primarily focused on process safety and optimization, and have little exposure to the security controls and the rapidly evolving threat landscape that IT security teams battle daily.
Based on these different areas of understanding, it is critical that OT experts within the company, such as automation leaders, and IT security experts, such as CISOs, reach out to one another and create the active partnerships needed to protect the organization's mission-critical ICS core.
Role of government
Protecting the nation's critical infrastructure begins with securing the ICSs that automate production and ensure the safety of power and process facilities. OT professionals have the lead in this task. However, the federal government also plays a role in securing ICSs.
Additional government-imposed regulations are rarely welcomed by the industrial sector. Nonetheless, industry leaders typically employ the best practices outlined in regulations long before they become the law. It is companies that fail to follow basic recommended best practices that drive the need to establish regulations.
For OT professionals responsible for ICS cybersecurity, now is the time to learn from past regulatory activity. Take action. Do not wait for ICS cybersecurity regulations to be imposed. Review existing ICS cybersecurity industry best practices from ISA, the International Electrotechnical Commission, the National Institute of Standards and Technology, and SANS. View them as generally accepted security practices. Strive to implement and abide by the recommendations applicable to your systems. Do not minimize and avoid them. If we work together to improve ICS cybersecurity in our industry, it is less likely that the government will have to impose burdensome regulations-or when it does, the impact will be nominal.
Domestic and foreign policy
Securing ICSs is fundamental to protecting the nation's critical infrastructure. In recognition of this, the executive branch continues to make securing critical infrastructure a high priority. The presidential executive order issued on 11 May 2017, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," addressed the right areas of concern-updated federal systems, critical infrastructure, deterrence, workforce education, and more.
However, the federal government needs to do more to clearly define foreign and domestic policies and strengthen the consequences of attacks on critical infrastructure. A cyberattack by a nation state on the ICSs in a refinery that damages property or injures people is no different from dropping a bomb on that refinery. So long as attribution is clear, consequences must include the option of a proportional kinetic response. An orchestrated cyberattack on multiple volatile industrial facilities can have the same results as tactical weapons of mass destruction. We need to treat it as such.
Operational safety and profitability
At a high level, the efforts that go into securing an ICS directly contribute to improved process safety and operational profitability. Such efforts include obtaining visibility into process control assets and managing configuration changes.
Securing the ICS within the enterprise is not trivial. It requires commitment, vision, and perseverance. It is a cross-functional initiative that spans company culture, technology, policy, and governance. It takes an entire enterprise to protect the ICS, but only one bad actor to breach it. The enterprise must be successful at protecting the ICS 100 percent of the time, whereas an attacker has to be successful only once.
OT organizations must reach deep within and address cybersecurity the same way they have dealt with safety over the past 25 years. They must also team up with IT and leverage cybersecurity best practices developed over the past two decades.
Successful companies recognize that, like safety, mitigating the risks of cybersecurity begins with leadership at the highest levels. This includes the board of directors, the chief executive officer, and the executive team. It requires clarity of vision, strong organizational and financial commitment, and a companywide culture that supports ICS cybersecurity excellence.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.