Cybersecurity for Industrial Control Systems: The Time Is Now
The need for strong cybersecurity on industrial control systems (ICS) has never been greater, or more urgent. These systems — vital to the chemical, electrical, water, oil and other industries — help companies control their field devices, collect data and detect problems. And they’re increasingly under attack.
Cybersecurity events affecting ICS have increased by 2,100% over the past three years, according to data from the U.S. Department of Homeland Security’s ICS Cyber Emergency Response Team. These include targeted attacks by well-funded organizations, including both nation-states and terrorist groups.
Yet today’s ICS environment is difficult to secure, mainly because older approaches no longer work. Historically, ICS environments had been protected from cyberattacks by physically isolating them, a practice known as “air gapping.” ICS environments were also considered low-priority targets. After all, these systems controlled not money, but industrial processes.
Now all that has changed. The attacks are real, and they’re increasing. At the same time, businesses in nearly every industry are under pressure to do more with less, and that includes their ICS environments. These systems are now expected to provide insights into business metrics, increase supply chain efficiencies, provide business intelligence, and support mobile computing. Air gapping is no longer a viable approach.
What’s more, ICS environments were never designed to support these new business requirements. Many industrial control systems, in fact, are quite old; some still run on Windows 98 or Windows 2000, versions of the popular OS no longer supported by Microsoft. While the solution would seem to be simple — just upgrade — the reality is more complex. Some hardware and underlying applications can’t run on the newer Windows versions. And many of the vendors of these older applications can’t write software patches, because they’re no longer in business.
Another challenge stems from how ICS environments are connected — or, more accurately, not connected. An ICS setup typically involves discrete processes known as “control loops.” For example, imagine a chemical plant process that combines two chemicals, blends them, then heats them, and finally packages the result. Each step could involve a separate control loop, one that does not communicate with the others. Worse, the control loops may not use TCP/IP, the common protocol for both networks and security tools.
Combine all these factors, and you get an ICS environment that’s complex and difficult to secure. Companies must balance what’s reasonable from a security viewpoint with what’s feasible for the business.
Policy puzzle
Policies are another piece of the ICS cybersecurity puzzle. Security policies essentially codify industry best practices. Unfortunately, many common security policies can’t work in the ICS environment. For example, consider the practice of giving all users a unique user ID and password. Basic, right? Now imagine a factory control room staffed by six or seven engineers. The control-room displays show critical processes from across the plant; therefore, they can never go dark. But what happens when one work shift ends and the next begins? The plant can’t let the system go down while the new work crew logs in. Somehow, an alternative to individual logins and passwords must be created and implemented.
In other words, ICS security differs dramatically from traditional LAN/WAN security. You can’t blindly apply the same policies or standards to both. You must think about each critically.
How? Mainly, by assessing risk. CSC has embraced a process that examines all devices in an ICS setup and then evaluates the ramifications or risks they could pose to the business. This involves a review of several key risk factors, including life, health and safety, environmental release, monetary risk and reputational risk. Next, we review existing security standards to apply not the letter of the law, but its spirit. Then we cobble together a new standard — one that applies to the ICS environment while also striking a balance between the need for security, the relative areas of risk, and the unique demands of industrial controls. For any company with an at-risk ICS environment, that’s one safe bet.
Edward J. Liebig is the CTO of cybersecurity consulting at CSC.

