Ultra Intelligence & Communications

Improving Your ICS Security Through Better Situational Awareness

July 13th, 2018 / By

In the pre-internet era, businesses protected industrial infrastructure by physically isolating plant networks from everything else and, later, by placing demilitarized zones (DMZs) between the plant and the corporate network. They used gates and walls to secure their physical equipment and buildings. They relied on proprietary software and protocols that few outsiders understood to keep their communications safe. But the internet, and especially the Internet of Things (IoT) of connected devices, is changing the security landscape of industrial control systems (ICS).

According to Gartner, around 20.4 billion connected IoT devices will be in use by 2020. A significant portion of these devices will be in the industrial space. But most cybersecurity solutions are geared towards enterprise environments, leaving cyber-physical systems comparatively exposed. Cybercriminals are noticing, and they have started to take advantage of these weaknesses. So it is becoming more important for companies to gain situational awareness of their industrial security needs.

Enterprise-level Protection is Not Enough for Industrial Cybersecurity

Internet connectivity is changing how organizations are approaching information technology (IT) and operational technology (OT). In the past, the two disciplines could live in their own silos. But connectivity also means convergence. Today it is difficult to separate IT and OT in terms of their role in ICS networks.

However, cybersecurity solutions designed for enterprises concentrate only on the IT part of the equation. Most businesses don’t have to worry about industrial plants and equipment, and they don’t have to deal with cyber-physical security. Naturally, solution providers concentrate on the problems and pain points of their enterprise customers’ IT needs. The result is a lack of comprehensive ICS security solutions that cover both IT and OT requirements. Businesses in the industrial space need to be aware of this deficiency and make sure their industrial infrastructure is secure from both the IT and the OT point of view. Attackers are already running large-scale campaigns to compromise industrial infrastructure.

Looking at Real Industrial Cyber Threats and Breaches

The cyber threats to critical industrial infrastructure are increasing in scope. As more nation states take an interest in cyber aggression and more criminals find cyber attacks lucrative, the threat will get worse. Today the power grids run by utilities, and manufacturing plants with sensitive technologies, are prime targets for hostile nation states and cybercriminals.

Dragos, an industrial cybersecurity firm, has reported on the cyber threat group Xenotime. The group is associated with the TRISIS malware (also called TRITON), deployed in 2017 against a facility in the Middle East. The malware was specifically built for Triconex safety instrumented systems manufactured by Schneider Electric, the controllers whose job is to bring a plant in nuclear, chemical, and oil and gas facilities to a safe state when something goes wrong. The intrusion tripped the safety controllers, which shut the plant down. Dragos now reports that the group has expanded its targeting to the US and other regions.

An important lesson from the Xenotime case and others like it is that these operations are not haphazard. The groups spend a great deal of time in reconnaissance, learning the physical layouts and operational processes of their targets. In March 2018, the US Government (US-CERT alert TA18-074A) accused the Russian government of a multi-stage intrusion campaign against the US energy sector. According to the alert, the attackers reached ICS and SCADA workstations and collected configuration information about US control networks across the country.

Organizations have to take more proactive approaches to monitor their ICS networks to prevent such hacks from happening. They need more situational awareness to understand their own ICS environment.

Understanding Situational Awareness for Industrial Cybersecurity

The Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) reference architecture was developed by the US Department of Homeland Security and extended by the National Institute of Standards and Technology (NIST) in NISTIR 7756, the CAESARS Framework Extension. The same 11 security automation domains appear in NIST SP 800-137 on information security continuous monitoring. The domains help organizations evaluate and scale a continuous monitoring process that collects data from diverse security tools and turns it into overall situational awareness.

Even though the document concentrates on a broader scope, companies can rethink these domains in terms of industrial cybersecurity. Here are the domains in terms of relevance to ICS compared to enterprise-level IT cybersecurity:

  • Vulnerability Management: Enterprise IT vulnerabilities are widely disclosed, scored and tracked. ICS vulnerabilities are less monitored and less reported, so ICS security managers need to find better sources of information (vendor advisories, ICS-CERT advisories) or develop their own information gathering mechanism.
  • Patch Management: Enterprise IT managers can use automated processes to deploy patches to well-defined endpoints. In an ICS environment, physical endpoints can be hard to update because of OEM-specific software and hardware, because the OEM must validate the patch first, and because patching usually means scheduled downtime.
  • Event Management: Enterprise IT has mature security information and event management (SIEM) tools. Equivalent tooling that understands ICS protocols and device behaviour is far less mature, and ICS networks need it to catch up with modern threats.
  • Incident Management: Forensic procedures for ICS incidents are not well developed. When an incident occurs in an ICS environment, it can remain unnoticed for a long time because the tools to detect it are lacking.
  • Malware Detection: Because of the memory and footprint restrictions of embedded devices, host-based malware detection often cannot be deployed on them at all, so detection has to rely on what can be observed from the network.
  • Asset Management: Taking inventory of assets that are not conventional IT endpoints (controllers, RTUs, sensors, actuators) was not a priority in the past. But once those assets are connected, each one is part of the attack surface and has to be inventoried.
  • Configuration Management: Configuration and change management tasks can have an adverse effect on production. Cybersecurity experts have to be careful about how they schedule them, and in many plants a change needs a maintenance window.
  • Network Management: The network topology of ICS environments is significantly different from enterprise IT. Cybersecurity specialists have to design solutions that take into account the ICS physical endpoints, the industrial protocols they speak, and the timing constraints of the process.
  • License Management: Most IT assets have 2-3 year licensing cycles, while industrial licensing can span 10-20 years. Managers need to consider how security requirements will change over such long periods.
  • Information Management: Connected devices are an excellent source of data for improving process efficiency and cybersecurity. But it also means the data needs to be secured, because attackers who reach physical endpoint devices can collect valuable process information from them.
  • Software Assurance: With physically separated infrastructure and proprietary tools from OEMs, organizations did not have to worry about secure development of industrial software. Now organizations need to look closely at the software assurance policies of their vendors.
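The Asset Management and Event Management domains above become concrete when you build them from network traffic rather than by probing devices. The following is an added example, not code from the article or from NIST: it passively builds an asset inventory from Modbus/TCP flow records and raises alerts when an unknown host appears or when a host that is not an authorized writer issues a Modbus write. The flow records, the IP addresses, the asset names and the list of authorized writers are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed Modbus/TCP flow records: (timestamp, src, dst, dst_port, function code).
# Invented for illustration; not captured from a real plant.
SAMPLE_FLOWS = [
    ("2018-07-13T08:00:01", "10.1.1.10", "10.1.2.21", 502, 3),   # HMI reads PLC A
    ("2018-07-13T08:00:02", "10.1.1.10", "10.1.2.22", 502, 3),   # HMI reads PLC B
    ("2018-07-13T08:00:05", "10.1.1.10", "10.1.2.21", 502, 16),  # HMI writes PLC A (allowed)
    ("2018-07-13T08:03:10", "10.1.1.77", "10.1.2.21", 502, 3),   # unknown host reads PLC A
    ("2018-07-13T08:03:12", "10.1.1.77", "10.1.2.21", 502, 16),  # unknown host writes PLC A
    ("2018-07-13T08:05:00", "10.1.1.12", "10.1.2.22", 502, 6),   # historian writes PLC B
]

# Hypothetical baseline: what the plant believes it owns, and which hosts may
# change controller state. Anything outside this is worth an alert.
KNOWN_ASSETS = {
    "10.1.1.10": "HMI-1",
    "10.1.1.11": "EWS-1",
    "10.1.1.12": "Historian-1",
    "10.1.2.21": "PLC-line-A",
    "10.1.2.22": "PLC-line-B",
}
AUTHORIZED_WRITERS = {"10.1.1.10", "10.1.1.11"}

# Standard Modbus function codes that alter coils or registers.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}
MODBUS_PORT = 502


@dataclass
class Asset:
    ip: str
    role: str            # name from the baseline, or "unknown"
    first_seen: str
    last_seen: str
    peers: set = field(default_factory=set)
    functions: set = field(default_factory=set)  # Modbus function codes seen


def build_inventory(flows, known=KNOWN_ASSETS):
    """Passively derive the asset list from observed flows; never probes a device."""
    inventory = {}
    for ts, src, dst, port, fc in flows:
        for ip, peer in ((src, dst), (dst, src)):
            asset = inventory.get(ip)
            if asset is None:
                asset = inventory[ip] = Asset(ip, known.get(ip, "unknown"), ts, ts)
            asset.last_seen = ts
            asset.peers.add(peer)
            if port == MODBUS_PORT:
                asset.functions.add(fc)
    return inventory


def find_alerts(flows, known=KNOWN_ASSETS, writers=AUTHORIZED_WRITERS):
    """Return (kind, ts, src, dst, detail) for unknown assets and unauthorized writes."""
    alerts = []
    reported_unknown = set()
    for ts, src, dst, port, fc in flows:
        for ip in (src, dst):
            if ip not in known and ip not in reported_unknown:
                reported_unknown.add(ip)
                alerts.append(("unknown_asset", ts, src, dst, f"{ip} is not in the inventory"))
        if port == MODBUS_PORT and fc in MODBUS_WRITE_CODES and src not in writers:
            who = known.get(src, "unknown host")
            alerts.append(("unauthorized_write", ts, src, dst, f"function code {fc} from {who}"))
    return alerts


if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_FLOWS).values():
        print(f"{asset.ip:<12} {asset.role:<12} functions={sorted(asset.functions)}")
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

Two design choices matter here. The inventory is built only from what the devices already send, because active scanning with enterprise tools is known to crash or wedge fragile controllers, which is the Malware Detection and Network Management constraint in practice. And the write rule keys on the Modbus function code rather than on a signature: a write from a host that is not an HMI or engineering workstation is suspicious regardless of what value it writes, which is the kind of process-aware event an enterprise SIEM will not raise on its own.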

Need for Evaluation and Preparedness

Ensuring industrial cybersecurity was simpler because the infrastructure itself used to provide a level of isolation. But the internet and connected devices have changed that dynamic. As a result, national grid protection and industrial cybersecurity implementations have become more complex. Businesses faced with this new reality need to evaluate their infrastructure requirements and gain the necessary situational awareness. It will help organizations better protect their investments through improved ICS security measures.