May 6, 2019
Many systems were installed before the advent of Stuxnet, built decades before a 24/7 internet connection was usual. Neither these nor their legacy protocols had built-in security controls that we take for granted today. Cyber security was not a realistic threat when they were manufactured.
Industrial Control Systems (ICS) are increasingly being connected to the Internet and to enterprise business networks. Exposing these systems in this way has opened them up to cyber attacks from a myriad of angles.
A malicious actor attacking an ICS network could cause major physical impact, opening circuit breakers or destroying substations to cut power to hospitals, water utilities, or harbors. Some industry organizations handle hazardous materials which can pose a threat to individuals’ health or cause damage to nature, further elevating a cyber attack’s impact.
Critical infrastructure is unique in the threat landscape. It is one of few sectors to be tied to both private and public infrastructure, and it has a wide spread of physical and mobile assets. A variety of different adversaries, each with their own motivations and tradecraft, constantly strive to compromise organizations that operate Critical National Infrastructure (CNI). Nation-state sponsored Advanced Persistent Threat (APT) groups continue to seek network footholds on CNI and espionage opportunities in the interests of exercising political leverage.
ICS, used to control and manipulate physical processes, are made up of many individual components. These include programmable logic controllers (PLCs), sensors, motors, actuators, and human machine interfaces (HMI). Cyber attacks using individual vulnerabilities and exploits have been, and always will be, directed against the vast number of PLCs in existence.
PLCs are generally controlled from Supervisory Control and Data Acquisition (SCADA) systems, and the combination of multiple components and potentially highly-customized systems can lead to unexpected vulnerabilities across the ICS estate. Other potential weak spots can be database servers storing sensor data, and human machine interfaces running legacy operating system versions.
Defending against attackers starts with basic Industrial Control System network risk assessment. This allows for evaluation of an attack’s potential impact, an organization’s basic information security hygiene, and focus on ICS-specific threats and security controls.
Power facilities have different ICS components for handling production, transmission, and distribution. Each of these is equally important for conducting business. However, the impact of a cyber attack hitting production is potentially higher than one hitting transmission because of the increased risk of injury to personnel, not to mention financial loss and damage to equipment and the environment. Identifying each asset's criticality level will make choosing and implementing proper security controls more straightforward.
A power facility also needs a corporate network populated with systems such as financial, HR, email, marketing, and a supporting IT infrastructure to conduct business. This should be strictly segregated from the ICS network regarding network traffic and access control.
Many cyber attacks start via phishing emails or through compromised public-facing services which are situated within the corporate network. Proper segregation will prevent easy lateral movement from the corporate network into the ICS network in the event of a compromise.
Engineering, endpoints, enablement
Another challenge is that data such as availability, production, or consumption is needed from the ICS networks for business purposes. There is also the issue of remote control access. A secure solution such as unidirectional gateways or a de-militarized zone (DMZ) with strict firewalls could be implemented to transfer data between the ICS and corporate networks.
Moreover, control rooms with main HMIs are usually static and can be connected to the ICS network, but mobile remote access from engineering laptops needs a VPN solution. Potential issues can be avoided by deploying mandatory multi-factor authentication. Endpoints such as engineering workstations and laptops should be dedicated to either one network or the other.
Extensive logging at the boundaries of the ICS network should also be enabled. These logs provide the capability for more extensive investigation in case of an incident and enable better hunting and detection. The traffic flow across the ICS network boundary should be rather static and limited to specific systems and protocols as well, since a known, small set of expected flows makes abnormalities easier to detect.
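The two preceding points, a DMZ with strict firewalls between the ICS and corporate networks and a boundary traffic flow that is static enough to spot abnormalities, can be turned into a concrete check. The following is an added example, not code from the original article or from F-Secure: it assumes a boundary firewall that exports one line per connection in a simple space-separated format, and the network plan, allowlisted flows, addresses and log lines are all constructed for illustration. Each logged flow is matched against the short allowlist of flows the DMZ design permits, and everything else is reported with a triage reason.

```python
"""Boundary-flow anomaly check for an ICS/corporate network boundary.

Added example (not from the original article). It assumes a firewall at the
ICS boundary exports one line per connection in the constructed format
'<ts> <src>:<sport> -> <dst>:<dport> <proto>'; all networks, hosts and log
lines below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed network plan (assumption): the ICS network, the DMZ that hosts
# the historian replica and the VPN concentrator, and the corporate network.
ICS_NET = ip_network("10.10.0.0/16")
DMZ_NET = ip_network("172.16.5.0/24")
CORP_NET = ip_network("192.168.0.0/16")

# Constructed allowlist of the only flows expected to cross the boundary:
# (source network, destination network, protocol, destination port).
# Anything else is, by policy, an anomaly worth investigating.
ALLOWED_FLOWS = {
    # Historian inside ICS pushes data to the DMZ replica (one direction only)
    (ICS_NET, DMZ_NET, "tcp", 5432),
    # Corporate users read the DMZ replica over HTTPS; they never reach ICS
    (CORP_NET, DMZ_NET, "tcp", 443),
    # VPN concentrator in the DMZ reaches the ICS jump host on RDP only
    (DMZ_NET, ip_network("10.10.1.10/32"), "tcp", 3389),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Return 'allowed' if the flow is on the allowlist, else a triage reason."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    for src_net, dst_net, proto, dport in ALLOWED_FLOWS:
        if src in src_net and dst in dst_net and flow.proto == proto and flow.dport == dport:
            return "allowed"
    # Reasons are ordered from most to least severe to speed up triage.
    if src in ICS_NET and dst not in DMZ_NET:
        return "ics-egress: ICS host initiated a connection outside the DMZ"
    if dst in ICS_NET and src not in DMZ_NET:
        return "ics-ingress: direct connection into ICS bypassing the DMZ"
    return "unexpected: flow not in the boundary allowlist"


def find_anomalies(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Run every log line through the allowlist; return the anomalies found."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_line(line)
        verdict = classify(flow)
        if verdict != "allowed":
            out.append((flow.ts, flow.src, flow.dst, flow.dport, verdict))
    return out


# Constructed sample log lines (not real traffic): three expected flows,
# then a corporate host reaching a PLC directly, an ICS host talking to the
# Internet, and the VPN concentrator using SSH instead of the permitted RDP.
SAMPLE_LOG = """
2019-05-06T08:00:01 10.10.2.20:49152 -> 172.16.5.10:5432 tcp
2019-05-06T08:00:05 192.168.4.15:51000 -> 172.16.5.10:443 tcp
2019-05-06T08:01:10 172.16.5.2:40000 -> 10.10.1.10:3389 tcp
2019-05-06T08:02:30 192.168.4.15:51010 -> 10.10.3.5:502 tcp
2019-05-06T08:03:00 10.10.2.20:49160 -> 203.0.113.7:443 tcp
2019-05-06T08:03:30 172.16.5.2:40010 -> 10.10.1.10:22 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for ts, src, dst, dport, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  {reason}")
```

Running the script reports the last three sample lines and leaves the first three alone. The value of the approach comes from how short the allowlist is: on a well-segregated boundary every permitted flow can be written down, so the detection is a plain set membership test rather than a statistical model, and any new entry in the report is a design change or an incident.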
Additional measures include:
- Installing intrusion detection systems (IDS) at the boundaries of ICS networks
- Installing traditional AV software on any endpoints on an ICS network. Additionally, use even more recent technologies such as EDR, if possible
- Applying security patches and enforcing strict access control to defend against adversaries looking to access HMIs or other devices once they have breached an ICS network
- Building a cross-functional security team. ICS and traditional IT networks are different, so having experts in both is essential in preparation for, and in response to an incident
- Predefining a response and recovery process with a well-trained team and organization
- Employing well-implemented monitoring, which will greatly reduce incident response overhead and decrease post-incident recovery time
Sami Ruohonen is a threat researcher at F-Secure, where he primarily works with APT adversary related research along with EDR development. Before threat research, Sami worked in various tasks such as cyber incident response and IT administration.
Being an engineer to the bone, Sami enjoys reverse-engineering malware and building high-performance cars.
For contact, please use: https://www.f-secure.com/.