The challenges of protecting industrial control systems [Q&A]
Industrial control systems are often critical to things like power and water supplies. In theory they should have the strongest protection available.
In practice, however, this isn't always the case. It's estimated that 91 percent of industrial companies are vulnerable to cyberattacks. So what can businesses do to protect themselves and to recover quickly if they do get attacked?
We spoke to Dmitry Darensky, head of the Industrial Cybersecurity Practice at Positive Technologies, to find out.
BN: What makes industrial control systems particularly vulnerable?
DD: There are several reasons for the high vulnerability of industrial control systems (ICS). First is the long lifecycle of these systems, and the high complexity of updating and patching. A huge number of ICS are currently in operation with the same configurations and vulnerabilities that they had at the time of commissioning -- and this could be 10, 20 or even 30 years ago, believe it or not. So the techniques and exploits dating back 30 years can still be successfully used against industrial systems, while modern IT systems have long been protected from them. Also making these systems vulnerable are the legacy technologies still used in ICS, for example, in the form of MS DOS, Windows NT, XP and 7, network equipment that’s reached its end of life from the manufacturer (meaning it no longer receives support), and old versions of protocols such as SMB 1 and SNMP 1.2.
Second, the use of Ethernet and the TCP/IP stack in industrial systems critically reduces the effectiveness of security measures. All cyberattacks on industrial facilities, known and not, are carried out mainly on systems that use these network technologies. Alternatively, industrial systems based on serial interfaces and serial data buses (BUS) naturally have a much higher degree of security.
Third, many industrial control systems are completely opaque to administrators and security professionals. This lack of visibility, along with the inability to quickly detect anomalies or attacks, makes it simply impossible to manage the security of these systems effectively.
BN: How have the threats to these systems evolved in recent years?
DD: Because industrial control systems are being modernized very slowly, the threats to such systems haven't changed much. But production and operational threats are now more likely to be realized for ICS owners.
Earlier, separate control systems were scattered and didn't have external connections to corporate and global networks, so a successful attack likely wouldn't lead to any significant consequences for the company or even the state economy. But today, everything is exactly the opposite. The latest high-profile cyberattacks in the US, Norway and Japan led to multinational companies being forced to halt their activities around the world.
BN: Is protecting ICS really that different from protecting other networks?
DD: Yes, the approaches to securing industrial control systems differ from the approaches to securing conventional IT systems greatly. The main difference is that some forms of protection simply cannot be applied to ICS, even though they may be necessary. Cybersecurity systems should take into account the peculiarities of the network infrastructure of industrial systems, the requirements for the modes and technological cycles of production, as well as user behaviors within these systems. For example, in ICS, it's not recommended to use antiviruses to block applications or executable files from launching, and network Intrusion Prevention Systems (IPS) should only be used in detection mode. By contrast, corporate networks don't have these kinds of restrictions. Security management processes, such as incident, asset, vulnerability and update management, response and investigation are also structured differently. For example, both operators and ICS service engineers must participate in incident response processes, because the infrastructure of technological networks is usually outside the area of responsibility of administrators of corporate IT systems and networks. However, protecting industrial systems doesn't live separately within a company -- it's carried out within the framework of the unified corporate security policies of the company, implemented through corporate security management processes and must have a certain degree of management centralization. The company protects its infrastructure, information and business as a whole, regardless of whether it's a corporate or industrial system.
BN: Should ICS be kept separate from the corporate network?
DD: It should not be about separating one network from another, but about competent segmentation of the network infrastructure. This is standard practice and probably one of the best general practices. High-quality segmentation makes it as difficult as possible for criminals to develop attacks and move inside the infrastructure. Unfortunately, at large enterprises, network segmentation projects can go on for several years, because many enterprises simply cannot stop production -- systems often need to run for years without interruption. Nevertheless, it's necessary to perform network segmentation.
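One concrete way to check that segmentation actually holds is to audit observed traffic against a zone allow-list: every conversation that crosses a zone boundary must match an explicitly permitted (source zone, destination zone, protocol, port) rule, and anything else is a finding for the security team. The script below is an added example written for this article, not code from Positive Technologies or from the interview; the three zones, their address ranges, the allow-list and the flow records are all constructed for illustration.

```python
"""Zone-segmentation audit (added example; zones, ranges and flows are constructed)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical three-zone layout. Address ranges are constructed, not a real plant.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),
    "control":    ipaddress.ip_network("192.168.10.0/24"),
}

# Permitted cross-zone conversations: (src_zone, dst_zone, proto, dst_port).
# Any other flow that crosses a zone boundary is treated as a segmentation violation.
ALLOWED = {
    ("enterprise", "dmz", "tcp", 443),   # users reach a historian web front end in the DMZ
    ("dmz", "control", "tcp", 502),      # DMZ data collector polls PLCs over Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(ip: str):
    """Map an address to its zone name, or None if it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def classify(flow: Flow) -> str:
    """Return 'intra', 'allowed', 'violation' or 'unknown-zone' for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"          # an address outside every zone is itself a finding
    if src_zone == dst_zone:
        return "intra"                 # inside one zone; segmentation rules do not apply
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOWED:
        return "allowed"
    return "violation"


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed record format 'src dst proto dst_port'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def audit(lines):
    """Return (flow, verdict) pairs for every flow that needs attention."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        verdict = classify(flow)
        if verdict in ("violation", "unknown-zone"):
            findings.append((flow, verdict))
    return findings


# Constructed sample records: two permitted flows, a direct enterprise-to-PLC
# connection, an SMB attempt into the control zone, an intra-zone poll, and a
# source address that sits in no defined zone.
SAMPLE_FLOWS = """\
10.0.5.23 10.1.0.10 tcp 443
10.1.0.10 192.168.10.15 tcp 502
10.0.5.23 192.168.10.15 tcp 502
10.0.7.9 192.168.10.20 tcp 445
192.168.10.15 192.168.10.16 tcp 502
172.16.3.4 192.168.10.15 tcp 102
"""

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:12} {flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}")
```

Running it lists the two enterprise-to-control flows as violations and the out-of-zone source as unknown, while the two allow-listed flows and the intra-zone poll are silent. The point of the design is that the allow-list is the segmentation policy written down: when a flow record and the policy disagree, either the firewall rules have drifted or the policy is incomplete, and both are worth a ticket.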
BN: What's the most important single step that businesses can take to protect their ICS?
DD: Modern cyberattack techniques are aimed at preventing an enterprise from restoring its infrastructure after an attack. A cybersecurity system can protect enterprises with any level of automation and digitalization of their production activities from operational risks and unacceptable events. Therefore, the most important thing that an enterprise and its top management can do is identify the risks and most unacceptable events for production and the business as a whole. From there, the cybersecurity team can devise and execute a plan to make those unacceptable risks impossible for attackers to realize.
BN: What do you see happening next year in terms of ICS threats?
DD: All the threats we're witnessing today will still be present next year. Digitalization in industrial companies is proceeding quite quickly, which means industrial systems are receiving more and more new, untested and vulnerable technologies. This increases the attack surface, and these new technologies can be exploited by criminals if adequate protection measures aren't implemented, and the organization doesn't have the ability to quickly respond to threats. Machine vision systems can be deceived, a neural network can be trained on a data model 'corrected' by cybercriminals, and a bot network can be made from an industrial IoT network and used to attack the web resources of a state. The cybersecurity industry will likely continue actively developing and expanding the application of standards and practices aimed at securing new and emerging industrial technologies.
BN: Is there anything else people need to know?
DD: Industrial control systems today have a fairly large arsenal of built-in security mechanisms, the use of which allows you to radically increase the degree of their security. But during their creation and operation, such mechanisms were not configured and not used, because the systems were thought to be isolated and, therefore, organizations believed there was little point in investing in their security. But as time has shown, this approach turned out to be erroneous. Today, changing security settings in systems that have been in operation for 10-20 years can be quite problematic. However, of course, this doesn't mean it's unnecessary to protect industrial control systems. In fact, it's critically important, and this is best done on a company-wide basis, rather than for a single system, plant or site.