2016 Reflections on ICS Security

As the year approaches the end, it is a time to reflect on 2016 and industrial control systems (ICS) security. Why ICS security? Because securing ICS should be everyone’s concern. Consider the impact on this critical infrastructure and what it means to you.

Impact	Why?
Your entertainment—watching movies on your TV or laptop, listening to music, etc.	ICS are a critical component in the process of generating energy* to power your electronic gadgets that offer you with entertainment.
Your transportation	ICS manufacture the vehicles you drive. ICS help run air traffic controls.
Your water supply	ICS process and generate clean water and dispose of sewer water. If not properly done, this could cause a significant hazard to your health.
Your nourishment	ICS are key to processing and packaging our food. If disrupted, food may not be made available or could become contaminated.
Your medication	ICS play a role in the manufacturing of drugs. If not working at 100% efficiency, defective drugs are more likely to arise. Pharma was Dragonfly malware’s key target.

*Energy was cited as being an industry with immature cyber security programs (RSA 2016). So, do I have your attention?

Obvious ICS Defenses

There are some glaring defense efforts organizations with industrial control systems can take. Proprietary: A Blessing? Many ICSs are proprietary controllers with life cycles of up to 30 years. The proprietary nature lowers the potential attack risk since their system is not a known public entity. Having said this, an attacker could decide to target these specialized devices and become knowledgeable on them. This cannot be the only thing to depend on. Asset Inventory and Assessment You can’t protect what you don’t know you have. Knowing what you have and the condition it’s in – for example, is it running an older OS and, if so, what are the vulnerabilities and the risks associated with it – are fundamental towards securing your environment and understanding your risks. Develop and Test Incident Response Plan Coordinate with your ICS vendors a proactive plan if a breach occurs. What makes these plans better are simulated exercises to address any glitches in the plan. ICS devices need to be segmented from public access. Industrial-strength firewalls act as gateways that know the industrial protocols and provide solid access control and filtering of malicious attempts. This is a good effect, but the reality is it is very difficult to completely segment the ICS environment. Other attack vectors could be a simple USB insertion or Uninterruptible Power Supply (UPS), as noted in a recent ICS conference. The key concern for ICS is uptime. If there is a breach, most cases there will be an attempt to bring the system down. To contain and mitigate the damage, having a redundant system will ease this potential burden. Real-time Monitoring Watching for abnormal patterns or behaviors in ICS may help catch a breach in action and/or alert an organization to operational difficulties. Be educated on Known Backdoors and Vulnerabilities Lean on your ICS vendor to be aware of all known backdoors and vulnerabilities and the associated risks necessary for you to make an informed decision.

More Lessons to Learn

When things go wrong, the best reaction is to learn from it. Let’s take a look at Havex malware. According to SANS 2015, the three attack vectors were:

1. Sending spear-phishing emails with a malicious file attached.
2. Infecting ICS vendor websites with malware and compromising ICS defenders when 
they visited those websites (known as a watering hole technique).
3. Providing a trojanized version of ICS software installers that infected the host system 
when staff ran the installer.

Knowing this, it seems to suggest some obvious must-dos for ICS environments. Heavy user awareness and training are needed. Organizations also need to work with ICS vendors to assure their websites are clean and not compromised, while the vendor should carefully review ICS software developed and delivered – perhaps these conditions should be written in the ICS vendor contracts. The Stuxnet malware that brought a facility in Iran down was known to perform reconnaissance to identify potential paths over a long period of time. It installed itself many times on Windows to eventually gain Internet access to transmit information on the environment back to the command and control server. To execute the attack stage, the malware reinstalled itself until it found it’s target, the WinCC SIMATIC server connected to a specific Siemens controller under certain desirable conditions. So, what to learn from this? If there is a piece of software being installed frequently in your environment – it seems that should be considered suspect. Real-time monitoring of changes and unauthorized applications should be considered. The challenge many ICS environments have is that the constant monitoring may be disruptive. Weighing in on the risk potential should suggest some level of monitoring is required, ideally a couple times a day and perhaps scheduled during a low time.

Progress

There have been many obstacles for securing ICS but some progress needs to be noted. An obstacle is the great divide and distrust between Operational Technology (OT) and Information Technology (IT) for obvious reasons. OT operates with availability being a top concern and being its own island. While IT is concerned about confidentiality and managing a highly dynamic and distributed environment with fickle users. These two very different worlds need to recognize their differences and essentially recognize they both have the same enemy and rethink how to defend against it. This is happening on a couple fronts. Some organizations are creating one leader for IT and OT to report to. Others are transferring IT personnel over to OT to share their perspectives while respecting OT challenges. The reality is as we connect more things, the IT and OT will be one world. Other progress for ICS security includes a level of recognition that ICS threats can be different than IT threats. This is reflected in dedicated organizations like the ICS-CERT or vendors that create ICS groups. There are distinct certifications for ICS Cybersecurity like Global Industrial Cyber Security (GICSP), ISA99 Cybersecurity Fundamentals Specialist Certificate, or Certified SCADA Security Architect. There are also standards and frameworks for ICS security such as IEC 62443 and NIST SP 800-82 for ICS. Heading into 2017, we need to keep the foot on the pedal for ICS security and continue with IT and OT collaboration to defend against attacks. I hope this reflective blog offered you some insight for your efforts to secure ICS.