As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.
Attacks on critical infrastructure systems are proliferating. Nearly half (41.2 percent) of ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being tasked with using internet-connected devices to improve operational processes, reduce costs and minimize downtime.
Until security becomes a priority, industrial organizations will remain soft targets for threat actors.
Are ICS Environments Too Trusting?
Data from CyberX’s recent “2019 Global ICS & IIoT Risk Report,” which analyzed network traffic data from 850-plus production OT networks worldwide, confirmed that ICSs continue to be easy targets for adversaries, with security gaps in key areas. These areas included the use of plain-text passwords (69 percent of sites), direct connections to the internet (40 percent), weak antivirus protections (57 percent) and legacy Windows systems such as XP that no longer receive patches from Microsoft (53 percent).
According to Andy Jones, a research specialist with the Information Security Forum, one of the most concerning risks to critical infrastructure stemming from emerging internet-connected technologies is that many ICS environments were designed with safety, rather than security, in mind. As a result, they are inherently trusting environments. They trust that instructions received are bona fide and will execute them without verification or validation.
“ICS environments were designed in an unconnected world, so where else would an instruction have come from if not a trusted peer environment?” Jones said. “However, these systems are now often internet-connected, exposing their operations to new threats. In addition, they move, which poses physical dangers.”
Beyond Identity and Patch Management
While identity and patch management may be the biggest obstacles to securing ICS environments in some cases, there is often a broader inadequacy, according to Sandy Carielli, director of security technologies at Entrust Datacard.
Because IT security leaders are still learning about the differences in their practices and priorities from those of OT and operational leaders, there are gaps in understanding and communication that make even something like patch management problematic. For example, it’s one thing to say a server must be taken offline once a week to apply patches, but in reality, many ICSs may not allow for that kind of downtime.
“Without all stakeholders understanding and accepting the realities of ICS requirements, security owners will develop policies and security road maps that are not adequate. That will trickle down to individual security practices like patching,” Carielli said.
Aspects of Current ICS Security That Need to Change
Before the IIoT started complicating the security of ICSs, systems ran safely and securely for many decades. As the world of technology has changed around these legacy systems, however, innovations that promise enhancements and efficiency have introduced risks, such as the dangers from remote hacking, malware and other attacks that simply were not part of original design briefs.
Now that connected ICSs face many of the same threats as IT systems, security needs to be a priority item for ICS designers and suppliers.
“The complicating factor is that many of these complex systems are part built and part assembled from common components, which may be sourced from multiple suppliers on the basis of lowest price,” said Jones. “If these core components are not secured, then anything built from them may remain vulnerable.”
Also problematic is the device manufacturing process. Rishi Bhargava, co-founder at Demisto, said the problem is tantamount to trying to fit a square peg in a round hole. Because manufacturers typically have outdated operating system (OS) and patching features on their products (if at all), are lax with password protection and changes, and have no regular software update mechanisms to communicate with their customers, things don’t always fit together in these complex environments.
“We need a better alternative to network segmentation and air-gapping IT and OT environments,” Bhargava said. “The potential upside to connected devices is massive and the better alternative going forward is to find a way to ‘stay connected and stay secure’ rather than isolating different infrastructures.”
Improving the Security of Critical Infrastructure Systems
It’s hard to say how to improve something if you don’t know who is responsible for making those improvements. That’s why defining who is responsible for OT security is a necessary first step toward improving the security of critical infrastructure systems.
“The sophistication of recent cyberattacks has demonstrated the need to leverage the skills of existing security operations center (SOC) personnel to combat threats that often cross IT and OT boundaries,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “From a governance point of view, it also makes more sense to have a single C-level executive — typically the chief information security officer (CISO) — be responsible and accountable for all of the digital risk in your organization, regardless of whether it affects IT or OT networks.”
One of the greatest challenges with ICS environments is limited visibility, which is why the next step in ICS security is conducting a thorough risk assessment. It’s critical to know and document what ICS environments exist and identify their criticality to the organization. Jones noted that this is a nontrivial undertaking for complex and global organizations.
“Once this is complete, the focus should be on identifying which of these environments are connected and which of them would be vulnerable to attack,” he advised. “This can very quickly give a focal point for remediation activity.”
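The assessment sequence described above (record each environment and its criticality, then single out the ones that are connected and vulnerable so remediation has a focal point) can be turned into a small, repeatable scoring pass. The following is an added example written for this page, not code from the article or from any of the organizations quoted; the asset names, the inventory and the gap weights are constructed assumptions, and the four gap categories are the ones the CyberX figures above count (plain-text passwords, direct internet connection, weak antivirus, unpatched legacy Windows).

```python
"""Risk-prioritisation pass over an ICS asset inventory (added example; all data constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IcsAsset:
    name: str
    criticality: int           # 1 (nuisance) .. 5 (safety- or production-critical), set by the asset owner
    internet_connected: bool   # directly reachable from the internet
    plaintext_passwords: bool  # protocols or configs carrying credentials in clear
    weak_antivirus: bool       # no or outdated endpoint protection
    legacy_windows: bool       # e.g. Windows XP, no longer patched by the vendor


# Assumed weights for illustration; a real programme derives these from its own risk policy.
GAP_WEIGHTS = {
    "internet_connected": 4,
    "plaintext_passwords": 3,
    "weak_antivirus": 2,
    "legacy_windows": 2,
}


def gaps(asset):
    """Names of the exposure gaps present on one asset, in GAP_WEIGHTS order."""
    return [g for g in GAP_WEIGHTS if getattr(asset, g)]


def exposure_score(asset):
    """Weighted sum of the gaps present on the asset."""
    return sum(GAP_WEIGHTS[g] for g in gaps(asset))


def risk_score(asset):
    """Criticality times exposure: a low-value asset with many gaps ranks below a critical one with a few."""
    return asset.criticality * exposure_score(asset)


def prioritize(assets):
    """Remediation order: highest risk first, asset name as tie-breaker."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def connected_and_vulnerable(assets):
    """The article's focal point: environments that are reachable AND carry at least one other gap."""
    return [a.name for a in prioritize(assets)
            if a.internet_connected and exposure_score(a) > GAP_WEIGHTS["internet_connected"]]


def gap_prevalence(assets):
    """Share of assets carrying each gap, in percent (the shape of the site-level figures quoted above)."""
    n = len(assets)
    return {g: round(100 * sum(getattr(a, g) for a in assets) / n, 1) for g in GAP_WEIGHTS}


# Constructed inventory; these are not real sites or devices.
INVENTORY = [
    IcsAsset("boiler-plc-01", 5, True, True, False, True),
    IcsAsset("hmi-lineB", 3, True, True, True, True),
    IcsAsset("historian-dev", 1, False, True, True, True),
    IcsAsset("safety-sis-02", 5, False, False, False, False),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:16} crit={a.criticality} risk={risk_score(a):3} gaps={', '.join(gaps(a)) or '-'}")
    print("connected and vulnerable:", connected_and_vulnerable(INVENTORY))
    print("gap prevalence (%):", gap_prevalence(INVENTORY))
```

On the constructed inventory the connected boiler PLC outranks the HMI despite having fewer gaps, because the owner rated it more critical, while the unconnected development historian falls to the bottom even though it carries every gap; that ordering is the "focal point for remediation" the quote refers to, and the prevalence figures are the same kind of per-site percentages the report above summarizes.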
It’s also smart to leverage security frameworks that address both IT and OT, such as the white paper on a new security maturity model published last year by the Industrial Internet Consortium. According to Carielli, “Such frameworks will help [organizations] focus on their goals, understand the impact of industry regulations and practices, clarify the resulting security requirements, and prioritize their investment accordingly.”
Bring IT and OT Together
Strong collaboration between IT and OT is a critical step toward improving the security of critical infrastructure systems. When organizations encourage communication between and among their IT, OT and security stakeholders, these different groups can better understand each other’s constraints and work together to meet common goals.