Inside the Mason-IBM-NSF Insights for Securing Industrial Control Systems
The Mason-IBM-NSF April 2015 conference engaged industry, academia and government in a dialogue to address the challenges and uncertainties associated with securing industrial control systems (ICS) and processes, including supervisory control and data acquisition (SCADA) systems. It also made recommendations on possible actions and steps for industry leaders and policymakers.
Industrial control systems are vital to the operation of the U.S.’s critical infrastructure and can be found in electric, water and wastewater, oil and natural gas, transportation and discrete manufacturing industries, among others. The increasingly networked and linked infrastructure of modern ICS introduces serious cyber risks and vulnerabilities that cannot be addressed by physically separating the system and the components they control and monitor. Innovation and advancement will require the combined resources and collaboration of academia, government and industry.
Historically, security concerns over ICS were limited to physical attacks. According to a white paper from Schneider Electric, new factors have increased the vulnerability of control systems. Some of these include: growing connectivity through the integration of control systems and enterprise networks; insecure remote connections, where a failure to use encryption or authentication mechanisms with dial-up modems and wireless communications for remote diagnostics and maintenance exist; availability of technical information about infrastructures and control systems on the Internet; and standardized technologies that have made it easier for knowledgeable people to attack systems.
With the increasing connectivity of ICS and the evolution toward the smart grid, cybersecurity is playing an increasingly prominent role in the electric sector’s security strategy. Recent ICS-CERT statistics showed that the energy sector is the most-targeted of ICS operators, and U.S. policymakers are increasingly concerned that well-financed groups are targeting the country’s critical infrastructure.
Industrial Control Systems Get Serious About Security
One of the major insights discussed at the conference was the fact that cybersecurity risks to the electric industry continue to rise due to the increasing complexity of smart grids, greater use and adoption of new technologies, increased connectedness and the growing number of entry points available for potential adversaries. Cybersecurity must be included in all phases of the system development life cycle, from the design phase through implementation, maintenance and disposition.
With the Internet of Things (IoT), grid security threats have jumped the gap from physical to cyber, while the security of legacy systems is more often bolted on than built in. New critical infrastructure risks have been generated by an environment that combines TCP/IP, wireless radio frequency (RF) and Wi-Fi. Since the electrical grid is interconnected, a problem in one section can quickly affect another.
The convergence of IT and operational technology (OT), together with sensor proliferation and the higher level of intelligence on grid architectures, is increasing the ICS attack surface. This new environment will enable a shift away from data theft to more complex cases of sabotage and cybercrime.
ICS Needs Cooperation to Succeed
Different departments within a business are increasingly cooperating on security as IT and OT are more integrated. Achieving a culture of cooperation is a major objective for energy providers.
People are often the weakest link in an organization. Employees need support from senior leadership to be trained and aware of threats, assigned responsibilities and roles and have established policies and procedures. Threats to people include phishing, spear phishing, advanced persistent threats and malicious company insiders.
The looming reality that cyberattacks can impact key aspects of business operations calls for cybersecurity leaders to possess both cyber and business acumen — a combination not traditionally emphasized by the academic or the business realms. For many, the only option is relying on modern security measures.
A strong security solution assures the right technologies are procured, deployed and defended at multiple points. These tools supply layered defenses and deploy technology to detect intrusions.
Managing and Securing Utilities
The utilities systems that comprise the national electric grid require processes and procedures to manage overall security. These processes include password management, server administration, patch management, incident response and following industry-wide standards and regulations. Procedures include personnel training and regular assessments.
Additional cybersecurity insights discussed at the conference included:
- Access controls are needed in the form of fences, security locks, card readers, video cameras, firewalls, virtual private networks (VPNs) and unidirectional gateways.
- Hardening is required through installation processes and procedures, Host Intrusion Protection System (HIPS) and application white-listing.
- Authentication and authorization should be controlled by centralized account management and role-based access control.
- Monitoring and auditing should be implemented through centralized security event logging, real-time alerting and 24/7 monitoring.
- The patching of control systems can be a challenge since ICS patching cycles are not as rapid as IT patching cycles. In addition, electric systems are 24/7, and any system downtime is unacceptable.
The Future of Industrial Control Systems
The conference speakers and participants provided recommendations for securing the smart grid and its IoT as part of a defense-in-depth strategy to limit the potential for damage and data leakage. Some of these recommendations were:
- Using heterogeneous software and hardware to avoid cascading and wide failures when weaknesses are discovered;
- Employing authentication and diverse encryption schemes;
- Adopting hardened operating systems;
- Tying data leaving local groups of devices to a bastion host or gateway device that filters communications;
- Restricting local communications;
- Limiting transmission of information from local sites;
- Applying standards to ensure the smart grid and IoT interoperate safely.
Incorporating cybersecurity into the design phase early contributes to each of these measures and overall grid security. The integration and correlation of data from multiple ICS in conjunction with traditional network security information and event management (SIEM) systems contributes to grid security.
Cybersecurity should be addressed from the perspective of enterprise risk management. It needs to be on the agenda of an organization’s corporate risk committee. Risk-based methodologies should be used to assess the value of information assets, understand cybersecurity threats and develop a program that mitigates threats.
A successful model of building an effective organizational cybersecurity program is to develop a comprehensive cybersecurity strategy and translate it into programs that include benchmarking, asset classification, operational metrics, threat analysis, security alternatives and risk management. This approach will provide the basis for continuous improvements to help address risks and vulnerabilities.