June 30, 2015 By Douglas Bonderud

The industrial control system (ICS) market is already worth $58 billion and should hit $81 billion by 2021, according to WhaTech. It’s no surprise; the burgeoning Internet of Things (IoT) is driving an industrial control environment that is more connected, integrated and intelligent — but that also opens new avenues of attack.

In fact, SecurityWeek reported that a new SANS Institute study found 32 percent of companies that experienced an ICS breach were unsure of how many times they had been breached, while 44 percent couldn’t identify the source of the attack. With IT experts facing larger challenges thanks to bigger networks and evolving technologies — and attackers poised to take advantage — can companies keep their ICS and SCADA networks safe from harm?

Logic Gates

Defense mechanisms for industrial control systems have historically focused on logical segmentation; if unique parts of the system are effectively insulated from one another, breaches have little impact. But according to Derek Harp of SANS, there’s a new worry: “cyber threats that are able to transcend that protection by riding along on media or taking advantage of remote connections.”

These attacks are difficult to detect once inside ICS perimeters. One response has been to leverage monitoring tools designed for IT networks, but the interface with ICS is often shaky at best and can lead to problems such as false positives, network slowdowns or even unexpected shutdowns. In other words, by going beyond logic, ICS operators can become their own biggest threat.

New Targets in the Control System

So how do ICS operators protect their assets? It starts with threat identification. The SANS report found that 73 percent agreed outside threats were among the top three risks, while 49 percent placed internal threats in the same category. To narrow the focus, however, better visibility is required.

For example, Intelligent Utility reported that while 74 percent of companies collect logs from their network devices, just 40 percent collect logs from control system apps. And with only 36 percent of businesses just beginning the process of integrating their industrial control system with IT solutions, the result is a kind of willful blindness — controls are under attack, but companies don’t know how or who’s to blame.

Along with better visibility, companies also need improved security at the vendor level. According to IT World Canada, just 20 percent of those asked said that qualification of security technologies by their ICS equipment vendors is mandatory, while 25 percent said this kind of rigor was only moderately important or not important. Without effective security testing before deployment, however, industrial control systems are at significantly heightened risk.

Attackers are interested in ICS networks because they offer access to high-value targets and the opportunity to disrupt large-scale industrial efforts. Logical segmentation has been the standard response to malicious actors, but malware creators and disgruntled insiders alike are now capable of acting outside these bounds. To manage an increasingly interconnected, device-oriented ICS program, companies must take steps to improve visibility, enhance integration and test controls before they go live.

Looking for an ICS to live long and prosper? Start with logic, then go beyond.
