It is a tough world out there. Unscrupulous players will use any means to improve their own prospects by harming competitors—including hacking, industrial espionage, and sabotage.
Consider this hypothetical scenario: a major oil & gas conglomerate wants to take over a competitor who has no desire to be bought out. By hacking the competitor’s industrial control systems, manipulating inventory orders, or stealthy altering material specifications, it could negatively affect product quality. This would downcast customer satisfaction, reducing sales and driving down profitability, likely without ever being detected. The resulting shareholder dissatisfaction could create an acquisition opportunity and a favourable purchase price.
Industrial control systems are particularly vulnerable to this attack trend because many of these systems are now Internet-connected without adequate protection. And, given the prevalence of these automated systems, many daily decisions are made by machine-to-machine interactions, making them difficult to trace without proper security considerations. Although cyber warfare is clearly a morally bankrupt business decision, it is hard to debate its economic value.
In this digital age, where malicious hacker in some virtual landscape can throw a wrench into industrial control systems. How do we secure these systems while still meeting the needs of corporate stakeholders? Operational technology (OT) teams still demand high resiliency and availability. Information technology (IT) teams demand interconnectivity, enterprise security, and compliance. And both of these teams must accommodate the new kids on the block: data analysts who require real-time data capture, sharing, and analysis for every decision in the business.
Industrial Malicious Landscape
Physical break-ins and attacks on SCADA and ICS systems are largely a twentieth-century phenomenon. The overwhelming majority of attacks today are carried out by well-resourced, highly motivated attackers who are often accomplished software engineers working for cybercrime syndicates on other continents. Business competitors and nation states are the latest cyber warfare participants, as the battleground has expanded to include manufacturing facilities, entertainment companies, and critical infrastructure. Sadly, these types of security events continue to increase both in terms of damage and frequency. Below are 2 of the many incidents that impacted the industrial systems verticals.
- Next Generation Cyber Attacks target Oil & Gas Scada
- Exploiting GPS vulnerability to Hijack Ships, Airplanes with $3000 Equipments
Best Practices for Industrial Control System (ICS) Security
OT security is much different from its IT cousin and the key difference in my opinion is the availability requirements and the legacy nature of industrial automation systems add to the mind blogging cyber challenges that the industrial players face today. Preserving existing investments in ICS infrastructure is paramount. Therefore, viable security architecture must work with both existing and new systems. In addition, security is a dynamic process, because security needs, policies, and threat detection methods evolve over time. Therefore, any viable solution must be adaptable and updatable.
Hardened Devices
Establishing the chain of trust begins with validating the identity of the device. Previous approaches to validate device identities, such as using IP and media access control (MAC) addresses, are untrustworthy: IP addresses change routinely and can be very easily spoofed by hackers, while MAC addresses can be easily reset. Therefore, device authentication must start at the physical level—the processor within the hardware.
Execution of trusted devices and data is essential given the prevalence of machine-to-machine communications driving industrial automation. For example, trusted devices can digitally sign data received by trusted industrial control sensors. Should a hacker manipulate data, the data signature will be inaccurate and be flagged by the monitoring system. In this case, the untrustworthy piece of data and the machine or sensor where it originated will be clear.
Encrypted Communications
There is a reason legacy systems are so prevalent in industrial automation: they work. In fact, some have been refined for decades. New classes of intelligent gateways (some as small as two inches by two inches) are critical to extending legacy systems by connecting them to next-generation intelligent infrastructure. These gateways physically separate legacy systems, production zones, and the outside world, limiting the attack surface of an industrial automation system. The gateway can secure a device, or devices, without modifying the device in any way, making it an attractive initial security solution to create a consistent level of security within the environment.
Monitoring and Management
There is an old axiom in IT: you cannot manage what you cannot monitor. Effective oversight of distributed industrial automation systems requires the ability to centrally manage devices through an enterprise management console, as well as the ability to monitor, collect, and analyze event information on all devices for end-to-end situational awareness of the entire system. A company’s enterprise management console should be tightly integrated with its security information and event monitoring (SIEM) solution and other security modules.
Conclusion
No two businesses are the same—each has unique security infrastructures, operational technologies, and processes. Some have made considerable progress in creating converged IT/OT security solutions, while others are in the early stages. Regardless of where an organization resides on this continuum, here are some general guidelines to keep in mind.
- Establish a task force
Make sure it includes both IT and OT staff. Seek out key players in your manufacturing and industrial system controls groups, and include them in briefings and activities. Conduct site visits to the factory or manufacturing facility and speak to supervisors and front-line personnel to ensure policies and procedure are followed.
- Divide and Conquer
Target core functions that are achievable and measurable in reasonable time frames. For example, start by deploying intelligent control gateways on key devices or production zones in one facility, and use that site as a pilot for event monitoring, management, and policy refinement.
- Credible Vendors
Given the formidable complexities of securing industrial automation systems, there is no such thing as a single-vendor solution or technological silver bullet. Is security their core competency? Does the vendor have expertise in embedded security and critical infrastructure? Lastly, can they deliver more than slide ware or vision papers (i.e., do they have a reference architecture and customer references, and can they provide clear architecture designs and integration plans)?
- Size does Matters
Ensure that the management and monitoring technologies are able to scale to handle potential merger and acquisition activity, as well as what will certainly be a dramatic increase in Internet-connected devices and related security events as a company or utility grows.
I reckon no one wants to get a message demanding $20 Million ransom smack in our face first thing in the morning.