Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series will disprove five common myths related to ICS cybersecurity.
Introduction
ICS stands for industrial control systems (also know as operations technology or OT). It is a generic term used to describe various control systems and their instrumentation. ICS are used for controlling and monitoring industrial processes used in manufacturing, energy, utilities, chemicals, and many other industrial sectors. ICS basically integrates hardware, software, and network connectivity for running and supporting critical infrastructure (such as electricity, gas, water, and so on). ICS systems get data from remote sensors and send commands to the machinery for the appropriate actions to take.
In the older days of industrial revolution, ICS were built with a primary focus on safety, reliability, and availability. For decades, physical gates and locks were used as primary protection mechanisms. Cybersecurity was not even considered a concern at that time. Concepts like firewalls, intrusion detection, and anti-virus measures were not well-known.
As a result, organizations developed some beliefs about ICS cybersecurity (such as the air gap, proprietary ICS protocols, and security through obscurity), which, at that time, were sufficient to justify the “no further action for cybersecurity” policies.
These beliefs were further strengthened because there was no evidence of any reported cyberattack against ICS until around 2010 or so. Even if any cyberattack on ICS had happened before 2010, it must have gone unreported due to the lack of adequate ICS forensics capabilities to investigate ICS cyberattacks.
As for business/corporate IT systems, the need for cybersecurity in ICS has evolved over a period of time, but at a much slower pace compared to corporate IT security. However, because ICS are used in critical infrastructure, the implications of not having adequate cybersecurity measures in ICS are much more serious compared to that in corporate IT systems. Also, ICS cybersecurity primary requirements (safety, reliability, and availability) are not exactly the same as the cybersecurity needs of corporate IT systems (which typically focus on confidentiality and privacy). It even becomes more difficult to secure ICS due to inherent design issues and the presence of legacy systems and protocols with limited capability to support security requirements to address risks.
As we discuss a few myths and beliefs related to ICS cybersecurity over a series of several blog posts, it is important to avoid blaming anyone (the operations team or the security team) for these beliefs. Instead, we need to focus on exposing ground reality based on field experience and spread awareness. In this blog series, we will not only discuss a few myths, but also review some of the cyberattacks that could have been prevented with basic awareness and security measures.
To stay focused with the scope, I will try to avoid discussion on solving the ICS cybersecurity challenges, and rather focus on discussing the common myths and beliefs. I will cover ICS cybersecurity solutions and best practices in a future paper.
Finally, there may be many more ICS cybersecurity-related myths, but I have included only the five most common in this blog series.
ICS Cybersecurity Myth #1
The ICS network is absolutely air-gapped/isolated from internet and corporate networks; therefore there is no cyber risk
Busting ICS Cybersecurity Myth #1
Air gaps between the ICS network and other networks—if implemented correctly and maintained—are very effective barriers against cyberattacks. However, a true air gap is no longer practical in an interconnected world. While many will agree that air gaps are disappearing, some still believe this is a viable security measure.
With increasing digitalization (Industry 4.0 and smart grid networks), the use of the air gap has eroded or disappeared altogether. OT (operations technology) and IT (information technology) networks are converging and resulting in the evolution of a new threat landscape.
Files/Data Movement in Air-Gapped Networks
Even in an air-gapped ICS network, there are many business reasons for files and data to be moved between the ICS and outside networks. Some examples include configuration files, software patches, and files from vendors such as system integrators or contractors.
In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.
-Sean McGurk, Former Director, NCCIC, the Department of Homeland Security
An adversary can take advantage of these ad-hoc channels by tricking staff or contractors into installing fake software updates and patches, or transferring files that will introduce malware into industrial networks via USB drives. This is how the Stuxnet malware was able to disrupt Iran’s nuclear program.
In many incidents, attackers first gained access to corporate networks or exploited suppliers’ systems before moving to OT/ICS networks. This happened in the case of the cyberattack on Ukrainian utilities in 2015 that caused loss of power for more than 225,000 customers.
If you still believe that ICS networks are air-gapped, then you should look at Shodan. You may be surprised to see so many unprotected or misconfigured ICS devices directly connected to the Internet. (Note: Hacking any system without authorization is illegal.)
Air-gapped or isolated networks often create a false sense of security, and even truly air-gapped networks are vulnerable to targeted attacks by determined adversaries. Instead of holding onto a belief in this myth, it is important to assess and take concrete measures to address ICS cyber risks.
Next Steps
- Review whether your ICS network is 100% air-gapped (absolutely no connection to/from the OT/ICS network to the outside, not even through a firewall or USB file transfers). Or is it only considered air-gapped because there is a firewall between ICS network and other networks?
- Review whether threat modelling/risk assessment has identified all threats and risks to your ICS network.
Stay tuned for the next part in this series, in which we break down Myth #2: the belief that ICS protocols are proprietary and inaccessible to hackers.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.