Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Common ICS Cybersecurity Myth #4: Serial Communication

Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on the series if you're interested:

Now, let's dive in.

ICS Cybersecurity Myth #4

Serial communication (non-routable) between a control center and remote sites (such as onshore oil rigs, electricity substations, or mines) provides immunity from cyberattacks

Serial communications such as RS-232 or RS-485 are logically isolated communication methods that provide controlled communications. There is a common assumption that any serial communication (non-routable and not over Ethernet/TCP/IP) is intrinsically secure and protected from cyberattacks.

ICS-cybersecurity-myth-4Source: NIST SP 800-82

 

Busting ICS Cybersecurity Myth #4

Serially connected remote industrial sites or substations typically have two networks for operations: one serial network to the control center and another local IP/Ethernet network for plant/substation OT communications. Usually there is also a third IP network for corporate purposes, such as email, web browsing, and so on.

To attack from the outside, it is true that attackers need access to externally routable devices and/or protocols. Recent incidents, however, have demonstrated that it is possible to compromise a serially connected remote site through other means. Attackers can find and exploit vulnerabilities via the corporate network (if the firewall is misconfigured), USB, transient systems, social engineering, third-party suppliers, or a physical security breach. Certainly, it is not that straightforward and requires additional efforts—attackers need to find bridging points where one network device deals with both IP and serial (i.e. serial-to-IP converters) or a firewall that segregates OT and corporate networks.

Many organizations use dial-up connections for emergency access to remote sites. If compromised by attackers, these could also allow unauthorized access. Most dial-up connections use older, legacy devices that are harder to protect.

Serial communications alone do not provide immunity from cyberattacks. In December 2015, unidentified hackers caused a power outage in Ukraine, in part by attacking serial-to-Ethernet converters—which, like any other devices, are vulnerable to remote attacks and compromise.

Recently, attackers also tried to convince and bribe a Tesla employee to plant malware inside Tesla’s network. The plan was to steal information, trigger a DDoS attack, and demand ransom. The attackers offered the employee up to 1 million USD to be paid in cash or Bitcoin. Fortunately, the employee did not get trapped, and instead reported the attempt to Tesla. Tesla contacted the FBI, and the alleged attacker was caught.

Just like what could have happened to Tesla, similar scenarios could play out at any remote industrial site and substationdespite having serial-based remote connections. Attackers can either breach physical security or possibly try to social engineer employees, planting a “wireless rogue device” to cause damage or outages at a later time. Due to a lack of remote monitoring, the control center team may not even know about the presence of such rogue devices.


Stay tuned for the next part in this series, in which we break down Myth #5: the belief that there is not much for hackers to gain by attacking industrial networks.

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Sanjay Chhillar
Sanjay Chhillar
Sanjay Chhillar is the head of OT/ICS Cybersecurity Practice at Siemens UK & Ireland.

Related Posts

Innovations in R&D: How AI Is Transforming Industrial Cybersecurity Operations

Industrial control systems are becoming more complex as evolved cyberattacks threaten industry functions....
Devin Partida Nov 15, 2024 7:00:00 AM

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application...
Kara Phelps Nov 8, 2024 12:00:00 PM

Webinar: Zero Trust Outcomes Using ISA/IEC 62443 Standards

The ISA Global Cybersecurity Alliance (ISAGCA) held a webinar on 24 October 2024 to provide insights into...
Kara Phelps Nov 1, 2024 12:00:00 PM