Industrial control system (ICS)/operational technology (OT) infrastructure security is different in many ways from informational technology (IT) security, and one of the main reasons is the reverse confidentiality, integrity, availability (CIA) trade. In OT infrastructure, availability is the highest priority, and because of this implementing cybersecurity solutions to secure OT infrastructure is a very crucial task. It requires good command over proposed cybersecurity solutions, security standards/framework, ICS functions, and their operations. Here, we will cover the aspects that make ICS/OT infrastructure insecure.
Why ICS/OT Infrastructure Security?
In the past, ICS/OT systems were not connected with the internet; OT security was restricted to safeguarding the physical infrastructure with well-known solutions such as security guards, biometrics, and fences. Now, for ease of operability, all ICS/OT infrastructure introduces internet connectivity or are in the process of doing so. However, this transformation exposes these infrastructures to vulnerabilities that cannot be only protected with the help of old customs. Vulnerable infrastructure results in destructive tendencies with huge financial, environmental, and/or health issues.
What Aspects Make ICS/OT Infrastructure Vulnerable?
There are many aspects which make ICS/OT infrastructure insecure. Some of the most common and critical are as follows:
- Outdated Operating Systems: End-of-life operating systems which have not received any security updates from the original equipment manufacturer (OEM) are highly vulnerable. They have the most critical vulnerabilities (e.g., remote code execution) which generally can easily be exploited by a script kiddie hacker.
- Outdated Firmware: Most of the switches and firewalls from L1 to L3 are ignored by firmware updates because in general they never impact the operation directly. This ignorance leads to highly vulnerable ICS infrastructure connectivity within different levels.
- Implementation of Inaccurate or Cost-Cutting Levels of Security: Depending upon the ICS/OT infrastructure, the level of security needed varies and is clearly defined in the ISA/IEC 62443 series of standards. Many times, inaccurate selection of security levels or cost cutting leads to exposing the system or indirectly opening back doors.
- Insecure Passwords: For easy access to networks, operators have been employing weak passwords. Due to this, it is easy for attackers to obtain access. Even if the operators are forced to use critical passwords, they make another mistake by using the same critical password for all access points, which can easily be cracked by attackers.
- No Inventory Database: In ICS/OT infrastructure, due to the large number of network devices, endpoints, and automation devices of many vendors, it has become very tough to create updated inventory databases, which indirectly creates a loophole in OT infrastructure. In such cases, if there are any unauthorized devices trying to connect or get connected into the existing infrastructure, it will become very hard to find and isolate the network from that device.
- Test Restore of Backup in Case of Emergency: In most ICS/OT infrastructure, the backup of systems is either only full system backups, or incremental or differential full system backups. In case of any ransomware attack, we will easily restore the system with the available backup. However, the important point is that we are sure that the available backup will work after restoring. If the restore fails, then it will result in a huge financial loss for any ICS environment. To reduce this risk, identify the most critical system of your OT operation (e.g., application and automation server of distributed control systems [DCS]), and in a regular interval of time restore this available backup in the external machine to make sure it will work.
- Complex Firewall Rules in L3.5 and Above: In today’s ICS/OT infrastructure, most plants share a common regional demilitarized zone (DMZ) and many other applications such as remote access, security information and event management (SIEM), intrusion detection system (IDS), centralized antivirus (AV) and patch management (PM), etc. In such cases, the use of most complex firewall rule tables make it very difficult to manage, and it will become an access point for an attacker. To reduce this risk, follow two rules of thumb: First, do not open any inbound traffic unless it is very important for operability, and second, make firewall rules as simple to understand.
- Lack of Security Product for OT: As we all know, most cybersecurity solutions available in the market were designed for IT security. Now, they are retrofitted for OT security, which either create system performance issues or need regular patch updates which will directly impact operations. Some cybersecurity solutions are good to fulfill compliance but are unable to provide cybersecurity at the level of IT infrastructure. For example, rarely can products create accurate inventory databases for OT, or how security patch installation is still a headache for OT infrastructure. Indeed, malware protection solutions are still creating performance issues in many use-cases.
- The Mindset of OT Customers: Many OT customers believe their system and infrastructure are in an isolated zone. Either they have never required to connect to the internet, or they only do it occasionally. Such mindset needs to be changed to create awareness that cyber-attacks can be performed by any means and at any time (e.g., Stuxnet).