ICS security is a growing concern, and threats against industrial systems are on the rise. You only have to look at ICS attacks such as Stuxnet, Industroyer or the attacks on Ukrainian power supplies to see that the threat is real and that the effects of such an attack can be serious.
Improving and maintaining ICS security should always be a top priority, but for many organisations there are a number of key issues that need to be addressed in order to start this process.
Keeping your systems up and running is your key priority. For numerous reasons, you can't afford any downtime.
It’s this fear of downtime that keeps many organisations from testing their industrial systems, or even from installing the latest security patches. This approach can be dangerous and, without the necessary testing, systems are becoming increasingly vulnerable to attack from outside threats.
Whilst fears of downtime from testing or updating software are common, for ICS this work just means extra planning and an approach tailored to your environment. In the right hands, there are a number of options for carrying out safe, in-depth penetration testing and security assessments.
According to a recent CyberX risk report, 76% of industrial sites are running Windows XP or Windows 2000 on their OT networks.
Whilst these operating systems may appear to be running fine, Microsoft no longer supports them with security updates, leaving systems exposed to an ever-increasing attack surface and providing an obvious route in for those who may wish to gain access to your ICS.
Improving the situation can be difficult and replacing operating systems needs to be carefully managed to ensure that risks are minimised. However, the potential costs of an attack far outweigh those of taking preventative measures.
Many industrial systems running in Europe and the US were installed in the pre-internet era. Designed to work on small, isolated networks, they typically have no means of authenticating commands received and were never designed with connectivity in mind.
Over the years, the need for connectivity has become more pressing. Operatives now require access away from consoles, third-party vendors need to view operational data, and suppliers want access to ensure cost-effective maintenance and monitoring. The truly isolated industrial system has become a thing of the past, and security vulnerabilities have only increased as a result.
The belief that your legacy system is secure just isn’t true anymore, but ripping out old systems and replacing them with new ones is not an option. However, that doesn’t mean we can’t work together to ensure legacy systems remain protected for years to come.
Directors and top executives hold the ultimate responsibility when it comes to cybersecurity. This includes ensuring that security measures are in place, that risk profiling has been conducted, and that there is company-wide adherence to secure communication policies and practices.
This isn’t always the reality, however, and for many companies cybersecurity can be seen as a tick-box exercise, one where an annual pentest is believed to be good enough. This mindset can be dangerous, and companies really need to adopt a security-conscious culture to ensure they stay properly protected.
ICS managers can help gain security buy-in by educating leaders on the importance of security and the risks the company faces, outlining the steps and processes that need to be undertaken, and highlighting the potential consequences of inaction. You certainly don’t want your first security discussion with the Board to be after a breach.
When it comes to priorities, OT and IT teams have two very different approaches. OT security is primarily concerned with protecting physical processes, whereas IT security will focus on the information and data of the organisation as a whole.
Over the years, IT and OT systems have started to converge and the two contrasting priorities have often led to conflict, mistrust and a security disconnect. This only leaves systems vulnerable to attack.
It's essential that OT managers and engineers work closely with their IT counterparts. In historic ICS breaches, attackers have gained access via IT vulnerabilities, and OT teams can no longer simply ignore actions and recommendations. A good cybersecurity company can provide advice and recommendations to bridge the gap between these two security strategies.