ICS Security - The Good, The Bad and the Ugly
- Evan Jones
- Sep 27, 2021
- 4 min read
Updated: Nov 10, 2023
Industrial Control Systems (ICS) security is an area in which Complete Cyber specialize. It requires a different approach from the Cyber principles traditionally applied to IT or Cloud environments, because Operational Technology (OT) is expected to deliver close to 99.9999% operational uptime. On top of that there are safety requirements to consider: certain Cyber attacks could unfold and materialize into safety hazards with serious consequences both for human lives and for our reliance on these systems.
So how do we examine the Cybersecurity aspects of ICS using the standard approaches used in IT, but with the caution needed to capture safety and the requirement to maintain high availability?

Well, as with most security evaluations, ICS systems are no different: we first need to define the scope of our boundaries. The reason is that our ICS might connect to our IT systems for administration or for data abstraction and processing.
Alternatively, an organization might own two separate ICS systems and we might only need to focus our evaluation or assessment on one of them, so scope and boundary definitions are always key at the outset, as they define our evaluation criteria.
Next is to understand how to evaluate your Critical Infrastructure, and we often do this by picking a security framework. Many security frameworks exist; however, for Operational Technology or CNI assets, frameworks such as NIST, ISO27001 or CSAv4 would not give you a good reference framework to evaluate against. This is where the ‘Bad’ comes into play. There are frameworks such as ISA 62443 that outline processes for risk management and define a series of controls for securing your infrastructure. However, you are limited in your ability to use other frameworks because they don’t exist, leaving you with little choice but to adopt ISA 62443. This means the nuances of your industry sector are left for you to adapt the framework to your industry’s needs, which differ from sector to sector. For example, the aviation industry will work to a different degree of risk tolerance when compared to the Nuclear industry.
In both such industries, degrees of risk can be formulated and treated accordingly; however, the coupling of Cyber risk to Safety risk is still a grey area, and requires each industry to evaluate it using HAZOP approaches. This is a very interesting area, in which a Cyber threat that materializes into a risk, and therefore has a potential safety hazard impact, needs careful evaluation. The diagram below outlines at a high level how this process can be used for safety risk analysis. The true measure in identifying the safety risk still requires extensive fault-tree analysis to evaluate the true probability of the outcome or impact of the safety risk.
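The fault-tree step mentioned above, as an added worked example that is not part of the original post: a small evaluator that computes the probability of a top-level safety hazard from AND/OR gates, lists the minimal cut sets, and shows how much a control on the cyber path (here, the IT/OT boundary) would reduce the hazard probability. The gate structure, event names and per-demand probabilities are constructed for illustration and are not taken from any real plant or from the article.

```python
"""Fault-tree evaluation of a cyber-initiated safety hazard.

Added example, not from the original post. The gate structure, event names
and per-demand probabilities are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Event:
    """Basic event with an assumed per-demand probability (constructed value)."""
    name: str
    probability: float


@dataclass
class Gate:
    """AND gate: all inputs must occur; OR gate: any input suffices."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """P(node) under the usual independence assumption between inputs."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node):
    """Minimal sets of basic events whose joint occurrence causes the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*children)
    else:  # AND: every combination of one cut set per input
        sets = {frozenset()}
        for child in children:
            sets = {a | b for a in sets for b in child}
    # drop any set that strictly contains another (non-minimal)
    return {s for s in sets if not any(other < s for other in sets)}


def risk_reduction_worth(top: Node, event: Event) -> float:
    """P(top) / P(top with this event eliminated): how much a control that
    fully removes the basic event would reduce the hazard probability."""
    base = probability(top)
    saved = event.probability
    event.probability = 0.0
    try:
        reduced = probability(top)
    finally:
        event.probability = saved
    return base / reduced


# --- constructed tree: a cyber path feeds a process safety hazard -------------
BOUNDARY_BREACHED = Event("IT-OT boundary breached", 1e-2)
CREDS_MISUSED = Event("Engineering credentials misused", 5e-2)
OPERATOR_ERROR = Event("Operator setpoint error", 1e-3)
SENSOR_DRIFT = Event("Pressure sensor drift", 2e-3)
RELIEF_VALVE_STUCK = Event("Relief valve stuck", 1e-3)
TRIP_INHIBITED = Event("Safety PLC trip inhibited", 1e-4)

MALICIOUS_WRITE = Gate("Malicious setpoint write from IT network", "AND",
                       [BOUNDARY_BREACHED, CREDS_MISUSED])
BAD_SETPOINT = Gate("Controller commanded out of range", "OR",
                    [OPERATOR_ERROR, MALICIOUS_WRITE])
OVERPRESSURE = Gate("Pressure exceeds design limit", "OR",
                    [BAD_SETPOINT, SENSOR_DRIFT])
RELIEF_UNAVAILABLE = Gate("Relief path unavailable", "OR",
                          [RELIEF_VALVE_STUCK, TRIP_INHIBITED])
TOP = Gate("Uncontrolled pressure release", "AND",
           [OVERPRESSURE, RELIEF_UNAVAILABLE])


if __name__ == "__main__":
    print(f"P(top) = {probability(TOP):.3e}")
    for cs in sorted(minimal_cut_sets(TOP), key=sorted):
        print("cut set:", sorted(cs))
    print("RRW of IT-OT boundary control:",
          round(risk_reduction_worth(TOP, BOUNDARY_BREACHED), 3))
```

The cyber event only reaches the hazard through an AND gate with the independent relief path, which is why the resulting top-event probability is small; the risk reduction worth of the boundary control is what lets a HAZOP team compare a cyber control against a mechanical one on the same scale.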

The ‘Good’ aspect with respect to CNI Security is that during the pandemic we have had to adapt to remote working. CNI assets still need people on-site to maintain high operational uptime and to manage systems from a safety perspective; however, the change in climate, coupled with an increase in attacks on CNI, has led many companies to face the prospect that their Cyber posture needs to be dealt with. This has led to fresh initiatives to address the Cybersecurity gap in CNI, finally raising its profile and addressing the ‘Elephant in the room’. The industry as a whole, including governments around the world, has begun to lead initiatives whereby better Cyber standards are enforced and principles of Cyber risk are adopted.
Now let’s evaluate the ugly side of CNI! In IT systems, whether in a data center or in the cloud (effectively someone else’s data center), we can deploy lots of enhanced monitoring, undertake continuous vulnerability assessments, and even coordinate penetration tests to simulate adversaries attacking our networks and hosts. We even have host- or system-based protection such as EDR to prevent malware, viruses or trojans from damaging our system kernels. The problem in CNI is that if you tried any of the aforementioned, it either doesn’t exist or you’ll cripple your system. Whilst there are products entering the market offering secure access control, intelligent anomaly monitoring, asset condition monitoring from a vulnerability perspective, or the ability to detect unusual activity on your SCADA network, the range of security products and testing for CNI assets is limited. Therefore, when we try to adopt a security framework and take on controls such as ‘prevent malware’ or ‘perform regular vulnerability assessments’, we’re left out in the cold by the limitations of the products and the fragile nature of these systems.
The question you might be asking is: how do we fix this? Well, the truth is that it’s not a simple change in policy wording, nor placing more emphasis on traditional desktop threat/risk analysis to assess the impact of an outcome occurring on your manufacturing control line. Vendors and suppliers need to start adopting the controls themselves, so that they build secure coding and hardening into their products and allow external testing to be carried out that satisfies the condition that the system will not fail or degrade because an enumeration of different protocols has been tested against an ICAN port. Likewise, changes to hardening profiles should be considered so that if your network is ping swept, or a half-open port scan is deliberately left against a port on your PLC, the device is designed to ignore these kinds of requests and can continue to function as normal.
Another consideration is to adopt virtualization of CNI assets to allow for life-like simulation. In construction, BIM modelling is used to assist the evaluation of assets in terms of performance, usage and inventory. In the CNI world, if the source or assembly code for your Remote Terminal Unit is compiled to run on hardware, then it could be adapted to run in a virtual environment designed to mimic similar functionality. This opens up many possibilities, whereby testing in this form of test-bench or sandbox environment would give greater confidence in the security controls implemented in an Operational Environment. The exception to this is cost! Not every supplier is going to be able to afford offering their product range in this format, and it also opens up commercial issues about hosting a company’s IP in an environment which is open to abuse. One of the recent services offered by the NCSC is a CAF evaluation of your products in terms of hardware or software services. This is similar to what was used in the USA, whereby the old ‘Orange Book’ was used to classify the certification status of certain products, and this is a good move for CNI product security within the UK.
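Because active scanning or host agents can cripple a controller, the practical way to see ping sweeps and half-open scans against PLCs is passively, from exported flow or firewall logs. The following is an added example, not part of the original post and not a product mentioned in it: a detector that reads constructed flow records and flags a source that opens many half-open TCP probes against a PLC, or sends ICMP echo requests across several PLC addresses, within a short window, while leaving the HMI's completed Modbus polls alone. The record layout, the PLC address range, the flag encoding and the thresholds are all assumptions.

```python
"""Passive detection of ping sweeps and half-open port scans aimed at PLCs.

Added example, not from the original post. The flow records, PLC addresses,
field layout and thresholds are all constructed assumptions. The detector
reads exported flow or firewall logs only: nothing is sent to the controller.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed records: "<epoch> <src> <dst> <proto> <dport|-> <flags>".
# flags: "S" = SYN seen with no completed handshake (half-open), "SA" = SYN/ACK
# observed so the connection completed, "echo" = ICMP echo request.
SAMPLE_FLOWS = """\
1632700000 10.20.5.11 10.20.1.10 tcp 502 SA    # HMI polling Modbus, handshake completed
1632700001 10.20.5.11 10.20.1.11 tcp 502 SA
1632700010 10.20.9.77 10.20.1.10 tcp 21 S      # many half-open probes at one PLC
1632700010 10.20.9.77 10.20.1.10 tcp 22 S
1632700010 10.20.9.77 10.20.1.10 tcp 23 S
1632700011 10.20.9.77 10.20.1.10 tcp 80 S
1632700011 10.20.9.77 10.20.1.10 tcp 102 S
1632700011 10.20.9.77 10.20.1.10 tcp 443 S
1632700011 10.20.9.77 10.20.1.10 tcp 502 S
1632700012 10.20.9.77 10.20.1.10 tcp 44818 S
1632700020 10.20.9.78 10.20.1.10 icmp - echo   # echo requests across the PLC range
1632700020 10.20.9.78 10.20.1.11 icmp - echo
1632700021 10.20.9.78 10.20.1.12 icmp - echo
1632700021 10.20.9.78 10.20.1.13 icmp - echo
1632700022 10.20.9.78 10.20.1.14 icmp - echo
1632700900 10.20.5.12 10.20.1.12 tcp 502 S     # one failed connect, not a scan
"""

PLC_HOSTS = {f"10.20.1.{i}" for i in range(10, 15)}   # constructed PLC addresses


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    flags: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format, ignoring comments and blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport, flags = line.split()
        flows.append(Flow(int(ts), src, dst, proto,
                          None if dport == "-" else int(dport), flags))
    return flows


def _max_distinct_in_window(events: List[Flow], window: int,
                            key: Callable[[Flow], object]) -> int:
    """Largest number of distinct keys seen inside any `window`-second span."""
    events = sorted(events, key=lambda f: f.ts)
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e.ts - start.ts > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def detect(flows: List[Flow], plc_hosts: Set[str], window: int = 60,
           port_threshold: int = 5, host_threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (alert_kind, source, count) for sources probing PLC hosts."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dst in plc_hosts:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        # half-open scan: many distinct (host, port) SYNs with no completed handshake
        half_open = [f for f in fl if f.proto == "tcp" and f.flags == "S"]
        ports = _max_distinct_in_window(half_open, window, lambda f: (f.dst, f.dport))
        if ports >= port_threshold:
            alerts.append(("half-open-scan", src, ports))
        # ping sweep: echo requests to many distinct PLC addresses
        echoes = [f for f in fl if f.proto == "icmp" and f.flags == "echo"]
        hosts = _max_distinct_in_window(echoes, window, lambda f: f.dst)
        if hosts >= host_threshold:
            alerts.append(("ping-sweep", src, hosts))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect(parse_flows(SAMPLE_FLOWS), PLC_HOSTS):
        print(f"{kind}: {src} touched {count} distinct targets within 60s")
```

Thresholds and the window are deliberately parameters: on a quiet SCADA segment the baseline is small enough that even a handful of half-open probes is abnormal, and tuning them against a few days of real flow records is the work that replaces the vulnerability scanner you cannot run against the PLC itself.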

