What is Industrial Control System Security?

Industrial Control Systems (ICS) are used to manage critical infrastructures that provide public facilities. These may include the supply of water, power, gas and transportation services. The same technologies are used for manufacturing and mining and have a direct impact on the community and the economy. The integrity and security of industrial control systems is of paramount importance to operators of the infrastructure, to the government and national security.

Cyber Security threats to Industrial Automation are very real

There are several instances of control system breaches that are frequently referenced at any conference about this topic. The truth is, there are only a few “reported” examples of system degradation due to hacking or some form of internal personnel interference. This does not imply that the capability to hack into systems is not real. Quite the contrary: it is more about timing and the greater political posture that currently exists on a relatively stable world stage. Private organisations sensitive to community backlash are also reluctant to report that their systems have been breached, which may be why it is mainly impacted public infrastructure systems that appear in the headlines.

Historically, the position has been taken that Industrial Automation systems are safe and secure if they are not on the internet. Isolation remains just one aspect of an overall strategy; however, it is becoming an increasingly challenging strategy to uphold in this device-connected world. More and more organisations are shifting from physical private networks to private public infrastructure for a number of economic reasons.

What are some of the challenges with Industrial Automation technologies?

There are a number of factors to consider as they apply to Industrial Automation. Historically, Industrial Automation solutions, being by nature conservative and careful about system availability, have not been as quick to market with their latest offerings as their consumer software counterparts. This has been improving in recent years; however, the increasing frequency of operating system security and other application updates poses a serious threat to the integrity of any critical system. This situation is exacerbated in unattended systems, where a user may not be monitoring the performance after an update as a consumer would when they press the “update now” button.
The shrink-wrap approach to managing cyber security threats in one environment cannot be assumed to be suitable for another environment. This is less important on the home computer, or even the business computer on Wall Street, than it is for systems that maintain power to a city or ensure drinking water is safe.
Another important consideration for maintaining computer infrastructure is avoiding denial of service (DoS) attacks. This very common method (a cyber war strategy) aims to compromise the performance of the internet connections to an enterprise, thus rendering the system inoperable to the extent of its dependency on outside systems. While the world is rushing to replace computer infrastructure with cloud hosted solutions, and for a number of very viable reasons, this strategy places great dependency on internal systems being able to be “business as usual” (BAU) if the internet is off. Private networks go some way to avoiding this, assuming that the cloud hosting infrastructure is immune to denial of service attacks. This assumption is big, and untested by the consumer of the environment.

What are governments doing to reduce cyber threats?

Governments grapple with adopting a strong strategy that is both practical and cost effective. Governments at various levels work toward having uniformity and compliance against an acceptable set of standards. References are made to several international standards, with ISO 27001 being just one of them; however, for obvious reasons, mandating a specific approach that fits all is impractical.

What are the types of cyber security?

A recent initiative was released in June 2020 by the Australian Federal Government and is called the Essential Eight Maturity Model. This model illustrates areas of focus and a pathway for organisations to understand how to progress through three levels of maturity to reach the preferred level of performance. The standard addresses mitigation strategies for the following areas:

• Application control
• Patch applications
• Configure Microsoft Office macro settings
• User application hardening
• Restrict administrative privileges
• Patch operating systems
• Multi-factor authentication
• Daily backups

In its vanilla form, the standard summarises best practice principles advocated by software and hardware vendors. It is important to consider that vendors also have commercial risk to manage. This commercial risk is reduced by advocating the use of their latest software and hardware components. This strategy is also closely linked to ongoing support contracts, which are a revenue spinner. The challenge for users of technology is that they are directed to use the most recent updates without having any evidence that their systems will not be compromised.

How can we harden Industrial Automation solutions to cyber threats?

As an example of one high level approach, the Essential Eight Maturity Model highlights that Cyber Security is more than patching software. It is about full life cycle management of software assets, including supporting the systems.
To harden Industrial Automation systems against potential threats, each system should be considered against its own deficiencies and practices. Practice and technology need to change to move our critical systems to a place where community and business integrity is maintained, despite the macro environment. That aside, unforeseen challenges will definitely occur, and the recovery strategies embraced by the standards then play their part.
Cyber threat avoidance is the obvious focus for most organisations, and that is the big money spinner; however, the recovery after a cyber event is a close second, and this is more about people, how they manage information and follow guidelines.
We recommend baselining an Industrial Automation system by performing Cyber Security Assessments. The assessments create a foundation for recommending the most sensible next steps to improve both technology and management practice. Recommendations usually point to better use of existing technology or its replacement, the development of procedures and methods to maintain a system's design and configuration, and the selection of architectures and products to complement the current initiatives or move up the maturity model.
For support with your Cyber Security needs, be sure to contact us for an open exchange of ideas.
