Top five hurdles to security and compliance in industrial control systems

For many decades, Industrial Control Systems (ICS) have been the operational systems relied upon to safely and reliably deliver the essentials of daily life. Sometimes referred to as a Critical Infrastructure, they are the backbone of a modern economy. With these systems generally working well, there has been little need to make major changes to them. There has been innovation and some incremental changes, but in the ICS world, it has largely been “business as usual.’

That’s very different than other industries and sectors, such as enterprise IT, where seismic technology shifts seem to occur about every two years. Change in industrial control environments has been handled at a more measured pace and with a lot more caution.

There are several good reasons for this. The first is that the processes these systems control are usually very large and critical to the general public and the normal functioning of society. They support the provisioning of essentials like electricity, water, oil and gas and other basics.

If these systems go down, people’s health and safety are quickly put at stake. For that reason, reliability and availability have long been the overriding priorities in the design and operation of these systems, making broad-based changes in these environments a real challenge. That’s why slow, methodical and incremental change has been the norm for so long.

Another reason why ICS and Supervisory Control and Data Acquisition (SCADA) environments have not seen a more rapid rate of change was because it was not needed. Designed for a simpler era, automation systems typically were designed as proprietary (closed) systems and were implemented in isolated settings, both physically and electronically.

For many years, these systems successfully controlled industrial processes without requiring direct connections to enterprise networks, the Internet, or too much else for that matter.

But the time has come to upgrade or replace these aging systems. There are now compelling reasons to connect these systems to corporate networks and the Internet. As those connections are made, the isolation – or “air gaps’ – that protected these systems disappears. The long-standing strategy of “security through obscurity’ no longer holds up. In addition, corporate and operations staffs have other realities and requirements to consider, including:

• Shifting from proprietary to open, standards-based solutions can lower costs, increase operational flexibility and avoid vendor lock-in
• Generating real-time business intelligence from operational data can enhance service delivery
• Improving the effectiveness of automation systems drives new efficiencies into the industrial processes they control, yielding better performance and results
• Ensuring that the operational health and safety levels of the systems and processes are continually maintained.

Another major change that ICS and SCADA system professionals must manage is the explosive growth in the number of intelligent endpoints in industrial environments. In rapidly growing industry segments such as the Smart Grid, the numbers and types of networked and IP-enabled devices is increasing exponentially. This array of issues, including economic, operational and technological drivers, is forcing automations systems professionals to grapple with much more change at a much faster pace than ever before.

The following are five of the major hurdles that critical infrastructure and industrial process companies often face as they move forward with initiatives to modernize their control environments.

1. Lack of “Last Mile” Coverage and Instrumentation for Device Visibility – ICS systems are increasingly leveraging wireless and Internet connectivity to expand the system’s reach and effectiveness. Gaining faster access to more granular and real-time data from far-flung end points can produce substantial operational benefits. From a security perspective, however, such expansion introduces new risks.

One of the primary security issues that arise in these implementation scenarios stems from the fact that embedded devices often lack local or remote logging capabilities. As a result, they cannot adequately log relevant security and compliance data. Additionally, interactive remote access can be cumbersome, hard to achieve or only available in an insecure manner.

To address the lack of visibility largely inherent in these devices, organizations should place network sensors logically near the devices to detect events which would normally be present in event logs. Network Intrusion Detection Systems and network flow tools are two such examples. Additionally, organizations should consider protocol-aware gateways or firewalls to restrict access and add a layer of security, since many industrial protocols lack authentication and security features.

2. Not So Automatic “Automation” – Whether or not they have the Critical Infrastructure designation, ICS operators of all kinds face growing internal and external (regulatory) requirements to produce ever-increasing amounts of operational data. It is a growing operational and administrative burden, and automation systems operators must find an efficient and secure way to deal with it. Since old habits – and cautions – die hard, many asset owners are averse to fully automating their data collection processes.

This reluctance to fully automate data collection often leads operators to conduct partial automation efforts. Examples include scripts being run manually on each individual host, or scripts that can run remotely but have to be initiated manually. These half-measures are not thorough and are often incomplete.

Operators do have other options for addressing this challenge. There are technologies and solutions available on the market today that enable operators to automate all of their data collections processes safely, securely and effectively. By embracing a fully automated approach to data collection, operators can safely meet their data collection and reporting requirements, while also alleviating many hours of manual work and human error.

It should be noted that automating data collection is not the same as “network scanning.” Automated data collection utilizes built-in, administrative capabilities in the cyber assets and can be performed in a controlled manner, which utilizes very little overhead on the cyber assets. “Network scanning” is associated with network-based port scanning, which when not done carefully, can affect cyber asset availability in some cases.

3. Dirty Data – Often times, raw output from tools used to collect security and compliance data is all-encompassing and complete. That’s the good news. The bad news is that it usually includes data that requires analysis by the asset owner in order to make determinations of security or compliance state. When raw output is treated as analyzed output, asset owners get an inaccurate picture of the security and compliance state of their assets.

For example, in the upcoming NERC CIP-010-5, asset owners are required to create a baseline of each cyber asset, which includes several categories of information, one of which is “logical accessible network ports.” If an asset owner utilizes raw “netstat” output as a final source of data for compliance, there will potentially be many additional records of data that do not apply, such as records for local host-only services, which are not available as “logical accessible network ports.”

4. Inability to Detect Anomalous Behavior – Zero-day attacks can be devastating to automation systems. They are exploit system vulnerabilities that are unknown at the time of the attack, so there is no patch or fix at the ready, and great damage can often result.

One of the most effective ways to protect against these types of attacks is for operators to continually monitor their networks to develop a baseline of normal activity. This baseline is a reference point that can help operators quickly identify the anomalous, attack-related activity they need to guard against.

However, for most ICS and automation system operators, baselining and tracking expected behavior is difficult, and requires lots of time and specialized expertise. Additionally, not all applications and operating systems are easy to configure in order to log the data required to accurately detect anomalous behavior. Although asset owners can benefit from having logging and monitoring capabilities in their ICS-process specific applications, most often, these capabilities are geared solely to making improvements in process performance. By refocusing their use of these systems to include detection of anomalous – and therefore suspicious – network activity, ICS owners can significantly improve the security posture of their systems.

5. Collection, Analysis, and Workflow Lifecycle Integration – Many organizations stop at the collection step and then label their security and compliance efforts a success. The fact is that data collection is really just the first step. To be truly successful, an organization must collect, analyze, and then act on the security and compliance data it gathers from its ICS environment. By continually iterating over and acting upon the data, an organization can track and improve its security and compliance efforts over time.

For example, consider an organization that logs failed logons. If no analysis is performed on the failed logon events, the organization will not know if the failures are malicious or if the events are failed logons from a service that is configured to use an expired password.

Another example, from a compliance perspective, is when an organization logs events to meet a compliance requirement. How will the organization know when log data collection fails or if there is a gap in the collection? Without tracking the dates, times and failures of log collection, the organization leaves itself vulnerable to a compliance deficiency.

Conclusion
The scope and pace of technological change now occurring or coming soon to many ICS environments present new risks to automation systems professionals. But as is always the case with change, risks are accompanied by opportunities. Old approaches to ICS system design and security are becoming increasingly ineffective in the face of major technology trends and business changes that are now impacting operators. Forward-thinking professionals must find effective ways to overcome these new security and operations challenges.

The first step is recognizing that in many areas of ICS security, what worked in the past likely won’t work in the future. Teams must explore new options and develop effective business cases for investing the next-generation ICS security technologies. By embracing the changes that are taking place in the industry, and adopting new solutions to address them, ICS professionals will be able to mitigate risks and capitalize on the terrific opportunities that lie ahead.