Attacks on industrial control systems (ICSs) are increasing in frequency – and have become a reality we can no longer ignore. Securing these networks poses unique challenges, primarily because ICS networks are unlike traditional IT networks. They use different technologies and perform discrete functions. In order to protect them we first need to understand how they operate.
ICS networks are different
Until recently, industrial networks were separated from the rest of the world by ‘Air Gaps’. In theory, this technique sounds great – disconnecting the industrial network from the business network and the Internet makes it very difficult for attacks to reach it. However, an ‘Air Gap’ is no longer a functional or operationally feasible solution in today’s connected world. With trends like IIoT (Industrial Internet of Things), industrial networks can’t remain stand-alone environments. For efficiency and competitive advantage reasons, they are being connected to corporate systems and cloud applications. In the process, they are being exposed to cyber-threats.
ICS networks exhibit a range of weaknesses and vulnerabilities in software, hardware and design. Many PLC (Programmable Logic Controllers – the computers that run industrial equipment and processes) vulnerabilities have been documented, including some that can be exploited remotely to disrupt operations and cause damage. Yet most PLCs are never patched, since industrial control engineers value network stability at all costs.
Patching PLCs is difficult, can cause disruptions or downtime, and can lead to reliability issues and other operational problems. It is also common to find unpatched Windows-based workstations still running legacy operating systems like Windows NT and XP in operational environments due to the same concerns regarding operational stability and reliability.
As a result, malicious code can be used to remotely access and compromise Windows-based systems inside industrial control networks. From here, it is possible to attack PLCs and compromise industrial processes that control turbine engines, electrical utilities, petrochemical plants, water treatment facilities, etc.
Lack of visibility and control
Industrial control networks were designed years ago, before the cyber threat existed. Therefore they are not only vulnerable to attacks, but also lack the visibility and security controls common in corporate IT networks. Most of these networks do not have any basic security measures, such as authentication or encryption mechanisms, to ensure authorized access.
They also use specialized Operational Technologies (OT) that are very different from IT technologies, and are provided by specialized vendors like GE, Siemens, Schneider Electric, Rockwell and more. These OTs use proprietary protocols, which are not compatible with, and cannot be monitored by, IT security solutions. Adversaries are aware of these blind spots and are taking advantage of them to compromise these networks and avoid detection.
The control layer is difficult to secure
One of the biggest technical challenges faced when trying to secure ICS networks is that several different communication protocols are used by components in process automation systems. For example, the data-layer and control-layer use separate communication protocols.
Standard protocols like Modbus and DNP3 are used at the data-layer to communicate measurements of physical conditions (e.g. current temperature, current pressure, etc.) between various types of controllers and SCADA/HMI applications.
Meanwhile, control-layer operations that manage the entire life-cycle of industrial processes use a different set of protocols altogether. To make matters worse, each OT vendor uses a proprietary implementation of the IEC-61131 standard for making changes to PLC logic, PLC code updates, firmware downloads and configuration changes. Since these implementations are rarely documented, it is very difficult to monitor these critical activities.
ICS attack techniques
Like most cyber-attacks, an ICS cyber attack begins with reconnaissance. Investigating a target usually involves gathering publicly available information, then launching social engineering and phishing attacks. In the reconnaissance phase attackers are typically probing IT network assets to find a way into the OT network. Once inside, further reconnaissance is required to assess the OT infrastructure and the specific technologies in use, which processes they operate, and what vulnerabilities can be exploited to cause disruptions.
ICS networks lack basic controls
It is important to note that due to the design of OT networks and the lack of basic security controls like authentication and encryption, most ICS attacks do not need to exploit software vulnerabilities. Once an attacker compromises perimeter defenses, such as firewalls and/or network segmentation solutions, and reaches the OT network, any compromised machine that can ping a PLC can be used to launch an attack on industrial processes.
Since most ICS cyber attacks attempt to cause operational disruptions or physical damage, the next step is to change the way the process executes. Contrary to popular belief, attacking ICS networks is not extremely difficult. Any second-year engineering student with a basic understanding of industrial control systems has the knowledge required.
Once inside an operational network, all an attacker has to do is download firmware on an industrial controller or change its configuration. Since these actions are typically executed from engineering interfaces using proprietary vendor-specific protocols, there is no standard way to monitor these control-layer activities. As a result, changes made by an attacker (or even through human error) can go unnoticed until damage starts to occur.
The emergence of cyber-threats is forcing the industrial sector to take a long, hard look at how ICS networks, and specifically, industrial controllers, are protected. The current lack of visibility and security controls combined with the presence of unpatched vulnerabilities in OT networks is placing facilities at risk. In order to prevent unintended changes by insiders and protect systems from external attacks, ICS-native monitoring and control technologies are required.