Effective ICS cyber defense methods


Cyber defense risk is a top concern for every manager operating manufacturing and critical infrastructure. The solutions for protecting the Confidentiality, Integrity and Availability (C-I-A) of IT systems are widely understood and accepted by most organizations.

On the other hand, the correct selection of defenses for Industrial Control Systems (ICS) and the deployment of cyber technologies for protecting the Safety, Reliability and Productivity (S-R-P) of manufacturing and utility operations is a newer practice. When searching for ICS experts you will meet engineers capable of programming Human Machine Interface (HMI) computers and Programmable Logic Controllers (PLCs), but you will rarely find cyber defense experts among these teams.

Now you see the challenge; there are a few reasons for this situation:

  • A decade ago, ICS experts specified the ICS for achieving high productivity, reduced maintenance cost, minimal downtime and safe and reliable operation. Cyber defense was not included as a requirement.
  • While IT computing is built with latest-technology devices, ICS systems often use legacy components, operating systems and application programs which are 10-15 years old and poorly documented.
  • Cyber defense for ICS cannot rely on active protection, which upon detection of a suspicious condition shuts the operation down completely; it must therefore use different defense methods.

Attack vectors

Internally generated cyber-attacks start with inserting malware into one of the ICS computers or field controllers; that malware then propagates towards the targeted device. Externally generated cyber-attacks compromise the IT defense layer and consequently the firewall between the IT and ICS segments.

Both attack methods lead to anomalous behavior of the ICS, which can be detected by analyzing the indications generated by infected computers. This article focuses on effective cyber defense methods which are capable of protecting the ICS section by using proven IT defense technologies.

Detecting the cyber attack

IT and ICS defense call for different measures. One approach is analyzing log messages that can be retrieved from both the ICS and IT architectures. This method allows analyzing logs by combining time-stamped records; the log data transfer shall use an encrypted channel to prevent Man in the Middle (MitM) access.

The complete detection process shall comply with mandatory ICS cyber defense principles and not interfere in any way with the control process. Organizations which employ a high-level Security Information and Event Management (SIEM) system will benefit from receiving classified log files, and consequently cyber-attack detection will be faster and more reliable. If the ICS operating the nuclear plant in Natanz, Iran (Stuxnet, 2010) had employed such a system, they could have detected logs pointing to irregular HMI displays.

Enhanced supervising of privileged accounts

Successful cyber-attacks in most cases involve spoofing of privileged accounts, typically those used by administrators. Therefore, privileged accounts deserve special and stronger defense methods for preventing identity spoofing and consequently unauthorized access to protected system zones.

These special security measures must prevent unauthorized access to remotely installed subsystems, record all network-communication related transactions and block other malicious actions. The attack on Target stores was probably possible because the HVAC service provider failed to strongly protect their privileged account.

Tight access control and the use of standard IT defense devices at remote ICS sites shall determine who can access the remote site, with which computerized tool (laptop), when (time slot) and for what purpose (specific device). With these cyber defense measures in place, detecting a critical command such as deleting a directory, transferring files to an external user or attempting to reconfigure the firewall at that remote site triggers an instant alert to high-level supervision such as the SIEM or the Security Operations Center (SOC).

Minimizing risks caused by humans

Organizations must realistically and equally consider the risks to both IT and ICS architectures resulting from external attackers or malicious insiders. Since attackers are no longer private hacktivists acting for fun but experts financed by crime groups and hostile countries, their attacks are carried out using advanced technologies. It is important to realize that anonymous insiders (possibly your own employees) who are willing to hurt their organization are on many occasions a step ahead of the defense methods.

In addition to the deployment of IT defense measures, cyber defense for ICS operations must focus on the following threats:

  • Unusual or abnormal operation or system condition caused by a hardware failure or a software bug.
  • Deviation from normal operation caused by an error made by an authorized person due to a human mistake.
  • Operation outage or damage to equipment caused by external or internal intervention in the ICS.

Internally generated cyber-attacks on ICS initiated by insiders take advantage of known vulnerabilities caused by insufficiently secured architecture, negligent human behavior, previously detected (but not fixed) bugs and temporarily disabled defense measures, which allow unauthorized access to the system.

Therefore, specifically for ICS, more advanced measures are needed which also concentrate on detecting unusual actions such as access to a specific library, download of files, and modifications to the system setup, whether caused by an employee's mistake or by an attack. Deployed human behavior tracking tools may deliver stronger defense than standard passive technologies and support both the IT and the ICS.
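The remote-site access checks (who, which laptop, which time slot, which device) and the critical-command and unusual-action detection described above, as an added example that is not from the article: it runs an assumed per-account policy and a constructed set of critical-command patterns over constructed time-stamped records and returns the alerts a SIEM or SOC would receive.

```python
import re
from datetime import datetime

# Constructed policy (assumption): each privileged account is bound to one laptop, one time slot (hours) and one device.
POLICY = {
    "admin-hvac": {"tool": "LAPTOP-017", "window": (8, 18), "device": "PLC-12"},
}

# The critical actions the article names; the command patterns are constructed.
CRITICAL = [
    ("delete_directory", re.compile(r"\b(rm -rf|rmdir|del /s)\b")),
    ("external_transfer", re.compile(r"\b(scp|sftp|curl -T)\b.*@(?!10\.|192\.168\.)")),
    ("firewall_change", re.compile(r"\b(iptables|ufw|firewall-cmd)\b")),
]

# Assumed layout of the time-stamped records the remote site forwards to the SIEM.
RECORD = re.compile(r"^(\S+) site=(\S+) user=(\S+) tool=(\S+) device=(\S+) cmd=(.*)$")

def analyze(log_lines):
    """Return (timestamp, user, reason) alerts for policy violations and critical commands."""
    alerts = []
    for raw in log_lines:
        m = RECORD.match(raw)
        if not m:
            alerts.append(("?", "?", "unparsable_record"))
            continue
        ts, _site, user, tool, device, cmd = m.groups()
        rule = POLICY.get(user)
        if rule is None:
            alerts.append((ts, user, "unknown_privileged_account"))
        else:  # who, by which tool, when, and for which device
            hour = datetime.fromisoformat(ts).hour
            if tool != rule["tool"]:
                alerts.append((ts, user, "wrong_tool:" + tool))
            if not rule["window"][0] <= hour < rule["window"][1]:
                alerts.append((ts, user, "outside_time_slot"))
            if device != rule["device"]:
                alerts.append((ts, user, "wrong_device:" + device))
        for name, pattern in CRITICAL:  # flagged regardless of who issued the command
            if pattern.search(cmd):
                alerts.append((ts, user, "critical_command:" + name))
    return alerts

# Constructed sample records from one remote site (not real logs).
SAMPLE_LOG = [
    "2024-03-05T09:15:00 site=pump-station-3 user=admin-hvac tool=LAPTOP-017 device=PLC-12 cmd=read_tags",
    "2024-03-05T23:40:00 site=pump-station-3 user=admin-hvac tool=LAPTOP-017 device=PLC-12 cmd=read_tags",
    "2024-03-05T10:02:00 site=pump-station-3 user=admin-hvac tool=LAPTOP-099 device=PLC-12 cmd=rm -rf /var/log/hmi",
    "2024-03-05T10:05:00 site=pump-station-3 user=admin-hvac tool=LAPTOP-017 device=FW-01 cmd=iptables -F",
    "2024-03-05T11:00:00 site=pump-station-3 user=svc-unknown tool=LAPTOP-017 device=PLC-12 cmd=scp hist.csv ops@203.0.113.9:/tmp",
]
```

Running `analyze(SAMPLE_LOG)` yields seven alerts (the in-policy first record produces none); in practice the tuples would be forwarded to the SIEM or SOC over the encrypted channel the article calls for.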


We learn every day about new Advanced Persistent Threats (APT) and zero-day attacks, people intending to cause sabotage, damage caused by failures and new variants of malware capable of bypassing cyber defenses. Operators of critical infrastructure already know that there is no single solution (no silver bullet); therefore cyber defense experts shall seriously consider deploying several defense measures operating in parallel, which together deliver a truly strong cyber defense for the ICS.

This approach provides customized and adapted Critical Infrastructure Protection (CIP) and assures Safety, Reliability and adequate Productivity. Effective deployment and timely maintenance of security measures is mandatory and shall be an integrated component of the Cyber Defense Preparedness Program of every industrial plant, utility operation and other critical infrastructure.