A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. That is, a typical ICS component must have the capability to exchange information with both IT and OT systems across designated network or system interfaces. This is different from traditional industrial devices like heat pumps, actuators, and motors that were previously only accessed and controlled by OT systems, usually either analog or electro-mechanical.
So, today the existence of two access points for devices represents one of the primary vulnerabilities in OT/ICS infrastructure, and prompts the general strategy that malicious actors tend to follow. That is, conventional IT hacking tools and techniques would be typically used to first achieve sufficient proximity to the ICS component. Using this proximity, the attack would then attempt to either subvert OT control, or the device directly.
IT attack paths to gain proximity to OT/ICS target
The term SCADA refers to the supervisory control and data acquisition functions that exist at Level 2 of the Purdue model, and that are the essence of this IT/OT interface. Because of this attack path vulnerability, cyber security experts have increasing focused on demanding improved security features SCADA software, which is much easier for new control functions, than for legacy SCADA systems that might have been in place for many years. These experts recognize though, that no matter how many security features are built into OT software, all software has bugs and other residual vulnerabilities.
The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. Unlike some purely technical debates where issues of cost, functionality, or standards might be considered, when SCADA systems are hacked the consequences can include the following types of potential types of severe impact:
- Industrial Control System Hijacking – The remote-control safety-critical or reliability-critical OT system in an industrial control setting could be hijacked by criminals, terrorists, or aggressive military groups.
- Vital Telemetry Interference – Important information beaconed from an OT system regarding possible safety or equipment-damaging conditions in an industrial control system might be blocked or interfered with.
- Critical OT System Unavailability – The accessibility and availability of OT systems might be blocked or degraded, which could have real-time consequences if that target system is required for essential control of physical operations.
In many environments, the primary functional control separating IT and OT systems is the physical bus on some computing element. Using only software to drive such security separation is never recommended for any critical infrastructure component. For example, an automobile should never connect IT services such as WiFi and entertainment to the same physical bus as control services such as engine diagnostics and safety management.
Carrying this vulnerability further, the more general requirement is that IT and OT systems would be best configured to never share any functionality that can be remotely accessed. This creates that lifeline path hackers seek to gain access via routine, conventional means, and to then use this access to cross that shared path to the targeted OT device or system. This strategy is both effective and clearly demonstrated in practice.
In 2015, two security investigators from the University of San Diego demonstrated malicious remote control of the brakes in a Corvette vehicle by accessing the on-board diagnostic dongle located under the driver’s side dashboard. The use-case they cited was that someone might be sitting in your car, could plug into the diagnostic dongle, and then use that remote access later to perform the hack on other systems – including brakes.
Perhaps more shockingly, two well-known researchers, Charlie Miller and Chris Valasek, demonstrated, also in 2015, the ability to exploit a zero-day software vulnerability to access a moving Jeep on a live highway from their laptop, without ever having physical access to the target vehicle. The attackers used this remote access to send commands through the vehicle’s entertainment system to its dashboard capabilities, which included the brakes, steering, windshield wipers, air conditioning, and other functions.
In each case – and this is clearly not limited to automobiles, the primary vulnerability involves shared access between remotely accessible features and mission-critical functions. This is a fatal problem in OT/ICS infrastructure, because hacks can often occur in the presence of proper network security controls. By connecting critical and non-critical components across shared mechanisms such as the well-known CANbus on many OT systems, hackers are given a path to remote control.
Remote exploit across shared device bus
The solution to this problem lies first in establishing proper security separation requirements for industrial control system devices, as well as any other Internet of Things (IoT) component that might produce unwanted consequences if hacked. Separation needs to become a mandatory functional requirement embedded in the design process, enforced during development, and consistently audited before and after deployment.
Separation is best achieved using flow control mechanisms that can ensure complete avoidance of malware transferal from untrusted systems to critical infrastructure. This can be implemented using gateways that implement physical separation and one-way communication mechanisms. This technique, known as a unidirectional gateway, will be highlighted investigated further in a subsequent article.
Articles in this series
- Article One Provides an overview of the OT landscape, including an outline of the influential Purdue model
- Article Two offers an insight into how hackers have had success to date breaking into operational systems
- Article Three outlines the SCADA vulnerabilities associated with typical industrial control system architectures
- Article Four covers how innovations such as unidirectional gateways can be used to separate industrial networks from Internet-exposed IT networks
- Article Five provides a glimpse into the future of OT and SCADA systems in critical infrastructure.
The insights offered in these articles are intended to provide guidance for both traditional IT security experts, as well as OT engineers who might be new to cyber protection solutions. The optimal staff arrangement in any OT/ICS environment would optimize the OT experience and expertise of the engineers with the cyber security insights of the traditional enterprise IT security expert. These articles are intended to help both types of expert.
Contributing author: Andrew Ginter, Vice President of Industrial Security at Waterfall Security.