The Era of Mass Connectivity: Why Industry Cannot Neglect ICS Network Infrastructure

The Era of Mass Connectivity: Why Industry Cannot Neglect ICS Network Infrastructure

By Loney Crist, Vice President of Engineering, NexDefense

Historically isolated, both physically and virtually, industrial control systems (ICS) were designed to last for upwards of four decades and independently perform the same function for the entirety of their lifecycles. With safety and reliability as the top two priorities for owners and operators of these critical systems, the majority of resources were given to the mechanics and operations personnel who needed to fulfill the 24/7/365 productivity objectives. In doing so, little thought was given to the ICS network infrastructure, because the networks were so simple and straightforward. Following the advent of the Internet, however, and the proliferation of inclusive connectivity that would follow, much has changed.

Today’s ICS networks still generate our power and water, move people and make the products we demand; yet, they have become complex intra- and inter-connected systems that are no longer as simple and straightforward as their original design intended them to be. Despite subtle changes to infrastructure and systems over many years, the emergence of connected systems and the Industrial Internet (also known as Industry 4.0 or the Connected Factory) have outpaced the deviations in design and operations.

As a result, many industrial organizations haven’t fully kept pace with the rate and significance of their evolving systems, causing some to argue that today’s risks to ICS are in large part due to years of network infrastructure neglect.

An Overview: The Internet Protocol & Control Systems

Unlike the control processes of yesteryear, automated systems and assets that serve countries, customers and companies are now largely connected internally and externally using the world’s most open and popular communication protocol ever: the Internet Protocol (IP). This de facto standard defines the uniform creation and routing practices of network packets, or the digital payloads containing key information used to move data from point-to-point or halfway around the world via the Internet.

Similarly, Ethernet helps devices exchange information while also enabling small, medium and large systems to interact. Its acceptance in automation systems has led to tremendous flexibility in how and where information flows both inside the system and outside of the control environment. Additionally, increased connections means communication routes can be controlled, but it also means such control can be quite complex. When configured properly, the way information flows within a control system is efficient, delivering just the right amount of necessary services to run an operation. When misconfigured, or when complexity leads to unforeseen challenges, vulnerabilities to the system surface and threat actors motivated to exploit these opportunities introduce never-before-seen attack techniques against the ICS network.

The most recently confirmed ICS-related cyber attack took place in Ukraine, where coordinated and intentional attacks against multiple regional power companies resulted in more than 80,000 customers without power for 3-6 hours. Unraveling all of the details in the events leading up to and after the attack may never be complete, but what is known is that the actual attack was perpetrated through a combination of social engineering and a remote connection that allowed IP communications to reach the control systems running the power companies’ mission-critical systems.

Convergence Killed the ‘Air Gap’

As evidenced by the attack on the Ukrainian power system and other events, industrial systems are at risk from adversaries seeking to disrupt, damage or even potentially cause destruction. This ‘new normal’ has spurred many organizations to invest in cyber protection on corporate networks through the use of firewalls, antivirus and endpoint security. Unfortunately, many of these programs neglect to include ICS specifications, production and ongoing operations.

Some forward-thinking ICS owners and operators, however, did build disconnected systems, focusing on the concept of a creating an “air gap” to ensure a clear boundary between their control networks and their enterprise or remote services. This means that their network is physically isolated from unsecure networks and devices such as the internet or systems connected to the internet.

While well-intentioned, the efforts that go into building and maintaining air gaps are impractical, and unanimously viewed by security experts as misguided, since every control system requires human interaction for troubleshooting, maintenance, updates, and regulatory and compliance purposes.

As any automation worker knows, remote access capabilities are largely essential to the operation of most every critical system in use today, and maintenance and support functions are unavoidable. Thus: convergence killed the air gap. Even in the most highly protected systems, any designed-in air gap is eventually bridged and becomes nothing more than a meaningless representation of an unattainable ideal, not a reflection of how a system operates or is maintained.

A recent cybersecurity assessment published by SnohomishPublic Utility District (SnoPUD) is a prime example of how ‘convergence killed the air gap.’ As the largest public utility in the state of Washington, the facility invested heavily in security on the corporate network to presumably prevent adversaries from gaining access to their ICS network. Despite the robust corporate security and NERC CIP compliance, assessors were able to gain access to the ICS network within 22 minutes – and once that task was accomplished, they found absolutely zero security tools in place. 

Unintended Consequences of IT/OT Convergence

Within industry, IT professionals have accelerated convergence by attaching advanced technology to the edges of legacy control systems to facilitate two-way data exchange and, in some cases, reach even deeper into the ICS network infrastructure to manage network appliances and location of the systems. Yet, in most all cases, IT resources do not play an active role in the daily management of an OT environment. In contrast, some IT engineers are brought into a production environment to perform much like a contractor – adding their technology, configuring portion of the network system and then leaving the long-term responsibility to the controls engineers and technicians. In addition, because they did not play a role in the configuration, many traditional OT professionals do not realize the risks that IT brings to their network infrastructure. 

Recognizing the vast attack landscape and vulnerabilities that have surfaced as a result of IT/OT network convergence, control systems have become an attractive opportunity for adversaries. Unfortunately, such risks will continue to increase significantly, only exacerbated by the skills shortage in managing risks and protecting systems from cyber attacks.

Complicating matters is the importance and multiplicity of benefits of a connected network infrastructure, even though individuals with malicious intent are increasingly focused on penetrating these networks. Reasons for doing vary, such as to establish a capability to gain control of the systems and their assets in the future to affect operation and those relying on the safety and availability of these systems nearly every moment of every day.

Mitigating Risk Requires a Culture of Proactivity

Knowing that 1) ICS infrastructures evolve, 2) increased connectivity leads to greater risks, and 3) the air gap is nothing more than a myth, are the first steps in establishing a firm grip on the realistic cybersecurity challenges facing today’s ICS and SCADA systems. Still, merely recognizing these challenges without knowing precisely how to reduce risks threatens the safety and reliability of operations.

For organizations, even those with a propensity to pay attention and address risk, these first steps can still be difficult. Building a clear understanding of how a system is operating, identifying access points and communications within and between systems, and contrasting normal and abnormal behavior can quickly aid companies in developing a plan to address their security program development and execution.

While the inclination, although difficult, might be to integrate ICS security into current risk and risk management plans, the evolving threat landscape requires owners and operators to build a fully developed ICS security strategy. In addition, industry must consider cybersecurity that goes beyond compliance; specifically, implementing solutions that were purpose-built for ICS environments. The most reputable organizations currently invest heavily in IT network protections and meet compliance, yet still find themselves vulnerable to cyber threats without adequate visibility into their ICS network, nor any true understanding of how information actually moves inside and in between systems.

As networks and systems within critical infrastructure continue to connect to the internet, there’s an interdependence of IT and OT functions communicating on the same wire. With so much activity on the same network and many aspects of the system being mission-critical, organizations need to be able to track what is considered normal operations in order to determine what is abnormal, accidental or potentially malicious. For the safety and security of industry, each organization must come to fully understand risks, identify threats to reliable operation and develop a comprehensive ICS security program.

In doing so, they will have taken their ICS network for granted no more.

About the Author

Loney is the vice president of engineering at NexDefense, a leading provider of cybersecurity for industrial control systems. With over 25 years in the software industry, Loney is a recognized expert in product development, computer and network security, and high-performance applications. His experience also includes successfully building SCADA, IPS, IDS, VM and cloud based software products.