ICS Networks: Three Major Security Pitfalls | Automation.com

ICS Networks: Three Major Security Pitfalls

ICS Networks: Three Major Security Pitfalls

By Barak Perelman, CEO, Indegy

The emergence of cyber-threats is forcing industrial sectors to take a long, hard look at how they protect their control systems. Industrial control System (ICS) networks pose unique challenges to security professionals, primarily because they are unlike traditional IT networks.

Built decades before cyber threats existed, these networks were not designed with security in mind. For years they were isolated, disconnected from the internet and the outside world by an ‘air-gap’. As a result, there was no need to develop the security controls we’ve grown accustomed to in IT networks. This reality is now changing due to the growing adoption of connected technologies (IIOT, Industry 4.0) and emergence of external and internal cyber-threats.

Protecting ICS networks is primarily a visibility and security challenge, which requires overcoming three main pitfalls:

  • Absence of an accurate asset inventory
  • Inadequate monitoring  capabilities
  • Lack of change management and security policy enforcement.

Let’s consider each of these challenges.

Do you know which assets need to be protected?

In order to protect ICS networks we first need to understand what technologies these networks consist of and how they operate. Unfortunately, in most industrial networks there is no automated process to ensure an up-to-date asset inventory exists at all times. In some organizations manual processes are used, i.e. an employee is responsible to keep an up-to-date spreadsheet. This approach not only leads to employee burnout, but is also inaccurate and error prone.

Without fully understanding which critical assets exist in the network, facilities operators cannot protect them. This is especially true when it comes to industrial controllers (PLCs, TRUs, DCSs, etc.). These industrial controllers are proprietary computers, provided by specialized OT (operational technologies) vendors, are responsible for managing the entire lifecycle of industrial processes. Securing these devices requires accurate knowledge of the firmware they are running, the code and logic are they executing and their current configuration. Any change to controller firmware, logic or configuration can cause operational disruptions.

An automated asset management system ensures all existing assets are known and accounted for. Since most ICS networks were deployed decades ago, it is commonplace for some assets to forgotten about. It also helps identify rogue assets if such appear on the network, while providing an important baseline for monitoring changes.

Can you monitor access and changes to critical assets?

The second major challenge to securing ICS networks is establishing visibility into activities that can impact the safety and reliability of critical assets. This is difficult because several different communication protocols are used in ICS networks. Standard protocols, like Modbus and DNP3 are used by HMI/SCADA applications to exchange physical measurements and process parameters (i.e. temperatures, pressure, etc.) with the I/Os.

Meanwhile, to execute control-layer activities (i.e. configure controllers, update their logic, make code changes or download firmware) a different set of protocols are used. These are proprietary, vendor-specific implementations of the IEC-61131 standard for Programmable Controllers. Since each OT vendor uses their own protocol, many of which undocumented, it is very difficult to monitor control-layer activity and logic changes. This is one of the primary reasons why IT network monitoring solutions are inadequate for ICS environments.
In addition to network access, it is important to monitor any changes made directly on the physical devices. This is very common in ICS networks, since integrators and third party contractors often work on site and make changes directly on these devices. Since there is no event log or audit trail, it is impossible to know what changes are being made.

This is a serious blind spot. Unauthorized control layer changes, whether resulting from human error, disgruntled insiders or cyber attacks, can cause operational disruptions and result in physical damage. Since there is no standard way to monitor these control-layer activity, changes often go unnoticed until damage starts to occur. Monitoring and keeping a comprehensive event log of this activity allows operators to trace down the source of disruptions and mitigate problems before they escalate.

Can you prevent unauthorized access and changes?

The last major security pitfall of ICS networks is the inability to enforce change management and security policies. Insiders have unfettered access to ICS networks and their critical assets. Without controls to prevent or alert on unauthorized access or changes, anyone inside the network can access any asset and change its configuration - whether it is an adversary that has breached the network, malware or an employee/contractor that makes unauthorized changes, intentionally or unintentionally.

To address these ICS security pitfalls new, purpose-built tools are required that can provide the visibility and control to monitor, detect and respond to threats as they occur.

About the author 

Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.

Did you Enjoy this Article?

Check out our free e-newsletters
to read more great articles.

Subscribe Now
Back to top
Posted in:
Related Portals:
Cybersecurity, Industrial Networks