Secure Industrial Control Systems with Configuration Control

Industrial control systems (ICSs), sometimes referred to as operational technology (OT), are the workhorses of manufacturing and critical infrastructure. They control processes for continuous production (e.g., electricity) and unit production (e.g., automobiles). Industrial control systems have been in use for more than 50 years, but in that time the operating paradigm has changed in ways that make OT-specific cybersecurity necessary.

In this article, we will examine:

  • the evolving OT environment

  • types of security threats

  • configuration control and how it secures ICSs.


OT environments evolve

OT environments consist of programmable logic controllers (PLCs), distributed control systems, human-machine interfaces (HMIs), and much more. At one time, air gapping, the physical sequestering of OT systems, was the single most effective security measure protecting OT environments from attacks, cyber-exposure, and miscreants. Traditionally, an air-gapped OT operation was viewed as the gold standard for industrial and critical infrastructure environments. Operating as a “closed loop” without any interfaces to the outside world, the OT infrastructure was physically sequestered from every external environment. With no data traveling out and nothing coming in, this buffer was viewed as the ultimate method of securing an organization against security threats.

While the notion of air gapping is simple enough, today it is extremely difficult to maintain. Simply cutting network connections as the sole method of securing an environment is no longer practical, and there are many other paths into what is supposedly an isolated infrastructure. Over the years, researchers have demonstrated covert channels that cross an air gap, including FM radio signals from a computer to a mobile phone, thermal channels between adjacent air-gapped computers, abuse of cellular frequencies, and near-field communication (NFC) channels. Even LED light pulses from OT equipment have been used to expose critical systems to malicious activity. These exotic channels aside, the IT/OT convergence described next opens far more ordinary paths.

With the erosion of air gapping increasing the attack surface, organizations need new security methods that capture the benefits of convergence without exposing them to unacceptable risk. Convergence can create new attack vectors and attack surfaces; it can result in breaches that start on one side of the converged infrastructure and move laterally to the other, from IT to OT and vice versa.

Threats that impact OT operations are not the same as those that impact IT environments; thus the required security tools and operating policies are different. Deploying the right ones lets an organization harness the benefits of a converged operation without increasing its security exposure. Organizations should establish a carefully planned strategy before any convergence initiative, rather than bolting on security as an afterthought.


Attacks abound

Over the past decade, coinciding with the evolution of OT environments, there has been a steady increase in ICS attacks. Attacks may be financially motivated, as in the case of ransomware, but there are also attacks that foreign governments and rogue factions architect to gain “red-button functionality,” the ability to launch a cyberwar at a time of the attacker’s choosing.

This is particularly concerning for critical infrastructure and manufacturing processes that society cannot live without.

While attacks continue to evolve, the last three years show that attackers increasingly and diligently perform reconnaissance to specifically target OT systems, finding the “weak link in the chain” to gain unfettered access to highly sensitive systems. This includes attacks that compromise IT and then move laterally into OT systems, or vice versa. Other attacks gain a foothold through an IoT device and progress laterally through the system to take complete control, sometimes entirely undetected.


Targeting the brains of OT

The core of any OT infrastructure is the programmable logic controller. As its name implies, a PLC controls the industrial or manufacturing process. It tells robotic arms how to fabricate units (like an automobile) or defines how to transfer load to meet demand (as in an electricity generating plant). Defeating a PLC gives an attacker complete control over operations, which is why PLCs are the prime target of OT attacks and incursions.

There are many types of programming changes bad actors can make to PLCs, including:

  • adding unauthorized commands and processes
  • deleting/ignoring a manufacturing or production process command
  • speeding up or slowing down a process or activity
  • changing upper or lower tolerance thresholds
  • changing a process value
  • creating an unsustainable process that results in damage and shutdown
  • gaining ownership of the process or facility
  • making changes to the operation of the PLC while masking the change.

Historical attacks on the PLC have changed settings that alter processes such as:

  • RPM speed
  • actuator operation
  • pressure valve level
  • ingredient mixtures
  • crane operation
  • HVAC controls
  • robotic operations
  • assembly lines
  • wastewater operations


Sources of unauthorized activity

In virtually every environment, some programming changes to PLCs are completely normal. New manufacturing runs, new models, or changes to formulations are all legitimate reasons for authorized administrators to change PLC programming.

Attacks on industrial control systems ultimately come down to an unauthorized change to a PLC. We typically think of an attack as something an outside actor initiates, but there are times when an authorized “insider” changes a PLC. An insider threat can stem from malicious intent; however, the vast majority of damage insiders cause is accidental. The common thread, whether the change came from outside or inside and whether it was malicious or accidental, is that the results can be equally disruptive and devastating. This is where configuration control helps.


Configuration control: Protecting OT environments

OT security, by definition, protects industrial networks from cybersecurity threats, malicious insiders, and human error. It identifies and protects OT environments against cyber-exposure and threats, and it ensures operational safety and reliability.

Configuration control records a snapshot of a controller’s configuration, creating a paper trail that highlights the delta before and after a PLC change. Taking snapshots at regular intervals gives visibility into what changed; pairing those snapshots with monitoring of the engineering traffic that made the change adds how it was made and who made it.

Configuration control should provide a full audit trail and give ICS administrators the intelligence, insight, and ability to roll back to a “last known good state” if someone makes suboptimal or unauthorized changes to a PLC.


Key functionality

Configuration control should capture and track change details and insights from the following sources:

a. Track remote changes by identifying every remote interaction that alters a controller’s configuration, with detailed activity records.

b. Identify local changes by detecting and tracking changes made directly at the controller, as often happens in ICS environments. Such changes never cross the monitored network, so they can only be detected by querying the controller and comparing its current configuration against a known baseline.

c. Maintain version control by giving access to complete controller code snapshots, with a detailed history of ladder logic, firmware versions, backplane hardware configuration, and more.

With configuration control, you can track malware- and user-executed changes, whether made over the network or directly on a device. In addition to real-time tracking, administrators can access a full history of device configuration changes over time, down to specific ladder-logic segments, diagnostic buffers, tag tables, and more. This enables authorized personnel to designate a backup snapshot as the “last known good state” for faster recovery and for compliance with industry regulations.


Operationalizing configuration control

Finding the right combination of functionality and ease of use, so that every change is tracked without impacting operations or efficiency, can be difficult. A solution should include the following capabilities:

a. Automatic change tracking: A deep packet inspection engine analyzes and tracks every communication with industrial controllers. The system should analyze engineering workstation commands sent over your network in real time to extract the full context of each activity, including commands that instruct firmware changes, code updates, SFC and I/O forcing, and writes to setpoints. It should capture and store the source, type, and other activity details, down to the tag or changed code block, and alert on activities that violate organizational policies.

b. Controller baselining and versioning: Sets a baseline configuration against which changes are compared, while tracking all code versions for quicker incident response. This involves extracting, backing up, and storing code snapshots. With that information you can compare versions down to the rung, routine, or code block level, depending on the programming language. The user can designate a specific code version as the baseline and receive alerts upon any change.

c. Full controller code verification: Nonintrusive, periodic device integrity checks verify controller code and configuration. This is typically performed through active querying, which lets authorized personnel periodically query controllers for their code and configuration for change management. It identifies changes to each controller’s metadata and backplane, including firmware versions and configuration details, as well as changes in the code and critical memory segments. The frequency and timing of verification should be fully user configurable, with the option to run the checks automatically or manually.

d. Event-triggered snapshots: Snapshotting automatically and comprehensively captures configuration details in response to specific network activity. Upon detecting predefined communications with, or operations on, an industrial controller, configuration control automatically extracts the most up-to-date configuration from that controller. The snapshot then serves as a reference for any subsequent restore operation. Triggers can be configured for specific times or activities.
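The following is an added example, not code from this article or from any vendor product, that models the pipeline described under “Key functionality” and in capabilities a through d above: baseline a controller, diff snapshots down to the rung and tag, alert on an engineering command that violates policy, take an event-triggered snapshot, and roll back to the last known good state. The snapshot layout (firmware, backplane, routines of rungs, tags), the set of configuration-changing operations, the policy fields, the controller “PLC-01” and its program are all constructed for the example; a real deployment would obtain the decoded command from a protocol-aware DPI engine and the snapshot from the controller itself.

```python
"""Configuration control for a PLC, modelled end to end: baseline the
controller, diff snapshots down to the rung and tag, take a snapshot when
an engineering command is seen on the wire, alert on policy violations,
and roll back to the last known good state."""
import copy
from dataclasses import dataclass

# Snapshot layout is an assumption of this example: metadata plus the
# controller program split into named routines, each a list of rungs.
def make_snapshot(firmware, backplane, routines, tags):
    return {"firmware": firmware, "backplane": list(backplane),
            "routines": {r: list(rungs) for r, rungs in routines.items()},
            "tags": dict(tags)}

def diff_snapshots(base, cur):
    """Return (category, location, before, after) for every difference."""
    changes = []
    if base["firmware"] != cur["firmware"]:
        changes.append(("firmware", "-", base["firmware"], cur["firmware"]))
    if base["backplane"] != cur["backplane"]:
        changes.append(("backplane", "-", base["backplane"], cur["backplane"]))
    for name in sorted(set(base["routines"]) | set(cur["routines"])):
        b, c = base["routines"].get(name), cur["routines"].get(name)
        if b is None or c is None:            # routine added or deleted
            changes.append(("routine", name, b, c))
            continue
        for i in range(max(len(b), len(c))):  # rung-level comparison
            br = b[i] if i < len(b) else None
            cr = c[i] if i < len(c) else None
            if br != cr:
                changes.append(("rung", f"{name}[{i}]", br, cr))
    for tag in sorted(set(base["tags"]) | set(cur["tags"])):
        if base["tags"].get(tag) != cur["tags"].get(tag):
            changes.append(("tag", tag, base["tags"].get(tag), cur["tags"].get(tag)))
    return changes

@dataclass
class Policy:
    engineering_workstations: set   # hosts allowed to program controllers
    maintenance_window: bool        # True while changes are expected

# Operations a DPI engine would flag as configuration-changing (assumed set).
CONFIG_CHANGING_OPS = {"program_download", "firmware_update", "io_force", "setpoint_write"}

class ConfigControl:
    def __init__(self, policy, fetch_config):
        self.policy = policy
        self.fetch_config = fetch_config  # active query: controller -> snapshot
        self.baseline, self.history, self.alerts = {}, {}, []

    def set_baseline(self, controller):
        snap = self.fetch_config(controller)
        self.baseline[controller] = copy.deepcopy(snap)
        self.history[controller] = [copy.deepcopy(snap)]   # version 1
        return snap

    def verify(self, controller):
        """Periodic integrity check: query the controller, diff against the
        baseline, and keep every changed configuration as a new version."""
        cur = self.fetch_config(controller)
        changes = diff_snapshots(self.baseline[controller], cur)
        if changes:
            self.history[controller].append(copy.deepcopy(cur))
        return changes

    def on_event(self, event):
        """One decoded engineering-workstation command (what a DPI engine would
        hand over). Alerts on policy violations and triggers a snapshot."""
        if event["op"] not in CONFIG_CHANGING_OPS:
            return []
        reasons = []
        if event["src"] not in self.policy.engineering_workstations:
            reasons.append("source is not an approved engineering workstation")
        if not self.policy.maintenance_window:
            reasons.append("change outside maintenance window")
        for r in reasons:
            self.alerts.append(f"{event['src']} -> {event['dst']} {event['op']} "
                               f"on {event.get('target', '-')}: {r}")
        return self.verify(event["dst"])   # event-triggered snapshot and diff

    def last_known_good(self, controller):
        return copy.deepcopy(self.baseline[controller])

# Constructed controller state standing in for a live PLC (example data only).
CONTROLLERS = {"PLC-01": make_snapshot(
    firmware="20.11", backplane=["1756-L71", "1756-IB16", "1756-OB16"],
    routines={"Main": ["XIC Start OTE Run", "XIC Run OTE Mixer_On"],
              "Mixer": ["XIC Mixer_On MOV 1500 Mixer_RPM",
                        "GRT Mixer_RPM MaxRPM OTE Fault"]},
    tags={"MaxRPM": 1500, "MixTime_s": 120})}

def fetch_config(controller):
    return copy.deepcopy(CONTROLLERS[controller])

def run_demo():
    cc = ConfigControl(Policy({"10.0.1.10"}, maintenance_window=False), fetch_config)
    cc.set_baseline("PLC-01")
    clean = cc.verify("PLC-01")                    # no drift yet
    # Simulated unauthorized change: a raised speed limit and an edited rung.
    CONTROLLERS["PLC-01"]["tags"]["MaxRPM"] = 2400
    CONTROLLERS["PLC-01"]["routines"]["Mixer"][0] = "XIC Mixer_On MOV 2400 Mixer_RPM"
    changes = cc.on_event({"src": "10.0.5.77", "dst": "PLC-01",
                           "op": "setpoint_write", "target": "MaxRPM"})
    CONTROLLERS["PLC-01"] = cc.last_known_good("PLC-01")   # roll back
    return {"clean": clean, "changes": changes, "alerts": list(cc.alerts),
            "after_rollback": cc.verify("PLC-01"),
            "versions": len(cc.history["PLC-01"])}

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two design points matter in practice. The event hook alerts on the wire-level command but does not trust it: it always re-reads the controller and diffs, so a local change made with a directly connected laptop (which the DPI engine never sees) is still caught by the periodic `verify` call. Rollback restores the baseline rather than the most recent version, because the most recent version may itself be the attacker’s change.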

As industrial processes get more complex, manually managing code and configuration changes on controllers becomes virtually impossible. Should the worst happen, having the last known good configuration of every industrial device is paramount. Effective backup and recovery requires reliable tracking and control of all hardware and configuration changes. For more information on OT security, see the Industrial Cybersecurity eBook.

This article comes from the Ebook Automation 2021: OT/ICS Cybersecurity.

About The Author


Michael Rothschild is the senior director of OT solutions at Tenable. With more than 20 years of security experience, he is a past professor of marketing and has published a number of works on the topic. He currently occupies an advisory board seat at Rutgers University and Ithaca College.
