The Era of Mass Connectivity: Why Industry Cannot Neglect ICS Network Infrastructure
By Loney Crist, Vice President of Engineering, NexDefense
Historically isolated, both physically and virtually, industrial control systems (ICS) were designed to last for upwards of four decades and independently perform the same function for the entirety of their lifecycles. With safety and reliability as the top two priorities for owners and operators of these critical systems, the majority of resources were given to the mechanics and operations personnel who needed to fulfill the 24/7/365 productivity objectives. In doing so, little thought was given to the ICS network infrastructure, because the networks were so simple and straightforward. Following the advent of the Internet, however, and the proliferation of inclusive connectivity that would follow, much has changed.
Today’s ICS networks still generate our power and water, move people and make the products we demand; yet, they have become complex intra- and inter-connected systems that are no longer as simple and straightforward as their original design intended them to be. Despite subtle changes to infrastructure and systems over many years, the emergence of connected systems and the Industrial Internet (also known as Industry 4.0 or the Connected Factory) have outpaced the deviations in design and operations.
As a result, many industrial organizations haven’t fully kept pace with the rate and significance of their evolving systems, causing some to argue that today’s risks to ICS are in large part due to years of network infrastructure neglect.
An Overview: The Internet Protocol & Control Systems
Unlike the control processes of yesteryear, automated systems and assets that serve countries, customers and companies are now largely connected internally and externally using the world’s most open and popular communication protocol ever: the Internet Protocol (IP). This de facto standard defines the uniform creation and routing practices of network packets, or the digital payloads containing key information used to move data from point-to-point or halfway around the world via the Internet.
Similarly, Ethernet helps devices exchange information while also enabling small, medium and large systems to interact. Its acceptance in automation systems has led to tremendous flexibility in how and where information flows both inside the system and outside of the control environment. Additionally, increased connections mean communication routes can be controlled, but also that such control can be quite complex. When configured properly, the way information flows within a control system is efficient, delivering just the right amount of necessary services to run an operation. When misconfigured, or when complexity leads to unforeseen challenges, vulnerabilities to the system surface and threat actors motivated to exploit these opportunities introduce never-before-seen attack techniques against the ICS network.
The most recently confirmed ICS-related cyber attack took place in Ukraine, where coordinated and intentional attacks against multiple regional power companies resulted in more than 80,000 customers without power for 3-6 hours. Unraveling all of the details in the events leading up to and after the attack may never be complete, but what is known is that the actual attack was perpetrated through a combination of social engineering and a remote connection that allowed IP communications to reach the control systems running the power companies’ mission-critical systems.
Convergence Killed the ‘Air Gap’
As evidenced by the attack on the Ukrainian power system and other events, industrial systems are at risk from adversaries seeking to disrupt, damage or even potentially cause destruction. This ‘new normal’ has spurred many organizations to invest in cyber protection on corporate networks through the use of firewalls, antivirus and endpoint security. Unfortunately, many of these programs neglect to include ICS specifications, production and ongoing operations.
Some forward-thinking ICS owners and operators, however, did build disconnected systems, focusing on the concept of creating an “air gap” to ensure a clear boundary between their control networks and their enterprise or remote services. This means that their network is physically isolated from unsecured networks and devices such as the internet or systems connected to the internet.
While well-intentioned, the efforts that go into building and maintaining air gaps are impractical, and unanimously viewed by security experts as misguided, since every control system requires human interaction for troubleshooting, maintenance, updates, and regulatory and compliance purposes.
As any automation worker knows, remote access capabilities are largely essential to the operation of almost every critical system in use today, and maintenance and support functions are unavoidable. Thus: convergence killed the air gap. Even in the most highly protected systems, any designed-in air gap is eventually bridged and becomes nothing more than a meaningless representation of an unattainable ideal, not a reflection of how a system operates or is maintained.
A recent cybersecurity assessment published by Snohomish Public Utility District (SnoPUD) is a prime example of how ‘convergence killed the air gap.’ As the largest public utility in the state of Washington, the facility invested heavily in security on the corporate network to presumably prevent adversaries from gaining access to their ICS network. Despite the robust corporate security and NERC CIP compliance, assessors were able to gain access to the ICS network within 22 minutes – and once that task was accomplished, they found absolutely zero security tools in place.
Unintended Consequences of IT/OT Convergence
Within industry, IT professionals have accelerated convergence by attaching advanced technology to the edges of legacy control systems to facilitate two-way data exchange and, in some cases, reach even deeper into the ICS network infrastructure to manage network appliances and the location of the systems. Yet, in almost all cases, IT resources do not play an active role in the daily management of an OT environment. Instead, some IT engineers are brought into a production environment to perform much like a contractor – adding their technology, configuring a portion of the network system and then leaving the long-term responsibility to the controls engineers and technicians. In addition, because they did not play a role in the configuration, many traditional OT professionals do not realize the risks that IT brings to their network infrastructure.
Recognizing the vast attack landscape and vulnerabilities that have surfaced as a result of IT/OT network convergence, control systems have become an attractive opportunity for adversaries. Unfortunately, such risks will continue to increase significantly, only exacerbated by the skills shortage in managing risks and protecting systems from cyber attacks.
Complicating matters is the importance and multiplicity of benefits of a connected network infrastructure, even though individuals with malicious intent are increasingly focused on penetrating these networks. Reasons for doing so vary; one is to establish a capability to gain control of the systems and their assets in the future, in order to affect operations and those who rely on the safety and availability of these systems nearly every moment of every day.
Mitigating Risk Requires a Culture of Proactivity
Knowing that 1) ICS infrastructures evolve, 2) increased connectivity leads to greater risks, and 3) the air gap is nothing more than a myth, are the first steps in establishing a firm grip on the realistic cybersecurity challenges facing today’s ICS and SCADA systems. Still, merely recognizing these challenges without knowing precisely how to reduce risks threatens the safety and reliability of operations.
For organizations, even those with a propensity to pay attention and address risk, these first steps can still be difficult. Building a clear understanding of how a system is operating, identifying access points and communications within and between systems, and contrasting normal and abnormal behavior can quickly aid companies in developing a plan to address their security program development and execution.
While the inclination, although difficult, might be to integrate ICS security into current risk and risk management plans, the evolving threat landscape requires owners and operators to build a fully developed ICS security strategy. In addition, industry must consider cybersecurity that goes beyond compliance; specifically, implementing solutions that were purpose-built for ICS environments. The most reputable organizations currently invest heavily in IT network protections and meet compliance, yet still find themselves vulnerable to cyber threats because they lack adequate visibility into their ICS network and any true understanding of how information actually moves inside and in between systems.
As networks and systems within critical infrastructure continue to connect to the internet, there’s an interdependence of IT and OT functions communicating on the same wire. With so much activity on the same network and many aspects of the system being mission-critical, organizations need to be able to track what is considered normal operations in order to determine what is abnormal, accidental or potentially malicious. For the safety and security of industry, each organization must come to fully understand risks, identify threats to reliable operation and develop a comprehensive ICS security program.
In doing so, they will have taken their ICS network for granted no more.
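The idea of tracking normal operations in order to spot what is abnormal can be sketched in a few lines. This is an added example, not code from the article or from NexDefense; the control-network range, the "src dst proto dport" record format and every address below are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumption: the control network lives in this range (hypothetical plan).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records from a known-good observation window.
BASELINE_LOG = """\
10.10.1.20 10.10.2.5 tcp 502
10.10.1.30 10.10.2.5 tcp 502
10.10.1.40 10.10.2.5 tcp 44818
"""
# Constructed records from a later monitoring window.
OBSERVED_LOG = """\
10.10.1.20 10.10.2.5 tcp 502
10.10.1.20 10.10.2.6 tcp 502
192.168.50.7 10.10.1.40 tcp 3389
192.168.50.7 10.10.1.40 tcp 3389
"""

def parse(text):
    """Turn whitespace-separated records into a list of Flow tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split()
            flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows

def in_control(addr):
    return ipaddress.ip_address(addr) in CONTROL_NET

def classify(flow, baseline):
    """Label one flow against the learned baseline."""
    if flow in baseline:
        return "normal"
    # Unseen traffic entering the control network from outside it is the
    # case to triage first: the boundary has been bridged.
    if in_control(flow.dst) and not in_control(flow.src):
        return "boundary-crossing"
    return "new-flow"

def review(baseline_text, observed_text):
    """Return sorted, de-duplicated (label, flow) pairs for abnormal flows."""
    baseline = set(parse(baseline_text))
    findings = {(classify(f, baseline), f) for f in parse(observed_text)}
    return sorted(x for x in findings if x[0] != "normal")

if __name__ == "__main__":
    for label, flow in review(BASELINE_LOG, OBSERVED_LOG):
        print(f"{label:18} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The baseline is only as good as the window it was learned from, so flows added by legitimate maintenance need to be reviewed and promoted into it rather than silently ignored.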
About the Author
Loney is the vice president of engineering at NexDefense, a leading provider of cybersecurity for industrial control systems. With over 25 years in the software industry, Loney is a recognized expert in product development, computer and network security, and high-performance applications. His experience also includes successfully building SCADA, IPS, IDS, VM and cloud-based software products.