Developing a Security Strategy to Cover ICS Assets

Industrial Control Systems

At the most basic level, an industrial control system (ICS) is any system, whether standalone PC or other purpose-built hardware or software, that controls a process or event in the physical world. These systems are common in industries such as manufacturing, power generation, refineries, and other industrial sectors. Some examples of ICS technologies are:

  • SCADA – Supervisory Control and Data Acquisition
  • DCS – Distributed Control System
  • PLC – Programmable Logic Controller

Critical Infrastructure

Critical infrastructure consists of systems considered vital to an organization, government, or society. For example, the United States Department of Homeland Security defines 16 critical infrastructure sectors.

Many industrial control systems are also critical infrastructure. They deliver our electricity and water or facilitate the manufacture and delivery of critical goods. However, not all ICS are critical infrastructure. For example, a system that automates milking cows would be considered an ICS, but would probably not be considered critical infrastructure.

Likewise, not all critical infrastructure is industrial in nature. Some critical infrastructure systems are exclusively information-based and do not control anything in the physical world. A Wall Street financial system and a cell phone network are two examples of systems that might be considered critical infrastructure, but don’t meet the definition of ICS.

The Internet of Things

The Internet of Things (IoT) is a concept that refers to any device or object that is connected to the internet for the purposes of data exchange, remote monitoring, or control. IoT is a significant technology trend transforming both the consumer and industrial sectors.

Devices associated with an ICS can also be a part of the IoT. A smart meter, for example, is a network-enabled device that is part of a larger ICS. IoT devices can also have a broad range of criticality – anything from a connected refrigerator to a locomotive signaling system.

Cybersecurity Implications

The business benefits of this interconnectedness are numerous – valuable insights, improved operations, and other efficiencies. However, as control systems and other devices that were previously not connected come online, their attack surface increases, thus presenting new risks. Organizations with industrial control system (ICS) assets must consider these risks and design or adapt a cybersecurity program suitable to ICS technology.

The C-I-A Triad versus the A-I-C Triad

The three generally accepted objectives of information security are referred to as the C-I-A triad: confidentiality, integrity, and availability. Information security professionals prioritize confidentiality ahead of the other two objectives. As a result, information security architectures are designed to protect sensitive data such as personally identifiable information (PII), credit card numbers, trade secrets, and intellectual property.

However, in ICS security, the focus is not on information, but on the industrial process that information technology controls. Hence, availability and integrity are often more important than confidentiality. Control engineers look to maximize availability, ensuring systems stay up and running and avoiding any interruptions or unexpected downtime. Data integrity is also extremely important in control systems. If the operator’s screen in the control room does not accurately represent what is actually going on, there could be a significant impact on operations or even safety.

Confidentiality usually has a lower priority in industrial control systems. While there may be some scenarios where intellectual property resides on the plant floor or on an engineering laptop, most operational information or “tags” such as temperature, fill level, vibration and speed can remain unencrypted because their value is short-lived.

These differences in priorities require professionals to take slightly different approaches when implementing a cybersecurity strategy in IT and ICS environments.

Building an ICS Security Program

Even organizations with mature and effective IT security programs struggle with extending their capabilities to cover ICS assets. In fact, one of the easiest ways to fail at ICS security is to blindly apply IT security controls as-is to ICS. Organizations need to be mindful of both technical and cultural considerations. ICS environments consist of a mixture of IT assets and purpose-built technologies provided by specialized ICS vendors. Many organizations have a separate operational technology or engineering group responsible for ICS, complicating questions about accountability, ownership, roles and responsibilities with respect to ICS security.

Industrial control systems are built with a goal of running reliably for as long as possible – in some cases up to 30 years. An expectation of always-on availability, combined with low staffing levels and limited operations and maintenance budget, often drives an “if it ain’t broke, don’t fix it” philosophy.

While this operational philosophy is understandable, it contributes to a considerable amount of technical debt and security risk. ICS assets often remain unpatched against known exploits and untested for ICS-specific security vulnerabilities. Some of the security features commonly found in the IT space, such as authentication and encryption, are not available on ICS communication protocols.

Traditionally, asset owners have managed this risk by keeping ICS networks separate from IT networks – either on a separate “air gapped” network or through various network segmentation techniques such as dual-homed devices and firewalls. Unfortunately, through basic inspection and assessment we have discovered that ICS networks are much more connected to IT networks and the internet than either plant engineers or information security officers realize. Technology and business trends that incentivize asset owners to connect IT and OT will only accelerate a threat actor’s ability to pivot from one network to another.
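
One way to run the kind of basic inspection described above is to compare observed network flows against the zones that are assumed to be separate. The following is an added example, not part of the original article; the subnets, addresses, and flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed zone map (assumption): subnets the asset owner believes are segmented.
ZONES = {
    "OT": [ipaddress.ip_network("10.50.0.0/16")],
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
}

# Constructed flow records (src, dst, dst_port), as might be exported
# from a firewall log or a passive network tap.
FLOWS = [
    ("10.50.1.20", "10.50.1.5", 502),     # HMI -> PLC inside OT (Modbus/TCP)
    ("10.10.4.77", "10.50.1.5", 502),     # IT workstation -> PLC
    ("10.50.2.9", "10.10.0.15", 445),     # OT engineering laptop -> IT file server
    ("10.50.2.9", "203.0.113.40", 443),   # OT host -> internet
    ("10.10.4.77", "198.51.100.8", 443),  # IT host -> internet (not an OT concern)
    ("10.10.4.77", "10.50.1.5", 502),     # repeat of the IT -> PLC flow
]

def zone_of(addr):
    """Map an address to its zone name, or EXTERNAL if it is in no known zone."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "EXTERNAL"

def boundary_crossings(flows):
    """Count flows that enter or leave the OT zone, grouped by zone pair."""
    found = defaultdict(lambda: defaultdict(int))
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and "OT" in (src_zone, dst_zone):
            found[(src_zone, dst_zone)][(src, dst, port)] += 1
    return {pair: dict(hits) for pair, hits in found.items()}

def exposed_ot_hosts(flows):
    """OT addresses that take part in any cross-zone flow."""
    hosts = set()
    for hits in boundary_crossings(flows).values():
        for src, dst, _ in hits:
            hosts.update(a for a in (src, dst) if zone_of(a) == "OT")
    return sorted(hosts)

if __name__ == "__main__":
    for pair, hits in boundary_crossings(FLOWS).items():
        for flow, count in hits.items():
            print(f"{pair[0]} -> {pair[1]}: {flow} x{count}")
    print("OT hosts with cross-zone traffic:", exposed_ot_hosts(FLOWS))
```

Every reported crossing is either a documented, intended conduit or evidence that the assumed separation does not hold.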

When building a security program for your organization, we recommend taking into account the needs of both IT and ICS assets by building an overarching enterprise program that provides comprehensive visibility into risks while addressing the specific needs of each environment.

For more information about building your ICS security program or assessing the health of your existing program, check out our ICS whiteboard video series.