December 1st, 2017
How often does your IT group inform your company about the latest hacking trends affecting company email and systems? The hackers, or “bad actors” in the corporate and industrial world, have moved way beyond the poorly-worded email guaranteeing millions of dollars that you inherited from an unknown and deceased relative. They also are not stopping at systems on the corporate level.
Industrial Control Systems (ICS) are under attack as frequently and creatively as corporate-administration systems. The problem, however, is that many industrial operational-technology (OT) departments have lagged behind their information technology (IT) counterparts in managing new threats.
This is often for valid reasons, such as the following:
- Properly designed OT systems are often isolated to intranet systems with no access outside the plant.
- The routine security software on administrative computers often crashes industrial control systems, requiring other measures to ensure the security of the system.
- OT systems with limited access and user-defined roles may already prevent these systems from having unwanted user activity.
- Older OT systems might not have the capabilities to see the level of network and control-layer activity that is available in newer systems today and personnel may be unaware of how the new developments affect them.
While those reasons still characterize some of the realities in today’s OT systems, other factors have drastically changed, providing the OT departments with more options than previously available to them. With technology developing faster than ever and more areas of the plant improving with smart devices, the plant is both more capable than ever of increasing production from its ICS and, concurrently, more vulnerable than ever to unauthorized users. If the movies, headlines, and personal experiences can teach us anything, it is that the bad actors will target OT systems for any motive and by all means necessary.
A Call to Responsible ICS Management
The proper reaction to the risk of improved technology is not to stay in the dark ages and think, “If we maintain this 20-plus-year-old stand-alone system, then at least we’ll be safer than connecting everything together.” Rather, forward-thinking OT decision-makers should embrace the often quoted Spiderman line, “With great power, comes great responsibility.”
If the responsibility in your industrial facility is being shirked by everyone as “someone else’s job,” then think of this bit of cliché wisdom, “Friends don’t let friends have unsecured, undocumented, and unplanned industrial control systems.” Now speaking as a friend, if you know your ICS is at risk, it becomes your responsibility to explore ways to protect and educate your company on these issues, because eventually, it will affect your job.
The task to communicate this vulnerability, while potentially daunting, does not have to be entirely doom-and-gloom. After all, if the benefits of a well-designed OT infrastructure can improve quality, production, health and safety, and overall system security, the benefits of such a system to the company will far outweigh the potential inherent risks.
If that’s the case, then who doesn’t like being the bearer of good news? By bringing the possible benefits of ICS improvement to light for your particular application, those who start the initiative may be recognized and rewarded later – either by their existing company or another company that can appreciate the proactive approach.
To prepare for the objections from the status-quo peanut gallery, remember, the older systems are not impenetrable to outsiders. They often carry a false sense of security, because newer industrial control systems and complementary systems can identify risks that were not previously visible to plant engineers. In overly vulnerable systems, bad actors, disgruntled employees, or errant programmers can do a lot of damage to the ICS without being detected or under the guise of alternate explanations.
The advances in OT resources and philosophies today allow for the Scooby-Doo resolution to ICS issues. When the obvious culprit is caught, do not accept the surface-level explanation. Instead, use the new tools to unmask the scapegoat and reveal the real culprit. In doing so, a company embracing the modernized ICS resources could discover the true culprits behind the following issues:
- Unexpected and unexplainable shutdowns.
- Loss of production time.
- Loss of raw materials.
- Missed deadlines.
- Poor quality resulting from unidentified changes to the process.
- Safety breaches and injuries from machines being started at the wrong times.
Lack of accurate insight into the ICS’s users, networks, processes, and changes may account for part of the misdiagnosis of issues. For example, a batch system that often experiences unplanned shutdowns on weekends may be attributed to old hardware or operator error. In reality, it could be a bit of bad-actor programming that causes a process shutdown at defined intervals, but no one in the plant is aware of the malicious code buried in an obscure controller by an unknown entity.
How Do You Assess Your ICS?
So what do you do to move forward with technology without exposing your entire ICS to the villains?
If I asked you to list every process controller for your ICS platform in your facility, could you easily:
- Identify each one?
- Name the controller model number, serial number, and firmware version?
- List the network information and addresses associated with it?
If not, you might need to start with an ICS Assessment. An ICS assessment may start with an industrial-cyber-security focus, but it is more than just cybersecurity. It documents your system, creates a roadmap for secure growth and navigation, provides action items when breaches or errors occur, and educates and trains a culture of industry best-practices.
#1 Know What You Have
An ICS assessment allows you to know what you have in your plant so you can manage the risk. Each controller could be a vulnerability depending on the overall network architecture and system settings for the devices. In some facilities, everything is all on one network – administration and operations. While that’s probably less of a reality today than 1-2 years ago, that network layout means that someone downloading a simple file over email could shut down the whole production process.
While most industrial facilities probably have at least some separation between administration and operation networks, there can be plenty of vulnerabilities if the network has grown by sprawling switches and routers as opposed to a well-defined architecture with demilitarized zones (DMZ) between IT and OT domains. Creating a DMZ allows teams on both sides of the zone to share important data without jeopardizing production or sensitive information.
#2 Know Who Has Access
An ICS assessment can also identify who should have access to the various systems. If you know who should have access, then it is easier to identify who shouldn’t have access. By using tools available for ICS systems now, bad actors can be identified by:
- Unknown IP addresses showing up on a network scan.
- Changes made by a smart device or HMI connected to a controller.
- Changes made by bypassing the control network and using a USB port to upload changes.
#3 Know What’s Been Changed
Once you know what you have, and who should have access, it is much easier to know what has been changed. By watching the well-documented network, you can find out where the changes are made, who has been performing them, and what has changed. Not every change to a system is malicious or done by “THEM,” the faceless villains. Sometimes it is an honest mistake. Regardless of the source, any change that is not intended for the optimal production process can cause untold losses in labor, production, dollars, and sometimes life or limb.
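The three steps above can be tied together in a small baseline check. The following is an added example, not part of the original post: it compares a documented controller inventory (serial, model, firmware, address) against a later scan and reports changed attributes, unknown hosts, and documented controllers that did not respond. All names, addresses, and the scan record layout are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Controller:
    serial: str
    model: str
    firmware: str
    ip: str

# Constructed baseline, as an assessment might document it.
BASELINE = [
    Controller("SN-1001", "PLC-A", "20.11", "10.10.1.11"),
    Controller("SN-1002", "PLC-A", "20.11", "10.10.1.12"),
    Controller("SN-2001", "PLC-B", "4.2", "10.10.1.21"),
]
# Constructed list of non-controller hosts (HMIs, engineering stations)
# that are expected on the control network.
AUTHORIZED_HOSTS = {"10.10.1.50"}

# Constructed result of a later scan; the dict layout is an assumption.
OBSERVED = [
    {"ip": "10.10.1.11", "serial": "SN-1001", "model": "PLC-A", "firmware": "20.11"},
    {"ip": "10.10.1.12", "serial": "SN-1002", "model": "PLC-A", "firmware": "21.03"},
    {"ip": "10.10.1.50", "serial": None},
    {"ip": "10.10.1.77", "serial": None},
]

def compare(baseline, authorized, observed):
    """Return (kind, subject, detail) findings for drift from the baseline."""
    by_serial = {c.serial: c for c in baseline}
    seen, findings = set(), []
    for host in observed:
        known = by_serial.get(host.get("serial"))
        if known is not None:
            seen.add(known.serial)
            # Step 3: report any documented attribute that no longer matches.
            for field in ("model", "firmware", "ip"):
                old, new = getattr(known, field), host.get(field)
                if new != old:
                    findings.append(("changed", known.serial, f"{field}: {old} -> {new}"))
        elif host["ip"] not in authorized:
            # Step 2: an address nobody documented or authorized.
            findings.append(("unknown_host", host["ip"], "not in inventory or authorized list"))
    # Step 1: documented controllers the scan did not see.
    for serial in sorted(set(by_serial) - seen):
        findings.append(("missing", serial, f"documented at {by_serial[serial].ip} but not seen"))
    return findings

if __name__ == "__main__":
    for finding in compare(BASELINE, AUTHORIZED_HOSTS, OBSERVED):
        print(*finding, sep=" | ")
```

A finding is not proof of malice; as noted above, a firmware change or a missing controller may be planned maintenance or an honest mistake, but each one should map to a documented reason.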
Every ICS solution is custom and needs to be tailored to the needs of a facility and the life cycle of the current IT and OT infrastructure. If your facility is due for an ICS assessment, seek out a trusted industry partner to explore what it will take to document what you have and plan for the risks that you will likely see. You may not be able to stop every risk, but you can improve the time it takes to correct any unwanted activity.
Each step forward in securing and monitoring your system is better than taking none at all. For more information on this topic see some of our other related blogs including 4 Steps To Secure Your Automation System and The Growing Need For Industrial Control System Cybersecurity.