ICS Control System Security

This article provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Contents

ICS Control System

Industrial control systems (ICS) include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) are often found in the industrial control sectors.

ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control.

DCS is generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control.

Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas and the components were not connected to IT networks or systems.

Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry-standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems.

This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems. The increasing use of wireless networking places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment.

While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

Although some characteristics are similar, ICS also has characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world.

Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact on a nation’s economy, and compromise of proprietary information.

ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems.

ICS cybersecurity programs should always be part of broader ICS safety and reliability programs at both industrial sites and enterprise cybersecurity programs because cybersecurity is essential to the safe and reliable operation of modern industrial processes.

Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders. ICS security objectives typically follow the priority of availability and integrity, followed by confidentiality.

Possible incidents an ICS may face include the following:

Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects.
ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
Interference with the operation of safety systems, which could endanger human life.

ICS Security

Major security objectives for an ICS implementation should include the following:

Restricting logical access to the ICS network and network activity.

This may include using unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks.

The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

Restricting physical access to the ICS network and devices.

Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.

Protecting individual ICS components from exploitation.

This includes deploying security patches in as expeditious a manner as possible,

after testing them under field conditions;
disabling all unused ports and services and assuring that they remain disabled;
restricting ICS user privileges to only those that are required for each person’s role;
tracking and monitoring audit trails; and
using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.

Restricting unauthorized modification of data.

This includes data that is in transit (at least across the network boundaries) and at rest.

Detecting security events and incidents.

Detecting security events, which have not yet escalated into incidents, can help defenders break the attack chain before attackers attain their objectives.

This includes the capability to detect failed ICS components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of the ICS.

Maintaining functionality during adverse conditions.

This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks or does not cause another problem elsewhere, such as a cascading event.

The ICS should also allow for graceful degradation such as moving from “normal operation” with full automation to “emergency operation” with operators more involved and less automation to “manual operation” with no automation.

Restoring the system after an incident.

Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly the system can be recovered after an incident has occurred.

To properly address security in an ICS, it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cybersecurity team should consist of a member of the organization’s IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum.

For continuity and completeness, the cybersecurity team should consult with the control system vendor and/or system integrator as well. The cybersecurity team should coordinate closely with site management (e.g., facility superintendent) and the company’s Chief Information Officer (CIO) or Chief Security Officer (CSO), who in turn, accepts complete responsibility and accountability for the cybersecurity of the ICS, and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.

An effective cybersecurity program for an ICS should apply a strategy known as “defense-in-depth,” layering security mechanisms such that the impact of a failure in any one mechanism is minimized. Organizations should not rely on “security by obscurity.”

ICS Strategies

In a typical ICS this means a defense-in-depth strategy that includes:

Developing security policies, procedures, training and educational material that applies specifically to the ICS.
Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
Ensuring that critical components are redundant and are on redundant networks.
Designing critical systems for graceful degradation (fault-tolerant) to prevent catastrophic cascading events.
Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
Restricting physical access to the ICS network and devices.
Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
Using modern technology, such as smart cards for Personal Identity Verification (PIV).
Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
Tracking and monitoring audit trails on critical areas of the ICS.
Employing reliable and secure network protocols and services where feasible.