Internet of Things (IoT) or connected devices/technology is the recent trend prevailing from home to business. The inclination is to automate every process, from buildings to office, medical to automobiles. New technologies, improved connectivity, and standard networks increase the dependency on IT systems. Business needs demand more interactions between information technology and operational technology and use of Internet-enabled technologies for communication, remote monitoring, and control. Increasing connectivity and improving technologies increase the efficiency of the system, but also create opportunities for cyber attacks
Initially, cybercrimes were focused only at corporate IT solutions because industrial control systems (ICS) have dedicated networks and use proprietary protocols and custom-built software. Based on Frost & Sullivan research, the first ICS cyberattack was reported in 2010 in Iran’s Natanz nuclear plant after its system was infected with a malicious code. The entire automation industry immediately realized that cyberattacks can cause serious physical damage. An attack on a German steel mill that stopped closedown of a blast furnace and attacks in the Ukraine that caused power blackouts are other examples of cyberattacks on ICS.
Not all cyberattacks are reported due to lack of regulations for revealing personal information. Though end users understand the importance of cybersecurity, they are uncertain about the level of impact. Importance of security in ICS is not often understood because, initially, it was not easily accessible. The primary focus while designing ICS was to obtain efficiency, not security. Implementation of security features in any operational technology is difficult because of the different requirements when compared to that of information technology.
Top Threats in ICS Security
- Device that is insecurely connected to the network: This is considered to be one of the major threats for ICS by customers. Any device, such as USB, CD/DVDs, and hard drives should be scanned for viruses and worms.
- Internal threats: These are threats that come from employees, ex-employees, and third parties. Some examples are opening malicious mails, loss of laptop or portable devices, etc.
- External threats: Threats arising from criminal organizations, state-sponsored actors, and hacktivists.
- Ransomwares and financially motivated crimes: These threats are malware that block access to the system until payment of ransom. This threat type has increased during the past 2 years and it is estimated that more than $1 billion is paid annually. This is due to integration of ICS with OS-based systems.
According to Frost & Sullivan’s understanding, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has come up with seven strategies for prevention of cyberattacks in ICS. Adoption of these strategies can result in avoiding 98% of attacks.
- Application whitelisting (AWL):
Implementation of AWL helps in detection and prevention of malware execution uploaded by cybercriminals. The operator has to clearly specify the applications permitted on a computer system to vendors.
- Patch/configuration management:
This involves safe introduction and application of authentic patches that enable the safety of control systems. This is expected to be difficult in OT environments, especially with older systems.
- Minimize attack surface area:
Ensure secure connection between the ICS network and office networks by use of firewalls that layer these networks and offer only real-time connectivity to external networks.
- Network segmentation:
Segmentation of networks with the purpose of creating “logical enclaves” and curbing host-to-host communications paths can help in minimizing access to cybercriminals.
- Managing authorization:
Cybercriminals are concentrating more on obtaining genuine authorizations from highly privileged accounts. Implementation of multi-level authentication and reduction of privileges to necessary personnel only helps improve ICS security.
- Remote access management:
Providing operator-controlled and time-bound remote access enables security and avoids cyberattacks by acquisition of remote access to the systems provided by compromised vendors
- Audit ICS networks
To enhance the security of ICS networks, customers should practice safety measures, such as monitoring IP traffic for suspicious communications within control network/other networks, using host-based products to identify malicious software and attack attempts, using login analysis to find stolen credentials or improper access, and observing account/user administration actions to spot access control manipulation.
Increasing automation in various fields increases the efficiency and productivity of the system. However, even systems with proper security are vulnerable to risks from various cybercrimes. According to our study, in spite of the increasing awareness towards cyber threats, the implementation of security features in ICS is still low. Investments in security are expected to increase as the system demands Internet-based applications for real-time connectivity and remote applications. In the future, implementing security along with automation can help customers obtain the necessary throughput. Hence, to combat cybercrimes, it is essential to increase investments on cybersecurity and follow the seven strategies by ICS-CERT.