What is ICS, and how can you secure it?

Business Special Projects

Cybersecurity month is drawing to a close, but that does not mean that we should just forget about the importance of staying up to date with cybersecurity news and trends. In this post we will focus on industrial control systems: why it is important to know what they are, and also why we need to secure them.Hacking electricity, water, and food

We have written a few posts on ICS topics, but I wanted to take a look at the subject in a way that puts the whole picture into better perspective for a broader audience. To do that, I sat down with Matvey Voytov, a critical infrastructure protection business development expert at Kaspersky Lab.

What is ICS?

ICS stands for industrial control system. Basically it’s an umbrella term that comprises different information systems and technologies — such as supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and more — with one main goal: to provide management and control of industrial processes. Conventional information systems (ERP, collaboration, mail server, OS, etc.) manage information; ICSs manage physical processes. That is why such systems are also referred to as cyberphysical systems. ICSs are widely used in many industries — oil and gas, power grids, manufacturing, smart buildings and cities, and more.

What is the worst that could happen?

The worst-case scenario is about disruption of industrial processes. Depending on the criticality of an industrial object, it can result in loss of money (think about downtime at manufacturing facility) or even lead to real-world, physical damage. That happened in Germany in 2014: A hacker attack at a steelmaking facility disrupted a blast furnace’s controls. And in Ukraine in 2015 and 2016, attacks on power substations caused electricity outages for thousands of consumers.

Which industries should be particularly concerned about their information security, and why?

When we talk about ICS protection, we should say “cybersecurity” instead of “information security,” because in most cases, we mean the protection of cyberphysical processes or assets, not information.

All critical infrastructures are at risk, but especially electric power generation, transmitting and distribution, all kinds of utilities, all streams of oil and gas. In addition to such sensitive infrastructures, “noncritical” industrial organizations are also suffering from cyberattacks enabled by high connectivity to external networks. Our recent research shows that 54% of industrial organizations have had more than one cyberincident in the past 12 months.

What are the attack vectors or types of attacks?

In general, ICS has two major attack vectors. Cybercriminals can access industrial infrastructure via boundary external networks (e.g., a corporate network with ERP that exchanges data with industrial networks for predictive maintenance) or they can try to infiltrate an ICS domain directly, using employee carelessness or bribing an insider. For example, an engineer can bring an infected USB stick or personal device right into an air-gapped network. It’s important to realize that these days very few truly air-gapped networks still exist, even in critical infrastructures. Industrial networks owe some of their increased connectivity to misconfigurations and to low employee awareness — staff can unintentionally bridge air gaps. Infrastructure modernization plays a role as well: The so-called Industrial Internet of Things assumes external availability of industrial networks even at the level of field devices.

There are four possible incident enablers in an ICS environment:

  • Generic malware that gets inside an industrial network and hits legacy Windows computers. For example, recent epidemics of WannaCry and ExPetr ransomware incidentally damaged lots of industrial floors around the world.
  • Targeted attacks such as Stuxnet, Havex, or Industroyer, malware platforms, and kill chains specifically designed to hit ICSs.
  • The fraudulent actions of insiders that damage their industrial organizations without using any hacker techniques, just their ICS knowledge. This is quite often the case in the oil and gas sector.
  • ICS software/hardware errors and misconfiguration.

What are the solutions?

The first and crucial step is to raise cybersecurity awareness among industrial floor workers. In most cases, attacks start with these people. Cybersecurity and safety training is a must for any industrial company.

From a technology perspective, it’s important to recognize that conventional IT security solutions are not suitable for industrial networks. Conventional solutions are designed with a high tolerance for false positives, notable consumption of resources, and constant Internet connection as essential requirement. These aspects don’t fit into ICS specifics, which means that installing conventional endpoint protection to an ICS environment can actually be dangerous — it can lead to disruption of industrial process.

That’s why it is so important to use only specialized industrial cybersecurity solutions. They include hardening of industrial endpoints (application whitelisting is a must here) and passive monitoring of industrial network that includes industrial deep packet inspection (DPI) capable of finding anomalies inside industrial process command flow. Of course, they should be certified by industrial automation vendors — companies such as Siemens, ABB, and Emerson.

If you would like to learn more about how Kaspersky Lab secures ICS, please visit our Industrial Cybersecurity page.