The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure.
In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.
Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk.
The Need to Exchange Files
Even in air gapped OT environments, files must be exchanged with the outside world. Some examples include software patches, and files from third parties like system integrators, contractors, etc. An adversary can take advantage of this by tricking employees into installing fake software updates and patches, or transferring files that will introduce malware into industrial networks. Earlier this month, ransomware authors distributed a malicious file called ‘Allenbradleyupdate.zip’ that was masquerading as a legitimate update from Rockwell Automation. The ransomware, if successfully installed, keeps the victim’s computer and its contents hostage unless a ransom is paid to the attackers. The threat of control system owners and operators being tricked into installing malware and compromising the ICS network is very real.
Compromised Personal Devices
Many employees connect personal devices to the ICS network, whether it is to charge a mobile phone or transfer files using a USB. Compromised personal devices can introduce malware and expose the network to cyber threats. In a 2011 study, DHS staff deliberately dropped data disks and USB drives in federal agency and contractor parking lots. According to the report, 60 percent of those devices (which could have easily contained malicious code) were inserted into company or agency computers.
In a more recent example, Nintendo issued a limited release of the popular "Pokemon Go" app. Exploiting pent-up demand for the app, attackers seeded third-party app stores with fake versions of the app that took control of the victim’s device. ICS employees are not immune from downloading fake apps and then connecting their infected personal devices to the network, enabling malware to spread and compromise additional assets.
Vulnerabilities and Human Error
Like all networks, ICS environments are susceptible to software and hardware vulnerabilities, as well as design flaws. Since they were not designed with security in mind, they may be at even greater risk than IT networks. Newly discovered vulnerabilities in operational technologies are routinely reported by vendors and security researchers. Yet in most ICS networks, systems aren’t regularly patched.
In some cases, flaws in the network’s architecture or configuration create vulnerabilities that can be exploited by hackers. For example, a temporary remote access connection established for an integrator, if left open, poses a serious security risk. In addition, employees that need to remotely connect to ICS networks, but are not provided with a secure access mechanism, may resort to “creative alternatives” to get their work done. These unintended connections can become infiltration points and expose the industrial network.
The Insider Threat
Since there is no authentication or authorization within ICS networks, trusted insiders (employees, integrators, contractors) within the network have unfettered access to its critical assets. Whether they commit unintentional errors or are disgruntled and willfully cause disruptions, the results can be just as damaging as threats posed by external adversaries (maybe even more so). Even if a network is completely isolated by an air gap, it is not immune to insider threats. The only way to secure this attack vector is through continuous monitoring and better access control.
Connected Technologies and IIoT
As we advance into the next phase of modern manufacturing, connected technologies are increasingly being deployed in the manufacturing sector. Sometimes called the industrial internet of things (IIoT), connected technologies offer many benefits. Smart sensors are being used to automatically improve performance, safety, reliability and energy efficiency. These technologies enable operational managers to check on machines, schedules, inventories, etc. at any time, no matter where they are. This is especially valuable for remote locations, subcontracted manufacturing plants or suppliers’ factories. To take advantage of connected technologies, facilities operators must open their networks, which eliminates the air gap and exposes them to external threats.
Whether ICS networks are air gapped or not, they remain vulnerable to security threats. The single biggest roadblock to ICS security today is the lack the visibility and control into activity that is occurring at the control layer, namely access and changes made to industrial control devices. To detect and respond to security incidents in operational systems before damage can be done requires a new class of monitoring tools that are purpose-built for ICS, not IT, environments.