Industrial Control System Design Flaws Have a Profound Impact on Security Posture of Operational Networks
It’s a generally known fact that most Industrial Control System (ICS) environments were not built with cyber security in mind because they were designed before the cyber threat existed. For decades these networks were protected by an air-gap, disconnected from the outside world. With the introduction of commercial off the shelf (COTS) technology in the 1990s (which replaced proprietary, purpose-built industrial hardware and software) and the increasing connectivity to corporate networks and the Internet, these systems have become more exposed to cyber threats and the risk of compromise.
The impact of vulnerabilities and design flaws
Like IT networks, ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported. Even though such vulnerabilities can pose exceptional risk to industrial control systems (like one discovered in Schneider Electric Unity Pro software), an attacker can still compromise an ICS network and cause disruptions to operations without exploiting them. The focus on the large number of ICS vulnerabilities routinely reported obscures a very important point: even when an industrial organization has mitigated all vulnerabilities, there are still design flaws that cyber attackers can easily exploit to compromise an ICS.
ICS networks have become easy targets because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. This means that anyone with network access can make changes to controller logic and configuration which can severely affect operations and have a catastrophic impact on plant safety and reliability.
Visibility and control in ICS networks
ICS networks suffer from a lack of visibility which prevents engineering and security staff from identifying a malicious actor compromising critical assets, or a contractor that may be making an unauthorized change to the configuration of a controller. Not knowing with certainty what’s happening in these networks severely impacts the staff’s ability to detect and respond to incidents, whether caused by cyber threats or human error.
Due to this lack of security controls, anyone with access to ICS networks can – maliciously or unintentionally – make control-plane engineering changes to the controllers which manage industrial processes. Control-plane changes to the controllers, like code updates and configuration changes, are very difficult to identify. It can take days or weeks to identify changes and most importantly, it is difficult to respond to incidents and revert the system back to its original state. These factors significantly increase the potential for operational disruptions and makes threat mitigation a complex process that is resource intensive and time consuming.
When an organization has the ability to track all activities occurring in their ICS network in real-time, they can quickly identify incidents, pinpoint their cause, and respond to malicious or erroneous activity.
As long as security controls aren’t available to prevent unauthorized/malicious changes, the design flaws of ICS will continue to affect their security posture and put them at a high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise resulting from a lack of security controls.