No more water running from the tap, operating rooms that cannot be used, locks that no longer open or close, or problems with the energy supply. Problems that may arise when operational technology (OT) is hit by cyber-criminals. Problems that sometimes cause even more social disruption than when the IT side is hit. Industrial Control Systems (ICS) are used for, inter alia, the production of medicines, the transport of water, the production of oil, the security of buildings, and they are also used in the foodstuffs industry. It regards measuring and control systems that are used within the vital and industrial sectors for the monitoring, performance, and control of physical processes.
Ever more often, these systems and building management systems appear to be accessible from the internet. What are the potential consequences of this? What measures can you take as an organisation to gain more control over this? These questions are answered in this article.
ICS / SCADA and building management systems
ICS or industrial control systems are important to the manufacturing industry. ICS are measuring and control systems that are used within the vital and industrial sectors for the monitoring, performance, and control of physical processes. ICS usually also include building management systems. Think about camera systems (CCTV) and climate control systems (HVAC).
ICS are often used in combination with SCADA. Supervisory Control And Data Acquisition (SCADA) systems are computers with SCADA software. They are used for the operation and visualisation of industrial processes.
The collective name for matters like ICS, SCADA, and building management systems is operational technique (OT). Ever more of these systems are (in)directly connected to the internet so that the control of these systems can take place from a central location and processes are optimised. This means considerable gain when it comes to the deployment of available capacity, but simultaneously brings about a significant risk. Namely, many of these systems are insufficiently prepared or configured for this.
Why is it important to protect OT?
Systems that are being used for operational processes have an average life cycle of approximately 20 years. Compared to regular IT systems, which have an average life cycle of approximately 3 to 5 years, the life cycle of an OT system is therefore much longer. The updating and replacement of these systems appears to be quite costly in practice, also because it mostly regards customised systems that run 24/7. In most cases, discontinuing a production process for an update is not an option. As a result, you end up in a situation where, after a number of years, updates or patches are occasionally not even available for the relevant system anymore. This creates a high degree of vulnerability.
In the past, it was decided to isolate these systems from the internet. This no longer appears to be an option in today’s 24/7 economy. The associated risk is that these systems can be manipulated or taken over. A considerable risk when you consider that it involves systems that regulate, inter alia, the vital infrastructure in the Netherlands! If bridges or locks stay open, then this cripples the transport, and consequently the economy. This also results in considerable issues for the fire brigade, police, and ambulance service. Or what about a refinery that suddenly needs to discontinue the production process? A shortage of drinking water? All consequences that could happen when malicious parties take over or manipulate OT systems.
What measures can you take?
Vulnerabilities for ICS / SCADA and building management systems form a realistic threat with a potentially large impact. To increase the security, it is recommended to implement the following set of measures. That way the chance of a successful attack is reduced.
- Minimise the access to the internet
Limit the access of ICS / SCADA devices from the internet. This is possible by using, for instance, firewalls, Virtual Private Networks (VPNs), or Virtual Local Area Networks (VLANs). Only devices that require external communication to be able to operate can have a direct connection to the internet.
- Update very regularly
Check on a daily basis if new updates are available and install them in a timely fashion. When it is not (no longer) possible to update the software, make sure that the device cannot be accessed via the internet.
- Change TCP / UDP port numbers
To prevent ICS / SCADA devices from being found easily, the standard TCP / UDP port numbers of ICS should be changed. Although this recommendation does not render the findability of a device impossible, it does become more difficult for the attacker to retrieve information about the product.
- Minimise the internet traffic
Use techniques to limit the network traffic in relation to ICS / SCADA services. An example of this kind of technique is white-listing legitimate users. Limiting the traffic does not only offer protection against potential hacking attempts, but also against Denial-of-Service (DoS) and/or brute force attacks.
- Harden systems
Hardening of the device configuration takes place by switching off redundant functionalities and services. This process also includes removing unauthorised users, changing (having changed) standard passwords, and uninstalling unnecessary software and hardware modules. The objective of this is to reduce the potential attack surface.
- Maintain Configuration Management Database
Maintenance of a complete and correct Configuration Management Database (CMBD) is essential. This is a database of all software, hardware, and licences that are owned by an organisation. This way, it is easier to determine whether newly detected vulnerabilities represent a threat.
- Examine vulnerabilities periodically
Monitor and assess the online findability and vulnerability of the ICS / SCADA devices. Organisations that worry about their security should consider the regular use of professional “security red teams” that try to examine the vulnerabilities of devices within an ICS / SCADA infrastructure.
- Logging and monitoring
Keep a logbook, trace potential scans, and detect attacks at the earliest stage possible. Intrusion Detection Systems (IDS) and flow measurement systems are examples of systems that can be of assistance with this. This can also be an important measure when systems must run in order to continue business critical processes, these systems must be accessible via the internet, and updates are no longer being offered by the supplier.
Even if all these measures are taken, the chance still exists that an OT system becomes the target of a successful attack. This can, for instance, happen because of a previously undetected vulnerability, a so-called zero-day. The aforementioned measures can, therefore, not completely eliminate the chance of a successful attack; however, it can reduce it to an acceptable minimum.
It is very costly and probably not possible to implement all these measures simultaneously. That is why it is wise to first carry out a risk assessment and thus obtain insight into the most important matters of concern. Then, it can be determined what the so-called “quick wins” are. All these data combined offer handles to apply a risk-based approach in order to minimise the impact on critical business processes.