Virtually every industrial sector is digitally transforming. As more connected devices are introduced to work environments, this poses a greater cyber risk to the Industrial Control System (ICS). The challenge is that ICS components are not suited for communication over the Internet. Making matters worse, the operating technology and software that industrial operators use don’t receive enough patches for threat protection—out of fear of downtime.
These ICS security challenges are all compounded by the fact that many communication protocols used in industrial settings are insecure. Needless to say, the industrial control system environment presents a ripe opportunity for threat actors to steal production data or take command of machinery.
In this article, you’ll get a fleshed-out guide on everything ICS cybersecurity, including the following takeaways:
- What an ICS is and the components that are integral to the system
- What ICS security is and the business goal of its application
- Common ICS protocols that are vulnerable to a cyberattack
- Biggest threat actors of industrial control systems
- How the ICS is attacked
- Best practices to secure ICS endpoints and networks
An Industrial Control System (ICS) refers to the various hardware and software used to manage, regulate, and automate industrial processes. The ICS extends to physical devices, networks, systems, and other industrial instruments. These systems are essential in manufacturing, transportation, water and energy utilities, and other critical sectors. The ICS is the nucleus of mission-critical operations, providing greater autonomy over machinery and industrial processes.
The major components of an ICS system include the following:
- Supervisory Control and Data Acquisition (SCADA) systems efficiently manage and control dispersed industrial equipment.
- Distributed Control Systems (DCSs) are similar to SCADA systems in that they control and monitor industrial assets and processes.
- Programmable Logic Controllers (PLCs) are considered one of the most important components of the ICS environment. They have widespread usage in automating industrial processes and collecting data for analysis and industrial optimization.
- Human-Machine Interfaces (HMIs) are graphic user interfaces with which humans can interact with ICS devices and processes.
- Sensors are used to measure parameters, such as temperature, pressure, humidity, flow rate, and other vital industrial variables.
- Actuators receive data sent from sensors to PLCs and other devices in the ICS and then control physical processes based on the processed data sent back to them.
The figure below, created by ABI Research, depicts the ICS environment.
ICS security is defined as the organizational efforts to protect the devices, components, and networks used in an industrial control system from cyberattacks. Every connection within an industrial control system, from a handheld Internet of Things (IoT) device to a smart sensor, introduces another potential entrance into the ICS. ICS cybersecurity best practices involve a range of hardware and software solutions that make it far more difficult to infiltrate the system and notify personnel when a breach has occurred.
Something to be mindful of is that many ICS-particular protocols are highly vulnerable to cyberattacks. These protocols were not developed with security in mind, so they offer an excellent way for threat actors to infiltrate the ICS network.
ABI Research has identified the following commonly used protocols as being susceptible to ICS security breaches:
To find out why these protocols are vulnerable to ICS attacks and what solutions are being implemented to harden these protocols, download the report.
Phishing, malware, ransomware, and other cybersecurity attacks on an ICS can come from a wide range of sources.
- Internal threats to the industrial control system could stem from employee negligence, poor ICS cybersecurity training, and suppliers/contractors.
- External threats to ICSs come from nation-states, hacktivists, cybercrime groups, and competitors.
Regardless of who the threat actor is, they know that hitting the ICS could result in operational downtime—and subsequent loss of productivity. If the attack is on a utility provider, the result could be power outages or heat loss in people’s homes.
While a state-backed attack on an ICS may be motivated by geopolitical tensions, other attacks are often financially motivated. This can come in the form of ransoms or damage to a competing company’s brand reputation.
An ICS attack can target a variety of components of the system, beginning with the network or endpoint devices at the highest level.
- Attack on the Network: When critical infrastructure is the prime target, the cybercriminal will attack the connection residing between ICS devices and the SCADA system. Alternatively, the attacker might try to intercept data in motion. As a few examples, this kind of ICS attack could mean the attacker eavesdrops on network traffic, impedes network communications, or takes advantage of the vulnerabilities within switches, routers, or other network devices.
- Theft of Sensitive Information: A cyberattack on an industrial control system could also involve the theft of sensitive information, such as system configurations, production data, or personal information of employees and customers. The attacker would target the data stored within ICS systems to steal information.
- Exploitation of Endpoints: Virtually all ICS endpoints are potential attacker exploits. In this case, the attacker targets applications, systems, or devices connected to the industrial control network. Examples include PLCs, Remote Terminal Units (RTUs), HMIs, and SCADA systems.
Through industry interviews with industrial organizations and cybersecurity vendors, ABI Research has identified a multitude of ICS security best practices. The rest of this article provides some of the most effective ICS security measures.
In this section, I’ll explain some ICS hardening solutions that effectively protect ICS endpoints from cyberthreats.
Endpoint Detection and Visibility
Given the long life spans of an industrial control system, bolstering the security of legacy ICS equipment is paramount. But, as ICS cybersecurity research shows us, bolt-on security is more vulnerable to an attack than built-in ICS.
To secure legacy ICS network endpoints, industrial companies can use the following methods and strategies:
- Segment the legacy ICS by using firewalls, Virtual Local Area Networks (VLANs), and air gapping techniques. This will limit access to critical infrastructure.
- Shrink the attack surface by disabling unnecessary devices and network connection protocols.
- Improve authentication by implementing access control, strong passwords, or Multi-Factor Authentication (MFA) for questionable, unverified, or untrusted devices and platforms.
- Conduct regular security assessments for legacy ICSs to help identify weak points. That will enable you to apply appropriate security measures, including patching where possible.
Identity, Authentication, and Access Management Technologies
As critical infrastructure firms digitally transform their operations, digital Identity Access Management (IAM) technologies are gaining popularity for safeguarding industrial control systems.
Trusted Platform Modules (TPMs) are also a mainstay for ICS security. The usefulness of TPMs in industrial control system security is in their ability to store cryptographic keys securely. TPMs authenticate devices and verify that the firmware and software within the ICS environment can be trusted.
Proper Device Onboarding
Using the pre-configured credentials of ICS components presents a security vulnerability. If, for example, your organization receives a shipment of PLCs, be sure to change their credentials and configure them before putting them to use. Having stronger passwords is a critical enabler in protecting industrial control systems.
Proper device onboarding is also essential for integrations and functionality within the ICS. When devices are not adequately onboarded, there’s a greater risk of display communication hindrances with other devices in the ICS environment.
Patch Management and Hot Patching
With cyberthreats on the rise, updating and patching the devices and networks associated with your industrial control system is one of the best ways to circumvent attacks from malicious actors. You must:
- Identify where vulnerabilities lie in your ICS network.
- Conduct a detailed inventory of all ICS devices.
- Consider hot patching to avoid operational downtime when updating the ICS.
Securing the ICS at the Network Level
The following best practices will help ensure that your industrial control system network is secure in the age of Industry 4.0:
- Promote Network Visibility: Through various interviews with industrial stakeholders, ABI Research has learned that network visibility is the highest ICS security priority. Critical infrastructure companies can promote network visibility by mapping the network with port scanners and network mapping software to identify network topology, system configurations, and communication patterns.
- Monitor Network Data Flows: Monitoring data flows within the network is imperative to identify when malware has infiltrated the industrial control system. For example, the Stuxnet worm and the Havex Trojan malware both use data packets to attack ICSs.
- Set up Firewalls and Unidirectional Flows: Firewalls, such as Cisco’s Firepower Next-Generation Firewall and Adaptive Security Appliance (ASA), are an effective ICS security solution. Firewalls are an established market with many vendors offering ICS protection solutions. Moreover, unidirectional gateways provide better ICS security, but are substantially more expensive.
- Leverage Machine Learning (ML): Recent research into ML strategies for industrial control system security has shown promising results for intrusion detection and response in the ICS environment. This is particularly important in detecting cyberattacks in mobile cloud computing. ML-based intrusion detection and response schemes are reportedly a superior cybersecurity technique to current “rule-based” security schemes.
- Set Honey Pot Traps: In the context of ICS cybersecurity, a honeypot refers to a fake network that lures would-be attackers of the actual network. It’s important that the attacker genuinely believe the real ICS has been infiltrated. For example, the “honeypot” could pretend to be a Programmable Logic Controller (PLC) and enable the attacker to acquire control of it. This security best practice keeps the ICS safe by diverting the attacker’s attention from critical aspects of the system. Honeypots can either be low-interaction or high-interaction, with the latter requiring much more resources.
The Next Step in Your ICS Cybersecurity Strategy
As recent headlines allude to, industrial control systems are highly vulnerable to cyberattacks. As threat actors become smarter and more sophisticated, industrial companies and their cybersecurity service partners must leverage innovative solutions and proven ICS security best practices.
To help you on the journey, subscribe to ABI Research’s IoT Cybersecurity Research Service. Access to our global team of analysts means your organization will get its hands on Analyst Insights, various market forecasts, and long-form research reports that discuss the latest industrial security challenges, solutions, market outlooks, vendor profiles, and more.
- ICS Protection from Cyberthreats: What Will It Take? [Research Highlight]
- What Is Intellectual Property Theft, and How Can Manufacturers Prevent It? [blog post]