The IT versus OT Conundrum Brings New Cybersecurity Challenges for Connected Industrial Control Systems


2Q 2019 | IN-5458

Connected industrial control systems still lag behind in cybersecurity. While the underlying premise of the Industrial Internet of Things (IIoT) pushes for an ever-increasing number of connected nodes, cybersecurity technologies and procedures lag so far behind that critical failure is a danger industry players are not well equipped to combat.



The Progressive, Albeit Lacking, Premise of Connected ICS


The Industrial Internet of Things (IIoT) has been hailed as the next evolutionary step for industrial control systems (ICSs) and quite possibly the next phase of the massive industrial revolution on the horizon. A breadth of new technologies has entered all related ICS verticals (e.g., manufacturing, critical infrastructure, nuclear power, industrial processing, etc.) including advanced analytics, cloud computing, machine learning, and even artificial intelligence (AI).

The traditional “air-gapped” mentality of control systems in industrial environments, which forced a lockdown in communications between different systems as an added form of security, has deteriorated over the past few years, giving way to the IIoT revolution. But here is where this concept becomes interesting: would organizations invest and upgrade their billion-dollar industrial infrastructure without comprehending basic cybersecurity principles? The answer, unfortunately, is an emphatic “yes.”

Connectivity Comes with a Price


ICS includes everything from the humble sensors and actuators at the lowest level all the way to supervisory control and data acquisition (SCADA), and ICS is currently being upgraded to meet the demands of the IIoT. Two of the core premises of the IIoT are a) increased interaction of ICS with internet-based protocols, and b) increased interconnectedness of all involved devices, users, and systems. However, it is mandatory that cybersecurity technologies and procedures are part of the equation. To put it bluntly, connecting everything to everything else and adding a direct link to the internet simply does not work if security is an afterthought. Industrial cybersecurity is lagging so severely that in some cases even the term “hacking” might be too linguistically charged to describe it.

One example involves the use of hypertext transfer protocol (HTTP) and web apps to control Modbus-based operations inside the operational technology (OT) environment. Programmable logic controllers (PLCs) are at the very core of OT and ICS: they control the industrial machinery and can be programmed to provide instructions for entire assembly lines if needed. However, besides the standard Modbus industrial protocol, PLCs can now also make use of transmission control protocol/Internet protocol (TCP/IP) or HTTP to provide remote access via web browser applications. Further, the majority of the communication channels are insecure, allowing even the average internet user to access some of them since their IP addresses can be easily found online. More advanced users able to write simple scripts for Modbus can remotely alter and control said PLCs on the factory floor, causing major disruptions or even damage. Even a simple search on Shodan, a service dedicated to uncovering insecure IP addresses, is enough in some cases to reveal exploitable flaws.
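For defenders, the exposure described above can be monitored at the OT boundary. The following is an added example, not part of the original insight: it parses Modbus/TCP application headers from captured payloads and flags state-changing function codes that arrive from outside an approved engineering network. The network range, the function names, and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Modbus function codes that modify PLC state (coils or registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumption: the only subnet permitted to write to PLCs (constructed range).
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/24")


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None if not a well-formed Modbus/TCP ADU."""
    if len(payload) < 8:  # 7-byte MBAP header plus at least the function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def review(records):
    """Flag write requests whose source address is outside ENGINEERING_NET."""
    alerts = []
    for src, payload in records:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue  # not Modbus/TCP, or truncated capture
        unit, fc = parsed
        if fc in WRITE_FUNCTIONS and ipaddress.ip_address(src) not in ENGINEERING_NET:
            alerts.append((src, unit, WRITE_FUNCTIONS[fc]))
    return alerts


# Constructed sample: (source IP, TCP payload seen on port 502).
SAMPLE = [
    ("10.20.0.15", bytes.fromhex("000100000006010300000002")),    # read, allowed host
    ("203.0.113.50", bytes.fromhex("000200000006010600010064")),  # write, external host
    ("10.20.0.15", bytes.fromhex("00030000000601050002ff00")),    # write, allowed host
    ("198.51.100.7", bytes.fromhex("000400010006010600010064")),  # bad protocol id
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print("unauthorised Modbus write:", alert)
```
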

The IT versus OT Conundrum Is Still Quite Prevalent


In the past few years, while industrial players and vendors were waging their own battle over proprietary protocols and market shares, cyber attackers managed to spread chaos in industrial facilities across the globe by causing disruptions in production, the destruction of industrial equipment, and in some unfortunate cases even human casualties. The United States, India, the United Kingdom, China, Israel, and Germany have topped the list of victims of such cyberattacks almost every year according to companies operating in the ICS cybersecurity space like Kaspersky, Dragos, and CyberX Labs.

The aforementioned attack involving PLCs is not specific to Modbus-based systems, as proprietary protocols are not out of bounds either. Cyber attackers adapted their strategies and attacked products of industrial giants like Siemens, Schneider Electric, and OMRON, causing OMRON to start investing more in industrial cybersecurity operations. The attacks are not restricted to PLCs, either. For example, Human Machine Interfaces (HMIs) and industrial PCs running obsolete versions of Windows (usually Windows XP but in some cases even Windows 98!), for which Microsoft (perfectly justifiably) does not provide further support, are highly susceptible to similar attacks. Even after cyberattacks like Industroyer/CRASHOVERRIDE, Triton, Sauron, BlackEnergy, and many others, the industrial market is rather sluggish to adopt proper information technology (IT) security technologies. On the other hand, what makes sense in IT seems quite disruptive to operations. This is because OT has completely separate objectives focused on operations, uptime availability, and efficiency rather than security and confidentiality, which are the main goals of IT. It would appear that the IT versus OT conundrum is still a pervasive threat in security operations for ICS and one that, unfortunately, is rather difficult to bridge. ABI Research’s upcoming analysis report AN-2484 will shed more light on the threats and opportunities of cybersecurity operations in industrial control systems.

