Targeted attacks on computer industrial control systems (ICS) are the biggest threat to critical national infrastructure, according to security firm Kaspersky Lab. But what are the unique security challenges?
The main challenge is linked to the fact these systems typically control physical processes that relate to power, transport, water, gas and other critical infrastructure.
This means almost 100% availability is required, which in turn means it is very difficult and costly to interrupt these systems for things like security updates.
Because the output of ICS relates to physical processes, the effects of any downtime – such as a power outage – can affect millions of people.
For this reason, organisations that support critical infrastructure cannot risk downtime by allowing automatic security updates for ICS that could cause systems to restart or shut down.
Nuclear reactors, for example, typically run on 18-month cycles and any downtime is costly at around £33,000 an hour in fines from the industry regulator.
Information security manager at Electrabel in Belgium Franky Thrasher said this makes it extremely difficult to justify taking such systems offline.
“While cyber security needs to be taken into account, an entirely different approach is required for ICS,” he told the Information Security Solutions Europe (ISSE) 2014 security conference in Brussels.
More on critical national infrastructure IT
- Government considers future of national infrastructure strategy
- UK finally launches national cyber emergency team
- UK takes cyber threats to infrastructure seriously
- UK infrastructure needs better security controls on suppliers, says ISC
- GCHQ launches pilot to share cyber threat intelligence
It is not uncommon for organisations responsible for critical infrastructure to continue running control systems even though a malware infection has been detected.
With only five minutes a year downtime allowed for many ICS, collecting forensic evidence for investigating potential security breaches or malware infections is also extremely difficult.
This is exacerbated by the fact ICS typically run on small processors with limited computing capabilities, which also means many ICS cannot run basic antivirus software.
Maintaining ICS security on legacy systems
The second major security challenge for ICS is while new systems are relatively easy to secure, many systems running in Europe and the US are between 15 and 30-years old.
“Securing and maintaining security on these legacy systems that were designed to communicate point to point is one of the biggest challenges,” said Thrasher.
Because these systems were installed in the pre-internet era, they are not designed for connectivity and typically have no means of authenticating commands received.
Group head of cyber security at Zurich-based automation firm ABB Markus Braendle said rip-and-replace is not an option, and the challenge is to find ways to increase security for new and legacy systems.
“However, it is often difficult to persuade organisations they need to spend money on legacy systems that have been running fault-free for decades,” he said.
Using insecure operating systems to cut costs
The third major challenge is as higher-level management systems have evolved, organisations have sought to standardise and cut costs by using commercial off-the-shelf (COTS) products.
This has resulted in the introduction of operating systems such as Linux and Microsoft Windows, and enabled connections between enterprise networks and management systems for ICS.
“This means greater exposure to the threats associated with these operating systems and the threats associated with connections outside the industrial plant,” said Braendle.
“While there are good reasons to connect ICS to enterprise systems, organisations need to be very careful about how they do this,” he said.
This move to commercial operating systems also brings the security risk of organisations failing to update to the latest, most secure versions.
“Some organisations we have spoken to about moving off Windows XP because it is no longer supported by Microsoft have admitted they are still running even earlier versions,” said Braendle.
“Organisations are often unwilling to update any systems, not only for cost reasons, but also because any change requires them to recertify the whole system to comply with industry regulations,” he said.
Braendle believes regulators should make it easier for organisations to keep their systems up-to-date for security reasons.
Greater ICS connectivity requires improved security
The drive to the most cost-effective, best-of-breed systems has also resulted in heterogeneous environments in many organisations providing critical national infrastructure.
IT is often in the dark about what control systems are being used and where, and there is seldom a reliable inventory
Franky Thrasher, Electrabel
The shift to trading energy like commodity in Europe has also driven the need for connections between ICS and traders.
There is also greater connectivity with suppliers for remote access to enable cost-effective maintenance and monitoring. Again, the lack of authentication mechanisms in legacy ICS is a challenge to security.
“In reality, there are very few systems supporting critical infrastructure that are air-gapped, because of the business need for connectivity,” said Braendle.
Despite the recent media focus on the topic of security and ICS, Braendle said it has been a topic of discussion in the energy sector for much longer.
“Public discussion of the topic has emerged only relatively recently, driven mainly by privacy concerns around the roll-out of smart meters to people’s homes.
“The publicity around the computer worm Stuxnet also made more people aware of ICS and how attacks on them can bring about physical consequences,” he said.
Stuxnet has also prompted more questions about security from organisations running ICS. “But Stuxnet is really the least of their worries as most have still not taken care of the basics,” said Thrasher.
“Stuxnet is a distraction from the real issues of gaping holes in their cyber defences, and most need to deal with these and other threats from vulnerabilities such as Heartbleed and Shellshock,” he said.
But questions around vulnerability to attacks exploiting Heartbleed and Shellshock have underlined how little awareness there is about what systems organisations are running, said Braendle.
“Many organisations are not even able to assess the risk because they do not know if they are running the software containing the flaws attackers are exploiting,” he said.
Another challenge in securing ICS, said Thrasher, is IT departments and IT security teams are rarely involved in their procurement, installation and maintenance.
“ICS are commonly acquired along with the equipment they control, so they are mostly installed, configured and run by plant engineers on site, not IT.
“This means IT is often in the dark about what control systems are being used and where, and there is seldom a reliable inventory,” he said.
ICS risk management
Risk management is also extremely difficult in this environment, said Braendle, because every risk has a high cost attached and there are no reliable statistics to assess the likelihood of something happening.
“This means risk-management strategies used in the typical enterprise environment cannot be applied. The challenge is tailoring risk-management strategies to the energy sector.
“This presents the challenge of finding security professionals with a good understanding of ICS and the industry, or training someone who is able to conduct meaningful risk assessments,” he said.
Most security incidents involving ICS are not talked about, but we need to discuss this more to address the challenges
Markus Braendle, ABB
Braendle believes there needs to be a joint effort by all stakeholders to address the security challenges around ICS, particularly as these are set to become even greater with the move to cloud and wireless technologies.
Braendle would also like to see security becoming a more important factor in the procurement process, with a greater demand for inherently more secure systems from suppliers.
“Although organisations are asking more questions about security, cost and other factors usually hold more weight when it comes to making the purchasing decision,” he said.
Braendle sees positioning security as an enabler as being one way of encouraging organisations to invest more heavily.
“It is important for everyone to understand the benefits of the smart grid can only be reaped if it is done properly, and it is security that will enable that,” he said.
Braendle is also an advocate of greater open discussion. “Most security incidents involving ICS are not talked about, but we need to discuss this more to address the challenges,” he said.
According to Kaspersky Lab, such attacks are becoming increasingly common. This is underlined by the fact an ICS decoy set up by the firm attracted 1,300 attempts to gain unauthorised access in one month.
Of these, 400 were successful, including 34 connections to integrated software development environments (IDEs), seven downloads of programmable logic controller (PLC) firmware, and one case of reprogramming a PLC with the hacker’s software.
Kaspesrky Lab said this is especially worrying in light of the fact researchers have found lots of examples of industrial control systems connected to the internet.