Narong Jongsirikul - Fotolia

UK institute seeking better cyber defences for ICS, says director

The UK needs to develop awareness of the vulnerability of industrial control systems to cyber attack and technology-specific security systems, says researcher

Industrial control systems (ICS) are just as much at risk of cyber attack as enterprise IT systems, according to Chris Hankin, director of the Institute for Security Science and Techonology (ISST).

“Almost every component of such systems now has fully functional computing capability and most of the connections will now be Ethernet, Wi-Fi or using internet protocol,” he told the cyber threat intelligence conference at the  Security & Counter Terror Expo in London.

This is of particular concern to the ISST, because critical national infrastructure (CNI) protection is one of the main areas of research, and industrial control systems are widely used in CNI.

Hankin, who is professor of computing at Imperial College London, said it is tempting to think that quite a lot is known about IT security and that this knowledge can simply be applied to ICS.

“While there has been a convergence between the two worlds, particularly in the past five years, there are major differences, such as the fact the ICS tend to have to operate in a time-critical way, they have to operate around the clock, and edge clients such as sensor and actuators are becoming much more important,” he said.

Hankin said that, while cyber security specialists tend to understand IT, they are much less equipped to understand the complex interactions that happen between IT and the physical processes in the world of critical infrastructure.

Read more about industrial control systems security

Competing priorities

Other differences between IT and ICS include the fact that, in the ICS environment, there are far greater constraints on resources such as memory and battery life.

“For these reasons, security is often seen as being quite expensive from the point of view of those sorts of resources, and many control engineers will disable the resource-hungry security functions of the systems they deploy,” said Hankin.

Another big difference between IT systems and ICS, he said, is that the latter are typically required to function for 20 or more years, resulting in “huge legacy issues”. While data loss confidentiality is a top concern for IT security, in the ICS world, the CIA triad is turned on its head: availability is paramount and the integrity of data is important – while confidentiality is less of an issue, (except for where the ICS interfaces with the enterprise IT system, where there might be valuable process control data being shared).

According to Hankin, cyber attacks on ICS typically involve a compromise of the IT layer – such as networks, operating systems and IT applications – which is then propagated into the ICS layer where attackers can take over the human-machine interface, controllers, sensors and actuators, to make an impact on the physical layer.

Sharp rise in ICS attacks

The threat is real and increasing he said, with the US ICS-CERT reporting just nine incidents in 2005 and fewer than 50 in 2010, rising sharply to 295 in 2015.

“The two areas under consistent attack in the past few years are critical manufacturing and energy; and in the European context, with the roll-out of things like Industry 4.0, we can expect to see critical manufacturing continuing to be a major attack surface,” said Hankin.

Analysis of cyber attacks in 2013 and 2014 by the ICS-CERT, he said, revealed the benefits of various strategies in protecting ICS environments.

The study showed that application whitelisting would have prevented 38% of the incidents; configuration and patch management would have prevented 29%; while building more defendable systems would have eliminated 9%; and better use of authentication systems would have prevented 4% of incidents.

“One of the biggest problems is that many industry control systems are never patched, because patching changes the system and therefore undermines safety – which, in the ICS world, typically trumps security,” said Hankin.

UK ICS research programmme

In terms of the real-world damage caused by cyber attacks on ICS, he said one of the best examples to date is the attacks on electricity distribution companies in the Ukraine in December 2015 that plunged around 75,000 homes in Ukraine’s Ivano-Frankivsk region into darkness for several hours.

“An interesting aspect of this attack is that it was followed up by a denial of service attack on the telephone system, so that people affected by the power outages were unable to report the fact to the energy provider,” said Hankin.

“The threat to ICS arises from the increasing commoditisation and digitisation of these environments. With the internet of things (IoT) and the growing number of cyber-physical systems, this situation is not going to change,” he said.

As a result, and as part of the National Cyber Security Programme, the UK government established a research institute in trustworthy industrial control systems.

“I have the privilege of being the director of the institute which, although it is hosted at Imperial College London, is actually a network of five universities,” said Hankin.

The other participating universities are: City University London, Lancaster University, Queens University Belfast and the University of Birmingham.

Need to develop threat awareness

The institute, he said, is working to address the questions of how cyber threat translates into physical harm; how to communicate the ICS cyber risk to the C-suite in businesses; and how to develop novel, effective and efficient interventions.

“Operational technology, or industrial control systems, is very like IT – but different because there is a shift in threat, from espionage to sabotage with the aim of causing physical harm to the system. There is a lack of awareness of these issues at the C-level in many companies, and therefore we need to develop that awareness as well as develop operational technology-specific security solutions,” said Hankin.

Read more on Hackers and cybercrime prevention