Cyber security in industrial control systems poor, says Crest

A lack of standards-based technical security testing is putting industrial control environments and critical national infrastructure at risk of cyber attack, a report reveals

There is a pressing need to improve cyber security in industrial control system (ICS) environments, according to security certification body Crest.

Improvements are necessary to avoid breaches that could affect critical national infrastructure (CNI), concludes the Crest report, which says there is strong evidence that CNI is a target not only of adversarial states, but also of determined and skilled criminal attackers.

The report highlights a number of challenges and says more technical security testing has a significant role to play in ensuring that higher levels of security assurance are met.

The report is based on research that looked at the main challenges and possible solutions for protecting ICS environments, many of which are based on legacy technologies.

The research reveals that many organisations with ICS environments are unclear what level of threat they face or whether they have already been breached.

One of the key findings in the report is the absence of periodic standards-based technical security testing that is commonplace in many other industries. Because of this, ICS environment owners and operators have no objective way of knowing whether cyber risk is being managed adequately.

Technical security testing specialists regard inadequate management support as the most important factor affecting the ability to secure ICS environments and undertake technical security testing activities.

The report also notes that no definitive standard for testing ICS environments is currently mandated by regulatory bodies, and that the rapid pace of change in ICS environments leads to a higher degree of exposure.

“ICS environment owners require assurances that risk is being identified, assessed and evaluated,” said Ian Glover, president of Crest. “Above all else, they need to know that there are appropriate measures in place to manage and mitigate risk.”

Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach, said Glover.

“Organisations should consider how this could add value and protection,” he said, adding that it is clear ICS environments are more sensitive than conventional IT environments and that any penetration testing of systems must be planned and undertaken with a high degree of trust, skill and caution.

The report recommends that multidisciplinary testing teams should be assembled for ICS technical security testing, consisting of members with different testing skills, knowledge and perspectives on risk management, and that technical security testing approaches should be intelligence-led, threat scenario-based, draw on well-established technical security testing principles and, where possible, use red teaming concepts.

Glover said the report supports the work Crest is doing in many parts of the critical national infrastructure in the roll-out of intelligence-led penetration testing.

A spokesman for the UK National Cyber Security Centre (NCSC) said the report provides “a valuable contribution to the current thinking on this challenging topic”, adding: “We look forward to working with Crest, as well as ICS operators and the cyber security industry, to make the UK the safest place to live and do business online.”

The report is for organisations in both the private and public sectors and is targeted mainly at IT managers, information security managers and technical security testing specialists, but will also be of interest to process engineers, safety specialists, business managers, procurement specialists and IT auditors.

Crest is now looking to expand on this initial ICS research to develop detailed guidance material that can be used by specialists to help secure ICS environments and, in particular, those that make up the critical national infrastructure.

In April 2017, a report by security firm FireEye said manufacturers invest heavily in ICS to operate industrial processes efficiently, reliably and safely, but board members, executives and security officers are often unaware that the technology at the core of business operations invites undetected subversion.

The report identified six key weaknesses that an adversary can use to undermine an industrial plant’s operation:

  • Unauthenticated protocols
  • Outdated hardware
  • Weak user authentication
  • Weak file integrity checks
  • Vulnerable Windows operating systems
  • Undocumented third-party relationships
