Industrial Control System (ICS) cyber security is weak and exploitable. As evidenced by STUXNET’s attack on the Iranian Natanz[1] enrichment facility, discovered in 2010, and by others since, global critical infrastructure is in danger of cyber attack. The problem stems from the growth of industrial management systems over three distinct generations that moved process management from manual operation to fully networked controllers and sensors. In many cases the transition was poorly managed and proper IT management techniques were not employed. In others, the software and hardware are so fragile that any change or unexpected access can crash them or otherwise render them useless. These instabilities, caused both by poor management and by weak equipment, open large security holes that allow attackers to exploit critical systems with potentially disastrous results. For example, a petroleum refinery could be made to vent and flare excess gas at a moment when doing so could destroy the facility, or an attacker could take down an entire electrical grid, causing inconvenience at best and significant harm at worst.
The approach to solving the cyber security problem is to apply common IT best practices to the current ICS space and to address its network and application security problems in the same manner as the rest of the IT industry, both commercial and military: lockdown. Applying such a solution requires techniques not common in the normal IT space, because industrial control systems cannot be shut down for any length of time; doing so would “break” the processing flow and potentially damage whatever is being manufactured, processed or controlled, or carry an unacceptable effect on profitability. For example, an oil pipeline cannot be out of service for long before it causes underflows throughout downstream systems, and similarly a train track switching system cannot be taken offline and still be expected to move the required daily loads.
The key to the solution is a process that allows a lockdown with minimal impact on executing processes: locking down control systems using best-practice “least privilege” IT techniques, running them on virtual machines, applying strict application whitelisting, and finally enclosing them in a secure subnet from which data can only flow outwards. This provides a stable and secure environment in which processes can execute without fear of attack and without changing the systems enough to cause unexpected failures.
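Two of the controls named above, the outbound-only control subnet and hash-based application whitelisting, modelled as the policy checks a boundary firewall and a host allowlisting agent would make. This is an added illustration and not code from the paper; the addresses, the historian host and port, and the program images are assumptions constructed for the example.

```python
"""Policy checks for two lockdown controls: an outbound-only control subnet
and hash-based application whitelisting.

Added illustration, not the paper's own code. The addresses, the historian
host and port, and the program images below are assumptions / constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan: the control network and the one DMZ host that
# receives its data. Nothing else is reachable from inside the control network.
ICS_NET = ipaddress.ip_network("10.10.0.0/24")
HISTORIAN = ipaddress.ip_address("10.20.0.10")   # assumed DMZ replica of the process historian
HISTORIAN_PORTS = {5432}                          # assumed replication port


@dataclass(frozen=True)
class Session:
    """A TCP session as seen by the boundary firewall: who initiated it,
    to which host, on which destination port."""
    initiator: str
    target: str
    dport: int


def session_allowed(s: Session) -> bool:
    """Outbound-only rule set for the control subnet.

    Sessions may be initiated from inside the control network only towards
    the DMZ historian. No session may ever be initiated *towards* the control
    network, which is what keeps remote access and lateral movement out.
    Everything not explicitly listed is denied.
    """
    src = ipaddress.ip_address(s.initiator)
    dst = ipaddress.ip_address(s.target)
    if dst in ICS_NET:
        return False                      # inbound initiation is never allowed
    if src in ICS_NET:
        return dst == HISTORIAN and s.dport in HISTORIAN_PORTS
    return False                          # default deny for anything else


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> dict[str, str]:
    """Map each approved program name to the SHA-256 of its approved image.
    In practice this is built once, at lockdown time, from known-good media."""
    return {name: sha256_hex(image) for name, image in approved.items()}


def execution_allowed(name: str, image: bytes, allowlist: dict[str, str]) -> bool:
    """Permit execution only if the image hash equals the approved hash for
    that name. Unknown programs, patched binaries, and approved binaries
    renamed to another approved name are all refused."""
    expected = allowlist.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(image))


# Constructed byte strings standing in for real executable images.
APPROVED_IMAGES = {
    "hmi_runtime.exe": b"\x7fELF-hmi-runtime-v4.1",
    "historian_agent": b"\x7fELF-historian-agent-v2.0",
}
ALLOWLIST = build_allowlist(APPROVED_IMAGES)


def demo() -> dict[str, bool]:
    """Evaluate a few constructed events; returns the decision for each."""
    return {
        # historian replication leaving the control network: permitted
        "hist_push": session_allowed(Session("10.10.0.5", "10.20.0.10", 5432)),
        # DMZ workstation trying Modbus/TCP into a PLC: denied (inbound)
        "inbound_modbus": session_allowed(Session("10.20.0.50", "10.10.0.7", 502)),
        # controller trying to reach the Internet: denied (not the historian)
        "egress_web": session_allowed(Session("10.10.0.5", "203.0.113.9", 443)),
        "known_good": execution_allowed("hmi_runtime.exe", APPROVED_IMAGES["hmi_runtime.exe"], ALLOWLIST),
        # same name, different bytes (a patched or trojaned image): denied
        "patched": execution_allowed("hmi_runtime.exe", b"\x7fELF-hmi-runtime-v4.2", ALLOWLIST),
        # dropped tool not on the list at all: denied
        "unknown": execution_allowed("psexec.exe", b"MZ...", ALLOWLIST),
    }


if __name__ == "__main__":
    for event, decision in demo().items():
        print(f"{event:15} {'ALLOW' if decision else 'DENY'}")
```

The two checks share one design choice: the default is deny, and only a short, explicit list of expected behaviour (one destination and port outward; one hash per program name) is permitted, which is what lets the rules be applied to a running plant without changing the controllers themselves.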
Industrial control systems (ICS) provide the critical infrastructure that nations require to support their populations and economies, and to do so safely. The computing systems responsible for managing critical processes, however, are extremely weak from a cybersecurity perspective. ICS networks have historically relied on a supposed defense-in-depth component, security through obscurity[2]: if attackers did not know the systems were there, they would not be attacked[3]. This belief is a carryover from the early days of control system technology, when manual or simple electronic switching systems were enclosed in “secure” facilities with no connection to the outside world. Current control system technology relies on newer, cheaper commercial off-the-shelf (COTS) equipment, and the transition from closed, isolated systems to open, Internet-connected systems left unforeseen gaps in the perimeter, leaving them open to attack. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)[4] and many other organizations around the world have worked for several years to raise ICS cyber security awareness, but it was not until recently that the industry and the public learned there was a problem. The trigger was the discovery of STUXNET in mid-2010. STUXNET is a weaponized computer worm specifically targeted at the Iranian nuclear program, in particular its uranium enrichment facilities. It took over the Siemens supervisory control and data acquisition (SCADA) software responsible for managing specific programmable logic controllers (PLCs) and altered the code those PLCs ran, so that the devices they drove, in this case the industrial centrifuges used to produce nuclear fuel, would be damaged and the Iranian program crippled. While STUXNET did reach the Natanz facility, it failed to do the necessary damage. Regardless, STUXNET provided the world’s general public with two critical pieces of information:
From a cybersecurity professional’s standpoint, STUXNET revealed many other things, including:
There are serious threats to global critical infrastructure that have been and are being exploited
Someone is willing to spend an enormous amount of money to create extremely sophisticated malware to exploit ICS
STUXNET provides a solid template for a weaponized worm that can be copied by the general cyber hacking community
Several other similar examples[5] have been discovered in the wild, but we do not know what we do not know: new malware may be lurking anywhere, poised to attack