An Industry Control System (ICS) component is a device, such as a digital controller, that accepts input, performs a specific function and provides output. For example, a digital controller in an HVAC unit might monitor ambient air temperature and tell the system to turn on or off based upon its settings. The definition of such a controller can be extended to modern-day connected infrastructure that includes smart buildings, home automation, video surveillance systems and unattended vehicles such as drones.
The recent Industrial Control Systems (ICS) threat landscape report from Kaspersky Lab paints a grim picture of ICS security. Researchers found nearly 190,000 hosts worldwide with ICS components that could be remotely accessed via the Internet. In other words, a hacker could locate these devices on the Internet, and attempt to take control of them.
The security of these components is weak. Among the exposed ICS hosts identified by Kaspersky Lab, 92 percent have vulnerabilities, including 87 percent with medium-risk vulnerabilities and 7 percent with critical vulnerabilities. The most vulnerable ICS components are human machine interfaces (HMI), electric devices, and supervisory control and data acquisition (SCADA) systems.
Multiple ICS components work together to serve a particular purpose with little to no human intervention. These systems support critical infrastructure in energy, utilities, transportation and aerospace, and are used in sectors such as chemicals, automotive and manufacturing, food and service, government, financial services and healthcare.
Imagine the damage that could be done if a cybercriminal took control of such components in a connected world. Service disruption for even a short period of time could threaten lives and have severe consequences for entire communities and the environment.
Historically, ICS components were interconnected using private-line networks. In recent years, however, public utilities have led the transition to TCP/IP networking, with ICS connections increasingly moving to the public Internet. These efforts are essential to the modernization of critical infrastructure, but leave components and systems vulnerable. More than 90 percent of all externally available ICS devices use weak Internet connection protocols, which opens the opportunity for attackers to conduct man-in-the-middle attacks and other exploits.
The risks to ICS have been highlighted by national and international incidents, and various government entities have initiated programs to address the security of ICS and the Internet of things (IoT). For example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a report in September 2016 recommending a defense-in-depth strategy incorporating physical and environmental security, host and network security, monitoring, risk management, vendor management, and policies, procedures and training. These elements should work in concert to reduce the risk of direct access to Internet-connected ICS components, remote access via stolen user credentials, malware and attacks exploiting system vulnerabilities.
The European Union Agency for Network and Information Security (ENISA) has also published an “Analysis of OCS-SCADA Cyber Security Maturity Levels in Critical Sectors” that suggests high-level and context-specific recommendations for decision-makers.
Despite the availability of security frameworks and best practices, few organizations are effectively addressing ICS risks. Most are struggling to grasp the scope and gravity of the threat, and are unsure how to begin incorporating effective ICS security into their operational processes.
Lack of definition scope and boundary often leads to sluggish or absent methodologies that will effectively identify the threats and likelihood of these threats. Assessment of risk in a proactive manner in these situation is often confusing.
Context plays a critical role in determining the risk profile of an ICS component or system. In our next post, we’ll discuss the application of context in ICS threat and risk assessment, and the role of identity management in ICS security.
Arun Kothanath, Chief Security Strategist for DIT, presented on “Contextual Risk Assessment of Industrial Control Systems: A Practical Approach,” at RSA Charge in New Orleans, on Oct. 27