ICS Security: What It Is and Why It’s a Challenge for Organizations

Industrial control systems (ICS) are specific kinds of assets and associated instrumentation that help to oversee industrial processes. According to the National Institute of Standards and Technology, there are three common types of ICS. These are supervisory control and data acquisition (SCADA) systems, which help organizations to control dispersed assets; distributed control systems (DCS), which control production systems in a local area; and programmable logic controllers (PLCs), which enable discrete control of applications using regulatory control.

In this capacity, industrial control systems are essential to the operation of critical national infrastructure (CNI) such as transportation networks, water treatment plants, and power grids. The U.S. Department of Homeland Security (DHS) describes CNI as “physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” As such, CNI helps to support the overall functioning of American society.

Why Are Attackers Targeting Them?

A contributor to the State of Security wrote the following back in 2016: “If these ISC devices were to be compromised, regular service could be disrupted, proprietary data could be lost, and significant harm could occur.”

This statement raises the question: Why would someone want to disrupt ICS? Some malicious actors could use the threat of an ICS disruption as a means of extorting an industrial organization’s operations. Those attackers might do so in the belief that the victim will be more inclined to pay (and quickly) to avoid adversely affecting a nation’s security or public health.

Take the Colonial Pipeline attack, as an example. Back in the beginning of May, the Colonial Pipeline Company announced on its website that it had taken several systems offline to “contain the threat” posed by a successful ransomware infection. All pipeline operations temporarily ceased following that decision, leading to gas shortages and panic buying along the East Coast.

During the recovery phase, Bloomberg reported that Colonial Pipeline had paid a ransom of approximately $5 million to digital criminals just hours after discovering the attack on its systems. The U.S. Department of Justice ultimately recovered $2.3 million of that ransom payment after using a private key to hack into a bitcoin wallet address. As of this writing, Colonial had not recovered the rest of its payment.

ICS disruptions aren’t useful to only extortionists, either. They’re also handy to state-sponsored actors, especially those who are intent on attacking a perceived adversary. Back in 2015, for instance, a power company in western Ukraine reported an outage affecting the regional capital of Ivano-Frankivsk. A subsequent investigation revealed that unknown actors had used the BlackEnergy malware to disrupt some of the company’s systems.

As we noted at the time of the attack, some suspect that Russia created BlackEnergy and used it to target entities in Ukraine as part of an ongoing interstate conflict.

Not every threat actor is interested in disrupting industrial control systems, however. Others might be interested in conducting reconnaissance of an organization’s industrial network and feeding their findings to a host government. Others still might elect to sell that same information to a competing organization so that they can obtain a business advantage. And then there are those that just want to sell that data on the dark web to the highest bidder.

What Do These Attacks Consist of?

Many ICS attacks now leverage the convergence of organizations’ information technology (IT) and operational technology (OT) environments to their advantage. Specifically, malicious actors are counting on organizations to connect their OT assets to wireless sensors and other IT systems. The resulting union of processes, software, data, and physical devices might help organizations to optimize their industrial workflows as part of their ongoing digital transformations. But it also helps to expand the industrial attack surface by creating new vectors through which nefarious individuals can gain access to their ICS.

Indeed, the security community witnessed someone misuse the IT-OT convergence to their advantage in a digital attack against the City of Oldsmar, Florida. That incident began when an operator at a water treatment plant in the City noticed someone controlling their mouse cursor. They then witnessed their mouse cursor change the setting of sodium hydroxide within the water from 100 parts per million (ppm) to 11,100 ppm—a potentially dangerous level.

The Pinellas County Sheriff launched an investigation into the attack. In the process, they learned that someone appeared to have compromised and misused the water treatment plant’s TeamViewer account. The facility had that software in place for the purpose of allowing supervisors to connect in remotely and troubleshoot issues when necessary.

Investigators dug deeper into the attack and learned that a Florida water utility contractor was hosting malicious code on their website as a means of targeting water utilities, reported Security Week. Someone in the City of Oldsmar visited that website on the same day as the unauthorized access, leading the municipality to fall victim to what’s known as a watering hole attack.

What Is the State of These Attacks?

ICS attacks are on the rise. As we recently reported, researchers found that the digital attacks targeting organizations ICS and OT assets increased by over 2,000% between 2018 and 2020. Many involved malicious actors’ efforts to exploit vulnerabilities affecting SCADA assets. They also included efforts to conduct password spraying attacks via brute force login techniques.

Ransomware attacks against organizations’ ICS are particularly widespread. They accounted for 23% of security incidents in the industrial sector for 2020. As noted by Industrial Cyber, ICS vulnerabilities were also 49% more prevalent in 2020 than they were the year before.

Why Are ICS Difficult to Secure?

Legacy systems make it difficult for organizations to secure their ICS. This has to do with how IT and OT environments uphold different security priorities when it comes to the CIA triad. IT values confidentiality first and foremost, for instance, but OT looks to something else. Paramount to OT professionals is availability (and safety), for disabling certain systems could cause others to malfunction in a way that endangers the lives of ordinary people. In OT environments, uptime and the lack thereof have real-world consequences. As a result, OT takes an interest in integrity and confidentiality only after availability is ensured.

If they’re primarily concerned with ensuring their OT assets’ availability, many organizations aren’t interested in taking their assets temporarily offline for an update and/or replacing them. Industrial organizations therefore end up using the same ICS systems for years if not decades. Those legacy systems lack security patches and are thus unprepared to withstand the IT security threats of today’s world.

That’s a concern given organizations’ lack of network visibility. Many industrial organizations just don’t have the necessary technologies to gain visibility over their networks. As a result, they don’t know necessarily know what to protect or what’s happening on their systems, thus minimizing their ability to protect their assets.

What Can Organizations Do in Response?

Industrial organizations can protect their ICS systems by focusing on the security fundamentals. One of the ways they can do this is by investing in a security solution that empowers them to discover and profile all their industrial assets, monitor the status of their network and systems, harden those assets against plant disruptions, and conduct granular vulnerability assessments to gauge their ICS cybersecurity on an ongoing basis. Learn how Tripwire can help.