For those coming from IT, securing ICS systems can be frustrating at the beginning. This is because the technologies used and the ways of working are very different when it comes to OT systems. The objectives pursued in these two areas are also divergent. How so? Let’s find out.
When securing IT systems, the main focus is on protecting data – such as intellectual property (IP), credit card numbers, emails and Personal Identifiable Information (PII) – thus trying to prevent hackers from gaining access to what, for a company, may be a great part of its assets.
This is in sharp contrast to what happens with ICS systems, where the main objective is to protect the process, as they are designed for continuous processing. In some cases, following an unplanned shutdown of a plant, it can take days, weeks or even months for it to restart, causing significant damage. And it is not just an economic loss.
Take, for example, an ICS system that controls power generation and distribution, or drinking water and wastewater systems: besides great inconvenience, their breakdown can also have serious consequences on people’s health, as well as deeply impact society. Without going too far back in time, just think of the 2021 ransomware attack on Colonial Pipeline that halted plant operations for six days, leading to a fuel crisis and increased prices in the eastern U.S.
In traditional IT systems, we are used to working with protocols such as TCP, IP, UDP, DNS, DHCP, etc. Most ICS systems use one of over 100 dedicated protocols, some of which are proprietary. The most popular on the market are Modbus, DNP3, ProfiNet/Profibus, OPC and others.
ICS systems base their operations on Programmable Logic Controllers, or PLCs. These are used for almost any type of industrial control system, be it production, oil refining, power generation, water treatment, etc. PLCs are comparable to industrial computers, with their own proprietary operating system. They use programming languages derived from the world of electromechanical logic, such as Ladder Logic, to control sensors, actuators, valves, alarms and other devices. Hacking ICS systems often requires familiarity with the programming of such PLCs.
Although availability is one of the most important concepts within information security, ICS systems take it to another level. As mentioned above, here the attention is on protecting the process, rather than the data. For this reason, applying a software patch and rebooting the system may often not be an option, except for discrete time intervals, such as annual or quarterly maintenance shutdowns. This means that operating systems and applications remain unpatched, with known vulnerabilities, for months or even years. Therefore, SCADA or PLC engineers should put adequate compensating controls in place to prevent intrusions, unlike an IT security administrator who would be able to apply security patches more frequently.
With a few exceptions, in traditional IT security, the technical team has direct physical access to system components. In ICS systems, these components may be spread over hundreds or thousands of metres (e.g. pipelines, power grid, etc.), thus making the implementation of security controls even more complicated. For example, remote field stations can become an access point to the entire ICS system.
Recently, especially with the advent of Industry 4.0, many ICS systems have been progressively connected to the Internet via a direct TCP/IP connection. While the internal communication can still be managed with proprietary networks, remote access allows continuous monitoring by plant managers. However, there are still exceptions, such as some dams and other public infrastructure systems which are still kept off-line to protect them from the clutches of cyber attackers.
For years, these systems benefited from security through obscurity. What does it mean? They were somehow safe because few people knew of their existence and even fewer understood their technologies: the protocols used were only known to technicians in the industry who had gained first-hand experience with SCADA, PLCs and HMI terminals.
This is turning out to be a weak point, as they are being exposed on the network without having the most basic security measures implemented. An example is what happened in 2016, when the independent researcher Karn Ganeshen managed to break into a Schneider Electric building automation system by exploiting a 0-day vulnerability and gaining root access to the server.
With the advent of reconnaissance tools like Shodan, these systems will no longer rely on security through obscurity. The industry is only now beginning to implement modest security measures, but one of the biggest challenges that it’s facing is that many standard IT security products do not provide the same level of protection when it comes to industrial protocols. In most cases, firewalls and IDSs have to be customised to make them compatible and applicable to OT.
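The point about firewalls and IDSs needing to understand industrial protocols, and the earlier one about compensating controls standing in for patches, can be made concrete with a small protocol-aware check. The following is an added example, not code from Sababa Security or from any product: it parses the MBAP header and function code of Modbus/TCP requests (field layout and public function codes as given in the Modbus application protocol specification) and applies a simple allow-list policy in which only a named set of engineering hosts may issue write function codes. The policy, the host addresses and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification (subset).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id and the PDU that follow it.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(tid, uid, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    return struct.pack("!HHHB", tid, 0, len(data) + 2, uid) + bytes([fc]) + data


def inspect(records, policy):
    """Apply a protocol-aware allow-list to (src_ip, payload) records.

    policy = {"writers": {ip, ...}} names the hosts allowed to issue write
    requests (hypothetical policy shape); every other host may only read.
    Returns a list of (src_ip, reason) alerts.
    """
    alerts = []
    for src, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, f"malformed frame: {err}"))
            continue
        name = FUNCTION_NAMES.get(req.function_code)
        if name is None:
            alerts.append((src, f"unexpected function code {req.function_code}"))
        elif req.function_code in WRITE_CODES and src not in policy["writers"]:
            alerts.append((src, f"{name} to unit {req.unit_id} from non-engineering host"))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_RECORDS = [
    # HMI polls 10 holding registers from address 0: read-only, fine.
    ("10.0.0.10", build_request(1, 1, 3, struct.pack("!HH", 0, 10))),
    # Engineering workstation writes one register: allowed by policy.
    ("10.0.0.20", build_request(2, 1, 6, struct.pack("!HH", 100, 1))),
    # Unknown host writes one register: alert.
    ("10.0.0.99", build_request(3, 1, 6, struct.pack("!HH", 100, 0))),
    # Unknown host uses a function code outside the expected set: alert.
    ("10.0.0.99", build_request(4, 1, 90, b"")),
    # Frame with a wrong MBAP protocol id: alert as malformed.
    ("10.0.0.99", struct.pack("!HHHB", 5, 1, 2, 1) + b"\x03"),
]

POLICY = {"writers": {"10.0.0.20"}}

if __name__ == "__main__":
    for src, reason in inspect(SAMPLE_RECORDS, POLICY):
        print(f"ALERT {src}: {reason}")
```

Run on the constructed records, the check raises three alerts: the write from a host outside the allow-list, the unexpected function code, and the frame whose MBAP protocol id is not zero. A generic IT firewall rule that only permits TCP port 502 would pass all five records, which is exactly the gap the text describes; the same allow-list idea applies to DNP3 or other protocols once a parser for their headers is in place.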
Considering the different lengths of the IT and OT system lifecycles, and the sensitivity and safety relevance of OT systems and automation tools, the approach to security usually requires a combination of security technologies and services, including:
Download our brochure to discover Sababa Security’s portfolio dedicated to Industrial Security or request a call with our OT security specialists.