ICS – Control System is the Technology which encapsulates the several types of control systems or network associated with Instrumentation and used in Industrial Processes. The Industrial control system (ICS) is a general term that encompasses several types of control systems, including SCADA systems, DCS, and other control system configurations such as PLC often found in the industrial sectors and critical infrastructures. (NIST)
Before Understanding ICS Security let’s talk about few other technologies like PLC – Programmable Logic Controller, PLC’s are controller used in Instrumentation and acting as digital computers with multiple I/O and used for Automation of Small & Heavy Industrial systems. SCADA – Supervisory Control data acquisition is a control system that uses Systems, Networks, and GUI for running efficient processes of Industry to monitor and control Infrastructure of Industry. SCADA & PLC’s are utilized and used in small-scale within the industries like chemical, Paper, power generation, telecommunication and much more as they are cost effective. More complex architectures can be developed by the communication of other internal devices and controllers.
Few other examples are DCS (Distributed Control System) – It’s a hierarchical control system with distributed elements across a facility via communication technologies, IED (Intelligent Electronic Device) – A Microprocessor-based controllers device for controlling power systems equipment. Major of the industries like Chemical, Gas, Energy, Transportation, Manufacturing, Production and many more are nowadays implementing and utilizing this technology.
Mentioning the small brief below.
SCADA
- SCADA are highly distributed Geographically separated assets
- Centralized data acquisition and control are critical
- Oil and gas pipelines
- Electrical power grids
- Railway transportation systems
- Field devices control local operations
Distributed Control Systems
- Supervisory control of multiple integrated systems responsible for a local process
- DCSs used extensively in process-based industries
- Examples:
- Oil and gas refineries
- Electrical power generation
- Automotive production
- Feedback loops maintain set points
- Programmable logic controllers used in the field
Programmable Logic Controller
- Computer-based solid state devices
- Control industrial equipment and processes
- Regulate process flow
- Automobile assembly line
Differences for above all:
- Location
- SCADA – geographically dispersed
- DCS and PLC – factory centered
- Communications
- SCADA – long distance, slow speed
- DCS and PLC – LAN, high speed
- Control
- SCADA – supervisory level
- DCS and PLC – closed feedback loops
Hacking Industrial Control System
Almost 40 percent of all ICS and critical infrastructure faced a cyber-attack at some point in 2017. Most of the Systems either logically or physically impacted by Cyber Attacks like Ransomware, Trojans, Malicious Insiders, Malware, and other Hacking methods. More than 300 Attacks were noted in 2015 increased in 200 % since 2010. Many companies, especially in Asia, are running Windows XP which are already not supported and out of Market and possess thousands of vulnerabilities.
There have been enormous development and distributions of hacking tools on the Internet which can easily scan this type of networks, systems through which vulnerabilities can be found and exploited and meanwhile the whole Network of Industry can be brought down in a couple of minutes.
Stuxnet was the major first worm impacted Nuclear Power Stations and was developed to attack Iran’s Nuclear Power Plant. It exploited 2 known windows vulnerabilities and had infected 2, 00, 000 computers and ruined almost one-fifth of Iran’s Nuclear Centrifuges. Later, Stuxnet origin Duqu, Flame, Triton were the major malware discovered which were exploiting the vulnerabilities of components of ICS.
Given below are the Major Threats for Critical Control Systems.
- Network Access – All the Internet accessible devices are mapped by multiple tools and search engine like Shodan, Google etc., Moreover Attacker will get to know the technology been used and version of same.
- Governance – There have been always lack of security policies implemented and understood at ICS environment. Assets in ICS if not standardized and not maintained can be a threat to the ICS.
- Physical Security – Attackers can easily target the ICS Assets where physical controls are not in place and without proper monitoring can be stolen.
- Cyber Actors – Script Kiddies, disgruntled employees, foreign intelligence, Insiders, Contractors/vendors could also be a major threat to an ICS.
- System Management – Delays in Upgrades and Updates could also be harmful and cause a threat, No DLP, Antivirus, Firewall on a system can be crucial and the system could be hacked within no time, Physical Media movement is also a part of the concern.
- Supply Chain – Third-party vendors and contractors can be attacked in order to target indirectly to an ICS. Even Third party Hardware & Software data can be breached or attacked through various vulnerabilities existing prior to being installed in ICS environment.
Compromising ICS can result in:
- Unavailable systems
- Compromise of sensitive production data
- Impact delivery of materials/parts/weapons
- Impact integrity of the part being produced/repaired
Securing Industrial Control Systems
The industry’s spotlight is on Cyber Security of Critical Infrastructure. It is not possible to prevent all incidents from happening; we can identify the risks and mitigate the threats with some new technologies emerging. The tailored security solution is always trustworthy and advised to be implemented. Moreover, Standards are been developed and deployed on Infrastructure critical resources but again it is not advised as there are a bundle of technologies, tools, instruments, networks and software’s are been used hence it is critical to rely upon one particular standard.
Following are the Controls and measures to be taken to Secure ICS
- Risk Assessment: Conducting Security Assessment of the Infrastructure of ICS based upon relevant standard to be implemented VS the Security Best practices.
Identification of the controls and implementation of same for the Systems Security, Reviewing Network Architecture, Software & Hardware used.
- Conducting frequent Vulnerability Assessment & Penetration Testing: Internal & External VA should be conducted and proper testing should be conducted to identify known vulnerabilities.
- SOC & NOC to be properly set up to monitor the network and infrastructure. Moreover, International Standards/Compliance are defined which could be implemented depending on the type of Industry.
- Board-room Training from the Management to Employees to be organized in order to avoid the Social Engineering attacks and minimizes the risks of human errors.
- Licensed, Updated and Patched OS and software to be used
- Updated Antivirus, Unified Threat Monitoring Systems, Industrial Firewall, Data Diodes, IDS.
- BCP & DRP in place
No such 100 % Security can be achieved but it’s all about the Risk Reduction, Impact Mitigation, Operational & Functional Security.
About the Author
Falgun Rathod is the Managing Director of Cyber Octet Private Limited. He has nearly one decade of experience in Industry. Falgun is specialized in Cyber Crime Investigation & Infrastructure Security. He is also a renowned Cyber Security Consultant and listed in Top ten Ethical Hackers of India & Top Ten Cyber Cops of India. Falgun had delivered over 100+ seminars & trainings in various colleges and corporates across India. He has been known for his distinguished contribution to the society for cyber security awareness and has also assisted State & Central Government for many projects & cases.
Falgun is a member of ICTTF – International Cyber Threat Task Force, CSFI – Cyber Security Forum Initiative & Chapter Leader of OWASP for Gandhinagar Region. . He is committed towards delivering an aim of Securing Digital Boundaries of India by contribution of his knowledge, skills and consistently trying to minimize the gaps between academics and Industries.
