Industrial Control Systems, Cyber Security and Hygiene

SamSam, Shamoon, Stuxnet and Triton are just some of the popular viruses that have been targeted at Industrial Control Systems (ICS). They have caused a lot of damage. Triton’s purpose was causing loss of life; now, that is serious. In the IT security environment, we do not hear about cyberattacks causing loss of life but in an operational environment it is different.

In the IT security world, we follow the confidentiality, integrity and availability (CIA) triad but in the operational technology (OT) security world this is reversed to availability, integrity and confidentiality (AIC). Availability of the control systems is an absolute priority. By having these control systems ‘talking’ and controlling one another ensures assets can maintain the safety of the equipment, while making sure the production is run with minimum intervention. The industrial control systems successfully run the national infrastructures, manufacturing units, energy, communications etc.

The US Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) responded to 290 incidents reported by asset owners and industry partners in 2016. Out of these, 59 incidents were energy industry-specific and this number has been increasing year-on-year. The scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to both business and control system infrastructure. Many more attacks occur, but companies are reluctant to report or share that information because of the real fear of the loss of customer confidence.

What are the biggest threats and where do they come from? A threat requires both intent and capability to be credible. The biggest threat facing industry right now is employee awareness – around phishing emails, removable media usage, network segmentation, personal device usage, the control systems engineer’s knowledge of cyber security, the security engineer’s knowledge of control systems and how to protect them.

Lastly, external threats like hackers, terrorists, competitors, criminals and spies. Their intention might be to hold you to ransom, steal your Intellectual property, cause financial loss, reputational damage, or loss of life.

How do you protect your assets? Anyone that works in ICS cyber security will tell you that it is very different from conventional IT cyber security. For example, you cannot simply quarantine a file in the SCADA (supervisory control and data acquisition) system. That might bring the whole asset to a standstill and the cost of downtime will be a lot higher than the cost of recovery. The key here is prevention: preventing cyber incidents is the most effective way to secure ICS.

Here are five simple steps to protect your company assets:

1. Identify critical information: This is the first and best step to start protecting your ICS environment. Identify your systems, network diagrams and perform an asset inventory exercise. Collect data of the employees who have access to these systems, including their emails, work schedules and list of usernames. Are employees adhering to your social media policy or posting sensitive data online.
   
   
2. Analyze the threat: Ask yourself the following questions: Who are your adversaries? Do they have the capability to inflict damage? What do they already know about your asset(s)? What do they need to know to launch a successful attack? Where would they look for the information they need?
   
   
3. Analyze the vulnerabilities: The single biggest vulnerability is the inadequate training of employees, followed by publishing vendor names and systems that are designed without security in mind. Look at the indicators to spot the vulnerabilities.
   
   
4. Assess the risk: Risk is the function of consequence here as opposed to the asset value. This thinking will allow for easier calculation of risk in control system environments. A simple equation for risk is Threat x Vulnerability x Consequence = Risk. The absence of any one of these three factors will lead to minimal or zero risk.
   
   
5. Apply countermeasures: Train your workforce. Let the users have minimum access privileges to perform their job. Install security software like anti-virus, firewalls and intrusion detection systems, where possible. Segregate the operational technology (OT) network from the IT network. Keep a backup copy of the system settings.

The Author
Managing director Jai Aenugu established The TechForce shortly after being named Entrepreneurial Supporter of the Year at the 2016 Elevator Awards, following a career as IT manager for an Aberdeen-based oilfield services company. The TechForce provides email phishing and security awareness training, next-generation antivirus software, vulnerability management and cyber essentials consulting for medium-to-large businesses. It was recently awarded Approved Cyber Essentials Practitioner (Advanced) status and secured a place on the Government’s G-Cloud 11 procurement framework for cyber security services.