Power outage or Water pollution?
It’s not just fiction
Security of Industrial Control Systems (ICS) and public utility services should not be discussed only among IT Professionals.
At the beginning of last century, in June 1903, innovator Guglielmo Marconi was ready to publicly demonstrate his new wireless communication system, set to serve as a long-distance secure messaging service.
While the audience waited in London, G. Marconi was situated in the South of England. From a few hundreds of kilometres away, he wanted to send a message to British metropole during his colleague’s lecture.
However, the receiver surprisingly woke up earlier than expected and began tapping out a message in morse code. It was evident that somebody interfered with Marconi's message to hold him up to ridicule.
Somebody has apparently hacked into the system for secure communication. As it later came out, Nevil Maskelyne, innovator and a competitor, with whom Marconi had previous patent disputes, was behind the attack. Maskelyne wanted to disprove Marconi’s system security claims.
Nowadays, proving the loophole in the Marconi’s telegraph is arguably seen as the first ever hacking attack. It was probably also the first ‘hack’ of equipment from so-called critical infrastructure operated by telecom operators, water companies, oil refineries, energy and transport enterprises as well as factories from various industries.
All these organisations have one thing in common. For Infrastructure Management- whether these are machines, pumps, generators or entire assembly lines- they use Industrial Control Systems.
These so-called Operational Technologies (OT), unlike information and communication technologies (ICT), have not been exposed to cyber risks much in the past because they were not connected to the outside world.
The root of the problem
In recent years, however, these systems were getting out of isolation. This is due to gradual digitalisation, appearance of the internet of things, but also due to the effort to streamline their management and maintenance through remote access. However, many Industrial Control Systems are also dated and have not been updated in years.
Additionally, with Operational Technologies, there was always an emphasis on Control systems functionality and maintenance, which are supposed to assure availability of critical services. They were not designed and considered with security in mind, like IT, therefore they are more vulnerable.
It is then, not surprising that in recent years, there have been often reported incidents and attacks targeting industrial technologies. Perhaps, the most famous one is the sophisticated Stuxnet malware attack on Iranian nuclear facilities in 2010, which was supposed to damage uranium enrichment centrifuges.
Another attack, targeting Ukraine’s power grid, left nearly a quarter of a million people without electricity. Similarly, the incident at the beginning of 2021, in which the attacker has gained access to Florida water treatment control system and briefly increased the concentration of sodium hydroxide by more than 100 folds.
An organisation Claroty has confirmed the increased risks for critical infrastructure operators. According to the company's findings, there has been an increase in reported vulnerabilities in control systems in the second half of last year by 25 %. These are not trivia. Three -fourths from them have ‘high’ or ‘critical’ CVCC score, which assesses the severity of vulnerabilities and two-thirds are exploitable remotely.
The key for better protection of critical infrastructure is to realise that a large proportion of security incidents come from the IT Environment. From there, the attackers usually gain access to less secure Industrial Control Systems.
The problem, however, is not just in operation technology’s weak spots and security loopholes, underestimating risks or inappropriate and missing security strategies, but also in humans.
Professionals who understand Industrial Control Systems, usually don’t understand cyber security threats and don’t know how to protect against them. On the other side, neither IT professionals nor Cyber security specialists understand Industrial Control Systems.
In an effort to better protect Industrial Control Systems, it is therefore essential not only to consider the technology dimension, but also human aspects and equipping employees with the right tools. It is even more urgent than in traditional IT security.
5 basic steps for ICS systems security
- Do a network segmentation and implement quality firewall.
- Identify all OT devices connected to the internet and unplug all systems, which don’t need internet connection.
- Secure all allowed remote access and accounts, such as through regular strong password actualisation, Two-factor authentication and VPN access.
- Identify all communication protocols across OT networks and introduce passive security monitoring for cyber-security threats and anomalies detection.
- Strengthen the network security in OT environment and deploy virtualisation (for example for operator stations).