The internet of things has brought several security risks into the limelight -- from the use of default or hardcoded passwords on cameras to the inability of resource-constrained sensors to run security mechanisms, such as encryption.
One of the biggest security challenges, however, might be IT/OT convergence -- the merging of information technology with operational technology. IT teams are no strangers to infosec, but their OT counterparts working among industrial control systems (ICSes) have generally never worked in internet-connected networks. Yet, as the benefits of IoT and industrial IoT (IIoT) become apparent, more ICSes and OT environments are becoming connected -- bringing multiple benefits but also creating multiple security threats. Compounding the risk, IT teams don't know how to handle threats in such environments, which leaves many IT and OT teams unsure exactly where the security responsibility lies.
Here, Institute of Electrical and Electronics Engineers Inc. (IEEE) member Kayne McGladrey outlines the challenges of ICS security and explains how OT environments can counter such threats while still reaping the benefits of IoT.
Study after study predicts the most detrimental security attacks and issues in ICS environments. What are you seeing as the top OT security threats?
Kayne McGladrey: We're in the age of Pandora's box of OT security threats. For years, IT systems and professionals have been observing attacks against IT systems and building countermeasures, but no similar widespread effort has been made for ICS environments. As such, security researchers are regularly and consistently finding new and novel threats every time they open an OT environment up for inspection.
For example, one of the top threats cited across numerous reports is the lack of a device inventory. While IT asset management is not a new field for IT professionals and represents one of the Center for Internet Security's top 20 critical security controls, the push to have an automated inventory for OT and control systems is a comparably new phenomenon. It's not possible for an organization to defend what it can't see, and it's not feasible to deploy patches or run security audits against unknown and functionally invisible systems. This lack of visibility also means it's difficult to defend against configuration errors, sideloading of malware via technical attacks or command injection attacks by rogue network elements.
Why are ICSes so ill-equipped to handle such threats?
McGladrey: People and funding. Cybersecurity is driving headlines in national publications, which creates interest for new people to join the field and for venture capitalists to fund companies working on cybersecurity. OT and ICS security are comparably unheard-of fields by most people.
How are the ICS or supervisory control and data acquisition threats of yesteryear evolving in the wake of IoT deployments?
McGladrey: Stuxnet is a great example of a threat from the past, where a USB stick was used to deploy malware due to an air gap. IoT devices have no such air gap; rather, they're continually connected to the internet. Combined with the common lack of a device or sensor inventory, IoT devices make it easier for threat actors to establish persistent bridgeheads into target networks for data exfiltration, command injection, protocol manipulation and other technical attacks.
How is IT/OT convergence amplifying the need for enhanced ICS security?
McGladrey: The recognition that critical utilities, such as water and electricity, are becoming connected is driving the need for enhanced ICS security. A ransomware attack that shuts down the IT systems of an electrical company, as happened in South Africa this summer, affects the ability of consumers to pay their electric bills, which might lead to a subset of consumers losing power. An ICS attack on a power grid, as happened in Ukraine, could have a widespread devastating effect.
Is adversary behavior changing as ICS security threats make more headlines?
McGladrey: If anything, the increased exposure is causing threat actors to more aggressively attempt to establish persistence as part of battle space preparations now, before compensating controls for detection are in place. The 2019 UN push for cyber norms was an indirect acknowledgement that multiple countries have shells in each other's utilities.
In the wake of these issues, what are some best practices for building an ICS security framework?
McGladrey: To build an ICS security framework, start with the basics of active and passive inventory gathering. Also, be sure to patch systems that can be patched and apply consistent configurations to those systems. Finally, gather network data to set a baseline of what 'normal' traffic looks like for future analysis and to detect abnormal activity.