The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

ICS Vulnerabilities - Staying Vigilant!

image credit: © Leowolfert | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020, click here for more

Asset stakeholders need to review the cybersecurity posture of their facilities, and immediate attention should be given to assessing security for Industrial Control Systems (ICS). Traditionally, ICS were isolated systems used to control and manage industrial assets, machinery and systems. However, that is changing as we enter the age of Fourth Industrial Revolution or the Industry 4.0 era. The convergence of Operational Technology (OT) and Information Technology (IT) impacts the security of ICS and supervisory control and data acquisition (SCADA) systems. As the air gap is removed, the systems are exposed to an expanding threat landscape; they become targets for hackers involved in terrorism, cyber warfare, and espionage. Vulnerabilities that come embedded into the ICS components have much more exposure to known and unknown cyber threats.

As detailed in Kaspersky's "Threat landscape or industrial automation systems H2 2018", 20% of vulnerable ICS devices are being impacted by critical security issues. Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7, which are designated to security issues that are considered high or critical risk levels.  This fact demands that asset stakeholders remain keenly vigilant of their IT/OP environments and their security posture.

To facilitate an understanding of security postures, cybersecurity risk assessments of industrial control systems (ICS) are recommended. Ideally, this understanding will help reduce risk and improve the security of ICS and their components. The primary goal of the cybersecurity assessments is to improve the security of the critical infrastructure by delivery of a report of all security problems found during the assessment along with associated recommendations for improving current levels of security.

ICSs are made up of process equipment, process control hardware, network devices, and computers. Vulnerabilities in network devices and protocols, the operating systems, ICS software, and other software running on the ICS computers could allow an attacker to gather information, disrupt, or manipulate ICS operations. Out of all vulnerabilities identified by Kaspersky, 46% could lead to remote code execution, as well as provide unauthorized control of the compromised ICS device or allow potential attackers to trigger a denial-of-service (DoS) condition rendering the equipment unusable. "Importantly, most vulnerabilities can be exploited remotely without authentication and exploiting them does not require the attacker to have any specialized knowledge or superior skills.

Common security problems that can arise from an ICS configuration are:

  • unpatched operating system, application, and service vulnerabilities;
  • failure to configure and implement applications and services securely (i.e., selecting security options and protecting credentials);
  • changing all default passwords;
  • setting password policies to require strong passwords;
  • limiting user accounts, applications, and services to only the required permissions;
  • installing or enabling security features correctly; and
  • restricting unnecessary connections.

Today, widely available software applications and internet-enabled devices are integrated into most ICS, delivering many benefits, but also increasing system vulnerability. Sophisticated malware that specifically targets weaknesses in ICS is on the rise. ICS software mainly suffers from the lack of secure software design and coding practices. ICS network protocols and associated server applications are prone to “Man in the Middle Attack” data viewing and alteration as well as compromise through invalid input. This lack of security culture contributes to poor code quality, network protocol implementations that rely on weak authentication and allow information disclosure, and cause vulnerable custom ICS Web services.

ICS software generally uses third-party applications such as common web servers, remote access services, and encryption services. Many out-of-date and vulnerable third-party software applications and services are identified on new ICS versions; this indicates that the ICS vendor is not supporting third-party patch management for their software.

In order to reduce the risk of a damaging attack against an ICS, the likelihood of a high impact incident can be reduced by implementing as many perimeter protection and vulnerability reduction strategies as possible (aka defense-in depth). A mitigation strategy should not be chosen from a list of possible mitigations for a given identified or possible vulnerability, but rather as many mitigation techniques as reasonably possible should be employed to stand in as a line of defense and prevent access to vulnerable components and network traffic. The probability that an attack is able to defeat or circumvent security defenses is increasingly reduced as the number of security measures are implemented and gaps are filled in the line of protection formed by the other security features on the ICS.

Security should be designed and implemented by qualified security and ICS experts who can verify that the solutions are effective and can make sure that the solutions do not impair the system’s reliability and timing requirements. Given the nature of the vulnerabilities found in ICS, energy asset owners cannot always directly fix them. Thus, as these owners wait for vendor patches and fixes, the design and implementation of defense-in-depth becomes a security strategy that aid in protecting the ICS from attack and is part of an effective, proactive security program. Such a program is a necessity because attack strategies are constantly evolving to compensate for increased defense mechanisms.  The nature of this vulnerability requires energy stakeholders to be fully engaged with companies which can assess for them their vulnerabilities, develop a mitigation program to address the threats, and ensure that the assets owned and operated by the stakeholders can maintain continuity of operations.

Keith Paige's picture

Thank Keith for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Matt Chester's picture
Matt Chester on Apr 29, 2020 4:16 pm GMT

Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7, which are designated to security issues that are considered high or critical risk levels.  This fact demands that asset stakeholders remain keenly vigilant of their IT/OP environments and their security posture.

Do you think this is mostly a factor of complacency, lack of understanding on how to address them, or lack of investment available to implement the necessary solutions?

Keith Paige's picture
Keith Paige on May 4, 2020 7:50 pm GMT

I believe all three play a part, but I suspect lack of understanding is the largest culprit. That being said, I believe that most organization understand the security implications at an anecdotal level, but generally lack understanding of what's going on at a technical level. Most organization lack  the information that would be available following the completion of a security gap analysis. This analysis will help them understand the security posture and vulnerabilities associated with their enterprise. Without the gap analysis, organizations know that they have a problem, but don't necessarily have the tools to address/ fully understand the problem.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »