The main challenge for industrial control systems is that the processes they control are connected to critical infrastructure such as power, water, gas, and transport. This means they require high availability, and it is not easy to interrupt those systems to apply security updates. Any downtime can affect businesses and millions of people, for example in the case of an outage. Organizations cannot risk any downtime if security updates could cause these systems to shut down or restart.
Many systems running in industrial organizations are between 10 and 20 years old. These legacy systems were not built primarily with connectivity and security in mind. Replacing them is not easy, and persuading organizations to spend money on new systems is difficult, especially when they see that legacy systems have been running fault-free for decades.
Organizations have sought to standardize and cut costs by using commercial off-the-shelf (COTS) products. This means greater exposure to threats through connections outside the industrial plant when industrial systems are connected to enterprise systems. There are good reasons to connect them, but they also bring the risk involved in maintaining and securing these products. Some organizations are still running products that are no longer supported by vendors, such as Windows XP and even earlier operating systems. Organizations are unwilling to update them not only because of cost and downtime but also because they would need to recertify the whole system to comply with industrial regulations.
Another challenge is the segregation of IT (information technology) security and OT (operational technology) departments, as well as the difference in skill sets between OT and IT. Traditional management of both sides now appears to be outdated. IT departments and security teams are rarely involved in ICS procurement, installation, and maintenance.
ICS systems are commonly acquired along with the equipment they control, so they are mostly installed, configured, and run by plant engineers on site, not by IT. This means IT does not know what control systems are being used, and there is rarely a reliable inventory. The velocity of change in the technological environment has been pushing the two "sides" together, and most importantly, the threats emerging in the cyber security space are forcing them to collaborate with increasing urgency. OT is more concerned with safety than security, and IT with security than safety. Undoubtedly, the gap between the skill sets needs to be minimized to protect the processes in ICS. As Professor Chris Hankin (Imperial College) rightly said, "There needs to be an understanding that a system cannot be safe if it is not also secure." We have to recognize that the challenges in ICS are different from those of common information systems.
Many security incidents involving ICS are never talked about. According to Kaspersky Lab, such attacks are becoming increasingly common. This is underlined by the fact that an ICS decoy set up by the firm attracted 1,300 attempts to gain unauthorized access in one month. Of these, 400 were successful, including 34 connections to integrated software development environments (IDEs), seven downloads of programmable logic controller (PLC) firmware, and one case of reprogramming a PLC with the hacker's software. Kaspersky Lab said this is especially worrying in light of the fact that researchers have found a lot of examples of industrial control systems connected to the internet.
Isolation of the industrial network can no longer be considered an effective protective measure, and with an increasing number of these systems connected to corporate and IT networks, a better understanding of the nature of the threats is needed. As David J. Meltzer (CTO at Tripwire) rightly said:
IT Security could have ignored the OT network as being disconnected, air-gapped, proprietary, and not subject to the same sort of threats and attacks in the past, but this mindset is no longer effective. Cooperation on a consistent security strategy across both IT and OT is essential for the future.
Although organizations are aware of the threats, of perceptions of them, and of responses to them, and are therefore putting solutions in place, they still need to better manage risks, follow strong processes and guidance, and properly implement enterprise solutions.