Why Relying on IT Security Strategies Puts ICS Environments at Risk
Despite heightened awareness, security maturity in ICS environments remains low, with only 52% of ICS facilities having up-to-date incident response plans.
September 18, 2024
Written by Dean Parsons, Principal Instructor SANS Institute, CEO ICS Defense Force
The rise of Industry 4.0 has ushered in a new era of cyber risk for Industrial Control Systems (ICS) and Operational Technology (OT). From power grids and water treatment facilities to manufacturing plants and transportation systems, today’s increasingly digitalized ICS environments are the lifeblood of our modern world. The importance of these engineering environments, coupled with their heightened interconnectedness, has placed them in the crosshairs of highly sophisticated cyberattacks, including some from advanced nation-state adversaries. Last year, at least 68 attacks caused physical consequences to OT networks at more than 500 global sites, causing anywhere from $10 million to $100 million in damage. Dragos’ 2023 OT Cybersecurity Year in Review Report found a 50% increase in ransomware attacks against industrial systems, and a notable increase in the number of reported incidents and the use of extortion tactics.
This issue isn’t just a matter of financial losses or bad press for the average enterprise. It’s a matter of safety for both people and the environment. ICS/OT attacks pose serious risks to the critical infrastructure that powers our way of life, with the potential to cause severe harm or death. The myriad of high-profile ICS-related events over the years has helped raise awareness about the importance of prioritizing ICS environments. However, ICS/OT security maturity is still lacking today. According to SANS Institute research, only 52% of ICS facilities have a documented, tested, and up-to-date ICS/OT-specific incident response plan.
A common error is assuming that protecting ICS environments requires the same IT security principles and controls. Security leaders must recognize that these two domains differ significantly in their core purposes, risk surface, mission, protective controls, required skillsets, vulnerability landscapes, attack techniques, technological infrastructure, and consequences of an incident. For example, IT infrastructures handle a wide array of traditional information computing tasks and manage business support data flows. These systems prioritize securing data in transit and data at rest for business support needs. The IT environment is composed of traditional operating systems familiar to most business users.
In contrast, ICS environments serve a markedly different purpose. ICS/OT systems are tailored for specific industrial applications and designed to monitor, alter, and engage with physical quantities such as temperature, volume, and force. They manage, monitor, and control real-time engineering systems, taking physical input values and controlling output for physical actions. The main priority in ICS/OT is the safety and reliability of operations. In addition, ICS environments contain far more purpose-specific devices running non-traditional operating systems, relying heavily on specialized hardware components and custom software applications that interface directly with an array of sensors and mechanical actuators.
The stark contrasts between these two technological domains underscore the need for security strategies that respect the unique characteristics and requirements of each environment. Due to their divergent challenges and priorities, safeguarding each environment demands tailored approaches and specialized knowledge. Simply copying and applying IT security controls, workflows, skills, detections, and incident plans into an ICS environment can lead to severe safety and operational impacts, as well as a false sense of security.
The first step towards bolstering defenses against malicious cyber threats lies in acknowledging and embracing the fundamental differences between IT and ICS/OT. Moving forward, safeguarding ICS environments will require more organizations to develop tailored strategies that account for the unique characteristics and complex requirements of their facilities.
Implementing the Five ICS Critical Controls
Five critical controls can place organizations on the path to building ICS/OT security maturity. Building an ICS/OT security framework around these controls will enable organizations to design their defenses around the intricacies of their unique risk profile.
1. ICS incident response: Develop an ICS-centric incident response strategy that prioritizes system integrity and rapid recovery. This plan should be tailored to the unique challenges of operational environments, reducing the complexities associated with cyberattack responses. Regular drills should reinforce risk scenarios specific to the organization's security landscape, with actions prioritized based on potential operational impacts. The plan should also outline methods for maintaining system functionality during an attack and facilitate a comprehensive analysis of potential failure points, enhancing overall operational resilience.
2. Defensible architecture: Implement a robust ICS defensible architecture that supports key security functions including comprehensive visibility, thorough log collection, accurate asset identification, effective network segmentation, deployment of industrial demilitarized zones, and strict enforcement of process communication protocols. This architectural approach is a crucial link between technological systems and human operators, minimizing risks through intelligent design while optimizing security team workflows.
3. ICS network visibility monitoring: Given the intricate, interconnected nature of ICS environments, it's vital to implement continuous network security monitoring. This should utilize protocol-aware tools capable of analyzing interactions across the entire system of systems. Such monitoring capabilities can provide invaluable insights to operations teams, highlighting potential vulnerabilities that need addressing and contributing significantly to overall system resilience and recovery capabilities.
4. Remote access security: Securing remote access has become a critical priority due to the widespread adoption of cloud-based hybrid work models. Cybercriminals are increasingly exploiting remote access points to penetrate ICS/OT networks. While the primary attack vector historically involved breaching an organization's IT network, threat actors can now potentially leverage vulnerabilities across the entire supply chain. Consequently, implementing and maintaining robust remote access security measures has become an absolute necessity for contemporary industrial operations.
5. Risk-based vulnerability management: Establish a program that enables the organization to identify and prioritize ICS vulnerabilities based on their potential risk impact. The focus should be placed on vulnerabilities that could grant attackers access to ICS environments or introduce functionalities that might lead to operational disruptions, such as loss of visibility, control, or safety within industrial settings. Effective risk-based vulnerability management requires implementing controls and device operating parameters that support risk-informed decision-making across all stages: prevention, response, mitigation, and recovery actions.
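The network visibility monitoring control above calls for protocol-aware tools rather than generic IT detections. The following is an added example, not code from the author or from SANS, of what "protocol-aware" means in practice: it parses Modbus/TCP request frames (MBAP header plus function code) and alerts when a state-changing write function is issued by a host that is not on the engineering-workstation allow-list, or when a frame is malformed. The host addresses, allow-list and captured frames are constructed for the example; the helper names are hypothetical.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state; reads (1-4) are not listed.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str        # source host of the TCP connection (from capture metadata)
    unit_id: int    # MBAP unit identifier (target slave/device)
    function: int   # Modbus function code
    start_addr: int # first coil/register address referenced by the request

def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU function code of one request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                       # Modbus/TCP always carries protocol id 0
        raise ValueError(f"non-Modbus protocol id {proto}")
    if length != len(payload) - 6:       # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    start_addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else 0
    return ModbusRequest(src, unit, function, start_addr)

def detect_unauthorized_writes(frames, allowed_writers):
    """Return one alert string per malformed frame or write from a non-allow-listed host."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} "
                          f"to unit {req.unit_id} addr {req.start_addr}")
    return alerts

# Constructed sample traffic (source host, raw Modbus/TCP request bytes).
SAMPLE_FRAMES = [
    ("10.10.1.5", bytes.fromhex("0001000000060103006B0003")),   # HMI reads 3 holding registers
    ("10.10.1.7", bytes.fromhex("000200000006010600010064")),   # engineering workstation writes
    ("10.10.9.42", bytes.fromhex("00030000000601050013FF00")),  # unknown host writes a coil
    ("10.10.1.5", bytes.fromhex("0004000100060103006B0003")),   # protocol id 1: malformed
]
ALLOWED_WRITERS = {"10.10.1.7"}  # hypothetical allow-list of hosts permitted to write

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

Real deployments would take the frames from a network tap or span port and tie the allow-list to the asset inventory from the defensible-architecture control, so that a write from any host outside the engineering segment is surfaced to operations staff.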
The Role of Versatile Practitioners
Alongside those five controls, organizations must field security teams of versatile practitioners with granular skill sets and a deep understanding of ICS/OT security. These defenders must have adequate, engineering-specific insight into ICS terminology, SCADA systems, PLC capabilities, industrial real-time network commands, and the operation and functionality of remote terminal units (RTUs) and other intelligent electronic devices (IEDs). In addition, they need detailed knowledge of ICS architectures and of the technologies and industrial protocols used in ICS/OT environments, such as Modbus, Profibus, Ethernet/IP, PROFINET, DNP3, OPC, IEC 61850, IEC 104, and more.
Organizations should also promote synergy between ICS/OT practitioners and IT professionals. It's crucial to maintain the leadership of engineers in control system operations, and IT personnel should not attempt to oversee or implement IT-centric procedures in ICS/OT domains. Nevertheless, both groups should strive for mutual support and complementary operations. This approach will help bridge the knowledge gap between IT and ICS/OT domains, fostering a more cohesive and effective cybersecurity strategy for industrial operations.
To effectively protect critical infrastructure systems, Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) must prioritize the integration of ICS/OT security into their strategic planning and risk management frameworks. This necessitates substantial investments in ICS-specific employee training, ongoing security assessments, and collaborative partnerships with IT departments, industry peers, engineering vendors, and government agencies, all with safety as the first priority. By taking these proactive steps, organizations can bolster their resilience against an evolving landscape of cyber threats.
About the Author
Dean Parsons is a SANS Principal Instructor and CEO of the ICS Defense Force. For more insight on the importance of ICS/OT security in 2024, download the SANS ICS Strategy Guide.