In-Depth Analysis of Information Security Protection in Industrial Control Systems

Abstract: The development of information technology in industrial control systems has gradually highlighted the security risks of industrial control networks. Since the “13th Five-Year Plan,” cybersecurity has risen to a national strategic level, and industrial control systems, as national-level critical information infrastructure, have crucial information security needs. This article analyzes the existing risks in industrial control system information security and proposes protection solutions based on policies, regulations, evaluation standards, lifecycle security management of industrial control systems, reliable industrial control information security products, and computer security.

Keywords: Industrial Control Systems; Cybersecurity; Security Protection

1

Introduction

Industrial Control Systems (ICS) are widely used in energy, manufacturing, aerospace, military, and other major infrastructures that are core to the national economy. They generally refer to automated control systems composed of computers and industrial process control components. Traditional ICS are divided into five layers from top to bottom, with the bottom layer being the field layer (various sensors or valves) communicating data through serial ports; L1 is the control layer, consisting of Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), and Remote Terminal Units (RTU), responsible for logical remote control of bottom-layer devices; L2 is the monitoring layer, which collects and monitors data through Supervisory Control and Data Acquisition (SCADA) systems; L3 is the management layer, where Manufacturing Execution Systems (MES) provide functions such as production scheduling, manufacturing data management, and human resource management; L4 is the enterprise layer, which provides decision-making tools for the enterprise decision-making level and employees.

Early ICS operated on relatively isolated networks with lifecycles lasting 15 to 20 years, involving a variety of industrial protocols with high latency requirements, thus designed with high availability, efficiency, and real-time performance as core principles, lacking considerations for security. With the continuous development and integration of computer technology in the industrial field, ICS have become targets for network attacks. As the core component of ICS, once the network is maliciously attacked, it can lead to production paralysis or even harm national interests, making its security particularly important. The development of the domestic industrial internet has started simultaneously with developed countries, and with the continuous promotion of strategies such as Industry 4.0, Internet Plus, and a strong manufacturing nation, the rapid development of industrialization and informatization has brought great opportunities, but also significant challenges to the security protection systems of ICS. In response to ICS information security, multiple policies, regulations, and guidelines have been introduced to standardize industrial systems. In 2017, the state issued the “Cybersecurity Law of the People’s Republic of China,” which clearly requires the implementation of an information security grading protection system. In May 2019, based on the new situation and development needs of the network system, the Ministry of Public Security released the second version of the National Information Security Grading Protection Standards, officially entering the grading protection 2.0 era. Compared to grading protection 1.0, grading protection 2.0 has significantly improved the scope of protected objects, fully including big data centers, cloud, and ICS, and incorporated requirements for security detection, emergency response, and incident tracing into the grading protection system, standardizing domestic network security. This article will first analyze the current security status of ICS, and then propose a protection solution for ICS information security in the context of the industrial internet based on policies, regulations, evaluation standards, lifecycle security management of ICS, reliable industrial control information security products, and computer security.

2

Current Status of ICS Information Security Risks

2.1 Misconceptions and Insufficient Skills in Security Awareness

There are some misconceptions in industrial control security protection, such as deploying security network products equating to having security protection for ICS; one-way communication can guarantee 100% security, etc. In reality, unreasonable security policy configurations, improper selection of security functions, incorrect product combinations, and non-standard network structures of industrial systems will lead to the security network products introduced being ineffective. Regarding personnel skills, there is excessive reliance on suppliers, but actual manufacturers have varying levels of awareness of industrial system vulnerabilities and different technical support points, resulting in limited means of addressing vulnerabilities even when recognized. Security protection is not a one-time effort; it needs to adapt to changes in the industrial system environment, requiring regular checks, updates, and maintenance of network security products and ICS, which places certain demands on personnel skills.

2.2 Incomplete Institutional Framework

Security threats to ICS do not solely come from external sources; the completeness of internal systems also directly affects the attack resistance of ICS. The inadequacy and inapplicability of ICS network security systems lead to chaos and non-standard practices in data management, asset management, outsourcing service management, skills training management, and security operation management. In production environments or during operation management, the absence of institutional constraints and norms allows for arbitrary use of external USB drives, mobile hard drives, and other portable storage media, arbitrary connection of operation terminals to the industrial control network, and even opening debugging ports directly to the internet for convenience, all of which pose threats to ICS and provide strong channels for the spread of viruses, Trojans, and other malicious software. The lack of training for emergency response plans directly leads to helplessness when facing network threat attacks.

2.3 Vulnerabilities in Control Systems

Since 2010, the number of vulnerabilities has rapidly increased. As of September 1, 2020, according to the National Information Security Sharing Platform (CNVD), 2805 industrial control vulnerabilities have been disclosed. On one hand, malicious attacks such as “Stuxnet,” “Duqu,” and ransomware have caused significant losses, raising awareness of vulnerabilities in control systems. On the other hand, as ICS transition from closed to open systems, the localization of industrial information security has led various network vendors, information vendors, and established industrial control manufacturers to increase their R&D investment in industrial control security, resulting in a rapid increase in publicly disclosed vulnerabilities. Due to the gap between domestic security technology and advanced foreign technology, currently, 80% of important control systems still use foreign products and technologies, and nearly 95% of high and medium-risk vulnerabilities come from these products, directly becoming the breakthrough point for malicious attacks.

2.4 Host and Application Security Risks

In the production control area, servers and network devices exhibit numerous weak passwords, unreasonable user permissions, and difficulties in upgrading and hardening host systems, leading to a large number of outdated operating systems (Windows XP, Windows 2003) within ICS, as well as situations where system patches are not updated or are updated late. Insufficient host protection exists, with instances of antivirus software not being installed or installed but with outdated virus definitions, resulting in a lack of effective defenses against malicious code.

2.5 Lack of Network Audit Monitoring

The industrial control network lacks a unified analysis system for abnormal traffic or logs, failing to monitor the health of network operations and detect potential threats. Many security products do not support the parsing of industrial control protocols, making it impossible to identify malicious attacks targeting industrial control protocols. Some products even lack security audit functions, missing records of operations such as maintenance and configuration, making it impossible to trace the origin of unauthorized operations, violations, or security issues.

2.6 Ambiguous Network Structure

Due to the continuous expansion of ICS business, the network structure has changed significantly, and early industrial system networks lacked long-term planning, resulting in non-standard network structures with unclear boundaries. The internal industrial control network has not undergone necessary security zoning and isolation based on business and functional requirements, and there are even phenomena of mixing production areas and office areas. Once malicious code or viruses invade, they can quickly infect and spread throughout the entire network.

2.7 Limitations in Network Access Control

The introduction of networking and wireless technology has brought convenience to ICS and reduced costs. However, there is a general lack of network access and control mechanisms, leading to a lack of identity verification for access, communication, and control between upper and lower machines, boundary entrances, and different business areas, coupled with plaintext transmission of information, significantly lowering the threshold for network attacks. At the boundaries of the industrial control network, including some hosts and network devices that can connect to ICS, there is a lack of necessary access control authorization, leading to phenomena such as unauthorized terminal access and illegal external connections, thus creating security risks.

3

ICS Information Security Protection

Figure 1 shows the factors required for ICS information security, relying on internal management and technical support, while also combining external policy and regulatory requirements and standards for security assessment of system information security. Internally, ICS needs to adopt secure industrial control devices and computer equipment, along with a comprehensive lifecycle security management system and reliable information security products to achieve safety in production and management. Keeping pace with policy trends, actively responding, and collaborating with professional evaluation agencies to conduct testing and inspections based on relevant standards. Timely addressing management loopholes, technical gaps, and other high and medium risks identified in evaluation results to form a closed-loop security protection system. The network security grading protection system has undergone three stages, from the 1994 State Council Order No. 147, which mandated the implementation of security grading protection for computer information systems, to 2007, when the Ministry of Public Security, the National Confidentiality Bureau, the National Cryptography Administration, and the former State Council Information Office jointly issued the “Administrative Measures for Information Security Grading Protection” (Gong Tong Zi [2007] No. 43), marking the formal implementation of the grading protection system, and then to 2017, when the “Cybersecurity Law of the People’s Republic of China” was officially implemented, establishing the grading protection system as a fundamental system for network security.

In-Depth Analysis of Information Security Protection in Industrial Control SystemsIn-Depth Analysis of Information Security Protection in Industrial Control Systems

Figure 1 | Five Elements of ICS Information Security

As a comprehensive and crucial computer information system, the policies, regulations, and requirements for ICS are continuously being issued, updated, revised, and expanded. From the “13th Five-Year Plan for National Economic and Social Development” released during the 2016 Two Sessions, to the State Council’s issuance of the “Guiding Opinions on Deepening the Integration of Manufacturing and the Internet” (Guo Fa [2016] No. 28) at the end of the year, and then to the end of the year when the State Council issued the “National Informatization Plan for the 13th Five-Year Plan,” which proposed guiding opinions for the deep development of industrial information security. In 2017, the Ministry of Industry and Information Technology formulated and issued the “Action Plan for Information Security of Industrial Control Systems (2018-2020),” which pointed out the direction for enhancing industrial information security protection and promoting industrial informatization. Combined with the comprehensive upgrade and release of grading protection in May 2019, the full implementation of grading protection 2.0 standards provides clear guidelines for the construction, grading assessment, security testing, and security rectification of ICS information security. Its overall idea is “one center, threefold protection,” ensuring that the security management center is the core, following the principle of simultaneous planning, construction, and use of security technical measures and security management, ensuring regional boundary protection, computing-level network protection, and communication network security.

3.1 Lifecycle Security Management

In security protection, relying solely on technical defenses without institutional constraints can easily lead to management chaos. The implementation specifications of grading protection 2.0 set lifecycle security management requirements for five aspects: company management systems, management organizations, management personnel, system construction management, and system operation and maintenance management. Security systems should be targeted, operable, and comprehensive. In response to insufficient personnel awareness and skills, a dedicated network security task force should be established, and the system should clearly specify security training and skills training plans, which should be implemented in practice to strengthen security prevention and improve professional skill levels. For dedicated network personnel, regular assessments are required, and emergency drills should be organized to ensure prevention before incidents, response during incidents, and summary after incidents. A security operation and maintenance team should be formed, or collaboration with qualified security teams for outsourced operation and maintenance services should be achieved. Internal media and asset management should be unified under the management of asset administrators, with strict closed-loop regulations for the use, maintenance, and destruction of media. Operational requirements should be standardized, strictly controlling the use of operational tools, prohibiting arbitrary connection of private USB drives and mobile hard drives to operational systems. The system and process should be improved to audit and approve the access of external personnel’s operational tools, prohibiting illegal operational means and recording remote operational processes. The system should clearly specify the opening of temporary interfaces and temporary permission accounts.

Tangible assets such as servers and data centers should not only have good physical protection measures to ensure lightning protection, moisture resistance, and fire resistance but also require security prevention, with designated personnel on duty 24/7 throughout the year, combined with monitoring technology to ensure that assets are protected from damage or theft. For external personnel, a complete approval process is required, with relevant responsible personnel accompanying them throughout the visit, and complete records should be kept before and after the visit to ensure the safety of assets and systems.

3.2 Reliable Industrial Control Information Security Products

Based on the requirements of the “Cybersecurity Law of the People’s Republic of China,” information security network products in China are subject to a sales licensing system, requiring all products to undergo security testing by authorized agencies according to relevant national or industry standards, with only qualified products receiving sales licenses. In the statistical analysis of industrial information security products, it was found that there are relatively few formal standards for industrial information security products, with only a few categories such as industrial control security management platforms and industrial system IDS. Most other products applicable to industrial information security are based on standards with added support for industrial control protocols, weakening or removing items not applicable to industrial control systems. Industrial control information security products can be roughly divided into three categories based on their protected objects and functions:

(1) Boundary Protection Products

Boundary protection products are typically deployed in series between the industrial control Ethernet and the enterprise management network, between different industrial areas, and between the control layer and device layer. By configuring access control policies, they protect system boundaries and area boundaries, preventing bypass access. Industrial control network isolation and industrial firewalls belong to this category of products, which have traffic cleaning and violation blocking functions, and their performance requirements are high, as product failures directly impact the normal operation of ICS.

(2) Audit and Monitoring Products

Audit products mainly include industrial control audit products, industrial control intrusion detection products, industrial control vulnerability scanning and mining products, and industrial control security management platforms. By accessing mirrored traffic data packets or logs in the network environment, and through vulnerability databases, security event databases, or custom abnormal behavior, they analyze audit data to promptly detect anomalies and trigger alarms. Most audit products do not have blocking functions and are deployed in a bypass mode in the network environment, so their own failures do not affect the industrial control system.

(3) Host Protection Products

Host protection products mainly include whitelist products and antivirus software, which monitor the status of host processes, service statuses, network port statuses, and external device statuses through the installation of host hardening software, providing comprehensive protection for host resources. By configuring whitelist policies, they prevent the opening of illegal processes, the opening of illegal ports, and the connection of USB devices, thus cutting off the pathways for virus and Trojan propagation.

3.3 Technical Prevention Solutions

Based on regulations and existing industrial control information security products, corresponding technical planning and network optimization solutions should be developed. Effective rectification and reinforcement should be made in response to the existing information security vulnerabilities, following the overall principle of “prevention before incidents, response during incidents, and tracing after incidents.”

3.3.1 Standardization of Network Structure

The design of the ICS network architecture should follow the principles of “security zoning, dedicated networks, horizontal isolation, and vertical authentication.” For the already complex industrial control network, the first step is to sort, count, and assess business resources, then conduct effective risk assessments of the network structure, optimize the network structure, or even reconstruct the network structure, defining boundaries and configuring protection strategies. Figure 2 illustrates the integrated security defense structure of industrial control, where the division and zoning of security areas are fundamental to the industrial control network. The entire system should be divided into different security areas based on business, physical location, and network requirements, such as production management areas, process monitoring areas, control area 1, control area 2, etc., to avoid cross-interaction between different areas. Horizontal isolation serves as a horizontal defense line in the same-level network protection system, requiring the use of different levels of security isolation devices. For important industrial control production areas such as control areas, deploying conventional firewalls does not meet security needs, as most of these firewalls do not support parsing commonly used industrial protocols such as OPC and Modbus. Therefore, the firewall in the network needs to be upgraded to an industrial control firewall to achieve deep parsing of industrial control data flows and prevent various illegal operations. Compared to monitoring areas, the security protection level of control areas is prioritized, so data transmission between centralized monitoring areas and control areas requires deep content parsing, and compliance operations should be allowed based on whitelist policies, while non-compliant operations should be promptly and effectively blocked.

In-Depth Analysis of Information Security Protection in Industrial Control SystemsIn-Depth Analysis of Information Security Protection in Industrial Control Systems

Figure 2 | Integrated Security Defense Structure of Industrial Control

3.3.2 Protection of Computer Devices

In ICS, computer devices mainly protect operator stations, engineer stations, and data servers by installing host hardening software, using whitelist technology to monitor the status of host processes, service statuses, network port statuses, and external device statuses, providing comprehensive protection for host resources. By configuring whitelist policies, illegal processes, illegal ports, and USB device connections are blocked, thus cutting off pathways for virus and Trojan propagation. For the protection of mobile media, file filtering technology is utilized to make corresponding configurations based on system characteristics, filtering all suspicious files. Internal USB drives are managed uniformly, implementing identity authentication, configuring corresponding permissions (read, write, use, etc.) based on different identities, and conducting log audits of operational behaviors to eliminate potential security threats that may arise during USB usage, such as BadUSB attacks and LNK attacks. Attention should be paid to vulnerabilities in the host system, with regular vulnerability scanning and patch updates for computer devices.

3.3.3 Access Control at Regional Boundaries

Vertical regions should employ identity authentication, communication encryption, and access control technologies to ensure the confidentiality of data transmission, compliance of remote access, and resource access, preventing unauthorized access. When configuring access control policies, a whitelist model should be used to allow only designated users, with source and destination IP access or industrial control protocols permitted, while all other communications should be denied by default. External terminal devices need to undergo access identity authentication through network access protocols (such as 802.1x) in conjunction with switches, and security scans should be conducted before terminal access. Those without antivirus software or with outdated virus definitions should be uniformly denied access to the network and assigned to isolation zones for security upgrades. For remote access, internal resources should not be directly exposed to the internet; instead, remote secure access products such as Virtual Private Networks (VPNs) should be used to authenticate access users and grant them necessary permissions. Operation and maintenance bastion hosts should be deployed at the production layer to centrally open operation and maintenance accounts for operation and maintenance personnel, achieving centralized management of operations, single sign-on, and auditing of operational processes. Real-time monitoring of operational processes should be conducted to block unauthorized operations and provide irrefutable evidence for post-incident tracing. Strengthening password management in network security devices and computer devices is essential to avoid the use of default usernames and weak passwords, enabling password complexity policies and regularly changing system passwords. Access accounts and permissions should be strictly controlled, following the principle of least privilege, and ideally, no super administrator accounts should remain. However, for situations where default accounts cannot be deleted, their passwords should be modified and kept by relevant responsible personnel.

3.3.4 Security Monitoring

In the process monitoring layer, intrusion detection, industrial control audit detection devices, and industrial security management platforms should be deployed to monitor the operational status of computer network devices, external intrusion events, and the unified management of industrial network security products. Industrial control audit devices should be connected in a bypass mode to the mirror ports of switches, such as core switches of monitoring systems and business switches of scheduling data networks, to deeply analyze communication traffic based on industrial control protocols, monitoring in real-time and triggering alarms for malicious code or attacks exploiting vulnerabilities. Coupled with intrusion detection systems, proactive interception of malicious attack behaviors should be conducted to protect components of industrial control systems from harm and prevent computer devices and application servers from crashing.

4

Conclusion

As the industrial brain, once ICS are compromised, the consequences extend beyond immediate losses, directly affecting the daily lives of citizens and potentially causing casualties and social instability. Only by constructing a secure industrial information protection system, through policy and regulatory constraints, evaluation and testing, and continuously improving the necessary security technologies and management systems for production, can we effectively resist external attacks, eliminate current internal threats, and achieve the goal of industrial information security protection.

★Funding Project: Research and Demonstration of Key Technologies for Mutual Recognition and Evaluation of Intelligent Connected Products (2018YFF0215601-3).

· Author Information ·

Sun Tianning (1994-), male, from Haining, Zhejiang, research intern, Master of Engineering, currently employed at the Third Research Institute of the Ministry of Public Security, with a primary research focus on industrial control network security.

Zou Chunming (1979-), male, from Shanghai, associate researcher, Master of Engineering, currently employed at the Third Research Institute of the Ministry of Public Security, with a primary research focus on industrial control network security and grading protection.

Yan Yixin (1991-), male, from Shanghai, assistant researcher, Master, currently employed at the Third Research Institute of the Ministry of Public Security, with a primary research focus on industrial control network security.

References

[1] GB/T 22239 – 2019. Information Security Technology Basic Requirements for Cybersecurity Grading Protection [S].

[2] Kang Tianjiao, Zou Chunming. Research and Analysis of Industrial Control System Network Security Products [J]. Cyber Space Security, 2020, (01): 34 – 38.

[3] Huang Haifang. Application of Security Protection Technology in Industrial Control Systems in the Power Industry [J]. Cyber Space Security, 2018, (03): 14 – 18.

[4] Wang Ying, Xu Jianxin. Analysis and Countermeasures of Security Risks in Industrial Control Systems [J]. Automation Review, 2018, 76 – 82.

[5] Xia Chunming, Liu Tao, Wang Huazhong, Wu Qing. Current Status and Development Trends of Information Security in Industrial Control Systems [J]. Information Security and Technology, 2013, (02): 13 – 18.

Excerpted from “Automation Review” January 2021 issue and “Special Issue on Information Security of Industrial Control Systems (Volume 7)” • end •

Disclaimer: This article was first published by the WeChat public platform of the Industrial Security Industry Alliance (WeChat ID: ICSISIA) and is not for commercial use. For reprints, please contact for authorization.

In-Depth Analysis of Information Security Protection in Industrial Control Systems

If you need cooperation or consultation, please contact the small secretary of the Industrial Security Industry Alliance WeChat ID: ICSISIA20140417

Previous Recommended Reads

Essentials | Evolution and New Challenges of Domestic Power Monitoring Network Security

Attention | The first IETF national secret standard has been officially released, accelerating the application process of national secret algorithms

Recommended Read | Intrusion Detection Method for Urban Rail Transit Signal Systems Based on Deep Learning

Ministry of Industry and Information Technology: List of Key Technology and Platform Innovation Demonstration Projects for the Internet of Things for 2020-2021 Announced

Public Welfare Lecture | Changyang Technology’s Wang Yizhou: Current Status and Prospects of Industrial Safety Standards (PPT + Live Replay)

Report | The China Academy of Information and Communications Technology jointly released the “Research and Testing Report on Domestic Network Security Information and Event Management Products (2021)”

Notice | Three departments issued the “Guidelines for the Construction of National Vehicle Networking Industry Standard System (Related to Intelligent Transportation)”

Original | Analysis of Urban Water Supply and Drainage Control Systems and Application of Multi-layer Industrial Control Information Security Protection

Attention | The China Academy of Information and Communications Technology has completed the first international standard in the field of industrial internet networks

Security Standard Committee: Issued the “2021 National Standard Project Application Guidelines for Cybersecurity”

Essentials | Brief Analysis of Industrial Internet Security: Proactive Protection of Edge Endpoints

CCID Released: “2021 Trends in the Development of Industrial Internet Platforms”

Two Sessions Discuss Security | Summary of Proposals on “Vehicle Networking Security,” “Artificial Intelligence Security,” “Data Security,” “Network Security,” and “Information Security”

Ministry of Industry and Information Technology: Announced the List of Key Laboratories of the Ministry of Industry and Information Technology for 2020

Report | “2020 Report on the Development of Cybersecurity Industry and Financial Cooperation”

Two Sessions Discuss Security | Summary of Proposals on “Network Security,” “Information Security,” “Artificial Intelligence Security,” and “Data Security”

Overview | Top 10 Most Concerned Topics in Industrial Security in February

Recommended Read | Security Risk Assessment Model Targeting the Tobacco Industry

Attention | The Ministry of Industry and Information Technology: Coordinating Development and Security, Advancing the Construction of a Strong Manufacturing Nation and a Strong Cyber Nation to New Heights

Recommended Read | Ransomware Attack Trends and Response Strategies in the Industrial Sector

Essentials | “2020 Research Report on the Top Ten Directions and Technologies in Digital Security”

Report | “Analysis of the Situation of Industrial Information Security in 2020-2021”

In-Depth | Analysis of Security Technology Development Trends for Industrial Measurement and Control Equipment

Essentials | Network Security Protection Solutions for Wind Farm Power Monitoring Systems

Attention | Interpretation of the “Action Plan for the Innovative Development of the Industrial Internet (2021-2023)”

In-Depth Analysis of Information Security Protection in Industrial Control SystemsIn-Depth Analysis of Information Security Protection in Industrial Control SystemsIn-Depth Analysis of Information Security Protection in Industrial Control SystemsIn-Depth Analysis of Information Security Protection in Industrial Control Systems

Leave a Comment