Adversaries are becoming smarter, more efficient, and more adept at infiltrating industrial networks. Recent survey data from Booz Allen Hamilton bears this out. The company surveyed 314 companies worldwide that operate industrial control systems (ICS) and found that 34% had experienced more than two data breaches within a single year. In 2015, ICS operators reported more security incidents to the relevant U.S. agencies than in any previous year.
The threat landscape faced by today's ICS operators is unprecedented in its severity. The scale, variety, and severity of targeted threats are growing rapidly. Many industrial operators have seen cyberattacks damage their systems, in some cases causing physical destruction.
Securing industrial networks is no easy task, mainly because most of them were built before networked threats existed and have no controls against external access built in. Understanding the main threats these networks face today is the first step toward improving their security posture.
1. External Threats to Industrial Networks—APT, Targeted Attacks, and Others
External attacks on ICS networks may be politically motivated (nation-states, terrorist organizations, or hacktivists), but they may also stem from industrial espionage. The aim of an attack varies with the attacker's motivation: politically motivated attacks tend to seek operational disruption and physical destruction, while industrial espionage focuses on stealing intellectual property. Today most industries, and critical infrastructure in particular, are more likely to face politically motivated attacks aimed at disruption and destruction.
Even companies outside the critical infrastructure sectors, which may not consider APT or targeted attacks a concern, are exposed to collateral damage. The exploit tooling used in politically motivated ICS attacks targets technologies shared across all industrial sectors, so such attacks inevitably hit non-targeted companies and their ICS networks as well.
Take the Stuxnet worm, which targeted Iran, as an example. Siemens reported that Stuxnet had infected at least 14 of its customers' plants, and infections were also reported at the American energy company Chevron and at a Russian civilian nuclear power plant.
2. Internal Threats—Malicious Employees and Contractors
Much has been written about insider threats to IT networks, and the risk to industrial networks is comparable. Those with legitimate access to an ICS network include employees, contractors, and third-party integrators. Because most ICS networks have no authentication or encryption to constrain what a user can do, any insider can move freely among the devices on the network, including the supervisory control and data acquisition (SCADA) systems and the controllers that run the entire industrial process.
A well-known case is the Maroochy Shire wastewater incident in Queensland, Australia. The insider had worked for the contractor that installed the shire's SCADA system. After his application for a position with the shire council was rejected, he used (possibly stolen) equipment to issue unauthorized commands, releasing around 800,000 litres of untreated sewage into local parks, rivers, and the grounds of a Hyatt hotel. The environmental damage was extensive.
3. Human Error—Perhaps the Biggest Threat to ICS
Human error is unavoidable, and it can have costly consequences. For many companies the risk from human error exceeds that from malicious insiders, and in some cases human error is considered the single greatest threat to ICS.
Human error includes incorrect settings and configurations as well as programming errors in programmable logic controllers (PLCs), any of which can introduce hazardous changes into the process. The vulnerabilities that external adversaries later exploit are also often the product of human error. A common example is a temporary connection set up for an integrator that is left open after the project ends.
Some human errors arise when employees find "creative" ways to get the job done. When staff need to reach the ICS network remotely and no approved secure channel exists, they may set up their own unauthorized remote connection. Such unapproved connections become entry points that expose the industrial network to external attack.
Security Challenges
Because many ICS networks have no authentication or authorization procedures at all, protecting them from external and internal threats is a significant challenge. Most also lack the controls needed to enforce access, security, or change-management policies, and they keep no audit trail or logs of modifications and activity to support forensic investigation.
As a result, when an operational disruption occurs it is hard to tell whether the cause was a cyberattack, a malicious insider, human error, or mechanical failure. This lack of visibility and control limits the ability of operations staff to respond in time, driving up the overall cost of the disruption and of recovery.
Guarding ICS Networks
Real-time visibility into the industrial network is the key to ICS security. To prevent damage from external threats, malicious insiders, and human error, industrial enterprises must monitor all activity, whether it comes from an unknown source or a trusted insider, and whether or not it is authorized.
Monitoring control-layer activity, that is, engineering changes made to industrial controllers, whether over the network or directly on the device, is the most effective way to detect unauthorized activity arising from these threats. Specialized ICS network monitoring and control technologies can provide this deep real-time visibility, identifying malicious or suspicious activity so that preventive measures can be taken to contain or prevent damage.
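The following is an added example, not code from the original article or from any product it refers to, showing the kind of control-layer audit the section describes and the "temporary integrator connection left open" failure from the human-error section. It takes a constructed log of Modbus/TCP requests (the record format, hosts, timestamps, expiry dates and change window are all hypothetical), records every controller write as an audit-trail entry, and flags writes that come from a host that is not an engineering station, from an integrator whose temporary grant has expired, or from outside the approved change window. The Modbus function codes for writes are the standard ones.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Modbus/TCP function codes that alter controller state (coil and register
# writes). Reads (function codes 1-4) are excluded: only writes are
# control-layer changes worth checking against policy here.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Hypothetical plant policy; all hosts, times and grants are illustrative.
ENGINEERING_HOSTS = {"10.10.1.20"}                 # permanent engineering station
TEMP_ACCESS_GRANTS = {                             # integrator access, with expiry
    "10.10.5.7": datetime(2024, 3, 1, 17, 0),      # project closed 1 March
}
CHANGE_WINDOW = (datetime(2024, 3, 4, 9, 0),       # approved maintenance window
                 datetime(2024, 3, 4, 12, 0))

# Constructed record format for this example (not a real product's log).
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"unit=(?P<unit>\d+) fc=(?P<fc>\d+) addr=(?P<addr>\d+)"
)


@dataclass(frozen=True)
class ControlEvent:
    ts: datetime
    src: str      # requesting host
    dst: str      # PLC / RTU address
    unit: int     # Modbus unit identifier
    fc: int       # Modbus function code
    addr: int     # starting coil/register address


def parse_events(lines):
    """Parse log lines into ControlEvents, skipping anything malformed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(ControlEvent(
            ts=datetime.fromisoformat(m["ts"]), src=m["src"], dst=m["dst"],
            unit=int(m["unit"]), fc=int(m["fc"]), addr=int(m["addr"])))
    return events


def classify(ev):
    """Return the policy violations for one write event (empty list = allowed)."""
    reasons = []
    if ev.src in ENGINEERING_HOSTS:
        pass                                   # permanently authorized
    elif ev.src in TEMP_ACCESS_GRANTS:
        if ev.ts > TEMP_ACCESS_GRANTS[ev.src]:
            reasons.append("expired temporary grant")
    else:
        reasons.append("host not authorized to write")
    start, end = CHANGE_WINDOW
    if not (start <= ev.ts <= end):
        reasons.append("outside approved change window")
    return reasons


def audit(lines):
    """Build an audit trail of every controller write plus the flagged subset."""
    trail, flagged = [], []
    for ev in parse_events(lines):
        if ev.fc not in MODBUS_WRITE_CODES:
            continue                           # reads are not engineering changes
        record = {"ts": ev.ts.isoformat(), "src": ev.src, "dst": ev.dst,
                  "unit": ev.unit, "fc": ev.fc, "addr": ev.addr}
        trail.append(record)                   # logged whether authorized or not
        reasons = classify(ev)
        if reasons:
            flagged.append({**record, "reasons": reasons})
    return trail, flagged


def stale_grants(now_iso):
    """Temporary grants past expiry that are still configured: the integrator
    connection nobody removed after the project ended."""
    now = datetime.fromisoformat(now_iso)
    return sorted(h for h, exp in TEMP_ACCESS_GRANTS.items() if exp < now)


# Constructed sample log (not captured from a real plant).
SAMPLE_LOG = """\
2024-03-04T09:15:02 src=10.10.1.20 dst=10.10.2.5 unit=1 fc=3 addr=40001
2024-03-04T09:16:10 src=10.10.1.20 dst=10.10.2.5 unit=1 fc=16 addr=40010
2024-03-04T10:02:44 src=10.10.5.7 dst=10.10.2.5 unit=1 fc=6 addr=40020
2024-03-04T13:30:00 src=10.10.1.20 dst=10.10.2.6 unit=2 fc=5 addr=1
2024-03-04T13:31:05 src=10.10.7.99 dst=10.10.2.6 unit=2 fc=15 addr=16
""".splitlines()

if __name__ == "__main__":
    trail, flagged = audit(SAMPLE_LOG)
    print(f"{len(trail)} writes recorded, {len(flagged)} flagged")
    for f in flagged:
        print(f["ts"], f["src"], "->", f["dst"], "fc", f["fc"], ";", ", ".join(f["reasons"]))
    print("stale grants still configured:", stale_grants("2024-03-04T00:00:00"))
```

On the sample log the first line is a read and is ignored; the engineering station's write inside the window passes; the integrator's write is flagged because its grant expired three days earlier; the engineering station's afternoon write is flagged as outside the window; and the unknown host is flagged on both counts. Note the caveat the section itself raises: this sees only changes made over the network. A download made directly to the controller through its serial or USB port never appears in such a log, so network monitoring has to be paired with controller-side change detection (for example, periodically reading back and comparing the running program or configuration).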