Top Ten Security Issues Facing Industrial Control Systems

Author | Green Alliance Technology
With the continuous advancement of strategies such as Germany’s Industry 4.0, America’s Industrial Internet, and China’s Manufacturing 2025, along with the integrated development of new generation information technologies like the Internet of Things, cloud computing, big data, and 5G, industrial production networks are gradually being interconnected with office networks, the Internet, and third-party networks. This breaks the originally closed and trusted industrial production environment and exposes it to threats from viruses, Trojans, hackers, and hostile forces. In recent years, ransomware attacks on industrial production enterprises have become more frequent, such as the 2018 TSMC WannaCry incident and the ransomware attack in May this year on Colonial Pipeline, the largest refined oil pipeline operator in the U.S. Moreover, industrial control systems themselves have security issues of their own, which viruses, Trojans, hackers, and hostile forces can exploit to attack industrial production environments.
So, what security issues exist in industrial control systems?

1. Industrial control systems generally lack security design

Industrial control systems primarily consider system real-time performance, reliability, and stability during design, often sacrificing security for real-time performance. Control devices, programming software, configuration software, and industrial protocols typically lack security features such as identity authentication, authorization, and encryption.

2. Industrial control systems have numerous vulnerabilities and backdoors

According to CNVD statistics, the distribution of vulnerabilities in industrial control systems from 2000 to 2020 and the breakdown by vendor of vulnerabilities newly added in 2020 are shown below:

[Figure: distribution of industrial control system vulnerabilities, 2000 to 2020 (Data source: National Local Joint Laboratory for Industrial Control System Security)]

[Figure: vendors involved in industrial control system vulnerabilities newly added in 2020 (Data source: National Local Joint Laboratory for Industrial Control System Security)]

The statistics show that the number of vulnerabilities in industrial control systems has surged in recent years, involving mainstream industrial control vendors such as Schneider, Siemens, and Advantech.
As of September 6, 2021, the number of vulnerabilities in industrial control systems had reached 3,100, and the number of vulnerabilities known by various security vendors and hackers far exceeds the number reported by CNVD.
On the other hand, key equipment such as industrial control devices (DCS, PLC), industrial applications, touch screens, and industrial switches is primarily imported from abroad, and these devices often contain intentionally planted “backdoors” that can be exploited at critical moments to steal or eavesdrop on production data, or even to launch destructive attacks.

3. Chaotic device networking and lack of security protection

For the convenience of production, more and more intelligent sensors, devices, machines, and application systems are being connected to networks in industrial production environments, gradually connecting with office networks and third-party networks on the Internet. Moreover, during daily maintenance, enterprises often connect personal laptops, mobile phones, and other devices to production networks in violation of regulations, and even illegally connect to the Internet via mobile hotspots, making network boundaries increasingly blurred while lacking necessary security protection measures or finding it difficult to implement such measures.

4. Industrial hosts running with known vulnerabilities and infections has become the norm

Looking at security incidents related to industrial control system attacks both domestically and internationally, industrial hosts (operator stations, engineer stations, OPC interface machines, historical servers, etc.) have become the primary targets of attacks, which are then used as springboards to attack control devices, production equipment, and processes. The reasons for this can be summarized in two points: first, it is technically easier to attack industrial hosts than to directly attack control devices; second, industrial hosts have more security issues and are easier to exploit.
Common security issues of industrial hosts include:
1) Outdated operating systems. Most industrial hosts run Windows XP or earlier, which have many vulnerabilities. Patches are difficult to apply, and enterprises are often reluctant or unwilling to update; on the other hand, Microsoft has long since stopped providing patches for these versions.
2) Unhardened security configuration baselines. Most industrial enterprises have not hardened their industrial hosts. Weak passwords, unnecessary or expired accounts that were never removed, enabled sharing, open high-risk ports (such as 139, 445, 3389, 5900, etc.), and installed software unrelated to production such as Sunflower, VNC, TeamViewer, and instant messaging tools are all common.
3) Weak protection against malicious code. Industrial hosts generally lack anti-malware protection. Some enterprises have installed antivirus software (McAfee, 360 Antivirus) on industrial hosts, but these programs are often incompatible with the industrial software, leading to false positives and compatibility problems, and their virus definitions are outdated.
4) Lack of control over removable storage media. In some industrial production environments there are no control requirements at all for removable media, which are used freely between the production environment and the Internet. Although some enterprises control media through management policies and physical blocking, management loopholes remain, leading to recurring incidents of viruses, Trojans, worms, and other malicious code entering industrial production environments via removable storage media.
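The host issues listed above can be turned into an automated baseline check. The following is an added example, not code from the original article or from Green Alliance Technology; the host records, end-of-life OS list and software names are constructed sample data.

```python
# Added example: baseline check for industrial hosts covering the four issues
# above (EOL operating system, high-risk ports, unrelated software, stale accounts).
# All host data below is constructed; the EOL list is an assumption for the demo.
from dataclasses import dataclass, field
from datetime import date

EOL_OS = {"Windows XP", "Windows 2000", "Windows Server 2003"}   # no vendor patches (assumed list)
HIGH_RISK_PORTS = {139: "NetBIOS", 445: "SMB", 3389: "RDP", 5900: "VNC"}  # ports named in the article
UNRELATED_SOFTWARE = {"Sunflower", "VNC", "TeamViewer", "QQ", "WeChat"}   # not needed for production

@dataclass
class Host:
    name: str
    os: str
    open_ports: set = field(default_factory=set)
    software: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)   # account name -> last logon date

def check_host(host: Host, today: date, stale_days: int = 180) -> list:
    """Return (severity, message) findings for one industrial host."""
    findings = []
    if host.os in EOL_OS:
        findings.append(("high", f"{host.name}: {host.os} no longer receives vendor patches"))
    for port in sorted(host.open_ports & set(HIGH_RISK_PORTS)):
        findings.append(("high", f"{host.name}: high-risk port {port} ({HIGH_RISK_PORTS[port]}) open"))
    for tool in sorted(host.software & UNRELATED_SOFTWARE):
        findings.append(("medium", f"{host.name}: unrelated software installed: {tool}"))
    for account, last_logon in host.accounts.items():
        if (today - last_logon).days > stale_days:
            findings.append(("medium", f"{host.name}: account '{account}' unused for >{stale_days} days"))
    return findings

# Constructed sample hosts: one typical unhardened operator station, one hardened engineer station.
SAMPLE_HOSTS = [
    Host("OPS-01", "Windows XP", {139, 445, 3389, 502}, {"WinCC", "TeamViewer"},
         {"operator": date(2021, 9, 1), "vendor_tmp": date(2019, 3, 15)}),
    Host("ENG-02", "Windows 10", {502}, {"TIA Portal"}, {"engineer": date(2021, 9, 5)}),
]

def audit(hosts=SAMPLE_HOSTS, today=date(2021, 9, 6)) -> list:
    """Run check_host over every host and return all findings."""
    return [f for h in hosts for f in check_host(h, today)]

if __name__ == "__main__":
    for severity, msg in audit():
        print(f"[{severity}] {msg}")
```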

5. Unclear industrial assets

Industrial control systems generally operate for 10-20 years, and a production line or workshop is usually constructed by multiple equipment manufacturers and integrators, relying heavily on third-party maintenance. Asset lists (hardware, software, network topology, configuration, etc.) are distributed among different vendors and personnel, lacking a complete asset list. When changes occur in device and network connections and configurations, they are often not updated, leading to significant discrepancies with existing records (completion handover documents), which is a major headache for enterprises.

6. Lack of necessary monitoring and early warning measures, poor visualization and readability

There is a lack of necessary security monitoring and early warning mechanisms in industrial control systems, with no real-time monitoring and early warning mechanisms for the entire industrial network’s operating status, asset conditions, abnormal behaviors, threat intrusions, and security incidents.
On the other hand, domestic security vendors have not considered the perspective of industrial users when designing security products. Most security products (such as situation awareness) do not consider the habits of industrial users in terms of visualization and readability. For example, when security incidents occur, security perspectives often look at issues based on event type, level, corresponding IP/MAC, server, and business application; while industrial users tend to look at issues in the order of which factory, which workshop, which production line, which system, which device, and what fault. In other words, security products do not integrate with business but instead look at issues in isolation. This leads to some security product alerts being unreadable, ignored, or unwanted by industrial users.
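The translation from the security view (IP/MAC, event type, level) to the production view (factory, workshop, line, system, device) described above can be done by enriching each alert from the asset ledger. The following is an added example, not code from the original article or from any security product; the ledger entries and alerts are constructed sample data, and an alert whose address is not in the ledger is flagged rather than dropped, since that points to a stale ledger (issue 5) or an unauthorised device (issue 3).

```python
# Added example: enrich security alerts with business context from an asset ledger.
# Ledger entries and alerts are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    factory: str
    workshop: str
    line: str
    system: str
    device: str

# Constructed asset ledger, indexed by IP and by MAC so a match on either works.
LEDGER = [
    Asset("10.1.2.10", "00:11:22:33:44:10", "Plant A", "Workshop 1", "Line 3", "DCS", "Operator station OPS-01"),
    Asset("10.1.2.20", "00:11:22:33:44:20", "Plant A", "Workshop 1", "Line 3", "PLC", "Line controller PLC-02"),
]
BY_IP = {a.ip: a for a in LEDGER}
BY_MAC = {a.mac.lower(): a for a in LEDGER}

def enrich(alert: dict) -> dict:
    """Map a security-view alert to the production view, or flag an unregistered asset."""
    asset = BY_IP.get(alert.get("ip")) or BY_MAC.get(alert.get("mac", "").lower())
    if asset is None:
        # No ledger entry: the ledger is stale or an unknown device was connected.
        # Either way the alert must surface, not be silently discarded.
        return {**alert, "location": "UNREGISTERED ASSET", "action": "update ledger / verify device"}
    return {
        **alert,
        "location": f"{asset.factory} / {asset.workshop} / {asset.line} / {asset.system} / {asset.device}",
        "fault": f"{alert['event']} ({alert['level']}) on {asset.device}",
    }

# Constructed alerts: one from a known host, one from an address missing from the ledger.
SAMPLE_ALERTS = [
    {"event": "SMB worm propagation attempt", "level": "high", "ip": "10.1.2.10", "mac": "00:11:22:33:44:10"},
    {"event": "Engineering write from unknown host", "level": "high", "ip": "10.1.2.99", "mac": "aa:bb:cc:dd:ee:ff"},
]

def enrich_all(alerts=SAMPLE_ALERTS) -> list:
    """Enrich every alert in the list."""
    return [enrich(a) for a in alerts]

if __name__ == "__main__":
    for a in enrich_all():
        print(a["location"], "|", a.get("fault", a.get("action")))
```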

7. Industrial data faces security risks of theft, tampering, and loss

In the industrial production environment, there is a vast amount of operational data, process formula data, production operation data, production management data, as well as research, design, procurement, order, and customer information. These data have potential value for mining, analysis, and utilization.
With the integrated development of new generation information technologies, this data flows across systems, organizations, and regions, posing risks of being stolen or tampered with by hacker organizations, industrial spies, and hostile forces.

8. Inadequate security management systems in industrial enterprises, poor management, and unclear responsibilities

In many large and medium-sized industrial enterprises, IT management systems and production management specifications are generally in place, but the information security management systems and measures for industrial control systems are not sound and lack a systematic approach. There is a lack of management systems and methods covering the entire lifecycle from planning, construction, operation, maintenance, to decommissioning, with no designated information security management personnel, no established security coordination group, and no designated security positions and personnel.
Additionally, in some industrial enterprises, the aggregation and core switches and the boundary protection devices such as firewalls or gateways are often in a “no-man’s land.” On one hand, these devices are usually purchased and owned by production departments (or support or instrumentation departments), giving production personnel absolute say over them even though they lack network and security professionals. On the other hand, these devices sit in production environments, and IT personnel inherently have a certain reverence for production operations, so they often enable allow-all policies or neglect operation and maintenance in order to meet the needs of industrial production. Over time, the security configurations, account passwords, etc., of these devices are neither backed up nor recorded, creating a “no-man’s land.”

9. Inadequate security operation and maintenance management, incomplete emergency response

Most industrial enterprises entrust the operation and maintenance of assets in industrial production environments to equipment manufacturers, system integrators, or third-party service providers. For on-site operation and maintenance methods, most enterprises adopt a rough management approach, merely registering, recording, and leading personnel to the site without paying attention to the operation and maintenance process of personnel, being unaware of behaviors such as unauthorized USB insertions, illegal external connections, and data theft. For remote operation and maintenance, most enterprises use remote desktop methods like Sunflower and VNC without strict locking policies, lacking monitoring and auditing of violations, errors, and data theft during the operation and maintenance process, making it impossible to locate and trace incidents afterward.
On the other hand, in most industrial enterprises, IT security emergency response and industrial security emergency response are two separate systems. IT emergency responses often do not consider the needs of production environments, lacking “specific remedies” for network security incidents occurring in production environments; while industrial security emergency responses often deal with production safety incidents, without considering network security incidents, leading to a lack of emergency plans and response processes for relevant network security incidents.

10. Insufficient investment in industrial control system information security, poor personnel awareness

Overall, in the domestic security market, the entire network security investment accounts for less than 2% of IT investment, while the investment in information security for industrial control systems is less than 20% of IT security investment. Additionally, the annual budget execution for information security in industrial control systems is often minimal. Therefore, insufficient investment makes it challenging to ensure comprehensive protection.
On the other hand, the overall security awareness of industrial production personnel is weak, lacking security education and training. Some managers, technical supervisors, and frontline operators believe that their industrial control systems are not connected to the outside world, and that the industrial production network is secure; they also think that since the production system has been running for many years without any network security incidents, it will not happen in the future.
However, today is different from the past, and no resistance can stop the progress of productivity. Currently, the fourth industrial revolution is underway, and China is taking this fast train, fully utilizing the advantages of new generation information technology to change the situation of China’s manufacturing industry being large but not strong. Therefore, industrial production networks are also facing new transformations. Is your industrial production network still safe?
With the successive implementation of laws and regulations such as the Cybersecurity Law, Data Security Law, and the Regulations on the Protection of Critical Information Infrastructure Security, industrial control systems are widely used in key infrastructures involving the core of the national economy, such as energy, transportation, municipal, aerospace, and military industries. Once a security incident occurs, it can have catastrophic consequences for enterprises, society, and the nation. Therefore, a number of key information infrastructure industrial control systems are scheduled for rectification and construction.
So, how should we address these issues, or what are the solutions?
The security solution ideas are based on the background of the Cybersecurity Law, Regulations on the Protection of Critical Information Infrastructure Security, and other laws and regulations, and based on the design standards of the Basic Requirements for the Protection of Network Security Level and the Guidelines for Information Security Protection of Industrial Control Systems. By building a security technology system and a security management system, a trustworthy, controllable, and manageable dynamic defense system can be constructed.
First, through security assessment services, identify and sort out the assets (hardware, software, network topology, configuration, etc.) in the industrial production environment, and improve the enterprise asset ledger; based on assets, conduct non-intrusive vulnerability scanning, baseline checks, and other vulnerability identification, sorting, and analysis; based on assets, network traffic, business, logs, etc., conduct threat identification, sorting, and analysis.
Second, based on the results of the security assessment, conduct targeted protection from aspects such as architecture optimization, secure communication, boundary protection, access control, secure access, identity authentication, monitoring and auditing, industrial host protection, secure operation and maintenance, and monitoring and early warning, implementing security policies and establishing a security technology defense system.
Finally, establish a scientific and complete security management system, comprehensively build from security policies and systems, management institutions and personnel, security construction and operation and maintenance, forming first-level documents for enterprise policies, objectives, strategies, and management responsibilities, second-level documents for various management measures and systems, third-level documents for operational specifications and key security management measures, and fourth-level documents for management processes, operational processes, and various management forms that are compatible with the system, establishing a security management system.
At the same time, by leveraging the security operation platform, build a practical operation system that integrates industrial asset management, security awareness, risk situation, security assessment, emergency response, emergency command, notification and warning, and security training, implementing security operations to ensure the safe and stable operation of industrial production networks.

Original source: Critical Infrastructure Security Emergency Response Center
