What Is Industrial Control Systems (ICS) Security?

INTRODUCTION

Everyone has had this thought while standing in a large, important, public area:

(scenarios from crazy “Die Hard” and “Mission Impossible” movies then follow).

The rule that “anything can be compromised will be compromised” is often repeated over and over again in cybersecurity. It is a common belief that this saying applies only to the protection of our personal data, networks, and systems that involve our computers, phones, and any other digital devices. However, while basic security hygiene and personal data protection still needs work, there are security threats on a more massive scale that go almost completely un-thought of.

Industrial Control Systems (ICS) security is an essential field within cybersecurity. Since everything is connected to the internet nowadays, everything is vulnerable. Our buildings, airports, stadiums, power-plants, (etc.) are all in dire need of protection from cyber attacks and coordinated assaults. In this post, we will discuss the basics of ICS security and the responsibilities of ICS security professionals.

WHAT IS ICS?

According to the Digital Guardian, the field of Industrial Control Systems is officially defined as

ICS security is focused on protecting critical infrastructure from being compromised. Before the internet, an individual control system did not use as much computing power as the complex industrial systems of today. Control systems were mostly kept separate from other control systems, and they were not as connected through telecommunications. However, our modern infrastructure is highly linked using IoT and networks. We can understand the high-connectivity of systems by imagining the internet as a road map:

Image Courtesy of prnewswire.com “Network Atlas Launches Map of Global Internet Infrastructure”

By looking at the map, we see that all roads are somehow connected. By going down one road, you essentially have access to the entire map. The internet is the same way. According to vox.com, there are more than 40,000 individual networks (or roads) that make up the internet today, and they are all connected by gateways (devices that connect multiple networks together). This fluency is what makes the interdependency of networks dangerous.

Since a power-plant network may be linked to an office building network nearby, a hacker can break into the office building’s network to gain access to the power-plant’s controls. This is why ICS security is partly so difficult to manage, for if everything is connected, there is no telling what a hacker can do with one vulnerable area of a system. Something as small as a sensor, control panel, or computer can give an adversary control over an entire building or several buildings.

EXAMPLES OF CONTROL SYSTEMS

The family of industrial control systems includes a variety of systems and physical places, but any hardware or software that uses network connectivity to support critical infrastructure can be classified as an ICS. Below are the main categories of ICS items:

• Supervisory Control And Data Acquisition (SCADA)

SCADA systems are software systems that gather information from industrial processes. Their main functions are to monitor and archive data, control industrial processes, and interact with human machine interface (HMI) software. SCADA software controls the sensors, pumps, motors, valves, and other components used to run an industrial process. Watch the video below for more information about SCADA systems:

• Distributed Control Systems (DAS)

The Distributed Control System is the “central brain” of an industrial plant. It is a system of computers, controllers, and sensors that control the entire plant. Components of the DCS are scattered throughout the plant and communicate with a central network computer. The DAS automatically adjusts the operations of each component based on different production scenarios.

• Industrial Automation And Control Systems (IACS)

IACS are control systems involving computers and robotics that perform a multitude of mechanical processes. In the past 30 decades, machines have been used to produce items at an easier, cheaper, and faster rate than human workers. In manufacturing sectors and assembly lines, industrial automation has become the norm.

• Programmable Logic Controllers (PLCs)

A Programmable Logic Controller is an industrial computer that controls one or a few production processes for an industrial plant. According to the controlstation.com blog, the PLC performs specific tasks such as controlling airflow of a system or maintaining liquid tank levels. A PLC is mainly used for manufacturing and automation processes.

• Programmable Automation Controllers (PACs)

Programmable Automation Controllers are industrial computers that control automation systems. A PAC is used for automated equipment with higher-level programming. Complex machines and robotics often require more sophisticated instructions than standard system components, so a PAC provides these services.

ICS INDUSTRIES

Industrial control systems belong to all industries, but are most typically the following:

• Energy

  • Coal, natural gas, and petroleum plants

  • Oil pipelines

• Transportation

  • Railways

  • Airports

  • Public transit systems (buses, subways, ferries, commuter rails, etc.)

  • Highways

  • Bridges

  • Tunnels

• Food and beverage

  • Meat Processing Plants

  • Dairy Processing Plants

  • Beverage Plants

*According to the U.S. Department of Agriculture, there are 36,486 food and beverage plants that are responsible for all food and beverage production, processing, and distribution in the United States. If an adversary wanted to, they could cause extreme chaos by compromising the food services of a country. Possible consequences include food shortages, poisoning, etc.

• Manufacturing

  • A mass collection of factories, robotics, and institutions that create products for everyday use by the public.

• Power

  • Electricity grids

  • Solar panels

  • Windmills

  • Dams

• Water & Wastewater

  • Water treatment plants

  • Sanitation facilities

CONSEQUENCES OF COMPROMISED INDUSTRIAL CONTROL SYSTEMS

The consequences of a compromised ICS can be severe, not only for the parties that control the system, but especially for the millions of individuals that rely on the ICS. Groups that want to target industrial control systems include terrorist organizations, black-hat hacker groups, government affiliated hackers, hacktivists, etc. Threat actors can inflict harm on industrial control systems in the following ways:

• Monetary Gain: hold an ICS for ransom.

Example: A hacker gains control over a crucial water treatment plant and disbands all activities of the plant until they receive a demanded sum of money. As long as water continues to go untreated at the plant, pollution and poor sanitation will increase and the population is vulnerable to contracting life-threatening diseases.

• Inflict Mass Damage: destroy ICS operations

Example: A hacker compromises an electricity grid and damages the controls from the inside. Based on the amount of time that passes for the system to be reconfigured, the population will go without electricity.

• Produce Chaos

Example: A hacker gains access to the LED traffic light system and controls roads at their own will. If an adversary wanted to, they could cause car accidents to happen by playing with traffic lights. They could shut down parts of the road system and cause wide-spread delays.

There are more ways for malevolent adversaries to compromise and exploit industrial control systems, but the few listed in this post are most well-known. In 2015, state sponsored hackers from Russia were able to shut down Ukranian power grids, causing nation-wide power outages in the country. This massive cyber attack on a Ukranian ICS drew more attention to the need to protect ICS systems.

ICS SECURITY PROFESSIONALS

Professionals working in ICS security are met with a demanding range of responsibilities. Not only must they ensure that critical infrastructure is operating reliably (as it is regularly supposed to), but they also must protect the systems from attacks. ICS professionals must work with the system to avoid unexpected outages and delays. Should an ICS be unavailable, risk management (practices and policies for addressing threats and vulnerabilities) is a key component that many ICS security professionals spend time on. Preparing for a catastrophic event (cyber attacks, natural disasters, etc.) or change management is an essential part of the ICS profession. ICS security professionals must also conduct security assessments of a system regularly.

CONCLUSION

There is no doubt that the consequences of a corrupted industrial control system are severe. In ICS security, the main goal is to ensure that all components of a system be safeguarded so that no adversary can corrupt it. It is a nearly impossible job, but one that is extremely necessary. When critical infrastructure is compromised, there are human lives at stake. The response time to get a system back up and running again is crucial; when the power is out or if water is not being treated, there is no telling what could happen. If an adversary wanted to, they could cause accidents, public unrest, and chaos to occur by taking over a critical system. Therefore, since the safety and prosperity of citizens is the number one priority for all nations, ICS security should be a vital part of every single sector.

SOURCES

• controlstation.com "What Is A DCS?"

• digitalguardian.com "What Is ICS Security"

• "Guide to Industrial Control Systems Security"