For those coming from IT, securing ICS systems can be frustrating at the beginning. This is because the technologies used and the ways of working are very different when it comes to OT systems. The objectives pursued in these two areas are also very different. How so? Let’s find out.

Data protection vs. process protection

When securing IT systems, the main focus is on protecting data - such as intellectual property (IP), credit card numbers, emails and Personally Identifiable Information (PII) - thus trying to prevent hackers from gaining access to what, for a company, may be a large part of its assets.

This is in sharp contrast to what happens with ICS systems, where the main objective is to protect the process, as they are designed for continuous processing. In some cases, following an unplanned shutdown of a plant, it can take days, weeks or even months to restart it, causing significant damage. And the loss is not only economic.

Take, for example, an ICS system that controls power generation and distribution, or drinking water and wastewater systems: besides great inconvenience, a breakdown can have serious consequences for people’s health and a deep impact on society. Without going too far back in time, just think of the 2021 ransomware attack on Colonial Pipeline, which halted operations for six days, leading to a fuel crisis and increased prices in the eastern U.S.

Technologies

In traditional IT systems, we are used to working with protocols such as TCP, IP, UDP, DNS, DHCP, etc. Most ICS systems instead use one of over 100 dedicated protocols, some of which are proprietary. The most widespread on the market are Modbus, DNP3, ProfiNet/Profibus, OPC and others.

ICS systems base their operations on Programmable Logic Controllers, or PLCs. These are used for almost any type of industrial control system, be it production, oil refining, power generation, water treatment, etc. PLCs are comparable to industrial computers, each with its own proprietary operating system. They use programming languages derived from the world of electromechanical relay logic, such as Ladder Logic, to control sensors, actuators, valves, alarms and other devices. Hacking ICS systems often requires familiarity with the programming of such PLCs.

Schneider Electric compact-series PLC

Availability requirements

Although availability is one of the most important concepts within information security, ICS systems take it to another level. As mentioned above, here the attention is on protecting the process, rather than the data. For this reason, applying a software patch and rebooting the system is often not an option, except during discrete time windows such as annual or quarterly maintenance shutdowns. This means that operating systems and applications remain unpatched, with known vulnerabilities, for months or even years. Therefore, SCADA or PLC engineers must put adequate compensating controls in place to prevent intrusions, unlike an IT security administrator, who is able to apply security patches far more frequently.

Different access to components

With a few exceptions, in traditional IT security the technical team has direct physical access to system components. In ICS systems, these components may be spread over hundreds or thousands of metres (e.g. pipelines, power grids, etc.), which makes implementing security controls even more complicated. For example, remote field stations can become an access point to the entire ICS system.

Security through obscurity

Recently, especially with the advent of Industry 4.0, many ICS systems have been progressively connected to the Internet via a direct TCP/IP connection. While internal communication can still be managed over proprietary networks, remote access allows continuous monitoring by plant managers. However, there are still exceptions, such as some dams and other public infrastructure systems, which remain off-line to keep them out of the clutches of cyber attackers.

Security achieved through an “air gap”

For years, these systems benefited from security through obscurity. What does it mean? They were somehow safe because few people knew of their existence and even fewer understood their technologies: the protocols used were only known to technicians in the industry who had gained first-hand experience with SCADA, PLCs and HMI terminals.

This is turning out to be a weak point, as these systems are being exposed on the network without even the most basic security measures in place. An example is what happened in 2016, when the independent researcher Karn Ganeshen managed to break into a Schneider Electric Building Automation system by exploiting a 0-day vulnerability and gaining root access to the server.

With the advent of reconnaissance tools like Shodan, these systems can no longer rely on security through obscurity. The industry is only now beginning to implement modest security measures, but one of the biggest challenges it faces is that many standard IT security products do not provide the same level of protection when it comes to industrial protocols. In most cases, firewalls and IDSs have to be customised to make them compatible with and applicable to OT.
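As an added example, not code from the original article, the block below ties together the two points above: the dedicated protocols mentioned under Technologies (here Modbus/TCP) and the protocol-aware customisation an IDS needs to be useful on OT traffic. It parses the Modbus/TCP framing (the 7-byte MBAP header followed by the function code and its data) and then audits a set of frames against a per-source allowlist, which is the kind of compensating control a plant can run when patching is not an option. The host addresses, the policy and the five sample frames are constructed for the illustration; the function codes are the public Modbus ones.

```python
"""Modbus/TCP frame parsing and a source-aware allowlist audit (added example)."""
import struct
from dataclasses import dataclass

# Modbus/TCP = 7-byte MBAP header followed by the PDU (function code + data).
# MBAP fields: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
# Note what is absent: there is no authentication or integrity field at all,
# so "who may write what" can only be enforced by the network around the PLC.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # starting register/coil address (-1 if the PDU carries none)
    data: bytes       # PDU bytes after the function code


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request; raises ValueError on malformed input."""
    if len(raw) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(raw, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    pdu = raw[MBAP.size:]
    if len(pdu) != length - 1:          # MBAP 'length' counts unit id + PDU bytes
        raise ValueError("MBAP length does not match PDU size")
    fc = pdu[0]
    address = struct.unpack_from(">H", pdu, 1)[0] if len(pdu) >= 3 else -1
    return ModbusFrame(tid, unit, fc, address, pdu[1:])


def audit_flows(flows, policy):
    """Check (source IP, raw frame) pairs against a per-source function-code allowlist.

    policy maps a source IP to the set of function codes it may send; a host
    missing from the policy is unknown and everything it sends is reported.
    Returns a list of alert strings (an empty list means all clear).
    """
    alerts = []
    for src, raw in flows:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        name = FUNCTION_NAMES.get(frame.function_code, f"FC {frame.function_code}")
        kind = "WRITE" if frame.function_code in WRITE_FUNCTIONS else "read"
        allowed = policy.get(src)
        if allowed is None:
            alerts.append(f"{src}: unknown source sent {kind} '{name}' "
                          f"to unit {frame.unit_id} addr {frame.address}")
        elif frame.function_code not in allowed:
            alerts.append(f"{src}: {kind} '{name}' not in allowlist "
                          f"(unit {frame.unit_id}, addr {frame.address})")
    return alerts


# Constructed sample traffic (not a real capture): (source IP, raw Modbus/TCP bytes).
SAMPLE_FLOWS = [
    ("10.0.1.10", bytes.fromhex("000100000006" "01" "03" "0000" "000a")),  # HMI reads 10 holding registers
    ("10.0.1.20", bytes.fromhex("000200000006" "01" "06" "0010" "0001")),  # engineering station writes register 16
    ("10.0.5.99", bytes.fromhex("000300000006" "01" "05" "0001" "ff00")),  # unknown host forces coil 1 ON
    ("10.0.1.10", bytes.fromhex("00040000000b" "01" "10" "0010" "0002" "04" "0001" "0002")),  # HMI writes 2 registers
    ("10.0.1.10", bytes.fromhex("000500000006" "01" "03" "00")),           # truncated frame
]

# Constructed policy: the HMI may only read; the engineering workstation may also write.
SAMPLE_POLICY = {
    "10.0.1.10": {1, 2, 3, 4},
    "10.0.1.20": {1, 2, 3, 4, 5, 6, 15, 16},
}

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS, SAMPLE_POLICY) or ["no alerts"]:
        print(line)
```

Running it reports three of the five frames: the write from a host that is not in the policy, the multi-register write from an HMI that is only supposed to read, and the truncated frame. The first two are the point of the example: a generic IT firewall that only sees "TCP port 502, allowed" passes all of them, because nothing in the frame itself distinguishes a legitimate write from an illegitimate one; only a rule that understands the function code and ties it to the source host can tell them apart.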

Cyber terrorism and cyber warfare have never been more relevant than in recent times, and the protection of ICS systems is crucial. Since 2010 they have become prime targets, not only for criminal hackers but also for governments, as in the case of Stuxnet or the Russian attacks on the Ukrainian electrical grid during the conflict between the two countries.

Stay safe, stay free.