Industrial Control Systems (ICS) are the heart of your operations. They are the link between the physical and digital components of your industrial system, and handle the process via the control of switches, pressure motors, valves, turbines, etc. Downside: they become tempting targets for many Advanced Targeted Attacks (ATA).
Why is ICS cybersecurity so essential?
Although these systems may be very complex, many reports show they are still vulnerable and can be exposed to a significant number of high risk exploits. According to Kaspersky Lab, half of the companies surveyed experienced 1 to 5 IT security incidents in 2017. And these incidents have a direct effect on business – costing industrial organizations approximately $500K per year on average.
This is unfortunately only the beginning, as more and more ICS become connected, and as attention to these systems grows. Much like winter, the worst is coming. Cybersecurity is an effective answer to reduce the attack surface, thus strongly limiting the impact of a very large part of malicious behaviors.
When ICS are not connected, are they safe?
It’s one of the questions we’ve heard the most. And let’s be honest: Do you really think that there is a strong gap between your ICS and the rest of the world? An ICS is by definition the interconnection of several components (PLCs, HMI, Engineering workstation, etc.), and can most of the time be totally autonomous. But each component will be, from time to time, exchanging data with coming from or going to somewhere outside of the ICS. Connectivity is the mechanism of introducing new data to a system.
Reducing or controlling the connectivity will of course reduce the exposure to threats. But as the following examples show, you can’t totally be unconnected.
- With regular need for maintenance, troubleshooting and updates, the ICS will get locally connected.
- Depending on your infrastructure, you may also have remote connections from a subcontractor or a central control room.
- Shit happens. So do human mistakes. Leaving a remote connection opened is to be considered.
- An employee can breach the system on purpose.
- Social engineering and spear phishing can target a specific computer within the same network, which will then be used to attack the ICS.
- Wireless industrial networks can allow somebody to connect to the network from outside of the building.
- Plugging in a USB key and transferring data either to or from counts as connectivity.
With so many ways of creating connectivity, your ICS can be exposed to threats even if they’re considered offline. The most famous example of an offline ICS was the target of the Stuxnet attack, in which its air gap was compromised with a simple USB key.
Why would you consider your ICS to be not connected? Why would you consider your ICS out of the threats range? Threats are everywhere, and the most numerous, yet the easiest to fight against, are the non-targeting ones.
Can using legacy systems be the answer?
Another way of asking this could be: “Should I shelter my infrastructure and remove every single connection?“. Unfortunately, this is not possible and should not even been considered.
- In the cybersecurity industry, we learned that the number of threats grows with the age of a system, therefore legacy systems are weaker and weaker as time passes.
- The digital industry improves as time goes, today’s legacy systems are less efficient than today’s needs.
- One of the drawbacks of the digital industry is the warranty time. Since things move fast, systems become obsolete quicker than the industry can afford, making maintenance more and more difficult.
- The digital industry is mostly built upon the concept of “planned obsolescence”, which makes it increasingly expensive to maintain and keep it functional.
- New systems are more efficient and faster.
- New systems are more reliable.
We believe that most of the industry will move from legacy systems towards new digital ICS. One of the benefits is increased productivity through the computing of large amounts of data coming from connected objects (such as the IIOT – Industrial Internet Of Things). But as connectivity expands, threats and risks expand too!
ICS and IT: is it the same?
ICS and IT convergence is on its way, but so are the threats against these systems: industrial espionage, sabotage, state attack, mafia attack, mass attacks, etc. But there are some differences: sabotage is mostly against ICS whereas mass attack will mainly target IT.
The consequences of a successful attack are also different: data theft and reputation impact for IT; human, environmental, production and industrial secret theft for ICS.
Protection against these threats are therefore close but have specificities, and must take into account business constraints. Integrity and data protection for IT systems; availability and safety for ICS.