A tale of two houses: Securing industrial control systems

By Hank Hensel, CSC Cybersecurity

When the U.S. Industrial Control Systems (ICS) Cyber Emergency Response Team (CERT) confirmed in its newsletter that a U.S. public utility had been hacked successfully, many skipped the more important message made in that issue – that Internet-facing control systems are at risk!

To date, no major published standards or design models suggest that it is acceptable to directly connect IC systems to the Internet.

In fact, the mitigation methods for these risks are well documented:
• Protect all control systems assets behind firewalls; this includes separating them from the company’s business networks.
• Only allow secure remote access with methods such as Virtual Private Networks.
• Remove, disable or rename any default system accounts.
• Configure account lockout policies to reduce the risk from brute-force attempts.
• Implement policies that require strong passwords.
• Control and limit the creation of administrator-level accounts by support and maintenance personnel.

So why is this practice still occurring?

The answer seems to comes down to a quote from “A Tale of Two Cities,” by Charles Dickens, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness…”

Operational and IT Houses at Odds

No, wait… more specifically, how about… If a house with cybersecurity defenses is divided against itself, that house cannot stand? While that’s a bit of a paraphrase, you hopefully get my drift.

These “houses” I speak of are a company’s Operation’s ICS Engineering teams (“OT” for operational technology) and Information Technology (IT) teams.

Too often within a company these houses are, at best, tolerant of each other or, at worst, at odds. Each house has its core focus and practices, and mandates can be challenging to align with each other.

IT brings some of the best (and strongest) practices concerning cybersecurity.

OT has key operations imperatives on keeping ICS processing running with minimal (preferably, no) interruptions.  Not only is continuous production most important to OT, but typically OT must also be assured that an ICS system will not accidentally malfunction and cause threats to human and environmental safety.

Many OT support models do not or cannot collect data from some of the most critical supervisory control and data acquisition (SCADA) and ICS assets.  These same support models depend on trained staff, not tools, to detect and respond to issues.

Security, ICS and the Internet

At first, it seemed straightforward to allow IT to apply their cyber defensive processes to the OT’s ICS systems.  However, this is where things start to disconnect.  Setting aside the challenges to authority and responsibilities between these houses, the OT ICS systems often cannot support IT security technologies or defensive practices because they would diminish the ICS’ core production reliability.

This can apply to any OT supported system, but ICS system interruptions to the most important infrastructure sectors, such as energy, water and transportation, can have grave consequences.

Furthermore, it is difficult to patch ICS systems in a timely fashion due to the same possible risk to production continuity and safety.  It is not easy to pull systems from service.

Keep in mind also that ICS systems have a different lifecycle than IT’s typical systems.  Whereas ICS systems can have lifecycles of up to 15 or 20 years; IT systems will usually “aspire” for three to five years at most.  Just picture how fast an IT person would run screaming from the room if they were asked to provide state-of-the-art malware and host-intrusion detection to a Windows NT system!

Circling back to the ICS CERT’s confirmation that  a utility company’s ICS was compromised by remote access via the Internet. A default Web interface often can be found with administrative privileges and, by default, is active on ICS devices. Rarely does the end user ever disable it. There are usually two possible reasons for this “oversight:”
1. The ICS systems integrator is a contractor who doesn’t have a full understanding of the systems being installed.
2. The “Owner” of the ICS is unaware that there is a Web interface that is enabled by default from the manufacturer.

From years of experience, IT personnel have learned to look for this type of interface.  For OT personnel who just now have to deal with connecting their systems beyond their traditional boundaries, lessoned learned can be costly.

What’s the bottom line?  We’ve reached the point where we have to start bringing the IT and OT houses together.  IT can offer great solutions to better protect systems.  OT teams understand their unique system needs. By cross training, both houses will better understand system limitations and may even consider trying non-technical procedural changes to mitigate risks.

________________________________________________________________________

Hank Hensel PicHank Hensel, a partner with CSC’s Cybersecurity Consulting Practice and a Cybersecurity Industrial Control System Practice Coordinator, leads CSC’s ICS/SCADA industry program. With almost three decades of IT experience, Hensel provides advice and assistance as clients define and implement comprehensive, holistic security programs that protect their critical infrastructure.

Comments

  1. That was very well explained – thank you

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: