What is ICS?
An Industrial Control System, ICS, is a generic term covering several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC).
What are the risks?
Over the years the attack surface has increased mainly down to an increase in the connection of ICS environments into corporate networks and the use of more conventional IT technologies to lower costs associated with support and maintenance.
The Stats (CREST ICS Study)
- 32 % of the studies participants had been in infiltrated or infected at some point;
- 34% had been breached more than twice in the past 12 months;
- 15% reported needing more than a month to detect a breach;
- 44% were unable to identify the source of the infiltration
However the truth is with these stats the majority of ICS incidents go unreported, generally for commercial or national security reasons but it also makes it more difficult for security professionals to accurately asses the risk.
The Issues
- There is a reluctance from ICS environment and process owners to allow security people access to ICS environments for security testing.
- Lack of qualified and experienced ICS testers.
- Things are no longer ‘air gapped’ as ICS environments are connected to regular environments using anything from RF to Ethernet.
- It is sometimes difficult to obtain log data for analysis or incident response.
- A lack of information about the assets in an environment, some laws stipulate you must keep an asset list which is created during installation but these are rarely ever filled in and when they are, they are often not complete or up-to-date.
- Lack of modern security protections in devices, like ASLR/NX etc.
- The market is dominated by a small number of vendors who don’t have the best reputation for security.
- Insufficiently protected, often blind environments targeted by very capable adversaries.
Some of these one can understand, for example one must proceed with a high degree of caution during technical security testing of ICS environments because a wrong move here may end up costing peoples lives.
The Solution
There is a lot that can be done, from training and education for security testers working in ICS environments to technical innovations in the areas of ICS control systems, testing tools and environment architecture.
This is why I joined Insinia Security, to focus on innovation, research and solutions for critical environments, the task ahead is not easy but it’s one we are confident we can solve.
