There is a great article from Trend Micro on why attackers target Industrial Control Systems (ICS) and how the Industrial Internet of Things (IIoT) will affect it. This is worth knowing as ICS is used to describe dissimilar types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in almost every industrial sector and critical infrastructure from manufacturing, transportation, energy, and water treatment to running the power grid, regulating energy use in a building or managing the process of brewing beer.
At a presentation I gave at Cyber Security 2017: Securing the Smart City of the Future, I spoke about the anatomy of an attack but didn't get into the details as to the motivation or technicalities. ICS have been with us for more than a few years, but recent modernization has created new ways for these systems to communicate with their controller. This has improved overall productivity but not security. New security issues have arisen that can be exploited by cybercriminals, including:
- Components that were not meant for public access are now accessible via the Internet.
- Security and privacy features that were not considered by solution architects and engineers at design time.
- Threat modelling not conducted by either the component manufacturer or the solution provider.
- Products that are not required to be fully tested or assessed to provide a minimum level of assurance or security.
- Installations that were not formally evaluated for cyber risk prior to deployment.
- An implicit trust at the systems operational level that all components are safe.
Increased aggressive targeting of these systems will impact many areas, including smart cities, smart manufacturing, smart infrastructure projects and even our soon-to-be smart homes and cars, unless we can get control of these issues. In many of these attacks, data risk is the least of our worries, as they could potentially result in injury or death. To deal with this comprehensively, everyone in the product and service chain must play their part:
- Manufacturers need to ensure that their products are designed with security, privacy and safety in mind. This includes a multitude of aspects depending on the product being developed. Only through comprehensive threat modelling at design time will they fully understand how attacks can happen in the field and the necessary controls that will be required.
- Implementers need to conduct security testing and evaluation at all stages of the project to ensure that systems are not misconfigured or prone to attack once in the field.
- Customers, whether they are a city manager, a building manager or an information security manager, need to better understand the risks to their specific deployments, including how to perform Threat & Risk Assessments (TRAs) and Privacy Impact Assessments (PIAs).
Always remember that security is more than a technology you can just implement. Attempting to protect bad coding and engineering practices with a badly configured firewall will just end in an attack succeeding.
Lastly, the authors of the article reference the NIST Security Guide for ICS; I would recommend that you also look at IEC 62443. Why? It was written so that an ICS company (vendor, implementer or purchaser) could be evaluated and tested against stringent controls for risk. This wide series of standards covers the breadth of deployment and in-field issues that need to be considered and assessed against. It forces all parties involved to get their act together and ensure they have important aspects in place, such as integrating activities across the Software Development Life Cycle (to help discover and reduce vulnerabilities early and build security in) and operational security policies and procedures. You might be surprised how many don't.