Protecting your industrial control systems from cyber risk
It is important to understand that hacking of Industrial Control Systems (ICS) may cause injuries, loss of life, material damage or business interruption. A Denial of Service (DoS) attack or ransomware spreading across your organization can make production systems unavailable or cause them to misbehave.
Important to understand the risk of Industrial Control Systems
Industrial Control Systems are most typically found in manufacturing and utility production, but similar challenges exist in other embedded systems. Examples are found not only in utility companies or the manufacturing industry (PLC, DCS, SCADA) but also in retail, logistics, healthcare, etc.
Consider for example the use of Building Management Systems (BMS), Warehouse Management Systems (WMS), Medical Scanning Devices (MSD), or common equipment such as elevators, locking systems, domestic heating, air compressors, etc. All this equipment is vulnerable to cyber-attacks if it is connected to a network, for example for reporting, control or updating.
It is important for all of us to understand the risks of our industrial control systems and the obligation to build and operate them in such a way that they offer maximum protection against an attack.
Incidents resulting in large losses
As an insurance company we have been studying ICS risks for several years now. Recently we have seen many incidents at major industries resulting in large losses, adding up to hundreds of millions. In these incidents malicious software gained access to the business network and encrypted all data. More sophisticated versions first made an inventory of all data repositories, including on-line back-ups, before starting their destructive work. Without their data, victims were paralysed, and their options were limited to paying the ransom and hoping for the best, or rebuilding their systems from scratch using off-line back-ups, if available.
Ransomware can spread rapidly
Because ransomware can spread rapidly, a global company network could be affected within minutes. So far, the preferred response has been to cut all connections, effectively shutting down the network. And in today’s world, enterprise resource planning systems are key and without them business operations are impossible.
Even when the industrial control systems themselves are not compromised, all activities will stop sooner or later: in manufacturing plants, production numbers and demands for raw materials are no longer processed. In hospitals, patient data is no longer available and findings can't be reported.
In distribution centres it is no longer possible to find pallet locations, to print address labels or to complete customs forms. However, as the ICS themselves are not compromised, they will operate as planned and shut down safely without physical loss. In the insurance business this is therefore commonly referred to as non-physical risk.
The hacking of ICS is considered a physical risk
However, the hacking of ICS is considered a physical risk as it may result in injuries, loss of life or material damages! Examples are less known to the general public and include events such as hacking into the controls of a New York dam (2013), setting a German steel mill on fire (2014), breaking down the Ukraine power grid (2015), compromising the safety of a refinery in the Middle East (2017), and the attacks on the Russian power grid (2019).
These examples may seem a little extreme for an average organisation, as they involve state-sponsored hackers and high-profile targets. But make no mistake! As happened with malware targeting common IT systems, we have no doubt that the tools used in the above attacks will trickle down and become available to common criminals.
Integrity is key
For ICS, integrity is key! Processes must be completed in a strict order depending on input provided by sensors. Users can select the order required using a Human Machine Interface (HMI). For example, a manufacturer of paper cups will have a strict order for producing their cups, which should always have the same appearance.
Should they want to produce another product, they must select different parameters. Within the production process the users may have some bandwidth to adapt the process, because the raw material they use may differ in quality. However, the ICS will enforce the upper and lower limits to prevent, for example, overheating.
When we visit organisations as part of our risk management surveys, we find that automated solutions are replacing part of the human workforce. This takes away the possibility of human intervention in case the process order is disrupted. We also see a lot of system integration: where we used to have multiple machines on multiple lines, today a single, more complex machine combines their activities.
As the equipment becomes more complex, the number of people who understand it is shrinking. Finally, we see that safety systems, which used to be independent (mechanical) devices, are moving along the same lines and are sometimes even merged with the very systems they are supposed to protect!
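As an added illustration (not from the original article), the three integrity properties described above modelled for a constructed paper-cup line: a strict step order, an operator bandwidth per step selected from the HMI, and a hard safety limit kept separate from the recipe so that editing parameters cannot move it. All step names, limits and HMI commands are constructed.

```python
"""Minimal model of ICS integrity controls: strict step order, operator
bandwidth per step, and an independent hard safety limit (constructed)."""

from dataclasses import dataclass, field

# Constructed recipe: (step name, lower bound, upper bound) for the
# operator-adjustable setpoint, in the strict order the line must follow.
RECIPE = [("feed", 20.0, 30.0), ("form", 150.0, 170.0),
          ("seal", 180.0, 200.0), ("eject", 0.0, 5.0)]

# Hard safety envelope, kept apart from the recipe so it cannot be changed
# by selecting a different product (the independence the article asks for).
HARD_LIMIT_MIN = 0.0
HARD_LIMIT_MAX = 210.0   # e.g. heater temperature at which the line trips


@dataclass
class LineController:
    step_index: int = 0
    alerts: list = field(default_factory=list)

    def command(self, step: str, setpoint: float) -> bool:
        """Apply one HMI command; return True if accepted, False if rejected."""
        # Check 3 first: the safety envelope applies regardless of the recipe.
        if not HARD_LIMIT_MIN <= setpoint <= HARD_LIMIT_MAX:
            self.alerts.append(f"SAFETY: {step} setpoint {setpoint} outside hard limits")
            return False
        # Check 1: strict order, only the next recipe step is accepted.
        expected, lo, hi = RECIPE[self.step_index]
        if step != expected:
            self.alerts.append(f"ORDER: got {step}, expected {expected}")
            return False
        # Check 2: the operator bandwidth for this step.
        if not lo <= setpoint <= hi:
            self.alerts.append(f"BANDWIDTH: {step} setpoint {setpoint} outside [{lo}, {hi}]")
            return False
        self.step_index = (self.step_index + 1) % len(RECIPE)
        return True


def run_commands(commands):
    """Feed (step, setpoint) HMI commands; return (accepted flags, alerts)."""
    ctl = LineController()
    accepted = [ctl.command(step, value) for step, value in commands]
    return accepted, ctl.alerts


# Constructed HMI traffic: one normal cycle, then three integrity violations.
SAMPLE = [("feed", 25.0), ("form", 160.0), ("seal", 190.0), ("eject", 2.0),
          ("seal", 190.0),                   # out of order: skips feed and form
          ("feed", 25.0), ("form", 175.0),   # above the operator bandwidth
          ("form", 160.0), ("seal", 250.0)]  # beyond the hard safety limit
```

Running `run_commands(SAMPLE)` accepts the first cycle and rejects the three tampered commands, each with an alert naming which control caught it.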
Our recommendations
We recommend:
- When working with connected ICS, make sure the control network infrastructure design addresses cybersecurity. For an example, see the SANS ICS 410 illustration.
- Make sure you know what equipment is connected and what software you're running, and keep your access control up to date, with access granted only on a need-to-know basis.
- Assess vulnerabilities in ICS regularly by scanning assets for vulnerabilities or conducting a penetration test on the networks.
- Back up all key systems regularly and store at least one recent, complete, backup set in a remote site.
- Consider deploying an ICS-aware Intrusion Detection / Prevention System (IDS/IPS) or Next Generation Firewall (NGFW) to gain visibility and control over your production network segments.
- Protect critical information in your ICS from unauthorized access and keep off-line copies and backups.
- Create visibility of your network and maintain routines and capabilities to act in case of a disruption.
Ask these questions
To protect your organisation from future cyber-attacks causing loss of life or material damage, we believe it is very important to keep a grip on the matter. We propose you start by asking the following questions:
- Are our operations dependent upon the operation of machines or equipment connected to IT systems or networks?
- Could a disruption or manipulation of our operations’ IT systems or underlying networks result in loss of life or physical damage to our products, goods, machines or facilities?
- Are our operations’ IT systems connected to the company network or accessible remotely over internet by employees or third parties?
- Have we conducted a recent security test of our operations’ IT systems and associated network connections?
- Could a disruption or manipulation of our operations’ IT systems or underlying network result in any form of business interruption?
Erik van der Heijden
Senior Risk Engineer, If