For many years security experts have recognized that an industrial control system (ICS) has a fundamental design that makes it particularly susceptible to a cyberattack. Unlike IT systems designed to manage data/information, these ICS systems also bridge the digital and physical world and are created to “move molecules.” The consequences of a cyberattack, compromise, or disruption of these systems have the potential for catastrophic real-world, physical, and sociological impacts.
Although some components of the overall ICS loosely resemble IT assets, the design and deployment of ICS have over the years not been looked at for or been required to include cybersecurity resiliency. The traditional functional and security concerns were twofold:
- Do the basic job: Ensure the control system gets carefully engineered and deployed to safely complete specific tasks.
- Reliability: Uptime, and availability were paramount. Loss or malfunction of a control system can cost millions of dollars. Design the system to ensure reliability is more consistent than a typical “IT” computer network.
From a functional perspective, even though whole systems are carved into “layers” (see ISA/IEC 62443, ISA 99, and Purdue Model) and “control loops,” these networks are mostly “flat” and, for the most part, are non-conducive to applying a zero-trust architecture strategy.
For these same functional requirements, the OT systems are very trusting – if the security team issues a legitimate command, in the protocol expected, it will do exactly what the team tells it to do. Once on a network, security pros can issue commands from virtually any device to the control system – these systems do not authenticate either the source of the command or the command itself. This freedom of command and control is excellent for those concerned only about reliability without the threat of cyber-attack. The team can build redundancy into the system and leverage multiple points of entry in case of a problem.
However, the freedom of command and control add significant risk when considering a cyberattack. Once an attacker gets on a network and understands how the control systems work, they can get it to do virtually anything they wish.
So why isn’t zero-trust, the capabilities that are so common in the IT world, a viable option for ICS?
The zero-trust security framework requires all users and critical system entities, whether in or outside the organization’s network, to stay authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero-trust relies heavily upon identification and authorization management (IAM) attributes for basic functionality. While IAM gets used on some layers of ICS, unfortunately, this capability is not inherent to all ICS components. Often the use of IAM credentials is counter-intuitive to safely controlling processes.
Think of a control room scenario to better understand IAM: in these environments, every operator in the control room needs to see systems to orchestrate the overall process. The act of logging on and off subsystems with unique user IDs creates an unacceptable and unsafe blind spot. Similarly, machine-to-machine communication restrictions would also limit options in flexibility, functionality, and performance that may endanger the safety and consistency of processes.
Despite these obstacles, there are a few actions at specific layers that can be taken to apply zero-trust principles. Security teams must pay specific attention to any introduction of latency and the effect on underlying production resources. The Purdue Enterprise Reference Architecture (PERA) Model for ICS Security was developed as a model for ICS network segmentation that details the levels of ICS networks, what they contain, and how to secure them. PERA was created in 1990 prior to today’s era of an increase on business’ reliance on production data and the IIoT, so many of the recommendations are undoubtedly a bit obsolete. However, operators can still use it as a jumping off point and adapt many of the same principles, coupled with the ISA/IEC 62443 standard to secure their networks.
Sorting industrial systems and IT systems into separate layers still works as a valid method for determining what the company has and what it needs to secure. But first and foremost, to adopt the principles of PERA and apply any aspect of zero-trust segmentation, enterprises must achieve comprehensive visibility into their assets and consistently monitor performance. If organizations don’t know what they have, they can’t secure it in the first place.
To accommodate a change to incorporate the IAM and network segmentation necessary to execute zero-trust across all layers of PERA, industrial control system vendors will need to spend hundreds of millions of dollars (each) to “start from scratch” and completely redesign their control systems.
Once this gets done, owner-operators will then need to spend hundreds of millions (and for a large company, even billions) of dollars on upgrading the current infrastructure to a newly designed system. Even accounting for technical debt management and the natural attrition of systems, many control systems today have a life of 10 to 30-plus years. Even if the industrial control system vendors completely redesign their systems (which has not yet been done), it will take a long time to “rip and replace” to a more secure system.
The recent announcements of the Pipedream/Incontroller cyber incidents highlight these issues. These attacks are not malware; they are a set of tool kits that leverage known control system protocols that attackers can use to take command of these systems. Control engineers have been building similar tools for years to improve operational reliability; it’s not surprising that our adversaries are leveraging this knowledge in their attack strategy.
As a result, we must recognize that industrial control systems are vulnerable, and that the threat will not go away anytime soon. Resiliency has become critical, and strategies are available to help mitigate the effect of an attack to minimize damage to the enterprise and restore operations within a reasonably acceptable time.
Edward Liebig, global director of the cyber ecosystem, Hexagon ALI