ICS Security Trends

Wednesday, December 2, 2015 @ 09:12 AM gHale

By Heather MacKenzie and Jeff Lund
Cyber security has been increasing in importance in industrial facilities since the discovery of Stuxnet in 2010. Now along comes the IIoT (Industrial Internet of Things) with its increased numbers of connected devices and links to the Internet and business systems.

More IIoT-related entry points to industrial communications infrastructure means more cyber risk, not only from intentional attacks but also from unintentional sources such as device failure, operator error and malware. In manufacturing and process control environments this means higher risk to physical devices and processes and the possibility of physical, not just digital, damage.


What does this imply for ICS security going forward? Let’s look at three trends: More advanced security-focused products, security as an attribute of all Ethernet devices, and further adoption of the Defense in Depth best practice.

Advanced Industrial Security-Focused Products
One trend is that increased cyber security risk is leading vendors to develop advanced technologies that deal with the particular challenges of control system security. One of those challenges is the widespread use of ICS communication protocols that were not designed with security in mind: Modbus TCP, for example, carries no authentication, so any host that can reach a device can read or write its registers. Securing such protocols without disrupting their control function requires technology that understands them.

An example is Deep Packet Inspection (DPI). On the one hand, a conventional Intrusion Detection System (IDS) only raises alerts, and typically only for broad categories of known attacks; it does not block anything. On the other hand, most firewalls use Access Control Lists or stateful filtering, which work on addresses and ports, so they can only allow or block all messages of an industrial protocol like Modbus TCP (everything on TCP port 502) rather than telling one command from another.

DPI, however, parses the protocol itself to understand what each message does, and provides protection, not just detection. For Modbus, for instance, a DPI firewall can determine from the function code whether a message is a read or a write, drop all writes, or permit writes only to particular registers. This lets protection be tailored exactly to the application: essential control messages pass as required, while potentially dangerous or inappropriate messages are blocked.

Security Built-in to Ethernet Networking Devices
When you think about it, Ethernet networking devices such as industrial routers, switches and firewalls are at every connection point of the ICS network. This makes them ideal security sentinels to identify and control traffic entering and leaving at all points of the communications infrastructure.

Furthermore, studies show most industrial cyber incidents are unintentional, occurring due to human error, a software or device flaw, or an inadvertent introduction of malware infection. This means ICS security needs to protect from “friends and neighbors” as well as “enemies.”

For these reasons, there needs to be a focused effort to evolve all Ethernet devices to play an active role in their own security.

Further Adoption of Defense in Depth Best Practices
We have been a long-time proponent of Defense in Depth, as per ISA/IEC 62443 (formerly ISA-99).

The principles of Defense in Depth have been well understood and readily adopted into many perceived “high risk” applications. However, in both the installed base of control systems as well as new deployments, many industrial networks still do not follow these principles.

Perhaps this is because many industrial engineers and operators have viewed cyber security as being relevant only for protection from intentional attacks from hackers. You may view your systems as being of low interest and therefore at low risk of targeted attacks. But studies show most industrial cyber incidents are unintentional. Human error and device flaws can happen to anyone; they don’t only target high profile systems.

Defense in Depth is as much about enhancing system reliability and resiliency as it is security. As this realization spreads, the adoption of Defense in Depth practices will increase.

Good cyber security is an ongoing process. That means vigilance: users monitor communication systems for unusual activity or configuration changes, and investigate alterations and anomalies. Get started on better cyber security today and make it a focus area for continuous improvement.

Heather MacKenzie is with Tofino Security, a Belden company. Jeff Lund is responsible for Belden’s product initiatives related to the Industrial Internet of Things.