Integrated Tactic to ICS Security

Wednesday, October 19, 2016 @ 04:10 PM gHale

By Robert K Bevis, John Livingston and Rick Kaun
Industrial Control Systems (ICS) that generate, distribute and transmit our electricity, operate our water systems, refine our chemicals and control our transportation systems are under threat for several reasons.

First, the potential impact of an attack is significant and our enemies understand this. A notable disruption to our infrastructure can cause significant economic harm, but can also threaten health, safety and lives. Although the focus of public discussion has been on threats to our financial records or privacy, the potential disruption to critical infrastructure is much greater.


Second, the control systems in operation today are complex webs of old and new technology provided by a range of OEM vendors. Historically, the use of proprietary technologies and isolation protected these systems from the Internet-based attacks so prevalent in our IP-oriented communication technologies. As we look to the future, however, operators want to leverage the efficiency provided by these new communication technologies and are connecting these older systems to new systems.

Third, we have growing evidence hackers are in fact targeting these systems. Enterprise Strategy Group, a leading consulting firm, published results of its 2015 survey for critical infrastructure providers that showed dramatic increases in the number of attacks. Sixty-eight percent claimed they experienced one or several cyber security incidents over the past two years; 36 percent said cyber security incidents led to a disruption of operations; and two-thirds of cyber security experts at critical infrastructure providers believe the threat landscape is more dangerous today than it was two years ago.

ICS is a general term applied to several types of control systems designed to support industrial processes. This includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLC). While dissimilarities are diminishing with advancing technology, there are still differences worth noting. SCADA systems generally control assets geographically dispersed over large areas and can handle long-distance communication challenges. DCS systems replaced PID controllers and primarily control production systems within the same geographic location (power plant, factory, etc.). PLCs typically control specific applications and/or standalone equipment and can also be used within SCADA and DCS systems. A typical ICS system uses a range of network protocols and contains an array of instrumentation, controllers, human interfaces and support tools.

Since control system upgrades are costly and typically require production loss, they often occur in phases and may not apply to all aspects of a plant (meaning, boiler controls may be upgraded to a next generation DCS but coal handling equipment may still use older PLC technology). Different units/areas within the same plant might also deploy different control systems. The end result often equates to several different types of ICS platforms and vintages that have to be maintained, supported and secured.

No One Solution
Through our work with critical infrastructure operators, we have seen a significant number of security solutions offered to meet the minimum regulatory requirements as well as the more stringent security requirements of industry-leading companies. However, the end result was that no solution was comprehensive or offered the defense-in-depth strategy necessary for adequate protection.

Furthermore, these systems consist of complicated webs of proprietary protocols, interfaces and custom software that make standardized tools difficult to develop. As a result, ICS owners have patched together solutions using manual processes.

We saw four fundamental problems with the available solutions:
1. They do not offer an integrated defense-in-depth solution that supports multiple OEM systems in a given plant or across plants
2. They do not keep up with the ever-changing threat landscape, in part because they do not leverage the investments being made by enterprise IT
3. They are not built to take into account the unique requirements of ICS networks, thereby potentially causing more harm than good
4. The products are too complicated

One of the biggest challenges facing critical infrastructure operators is the fact most facilities do not possess a single ICS system. Instead, there are multiple versions of PLCs and DCS systems (or a combination of the two) at a typical site. Most OEM vendors do not develop leading cyber security products. If they do, they typically only protect their specific ICS platform. This forces asset owners to purchase multiple (often different) cyber security products, all of which have to be managed, monitored and updated.

Some non-OEM vendors have built cross-vendor solutions. But in most cases those solutions focus on only one or two elements of the threat matrix, such as change management, asset management, or application whitelisting. Furthermore, most products only offer monitoring capabilities to inform the operator of issues, but rarely provide tools for remediation purposes. What is needed is a solution that can bring together as many of the critical elements of cyber security as possible — both those required by regulatory structures as well as those in critical areas not covered by regulatory requirements.

Integrated Security
That is where an integrated approach to security comes into play.

An integrated approach must consider the following:
1) Tuning the best IT solutions to operate in ICS environments
2) A vendor-agnostic solution that allows for one, fully converged, defense-in-depth solution
3) A simple, user-friendly interface that allows the user to manage the full suite of security products from a single pane of glass.

Simply installing multiple security tools with a myriad of logins, screens, reporting and interfaces misses the opportunity to “orchestrate” your program across those specific tool sets.

By layering a portal on top of best-in-class tools, your viewpoint is always adaptable and up to date, because your underlying technologies and their vendors spend their time and money keeping their components current. This can give the end user tremendous flexibility and allows them to leverage their current infrastructure.

The best possible solution for installing a scalable, operational, affordable cyber security system into an OT environment is to leverage an orchestrated platform. The platform should integrate best-in-class IT security tools, should be built, installed, tested and supported by ICS engineers, and should work across multiple OEM platforms. The platform then rolls up data and required actions across specific tools and provides reporting and tracking capabilities. This type of platform is starting to emerge throughout the market today, and the sooner it is embraced by operational groups, the more effective and valuable a security investment will be.

This is an excerpt from a white paper on an integrated approach to protecting an ICS.

Robert K Bevis is the CTO, John Livingston the chief executive and Rick Kaun the lead application engineer at St. Louis-based Rkneal, an engineering firm specializing in ICS systems, cyber security and technical services by fusing information technology (IT) with operational technology (OT).