Congrats, it is now almost November and we have nearly made it through Cyber Security Awareness month (and what a month it has been). The theme for this final week is: “Protecting Critical Infrastructure from Cyber Threats.”
For the purposes of this blog, I want to discuss two strawmen views of Industrial Control Systems (ICS) Security which, unfortunately, are both prevalent in many discussions around the topic of critical infrastructure protection:
- Doom’n’Gloomers: this is the “sky is falling” view of ICS security, often from people with an IT security background, who are appalled by lack of patches, outdated Operating Systems and lack of traditional IT security controls
- Airgappers: this is the view that ICS security is in a good place due to the airgapped nature of ICS systems and the lack of understanding of attackers of the complexities of ICS systems
My opinion is that both views are partially accurate and that the reality of ICS security is nuanced and appreciation of that nuance is essential for making security decisions about those systems.
A recent study claims that “One third of OT [Operational Technology] networks are exposed to cyber attacks” mainly due to the ICS systems having some form of internet connectivity, usage of unpatched or unpatchable systems and lack of encryption for passwords. These are all valid concerns. Which strawman argument is right, Doom’n’Gloomers or Airgappers? There are arguments on both sides:
1. Almost all systems require some degree of internet connectivity in the modern era. While airgaps sound desirable due to their strong security properties, there are serious challenges to their usage: they cannot be updated, the data they collect cannot be exported and they cannot be remotely debugged in case of an issue. In a statement before the Subcommittee on National Security, Homeland Defense, and Foreign Operations in 2011 Sean McGurk, the Director of the Control Systems Security Program, stated that: “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network.” Despite the absence of complete airgaps, ICS networks are often firewalled or segmented off from the main enterprise network. Frameworks like NIST 800-82r2 and centers like CPNI (Critical Protection of National Infrastructure) have guidance around the deployment of firewalls for ICS systems, for example. We hope this guidance is followed.
2. The continuing use of Windows XP past it’s End of Life is a concern due to any new security vulnerabilities which are discovered are not being patched. Even though Microsoft issued an emergency patch for the ETERNALBLUE exploit (MS17-010), its deployment in ICS systems is likely not widespread due to the difficulties involved with patching systems where Availability is the key concern. These systems do have vulnerabilities. But the ease of exploitation of these vulnerabilities is not as often discussed. ICS systems often have physical security controls, for example, only accessible from rooms which have physical access control and closed-circuit television (CCTV.) Unfortunately, many support contracts do not allow companies to upgrade or modify software without vendor approval, thereby extending the time required to patch.
3. Legacy equipment which is incapable of encrypting passwords or the misconfiguration of equipment which is capable is certainly an issue. However, as mentioned previously, access to control networks is not as straightforward as access to enterprise network for an attacker. While there are some ICS systems which are connected to the Internet, it is rare to find the Human-Machine Interface (HMI) for a power station easily accessible. Often, they are connected to other systems via leased lines or a VPN. Additionally, the knowledge and skills to compromise an ICS system itself, rather than its surrounding IT infrastructure, are rare. Robert M. Lee and others helpfully distinguish intrusions into ICS system into two steps: Step One: Network Access and Step Two: Operation Access. Compromise of the enterprise network would be Step One. The access to the operational networks, Step Two, and then being able to use that access has been publicly documented in only two cases: Stuxnet and BlackEnergy/CRASHOVERRIDE. While such attacks are a concern, they are far from an everyday occurrence.
One final point which is worth bearing in mind is the level of monitoring of ICS systems that is typically in place. Power stations and other systems which are safety critical and are monitored closely by operators. Response procedures are also present. Even in the case of the attack against the Ukrainian power network in December 2015, the power was out for a maximum of 6 hours before the Prykarpattyaoblenergo Company successfully restored power.
As with many issues in cyber security, we see an evolutionary arms-race playing out between attackers and defenders with each side attempting to gain the upper hand. As for our strawmen, both have their good points, they should remind us of what the strengths and weaknesses of ICS systems are together with a cautionary note to not be complacent.