Please mind the gap
Within the field of information security, there are three main pillars: Confidentiality, Integrity and Availability, often shortened to C.I.A to make it easy to remember. Information security professionals often focus on confidentiality as the most important; however, that is not necessarily correct for all types of assets.
Written by Paul Bernhard Svenning, Chief Information Security Officer in Frontica.
If you take Industrial Control Systems (ICS) as an example, there is a fundamental difference in the way of thinking between ICS and conventional information systems (e.g. back office systems). ICS is often designed to be robust, with a primary focus on availability. Integrity comes second and confidentiality last. For conventional IT, however, it's the other way around, with availability and confidentiality trading places. This is of course understandable, because with ICS you would be more concerned about ensuring that a valve on an oil pipe is running as it should (availability) than about protecting any data collected, while in an office IT environment you would have business-sensitive and personal data to worry about (confidentiality).
One of the consequences of resilience and availability being the main focus for ICS is that minimal effort has been put into protecting the system from unauthorized access. This priority is of course understandable, since such systems were historically not connected to any network. So if you wanted to do something on your ICS, you could not do it from the same computer that you used for reading email or browsing the internet. Such systems are usually called air-gapped systems. Because these systems weren't connected to the online world, you did not really need to worry much about using strong passwords and patching security flaws in the different components of the ICS.
This is now rapidly changing: the air gap is disappearing and more industrial control systems are becoming connected. We now live in a world where nuclear plants, hospitals, oil rigs, water treatment plants, power grids and much more are connected to the online world.
The use of strong passwords and the ability to patch security flaws quickly have become essential for these types of systems too. Strong passwords and patching of security flaws might sound easy on paper, but how do you patch a system that is built to run 24/7/365 with little or no room for downtime? And what about strong passwords? Well, not all ICS components support the use of strong passwords, and sometimes the passwords are hardcoded into the firmware, making them almost impossible to change.
There also exist computer viruses for ICS. Do you remember Stuxnet, which hit a nuclear facility in Iran? There is even a more recent variant of Stuxnet, called Irongate, that disrupts communication to PLCs and changes the commands issued to the PLC. Imagine your subsea installation or power plant being held for ransom by a hacker. Believe me, it is not a very unlikely scenario.
I’m not recommending that you not connect your ICS system to the online world. While you expose your ICS to significant risks by doing so, there are also upsides through cost reductions, improved maintenance and monitoring. You might offer new services to customers as well. It is important that you take your time and do your homework before connecting to the online world. Make sure that you evaluate the risks and look at what different safeguards you need to put in place before you bring your ICS system online.
In this blog post I have given you a small taste of the different challenges related to industrial control systems connecting to the online world. The challenges we are facing have no quick-fix solution. The increased focus on protecting the systems from unauthorized access is a step in the right direction. You will need a solid injection of confidentiality.
On a side note: while I was writing this blog post (21/10/2016), a major cyberattack occurred, hitting the west and east coast of the USA. The attack was of a type called a Distributed Denial of Service (DDoS) attack. Until now, unsuspecting users' PCs have been used in these types of attacks. This attack was different from others, in that internet-enabled devices (such as surveillance cameras, DVRs, routers and more) were used in the attack. So ICS components do not only risk being attacked, but also risk being used in an attack.