LRQA Nettitude Blog

How ICS Testing Protects Against Cybersecurity Threats | Nettitude

Posted by Nettitude on Apr 22, 2021 11:22:17 AM

By Fan Zhang | Cybersecurity Business Manager, APAC

images-1

When we talk about “ICS (Industrial Control Systems) Cyber Attacks” to organisations, we often mention that the systems are absolutely disconnected (air-gapped) from the IT network and from the Internet, so they can never be compromised. But is this always true?

From the growing number of ICS attack cases, we know that it is not the case and in this blog post, Nettitude aims to define what an ICS cyber-attack is and how organisations can protect themselves against them.

What is an ICS cyber-attack?

Industrial Control Systems (ICS), also often referred to as Operational Technology (OT) systems, are deployed to control physical processes related to objects such as water, oil and gas, electricity, manufacturing plant and healthcare facilities, etc. Many of these systems are considered as a part of critical infrastructure. In the past, these control systems were primarily built for operational safety and were mostly isolated. They are also designed to be protected by strong physical security measures to stop unauthorised physical accesses.

As such, most people consider such an “air-gap” approach to be 100% safe from cyber-attacks due to the lack of connectivity. Otherwise, any interaction between the ICS OT network to the corporate network is strictly northbound in a one directional manner by utilisation of a data diode (or unidirectional security gateway).

 

The problem with ICS cybersecurity threats

Over the years, there has been a much stronger need for data exchange (mostly real-time) between ICS systems and the corporate internal network through the level 3.5 of the Purdue Model, for reasons such as enhancing companies’ capability on ICS OT monitoring, troubleshooting or system updates. As a result, true physical isolation is becoming the exception rather than the norm and even with no direct connection, some malware can bridge airgaps. We now have to rely on security solutions such as firewalls to control the ICS system and keep them secure.

Unfortunately, all software-based security solutions can be compromised if they are outdated or misconfigured. Additionally, ICS systems often have an installed lifespan of several decades, so it is difficult to ensure that the architecture remains unchanged throughout the entire lifespan to keep the security design relevant. When the implemented security controls fail, it would become possible for malicious threat actors to compromise the ICS systems. This can be clearly identified in a recent cyberattack on the water treatment plant of Oldsmar, Florida, where a threat actor tried to manipulate water supply's levels of sodium hydroxide by compromising the plant’s TeamViewer software to gain remote access to the OT computer.

ICS OT systems are at risk in the modern ICS threat landscape if they are not adequately secured at the Purdue model levels 0, 1, 2 and 3. Key business drivers for effectively managing this risk include protecting the large capital investment that they represent and ensuring business continuity, to avoid the direct and indirect costs which would result from any loss of production.

 

What can we do about ICS threats?

Fortunately, Industrial Control Systems can be tested with many of the same techniques as other types of IT system and with ICS Penetration Testing, ICS cyber-attacks can be prevented. However, organisations should not treat the two kinds of testing exactly the same as there are some fundamental differences:

    • Tools that are used for testing Windows-based servers and workstations are often unsuitable for testing embedded control devices such as PLC, VFD, RTU, HMI panel, smart meters, relays, motors, pumps, control system logic programming applications, the graphics applications.

    • Devices from different manufacturers – or even the same manufacturer – are often incompatible with each other. There are also a number of incompatible control network protocols in widespread use. 
                                                                                                                                         
    • If testing has side-effects, then these are potentially much more serious than on a typical corporate network, especially in the case of a live production environment.

To accommodate these differences, ICS testing requires more planning and a more tailored approach than other types of security testing. Security companies without the experience of ICS testing are unlikely to achieve worthwhile results and could potentially cause serious harm to targeted systems if they are unaware of the risks.

 

How is ICS testing conducted?

Nettitude will always recommend the use of the safest possible method of testing. Ideally, this would be either the production system when it is down for maintenance, or a representative test system built to the same configuration. However, if there is a need to perform testing of live systems then Nettitude has the capability to do that.

The key to devising a safe but effective test plan is first to perform a detailed risk assessment. This will identify any fragilities within the system under test, detail any possible mitigations, and allow you to make an informed trade-off between thoroughness and risk. Options for testing include:

  • White box penetration testing
  • Active port scanning
  • Active enumeration (ARP scanning)
  • Active testing of network isolation
  • Passive enumeration
  • Physical inspection
  • P&ID line walk
  • Design and configuration review (paper exercise only)

For example, port scanning is normally considered a low-risk method of testing, and network hosts should not crash when exposed to one, however some types of programmable logic controller have been known to do exactly that. If necessary, Nettitude can mitigate the risk of this type by performing safety trials beforehand against the specific device models that are connected to the ICS network security under test.

Difficult decisions may be needed to achieve the best results but doing nothing is not a safe option. It’s not ideal for the first test of your control systems to be carried out by an attacker with an unclear level of motivation i.e., bringing the system down or causing a bigger impact to people’s lives if the systems in question are that of critical national infrastructure.

 

Final word on ICS cybersecurity

In conclusion, ICS cyber-attacks are very real, and the impact of an attack has the potential to cause an organisation significant harm due to the nature of Industrial control systems. They are also hard to defend against. In order to keep up with these new threats, some form of assurance exercises should be planned, in addition to a well-formed strategy to ensure that the ICS network is sufficiently protected.

Want to find out more about ICS cybersecurity measures? Reach out to your local Nettitude team.

 

 

Topics: Cyber Security, Nettitude, Security Blog, ics cyber security, ics cyber security threats, ics threat landscape, ics network security, ics testing

About Nettitude

Nettitude is the trusted cybersecurity provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Subscribe Here!

Recent Posts

Posts by Tag

See all