Cyber-Threats and Secure Industrial Control Systems

Secure Industrial Control Systems (ICS)

Industrial Control Systems (ICS) tend to be “out of sight, out of mind.” These systems are essential to life in any advanced society because they manage critical infrastructure such as power plants, the electrical grid, hydroelectric facilities, transportation, water and wastewater, manufacturing, and other essential services. Society depends on their reliable operations.

Yet, these systems tend to be taken for granted by everyone except their operators, that is, until a failure in an ICS system leads to a crisis that is visible enough to require wider attention. And as these systems are increasingly connected to private and public networks, a new possible failure mode is being introduced. Yes, the ICS systems that manage crucial infrastructure such as energy, power, water, and transportation can be attacked by malware.

The prevalence of malware within ICS environments suggests that IT and security professionals should pay closer attention to cyber-threats within ICS environments. The Dragos Threat Operations Center studied 15,000 malware samples from ICS environments over a three-month period and concluded that approximately 3,000 industrial sites per year get infected with malware. Additionally, much of the malware these researchers found came from common malware families. One malware variant, posing as Siemens Programmable Logic Controller (PLC) firmware, has been in circulation since 2013 and has been reported by 10 industrial sites in the U.S., Europe, and China. Another attack, which dates back to 2011, was a phishing email that targeted multiple nuclear sites in the U.S. and other Western countries.

As bad as these numbers are, they appear to be getting worse. According to IBM Managed Security Services (MSS) data, ICS attacks increased more than 110 percent in 2016. This increase was related primarily to brute force Supervisory Control and Data Acquisition (SCADA) attacks, which use automation to attempt to guess default or weak passwords. Once a hacker gains access, they can remotely monitor or control connected devices — paving the way for a larger attack or other nefarious activities.
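The brute-force SCADA attacks described above leave a recognizable trace in authentication logs: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not code from the original article, that implements that detection over a few constructed log lines. The log format, host and user names, source addresses, and the five-failures-in-sixty-seconds threshold are all assumptions chosen for the demonstration.

```python
# Added example (not from the original article): flag password guessing against
# a SCADA/HMI login service from constructed authentication log lines.
# Log format, names, addresses and thresholds below are assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like). Not real data.
SAMPLE_LOG = """\
2016-03-01T10:00:01 hmi01 auth: user=admin src=10.0.5.7 result=FAIL
2016-03-01T10:00:02 hmi01 auth: user=admin src=10.0.5.7 result=FAIL
2016-03-01T10:00:03 hmi01 auth: user=operator src=10.0.5.7 result=FAIL
2016-03-01T10:00:04 hmi01 auth: user=root src=10.0.5.7 result=FAIL
2016-03-01T10:00:05 hmi01 auth: user=admin src=10.0.5.7 result=FAIL
2016-03-01T10:00:06 hmi01 auth: user=admin src=10.0.5.7 result=OK
2016-03-01T10:00:10 hmi01 auth: user=jsmith src=10.0.1.20 result=FAIL
2016-03-01T10:00:40 hmi01 auth: user=jsmith src=10.0.1.20 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as a list of dicts.

    A 'medium' alert fires once per source that accumulates `threshold`
    failures inside a sliding `window`; a 'high' alert fires if that source
    then authenticates successfully (guessing that appears to have worked).
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported for guessing
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        recent = failures[src]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if rec["result"] == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "severity": "medium", "src": src, "host": rec["host"],
                    "reason": f"{len(recent)} failed logins within {window.seconds}s",
                })
        elif rec["result"] == "OK" and src in flagged:
            alerts.append({
                "severity": "high", "src": src, "host": rec["host"],
                "reason": f"successful login as {rec['user']} after password guessing",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed input the source 10.0.5.7 produces a medium alert at its fifth failure and a high alert when it then logs in as admin; the single failure from 10.0.1.20 followed by a success stays below the threshold and produces nothing. Tuning the threshold and window to the site's own login patterns is what keeps the alert stream low-noise.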

Cyberattacks that target ICS environments aim to inflict “loss of view” and/or “loss of control” on the systems’ operators. The authors of ICS malware may have many different motives for targeting an ICS environment, including political motivations, financial gain, or even a military objective. Attacks may be state-sponsored, inflicted by competitors, insiders with malicious goals, or even hacktivists. No matter who is behind them – or their motivation – attacks on ICS are serious business. Attacks have been documented in 18 countries outside the U.S., and their effects have included:

  • The destruction of centrifuges in Iran’s nuclear facility (via the Stuxnet worm)
  • Damage to a blast furnace
  • Tilting of an offshore oil rig
  • Significant environmental discharges

Within the U.S., recent attacks have included the loss of electrical power and water, damage to manufacturing lines, shutdown of HVAC systems, and damage to critical motors. In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York using a cellular modem. Worse, the attack is believed to have occurred in 2013, but wasn’t reported until 2016 – further proof that cyberattacks often take months and years to identify and resolve.

ICS makes an easy target

What makes ICS and SCADA systems such attractive targets for hackers? While they are generally regarded as being well designed to withstand or recover from physical threats such as fires and explosions, as well as physical events caused by hardware malfunction, the truth is they are often not designed with cyberattacks in mind. It’s easy to see why they are an attractive target, especially now that they are more connected to other external IT systems and the internet. Because many ICS systems rely on technology that may not have been built with security in mind, they tend to expose vulnerabilities related to access policies, configuration control, hardware, software, and network configuration. As IT systems and operational technology environments increase their interconnectedness, ICS solutions become much more vulnerable to intrusions and attacks.

Mitigate risks related to ICS

With so much malware already resident in ICS environments and the prospect of an ICS breach leading to an infrastructure failure with disastrous consequences, government agencies in the U.S. and elsewhere are scrambling to raise awareness and mobilize the owners and operators of infrastructure assets.

Especially active is the U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which has published a series of recommendations on how to identify and mitigate the cyber vulnerabilities of ICS environments. Some of its recommendations include:

  • Removing critical control systems from the public-facing internet
  • Ensuring that updates are performed securely and with documentation
  • Strictly controlling access to critical systems and maintaining high levels of discipline related to access credentials

A useful addition to these suggestions would be recognizing that the components of networked ICS systems also function, in effect, as endpoints on their networks. If users can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, cyber-risk awareness within ICS and SCADA environments can be significantly increased.

The endpoint modeling advantage

Endpoint modeling is an advanced threat-detection technology that creates and maintains a software model – a real-time simulation – of each networked resource. It automatically discovers the role and behavior of IT assets, and then continuously tracks the behavior of those assets. When endpoint modeling is applied to an ICS environment, it provides analysts and operators an ideal way to monitor for any threats as well as any changes in the assets connected to the network. By monitoring and detecting behavior changes, no prior awareness of threat characteristics is needed. A threat that changes the network behavior of an asset can become visible to an operator. Endpoint modeling also has another benefit: it exposes normal network behavior for ICS assets, which increases operator understanding and their ability to recognize abnormal activity that may be due to component failure.
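To make the idea in the two preceding sections concrete (ICS components treated as endpoints whose deviations from normal behavior generate alerts), here is an added example of a minimal endpoint-behavior model. It is not code from the original article and not Observable Networks’ product; it learns, from constructed flow records, which peers and ports each device uses and whether it acts as a client or a server, then reports flows that break that pattern. The device addresses, port numbers (502 for Modbus/TCP, 53 for DNS, 22 for SSH) and the alert categories are assumptions for the demonstration. No threat signatures are involved: a PLC that suddenly initiates an outbound connection is reported simply because it has never initiated anything before.

```python
# Added example (not from the original article or any vendor product): a minimal
# endpoint-behavior model over constructed ICS flow records. Addresses, ports and
# alert categories are assumptions for the demo.
from collections import defaultdict

# Constructed baseline traffic: (src, dst, dst_port). Not real captures.
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502),   # HMI polls PLC #1 over Modbus/TCP
    ("10.1.0.10", "10.1.0.51", 502),   # HMI polls PLC #2
    ("10.1.0.11", "10.1.0.50", 502),   # historian polls PLC #1
    ("10.1.0.10", "10.1.0.5", 53),     # HMI resolves names via local DNS
] * 20  # repeated to mimic a steady polling pattern during the learning period

# Constructed traffic seen after the model was learned.
MONITOR_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502),    # normal HMI poll
    ("10.1.0.50", "203.0.113.9", 443),  # PLC initiates an outbound connection
    ("10.1.0.99", "10.1.0.50", 502),    # never-seen host talks Modbus to the PLC
    ("10.1.0.11", "10.1.0.50", 22),     # historian opens SSH to the PLC
    ("10.1.0.11", "10.1.0.51", 502),    # historian polls a PLC it never polled
]


class EndpointModel:
    """Per-endpoint model: who it talks to, on which ports, in which direction."""

    def __init__(self):
        self.client_of = defaultdict(set)  # endpoint -> {(peer, port)} it initiates
        self.server_on = defaultdict(set)  # endpoint -> {port} it accepts
        self.flow_count = defaultdict(int)

    def learn(self, flows):
        """Build the baseline from flows observed during a trusted learning period."""
        for src, dst, port in flows:
            self.client_of[src].add((dst, port))
            self.server_on[dst].add(port)
            self.flow_count[src] += 1

    def role(self, endpoint):
        """Infer a coarse role from the direction of the endpoint's flows."""
        initiates = endpoint in self.client_of
        accepts = endpoint in self.server_on
        if accepts and not initiates:
            return "server"
        if initiates and not accepts:
            return "client"
        if initiates or accepts:
            return "mixed"
        return "unknown"

    def check(self, flows):
        """Return (category, src, dst, port) for every flow that deviates from the model."""
        alerts = []
        for src, dst, port in flows:
            if self.role(src) == "unknown":
                alerts.append(("new-endpoint", src, dst, port))
            elif self.role(src) == "server":
                # A pure server that starts a connection is a role change.
                alerts.append(("server-initiating", src, dst, port))
            elif (dst, port) not in self.client_of.get(src, set()):
                if port in self.server_on.get(dst, set()):
                    alerts.append(("new-peer", src, dst, port))     # known service, new client
                else:
                    alerts.append(("new-service", src, dst, port))  # service never offered
        return alerts


def build_and_check(baseline=BASELINE_FLOWS, monitored=MONITOR_FLOWS):
    """Learn from the baseline, then evaluate the monitored flows against it."""
    model = EndpointModel()
    model.learn(baseline)
    return model, model.check(monitored)


if __name__ == "__main__":
    model, alerts = build_and_check()
    for endpoint in sorted(set(model.client_of) | set(model.server_on)):
        print(endpoint, model.role(endpoint))
    for alert in alerts:
        print(alert)
```

The normal HMI poll produces nothing, while the other four monitored flows each produce one alert of a different category. The same model doubles as documentation of normal behavior: printing each endpoint's role and peer set is exactly the operator-facing view of “what this device usually does” that the article describes as a side benefit.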

Endpoint modeling brings highly accurate, low-noise security awareness to security analysts, who can quickly investigate to determine if this behavior represents a threat and, if so, take effective action to remediate it. As a result, vulnerable ICS systems – which may have been poorly secured before now – can benefit from increased visibility and security.

By Bryan Doerr, Chief Executive Officer, Observable Networks
