Cyber-Threats and Secure Industrial Control Systems

Secure Industrial Control Systems (ICS)

Industrial Control Systems (ICS) tend to be “out of sight, out of mind.” These systems are essential to life in any advanced society because they manage critical infrastructure such as power plants, the electrical grid, hydroelectric facilities, transportation, water and wastewater, manufacturing, and other essential services.  Society depends on their reliable operations.

Yet, these systems tend to be taken for granted, by everyone except their operators, that is, until a failure in an ICS system leads to a crisis that is visible enough to require wider attention.  And as these systems are increasingly connected to private and public networks, a new, possibly failure mode is being introduced. Yes, the ICS systems that manage crucial infrastructure such as energy, power, water, and transportation can be attacked by Malware.

The prevalence of malware within ICS environments suggests that IT and security professionals should pay closer attention to cyber-threats within ICS environments. The Dragos Threat Operations Center studied 15,000 malware samples from ICS environments over a three-month period and concluded that approximately 3,000 industrial sites per year get infected with malware. Additionally, much of the malware these researchers found came from common malware families. One malware variant, posing as Siemens Programmable Logic Controller (PLC) firmware, has been in circulation since 2013 and has been reported by 10 industrial sites in the U.S., Europe, and China. Another attack, which dates back to 2011, was a phishing email that targeted multiple nuclear sites in the U.S. and other Western countries.


As bad as these numbers are, they appear to be getting worse. According to IBM Managed Security Services (MSS) data, ICS attacks increased more than 110 percent in 2016. This increase was related primarily to brute force Supervisory Control and Data Acquisition (SCADA) attacks, which use automation to attempt to guess default or weak passwords. Once a hacker gains access, they can remotely monitor or control connected devices — paving the way for a larger attack or other nefarious activities.

Cyberattacks that target ICS environments aim to inflict “loss of view” and/or “loss of control” on the systems’ operators. The authors of ICS malware may have many different motives for targeting an ICS environment, including political motivations, financial gain, or even a military objective. Attacks may be state-sponsored, inflicted by competitors, insiders with malicious goals, or even hacktivists. No matter who is behind them – or their motivation – attacks on ICS are serious business. Documented attacks in 18 countries outside the U.S. and hits have included:

  • The destruction of centrifuges in Iran’s nuclear facility (via the Stuxnet worm)
  • Damage to a blast furnace
  • Tilting of an offshore oil rig
  • Significant environmental discharges

Within the U.S., recent attacks have included the loss of electrical power and water, damage to manufacturing lines, shutdown of HVAC systems, and damage to critical motors. In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York using a cellular modem. Worse, the attack is believed to have occurred in 2013, but wasn’t reported until 2016 – further proof that cyberattacks often take months and years to identify and resolve.

ICS makes an easy target

What makes ICS and SCADA systems such attractive targets for hackers? While they are generally regarded as being well designed to withstand or recover from physical threats such as fires and explosions, as well as physical events caused by hardware malfunction, the truth is they are often not designed with cyberattacks in mind.  It’s easy to see why they are an attractive target, especially now that they are more connected to other external IT systems and the internet. Because many ICS systems rely on technology that may not have been built with security in mind, they tend to expose Vulnerabilities related to access policies, configuration control, hardware, software, and network configuration. As IT systems and operational technology environments increase their interconnectedness, ICS solutions become much more vulnerable to intrusions and attacks.

Mitigate risks related to ICS

With so much malware already resident in ICS environments and the prospect of an ICS breach leading to an infrastructure failure with disastrous consequences, Government agencies in the U.S. and elsewhere are scrambling to raise awareness and mobilize the owners and operators of infrastructure assets.

Especially active is the U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which has published a series of recommendations on how to identify and mitigate the cyber vulnerabilities of ICS environments. Some of its recommendations include:

  • Removing critical control systems from the public-facing internet
  • Ensuring that updates are performed securely and with documentation
  • Strictly controlling access to critical systems and maintaining high levels of discipline related to access credentials.

A useful addition to these suggestions would be recognizing that the components of networked ICS systems also function, in effect, as endpoints on their networks. If users can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, cyber-risk awareness within ICS and SCADA environments can be significantly increased.

The endpoint modeling advantage

Endpoint modeling is an advanced threat-detection technology that creates and maintains a software model – a real-time simulation – of each networked resource. It automatically discovers the role and behavior of IT assets, and then continuously tracks the behavior of those assets. When endpoint modeling is applied to an ICS environment, it provides analysts and operators an ideal way to monitor for any threats as well as any changes in the assets connected to the network.  By monitoring and detecting behavior changes, no prior awareness of threat characteristics is needed.  A threat that changes the network behavior of an asset can become visible to an operator.  Endpoint modeling also has another benefit: it exposes normal network behavior for ICS assets which increases operator understanding and their ability to recognize abnormal activity that may be due to component failure.

Endpoint modeling brings highly accurate, low-noise security awareness to security analysts who can quickly investigate to determine if this behavior represents a threat, and if so, take effective action to remediate it. As a result, vulnerable ICS systems – which may be been poorly secured before now – can benefit from increased visibility and security.

By Bryan Doerr, Chief Executive Officer, Observable Networks

Gary Bernstein

Infographic: The Data That Never Sleeps

Here’s What Happens Every Minute on the Internet in 2020 In 2020, the world changed fundamentally – and so did the data that makes the world go around. As COVID-19 swept the world, nearly every ...
Ronald van Loon

Modernize and Future-Proof Your Data Analytics Environment

Future-Proof Your Data Analytics Environment More than ever, we are seeing companies use data to make business decisions in real-time. This ubiquitous access makes it imperative for organizations to move beyond legacy architectures that can't ...
Are Brain Implants the Future of Humanity?

Are Brain Implants the Future of Humanity?

Future of Brain Implants Scientists have been researching and developing brain implants that could connect the human brain to other devices in order to allow human beings to control things with their minds. But in ...
Big Data Explosion

Developing Machine Learning-based Approach for Optimizing Virtual Agent (VA) Training

Optimizing Virtual Agent (VA) Training Achieve NLU model’s precision, recall & accuracy up to 78% The success of any Virtual Agent (VA) depends on the training of its Natural Language Understanding (NLU) model prior to ...
Kash Shaikh

A Clairvoyant Look Back on 2021

In a lookback from the future, here is what happened in 2021 as reported on January 1, 2022. 2021 was the year that our world worked its way out of the 2020 pandemic and back ...


The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Smartproxy


    Smartproxy is a rising star in the constantly growing proxy market. Smartproxy offers awarded customer service, impressive performance, and is serious about your anonymity (yes, cybersecurity matters). The latest features developed by Smartproxy are 30 minute long sticky sessions and Google Proxies. Rumor has it, the latter guarantee 100% success rate

  • Bright Data

    Bright Data

    Bright Data’s network is one of the most robust of its kind globally. Here are its stark advantages: Extremely stable connection for long sessions (99.99% uptime guaranteed). Free to integrate with our Proxy Manager which allows you to define custom rules for optimized results. Send unlimited concurrent requests increasing speed, cost-effectiveness, and overall efficiency.

  • Rsocks


    RSocks team offers a huge amount of residential plans which were developed for plenty of tasks and, most importantly, has been proved to be quite efficient. Such variety has been created on purpose to let everyone choose a plan for a reasonable price, online, rotation and other parameters.

  • Storm Proxies

    Storm Proxies

    Storm Proxies' network is optimized for high performance and fast multi-threaded tools. You get unlimited bandwidth. No hidden costs, no limits on bandwidth. Try Storm Proxies 100% Risk Free. If you are not happy with the service email us within 24 hours of purchase and we will refund you.