Industrial Control Systems (ICS) were developed decades ago when any thoughts of security centered on locking down the physical plant. That’s because they were designed, developed and deployed before the internet took root, much less blossomed into the internet of things (IoT). Despite efforts to modernize these systems—or perhaps because of them—ICS are not much more secure than in their earlier days and that, too, may be by design.
“The most surprising in all projects is that the personnel of industrial companies not only do not understand information security today, but also in every way opposes any innovations that are designed to increase the object’s IT security,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a global provider of security products. “This is because the staff first and foremost are responsible for the uninterrupted operation of systems in their normal mode, not realizing that their work can be disturbed not only by a physical impact, but also as a result of cyberattacks.”
Security Landscape by the Numbers
Perhaps it’s not such a surprise then that a recent study by Positive Technologies found that 73 percent of industrial organizations’ networks are vulnerable to attack, and in 82 percent of cases, it’s possible for attackers to access ICS equipment, too.
In 64 percent of cases, flaws were introduced by administrators and involved remote desktop access. The researchers noted that administrators at industrial companies often enable remote access so that they can manage devices from their offices, rather than making site visits. Indeed, having fast and easy-to-use remote administration mechanisms in place appeared to trump security concerns. At 18 percent of companies, ICS components were not even isolated on a separate network segment.
Further, at all companies, corporate information systems used dictionary passwords and obsolete software versions with known vulnerabilities. Files containing system passwords were frequently stored on employee workstations.
The drive to increase production remains king. Even the rise of cyberattacks does not divert attention from production goals.
“Security is not just a technical problem, but an organizational one. On average, each company we tested had at least two penetration vectors,” said Paolo Emiliani, industry & SCADA research analyst at Positive Technologies.
In the end, it will be regulation that drives a concerted and sustained efforts to improve security.
“Today, it is not the information about recent cyberattacks that primarily motivates industrial companies, but the requirements of regulators and legislation which have become tougher,” said Galloway. “However, unlike other industries, it is a rather laborious task to make significant changes in internal processes and systems for industrial companies, since it is extremely important to make all the changes without disturbing the technological process.”
And that’s not likely to change anytime soon.
“Therefore, it is difficult to expect in the near future significant improvements of protection by those companies that are in the sample of the research. But it’s highly likely that will occur later—major improvements in information security will require two or three years,” said Galloway.
Is All This Gloom and Doom Warranted?
Dragos’ Robert Lee told SearchSecurity at the 2018 RSA Conference that 64 percent of all vulnerabilities found in the industrial sector don’t actually matter. That’s a conclusion the group also came to in a 2017 report, despite that being a watershed year for threats to ICS.
“It’s not that they’re not vulnerabilities—it’s that they’re just non-operational to an adversary in that environment, which means that we’d need to be more careful in how we invest resources,” Lee told SearchSecurity.
Others note the uptick in threats and attacks on the sector and warn of flawed perspectives and a false sense of safety leaving the doors open for more.
“Few people perceive the successful attacks on the industrial sector in the world as a threat directly to their company, believing that all this is happening somewhere far away and they are out of danger themselves. Vendors in the ICS space are receptive to fixing vulnerabilities, but this is still a relatively new area in security, and companies are just only starting to understand the impact that a cybersecurity incident can have on their business,” said Galloway.
All told, a perfect storm is brewing over the sector.
“A company may have several facilities very far apart from each other, with only a handful of security staff to go around. This puts security staff in a difficult position: They have to enable remote desktop access to get their job done, even though this opens security holes,” said Emiliani. “Compounding the problem, different teams may share responsibility for securing their organizations’ network and industrial systems. Moreover, unsecured architecture with unpatched or unpatchable environments and no monitoring mechanisms combine to form a perfect storm for ICS insecurity.”
Where overlaps in responsibility for security exists and the teams don’t communicate well, configuration errors where the two networks meet can result. This leaves significant gaps in processes and the resulting unaddressed parts of the cybersecurity processes become the sole responsibility of humans, who often make mistakes.
As is the case in other sectors, the industrial sector will have to proactively seek protective measures that balance security with convenience and meeting operational demands. But that goal currently looks a long way off.