Everyone knows the importance of the industrial control system (ICS) in any plant. The ICS is the brain and the nervous system of the plant. It performs automated controls and critical safety functions, executing recipes, and regulating production. Hijack the brain and you have total control of the plant. And, if you’re an aggressor in the business of creating terror, a vulnerable system provides the perfect weapon for wreaking havoc on production and inflicting harm on innocent people.
The consequences of a successful, malicious attack on the ICS are fundamentally similar to those of a catastrophic accident. For this reason, shifting trends in industry can be noted. Concerns about ICS cybersecurity are now at the same level as those about process safety and profitability for industrial sector executives. To that end, protecting against cyber-attacks should be a top concern not only of IT professionals, but also of operations, plant management, senior executives, and the board of directors at industrial companies. This is demonstrated by the creation of a new “C”-level position in many companies: the chief industrial security officer (CISO).
When cybersecurity gets breached
The StuxNet worm
Discovery of the StuxNet worm was a watershed moment for the automation industry. StuxNet targeted the Siemens WinCC SCADA system and the Siemens S7 PLC. The worm utilised four “zero-day” exploits (“zero-day” is the name given to vulnerabilities that are not yet known to the vendor and hence unpatched) in the Microsoft Windows operating system. It was spread via infected USB sticks and was hence able to infiltrate computers not normally connected to the internet (air-gapped systems). StuxNet was designed to damage rotating devices using variable frequency drives operating between 807 Hz and 1210 Hz, located in plants with 33 or more such devices manufactured by Vacon or Fararo Paya. Had the worm not had such limitations, the destruction and possible loss of life could have been catastrophic on a global scale. Portions of the StuxNet code have been disassembled and circulated on the internet. In principle, StuxNet exposed the systemic failure of the management systems used for process control networks. It is believed, although not confirmed, that 1000 centrifuges were damaged or destroyed at the plant.
The Havex remote access Trojan (RAT)
According to the ICS-CERT (Industrial Control Systems Computer Emergency Response Team), multiple companies have been identified as victims of the Havex RAT. The organisations include a construction company in Russia and a France-based manufacturer of industrial machines. The RAT is primarily distributed through watering hole attacks involving trojanised software planted on compromised websites belonging to at least three ICS/SCADA vendors.
Havex was designed to provide remote access to facilitate intelligence collection campaigns with a focus on the energy sector. After infection, Havex starts to communicate with remote command and control servers by instructing infected machines to download and execute additional components.
Protecting endpoints that matter the most
Recently, demand for improved endpoint protection has exploded. Modern endpoint detection and response (EDR) is one of the latest cybersecurity trends, having emerged in response to advanced, targeted threats. Endpoint protection solutions leverage modern, behavioural, host-based protection primarily to detect zero-day exploits. Many EDR solutions also include more traditional anti-malware protection, including anti-virus, anti-spyware and anti-ransomware, and might also offer personal firewalls, application control, vulnerability management, patch management, and secure configuration management.
There are two classes of endpoint that need protection: information technology (IT)-centric endpoints in the process control network (PCN), and production-centric endpoints. The IT-centric industrial endpoints are found at Level 2 and Level 3 (of the Purdue model used in Fig. 1) and include network devices, operator stations, configuration stations, servers, and SCADA systems. These systems are TCP/IP connected and run primarily on top of standard Windows and Linux operating systems. These IT-centric endpoints are a mere 20% of the total industrial endpoints that exist across
The other 80% of the industrial endpoints are the proprietary, production-centric endpoints at Level 1 and Level 0 where you find an extensive variety of software, firmware, and hardware components that exist in proprietary distributed control systems (DCS), advanced process controllers (APC), programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED), and safety instrumented systems (SIS). These production-centric endpoints are the systems that control the process. If someone gains control of these systems (or they are unintentionally misconfigured), physical damage, environmental harm, personal injury, lost production, and steep fines can result. Not to mention injury to brand and possibly stock price!
For many companies today, an incomplete or outdated cyber asset inventory is the biggest problem, or blind spot, in ICS cybersecurity. A comprehensive cyber asset inventory is foundational to tackling the bigger challenges of good ICS cybersecurity. How can you catch unauthorised changes to control assets if you have not yet identified those assets and are not
The risk of not knowing
As an example, many companies gather configuration data for Microsoft Windows hosts and network devices, which are easily interrogated via WMI or SNMP. While a good start, this approach does not capture enough PCN data: it is missing information on controllers, I/O cards, firmware, ladder logic, and much more. Getting at this data and manipulating it is the ultimate goal of cyber-attacks, and it is also where inadvertent engineering changes can go unnoticed.
So, we know where the big problem is, which is half the battle. Now, what do we do about it? Here are three top considerations when developing or improving an inventory management approach for the PCN layer:
The risk of internal attack
Security risk is often viewed as an external threat best defeated by physical or network-based security. The idea is that if you keep the aggressors at bay, then you are safe. But what if the aggressors are already inside the house? This splits into two categories:
Recovering after detection
Beyond detection, monitoring of policy violations and automated, workflow-driven responses are needed. It takes significant time and resources to identify each aspect of the damage sustained from an attack, and even more time to correct the problems. With proper change management automation, identifying exactly what changed and how it was configured takes just minutes. This is the key to quick recovery.
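The inventory-driven change detection described in the sections above, as an added example (not PAS code): a commissioning baseline of controllers, HMIs and network gear is compared with a later inventory pull, and every difference is classified as authorised (covered by a change ticket) or unauthorised. Asset identifiers, firmware strings, configuration hashes and the approved-change register are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str         # constructed identifier, e.g. "PLC-101"
    level: int            # Purdue level 0-3
    kind: str             # "PLC", "HMI", "switch", ...
    firmware: str
    config_hash: str      # hash of the controller configuration / ladder logic
    io_cards: tuple = ()  # installed I/O card part numbers (placeholders here)

# fields that the inventory tracks and whose drift must be explained
TRACKED = ("level", "kind", "firmware", "config_hash", "io_cards")

def snapshot(assets):
    return {a.asset_id: a for a in assets}  # index one inventory pull by id

def detect_changes(baseline, current, approved):
    """Diff two snapshots; `approved` maps asset id -> fields that a change
    ticket allows to differ. Any other difference is unauthorised."""
    report = {"added": [], "removed": [], "authorised": [], "unauthorised": []}
    for aid in sorted(set(baseline) | set(current)):
        if aid not in baseline:
            report["added"].append(aid)    # device with no inventory record
        elif aid not in current:
            report["removed"].append(aid)  # missing from the latest pull
        else:
            old, new = baseline[aid], current[aid]
            for f in TRACKED:
                if getattr(old, f) != getattr(new, f):
                    bucket = "authorised" if f in approved.get(aid, ()) else "unauthorised"
                    report[bucket].append((aid, f, getattr(old, f), getattr(new, f)))
    return report

# constructed data: baseline taken at commissioning, then a later pull
BASELINE = snapshot([
    Asset("PLC-101", 1, "PLC", "4.2.1", "a1b2c3", ("IO-A", "IO-B")),
    Asset("HMI-01", 2, "HMI", "win10-1809", "77aa11"),
    Asset("SW-CORE", 2, "switch", "2.4.0", "beef01"),
])
CURRENT = snapshot([
    Asset("PLC-101", 1, "PLC", "4.2.1", "d4e5f6", ("IO-A", "IO-B")),  # logic hash differs
    Asset("HMI-01", 2, "HMI", "win10-21H2", "77aa11"),                # OS patched
    Asset("PLC-102", 1, "PLC", "4.2.1", "0000aa"),                    # unknown controller
])
APPROVED = {"HMI-01": {"firmware"}}  # the only open change ticket covers the HMI patch

def example_report():
    return detect_changes(BASELINE, CURRENT, APPROVED)
```

The unauthorised bucket (the PLC whose logic hash moved without a ticket) and the added bucket (a controller nobody recorded) are the findings that would feed the workflow-driven response.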
Further considerations to take
Inventory and configuration management are only part of the ICS cybersecurity iceberg. Some further strategies that can be implemented to ensure a bulletproof approach are discussed
“Zero-day” vulnerabilities are normally eliminated through vendor-issued patches. A patch management system that automates the closed-loop patch process for control system assets can be invaluable. Such a system would assess the applicability and impact of operating system and control-system-centric vendor patches, and drive testing, implementation, and mitigation via workflows.
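The closed-loop patch process just described, as an added example rather than PAS's product: a vendor advisory is matched against the inventory by product and firmware version, safety-instrumented assets are routed to testing before scheduling, and a deployment is only closed once a fresh inventory read confirms the fixed version. The product names, advisory id and versions are constructed placeholders.

```python
import re
from dataclasses import dataclass

def version_key(v):
    # "4.2.1" -> (4, 2, 1): firmware strings are compared segment by segment
    return tuple(int(x) for x in re.findall(r"\d+", v))

@dataclass(frozen=True)
class Advisory:
    patch_id: str   # constructed id, not a real vendor advisory
    product: str
    fixed_in: str   # first firmware version that contains the fix

def assess(inventory, advisories):
    """Open one workflow item per asset still running an affected version."""
    items = []
    for adv in advisories:
        for asset_id, rec in sorted(inventory.items()):
            if rec["product"] != adv.product or \
               version_key(rec["firmware"]) >= version_key(adv.fixed_in):
                continue  # different product, or already at/after the fix
            # safety-instrumented assets are proven on a test system first
            state = "test" if rec["sis"] else "schedule"
            items.append({"asset": asset_id, "patch": adv.patch_id,
                          "target": adv.fixed_in, "state": state})
    return items

def close_loop(items, inventory):
    # verify deployed items against a fresh inventory read; reopen failures
    for it in items:
        if it["state"] == "deployed":
            now = inventory[it["asset"]]["firmware"]
            ok = version_key(now) >= version_key(it["target"])
            it["state"] = "verified" if ok else "reopened"
    return items

# constructed inventory and advisory; product names are placeholders
INVENTORY = {
    "PLC-101": {"product": "ControllerA", "firmware": "4.2.1", "sis": False},
    "SIS-01": {"product": "ControllerA", "firmware": "4.1.0", "sis": True},
    "PLC-102": {"product": "ControllerA", "firmware": "4.3.0", "sis": False},
    "HMI-01": {"product": "HMI-Suite", "firmware": "7.0", "sis": False},
}
ADVISORIES = [Advisory("ADV-0001", "ControllerA", "4.3.0")]

def example_run():
    # assess, simulate deploying the patch to PLC-101, then verify it
    items = assess(INVENTORY, ADVISORIES)
    items[0]["state"] = "deployed"
    after = {k: dict(v) for k, v in INVENTORY.items()}
    after["PLC-101"]["firmware"] = "4.3.0"  # fresh read shows patched firmware
    return [(i["asset"], i["state"]) for i in close_loop(items, after)]
```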
Several ICS cybersecurity compliance standards are updated periodically. It is imperative to have an automated workflow to properly manage this regulatory and internal compliance. Such a system can provide relevant and actionable information to the right people at the right time, including inventory, alerts, user authentication events, configuration details, change history, and workflow documentation.
For the power, energy, and process industries, securing industrial control systems requires knowing and tracking a complete inventory of all proprietary ICS and traditional information technology cyber assets. Only with a comprehensive inventory that includes configuration data can companies secure against unauthorised change, achieve a sufficient compliance standard, mitigate risk, and ultimately improve process safety.
Centralised management of proprietary, heterogeneous ICS in a facility is a complicated process. Control system configurations are typically inventoried manually, a time-intensive process requiring expensive engineering resources. In addition, manually gathered cyber asset inventory data is often incomplete, stale over time, and incorrect due to human error. Unfortunately, traditional IT-centered security tools provide little relief, as they do not collect the deeply proprietary configuration data required for established cybersecurity best practices. Without a comprehensive, evergreen inventory, it is difficult to detect unauthorised change due to malicious attack or inadvertent engineering updates, execute a closed-loop patch management process, or maintain compliance against regulatory or corporate standards.
This article was compiled from information as supplied by PAS and is published with permission.
References
N Cappi: “When ICS Cybersecurity Gets Personal: The Risk Of The Disgruntled Employee”, ICS Matters, 2015. Web. 17 March 2017.
“Cyber Integrity”, 1st ed. Houston, Texas: PAS, 2017. Web. 16 March 2017.
K Eduard: “Attackers Using Havex RAT Against Industrial Control Systems”, Securityweek.com, 2014. Web. 18 March 2017.
E Habibi: “Why ICS Matters”, ICS Matters, 2015. Web. 17 March 2017.
S Hollis: “Protect the Industrial Endpoints That Matter the Most”, ICS Matters, 2016. Web. 18 March 2017.
Institute for Science and International Security: “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment”, Washington DC: Institute for Science and International Security, 2010. Print.
H Perez: “Securing Industrial Control Systems With PAS Cyber Integrity”, 2017. Presentation.
D Zahn: “Cybersecurity Road Trip”, ICS Matters, 2016. Web. 18 March 2017.
Contact Nirmal Narotam, PAS Automation Services South Africa, Tel 016 976-4832, firstname.lastname@example.org