ICS Control System Security

Prepared By : AMMAR MIRANI

This article provides an overview of these ICS and typical system

topologies, identifies typical threats and vulnerabilities to these
systems, and provides recommended security countermeasures to
mitigate the associated risks.

ICS Control System

Industrial control systems (ICS) include supervisory control and data

acquisition (SCADA) systems, distributed control systems (DCS), and
other control system configurations such as Programmable Logic
Controllers (PLC) are often found in the industrial control sectors.
ICS are typically used in industries such as electric, water and
wastewater, oil and natural gas, transportation, chemical,
pharmaceutical, pulp and paper, food and beverage, and discrete
manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA
systems are generally used to control dispersed assets using centralized
data acquisition and supervisory control.

DCS is generally used to control production systems within a local area

such as a factory using supervisory and regulatory control. PLCs are
generally used for discrete control for specific applications and generally
provide regulatory control.
Initially, ICS had little resemblance to traditional information technology
(IT) systems in that ICS were isolated systems running proprietary control
protocols using specialized hardware and software. Many ICS
components were in physically secured areas and the components were
not connected to IT networks or systems.

Widely available, low-cost Internet Protocol (IP) devices are now

replacing proprietary solutions, which increases the possibility of
cybersecurity vulnerabilities and incidents. As ICS are adopting IT
solutions to promote corporate business systems connectivity and remote
access capabilities, and are being designed and implemented using
industry-standard computers, operating systems (OS) and network
protocols, they are starting to resemble IT systems.
This integration supports new IT capabilities, but it provides significantly
less isolation for ICS from the outside world than predecessor systems,
creating a greater need to secure these systems. The increasing use of
wireless networking places ICS implementations at greater risk from
adversaries who are in relatively close physical proximity but do not have
direct physical access to the equipment.

While security solutions have been designed to deal with these security
issues in typical IT systems, special precautions must be taken when
introducing these same solutions to ICS environments. In some cases,
new security solutions are needed that are tailored to the ICS
environment.
Although some characteristics are similar, ICS also has characteristics
that differ from traditional information processing systems. Many of these
differences stem from the fact that logic executing in ICS has a direct
effect on the physical world.

Some of these characteristics include significant risk to the health and

safety of human lives and serious damage to the environment, as well as
serious financial issues such as production losses, negative impact on a
nation’s economy, and compromise of proprietary information.

ICS have unique performance and reliability requirements and often use
operating systems and applications that may be considered
 unconventional to typical IT personnel. Furthermore, the goals of safety
and efficiency sometimes conflict with security in the design and
operation of control systems.

ICS cybersecurity programs should always be part of broader ICS safety

and reliability programs at both industrial sites and enterprise
cybersecurity programs because cybersecurity is essential to the safe
and reliable operation of modern industrial processes.
Threats to control systems can come from numerous sources, including
hostile governments, terrorist groups, disgruntled employees, malicious
intruders, complexities, accidents, and natural disasters as well as
malicious or accidental actions by insiders. ICS security objectives
typically follow the priority of availability and integrity, followed by
confidentiality.
Possible incidents an ICS may face include the following:
 Blocked or delayed flow of information through ICS networks, which could
disrupt ICS operation.
 Unauthorized changes to instructions, commands, or alarm thresholds,
which could damage, disable, or shut down equipment, create
environmental impacts, and/or endanger human life.
 Inaccurate information sent to system operators, either to disguise
unauthorized changes or to cause the operators to initiate inappropriate
actions, which could have various negative effects.
 ICS software or configuration settings modified, or ICS software infected
with malware, which could have various negative effects.
 Interference with the operation of equipment protection systems, which
could endanger costly and difficult-to-replace equipment.
 Interference with the operation of safety systems, which could endanger
human life.
ICS Security
Major security objectives for an ICS implementation should
include the following:
Restricting logical access to the ICS network and network
activity.
This may include using unidirectional gateways, a demilitarized zone
(DMZ) network architecture with firewalls to prevent network traffic from
passing directly between the corporate and ICS networks, and having
 separate authentication mechanisms and credentials for users of the
corporate and ICS networks.
The ICS should also use a network topology that has multiple layers, with
the most critical communications occurring in the most secure and
reliable layer.

Restricting physical access to the ICS network and devices.

Unauthorized physical access to components could cause serious
disruption of the ICS’s functionality. A combination of physical access
controls should be used, such as locks, card readers, and/or guards.

Protecting individual ICS components from exploitation.

This includes deploying security patches in as expeditious a manner as
possible,

 after testing them under field conditions;

 disabling all unused ports and services and assuring that they remain
disabled;
 restricting ICS user privileges to only those that are required for each
person’s role;
 tracking and monitoring audit trails; and
 using security controls such as antivirus software and file integrity
checking software where technically feasible to prevent, deter, detect,
and mitigate malware.
Restricting unauthorized modification of data.
This includes data that is in transit (at least across the network
boundaries) and at rest.

Detecting security events and incidents.

Detecting security events, which have not yet escalated into incidents,
can help defenders break the attack chain before attackers attain their
objectives.

This includes the capability to detect failed ICS components, unavailable

services, and exhausted resources that are important to provide proper
and safe functioning of the ICS.
Maintaining functionality during adverse conditions.
This involves designing the ICS so that each critical component has
a redundant counterpart. Additionally, if a component fails, it should fail
in a manner that does not generate unnecessary traffic on the ICS or
other networks or does not cause another problem elsewhere, such as a
cascading event.
The ICS should also allow for graceful degradation such as moving from
“normal operation” with full automation to “emergency operation” with
operators more involved and less automation to “manual operation” with
no automation.

Restoring the system after an incident.

Incidents are inevitable and an incident response plan is essential. A
major characteristic of a good security program is how quickly the system
can be recovered after an incident has occurred.

To properly address security in an ICS, it is essential for a cross-

functional cybersecurity team to share their varied domain knowledge
and experience to evaluate and mitigate risk to the ICS. The cybersecurity
team should consist of a member of the organization’s IT staff, control
engineer, control system operator, network and system security expert, a
member of the management staff, and a member of the physical security
department at a minimum.

For continuity and completeness, the cybersecurity team should consult

with the control system vendor and/or system integrator as well. The
cybersecurity team should coordinate closely with site management (e.g.,
facility superintendent) and the company’s Chief Information Officer (CIO)
or Chief Security Officer (CSO), who in turn, accepts complete
responsibility and accountability for the cybersecurity of the ICS, and for
any safety incidents, reliability incidents, or equipment damage caused
directly or indirectly by cyber incidents.

An effective cybersecurity program for an ICS should apply a strategy

known as “defense-in-depth,” layering security mechanisms such that the
impact of a failure in any one mechanism is minimized. Organizations
should not rely on “security by obscurity.”
 ICS Strategies
In a typical ICS this means a defense-in-depth strategy that
includes:
 Developing security policies, procedures, training and educational
material that applies specifically to the ICS.
 Considering ICS security policies and procedures based on the
Homeland Security Advisory System Threat Level, deploying increasingly
heightened security postures as the Threat Level increases.
 Addressing security throughout the lifecycle of the ICS
from architecture design to procurement to installation to maintenance to
decommissioning.
 Implementing a network topology for the ICS that has multiple layers, with
the most critical communications occurring in the most secure and
reliable layer.
 Providing logical separation between the corporate and ICS networks
(e.g., stateful inspection firewall(s) between the networks, unidirectional
gateways).
 Employing a DMZ network architecture (i.e., prevent direct traffic between
the corporate and ICS networks).
 Ensuring that critical components are redundant and are on redundant
networks.
 Designing critical systems for graceful degradation (fault-tolerant) to
prevent catastrophic cascading events.
 Disabling unused ports and services on ICS devices after testing to
assure this will not impact ICS operation.
 Restricting physical access to the ICS network and devices.
 Restricting ICS user privileges to only those that are required to perform
each person’s job (i.e., establishing role-based access control and
configuring each role based on the principle of least privilege).
 Using separate authentication mechanisms and credentials for users of
the ICS network and the corporate network (i.e., ICS network accounts
do not use corporate network user accounts).
 Using modern technology, such as smart cards for Personal Identity
Verification (PIV).
 Implementing security controls such as intrusion detection software,
antivirus software and file integrity checking software, where technically
feasible, to prevent, deter, detect, and mitigate the introduction,
exposure, and propagation of malicious software to, within, and from the
ICS.
 Applying security techniques such as encryption and/or cryptographic
hashes to ICS data storage and communications where determined
appropriate.
 Expeditiously deploying security patches after testing all patches under
field conditions on a test system if possible, before installation on the ICS.
 Tracking and monitoring audit trails on critical areas of the ICS.
 Employing reliable and secure network protocols and services where
feasible.