Industrial control systems still at risk
While security incidents involving ransomware and data breaches have have received much media attention, incidents in the industrial control sector rarely make the headlines. We hear so little, you wouldn't think there is any problem at all. However, the silence is more indicative of the calm before the storm and a certain lack of interest from the media than effective defense strategies. A few days ago, the Control Systems Cyber Security Association International (CS2AI) presented the preliminary results of its annual survey on cyber security in the ICS environment. The figures published by SecurityWeek as part of the 2019 ICS Cyber Security Conference were quite sobering. Probably the most drastic statement was that about 1% of incidents in the last twelve months have led to injuries and even deaths.
As the survey is carried out anonymously, no further details of injuries and fatalities were given at the event, however the final report may contain more information. But even the available results do not lead to great confidence in the measures taken or the attitudes of the companies involved. The experts at the security conference still criticized a lack of awareness for cyber attacks among company managers. The usual arguments "We are too small", "We do not have interesting data", "We are not important enough to be a target", are still used as excuses and justifications.
In addition to endangering individuals, the survey shows ICS Incidents cause other significant costs. A quarter of the study participants stated that breakdown or failure occurred as a result of an incident. Most of the incidents (34%) were caused by removable media containing malware – USB sticks and mobile hard drives. Obviously, the companies have not adopted any stringent guidelines governing the handling of such media. Almost as many incidents were triggered by emails with malware or phishing links. The fact that e-mails can be received in such an environment is evidence of massive errors in the most basic security precautions.
Production technology environments have different aspects that influence security measures in comparison with a data center. But many IT security measures can still be implemented directly or with small changes, especially when it comes to the process level. A mail client is never installed on a production server, and mail should not be received on an administrator workstation, at least not if the user is authenticated as an adminstrator. The classic idea of establishing an air gap, a physical separation between two networks, may have worked in the past, but is now being torpedoed by the large number of network connections of the ICS components. And it is almost certain that if an ICS manufacturer needs to access a controller for remote maintenance, it is right in the middle of the production segment. If the alternative is to send the service technicians to the machines with a USB stick, the problem is simply transferred to another medium. It would make more sense to borrow from military technology and work with a data diode , a device that also physically separates, but only in one direction. For example, sensors could write values to a central data repository but cannot be accessed from this repository.
In general, one problem is still that so many of the components used are inherently insecure. Security was not considered as important for older hardware, but even more recent systems demonstrate blatant vulnerabilities. As patching in production environments is very difficult, these vulnerabilities often remain unpatched for a long time. Even conventional IT struggles to keep up with patching and availability usually has a much lower priority in this scenario in comparison with production environments. However, it is important to bear the following truism in mind: A vulnerability only becomes a risk when it can be exploited. Without access routes such as unprotected USB ports, lack of segmentation, remote maintenance connections, unclear policies and an inadequate or non-existent role and rights concept, the risk presented by a vulnerability can be mitigated. All listed attack vectors can be circumvented without or with limited financial means. As always: Those who have done their homework do not have to fear the test.