Industrial control systems are everywhere. They form the critical infrastructure that underpins a wide variety of basic needs we all enjoy. Water treatment, power generation, oil refining, food production, and pharmaceutical production are just a few industries that run on complex control systems. These industrial systems have traditionally been viewed as separate from enterprise / commercial IT networks and may not have received the same level of security attention.
With a high degree of connectivity between these operational technologies and IT networks, there has been a heightened awareness of the security needs of industrial control networks. Recent breaches that have resulted in failed power grids, disrupted pipelines and threatened corporations have increased the urgency for securing industrial systems like never before.
In this series, we examine a few aspects of industrial control system security. A few considerations make industrial system security different from IT security approaches.
Network Topology – Any industrial facility has thousands of devices and nodes that are not in the purview of enterprise IT. Control systems, measurement systems, sensors, safety devices, and other proprietary systems comprise the production infrastructure and account for 70-80% of networked systems. The remaining 20% are what we usually think of as IT systems such as email, customer relationship management, supply chain systems, accounting, etc. The production infrastructure is designed to keep functioning even if the enterprise IT systems fail, without endangering human health, production continuity, or environmental safety.
Communication protocols (Modbus, Fieldbus, Profibus), interfaces, and operating frameworks differ from typical TCP/IP. The heterogeneous nature of these industrial networks thus creates complexity and requires a different approach than typical enterprise IT security. IT organizations are often overwhelmed when they try to account for every device in the industrial network. Many organizations do not have a reliable inventory of the number of devices, their configurations, and the interconnections that form the industrial network. This lack of records would be unacceptable in the IT world, where firewalls, user configurations, and perimeter defenses are everywhere.
Endpoint Complexity – Endpoints (devices, controls, sensors) in an industrial network are heterogeneous and are often several generations behind IT endpoints (laptops and phones). It is not uncommon to stick with older technology with known vulnerabilities simply because it is still operable or because upgrade costs are prohibitive. Additionally, the lack of a standard protocol like TCP/IP makes compatibility with existing control systems the key factor in endpoint device choice. IT endpoints are very agent-software friendly, allowing IT organizations to install agents that help monitor and secure the endpoint. Industrial endpoints do not offer such functionality. To complicate things further, many of these endpoints are not easily discoverable and are often hidden as subsystems within an overall control and supervisory system.
Device Makers – Industrial settings involve a wide variety of process control sensors and devices provided by a wide variety of suppliers. Unlike in IT, where almost every system/device vendor uses the same protocols and operating systems, the industrial world is rife with proprietary protocols and special implementations, making adopting a common approach to securing the network difficult. Specialized skills, training, and vendor involvement become crucial in devising strategies to secure industrial networks.
Crafting a strategy to secure industrial facilities requires a comprehensive view of the entire IT/OT infrastructure and a framework that systematically treats every node as a potential source of vulnerability. While ensuring that every node is secure and up to standard may be impractical initially, identifying and securing the most critical components of the industrial network is the first step. A crucial step in developing a security strategy is establishing a baseline of the system – the baseline will need to capture the settings and configuration of the system and becomes the starting point for detecting intentional and unintentional changes to it. Change management can then focus on tracking changes to the system and identifying them as soon as they happen. Detecting changes at endpoints and triggering investigations to confirm compliance is crucial for securing the industrial network. Automating the detection and remediation steps via workflows helps establish electronic breadcrumbs that provide evidence for compliance and audit processes.
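As an added illustration (not code from the original post), the baseline-and-change-detection step above in Python: a baseline snapshot is taken over a constructed device inventory, and a later snapshot is compared against it to surface modified, missing, and undocumented nodes, ordered by criticality so the most critical components are investigated first. Device names, criticality labels, and configuration keys are assumptions made for the example.

```python
import hashlib
import json

# Constructed sample inventory (not a real plant): node id -> criticality and config.
BASELINE = {
    "plc-01": {"criticality": "high",
               "config": {"firmware": "2.4.1", "modbus_port": 502, "write_enabled": False}},
    "hmi-01": {"criticality": "medium",
               "config": {"firmware": "5.0", "remote_access": False}},
    "sensor-12": {"criticality": "low",
                  "config": {"firmware": "1.1", "sample_rate_hz": 10}},
}

RANK = {"high": 0, "medium": 1, "low": 2}


def config_fingerprint(config):
    """SHA-256 over a canonical JSON encoding, so key order alone never raises an alarm."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def snapshot(inventory):
    """Baseline record: per node, its criticality, config and config fingerprint."""
    return {node: {"criticality": info["criticality"], "config": info["config"],
                   "fingerprint": config_fingerprint(info["config"])}
            for node, info in inventory.items()}


def changed_keys(old, new):
    """Configuration keys whose value differs between two snapshots of one node."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def detect_changes(baseline, current_inventory):
    """Compare a fresh inventory against the baseline; return findings, most critical first."""
    current = snapshot(current_inventory)
    findings = []
    for node in set(baseline) | set(current):
        before, after = baseline.get(node), current.get(node)
        if before is None:  # undocumented node: treat as high priority until investigated
            findings.append({"node": node, "kind": "unknown_node", "criticality": "high",
                             "detail": "not in baseline inventory"})
        elif after is None:
            findings.append({"node": node, "kind": "missing_node",
                             "criticality": before["criticality"],
                             "detail": "in baseline, not seen in current scan"})
        elif before["fingerprint"] != after["fingerprint"]:
            findings.append({"node": node, "kind": "config_changed",
                             "criticality": before["criticality"],
                             "detail": changed_keys(before["config"], after["config"])})
    return sorted(findings, key=lambda f: (RANK[f["criticality"]], f["node"]))
```

Each finding is the trigger for an investigation workflow; persisting the findings alongside the baseline gives the electronic breadcrumbs mentioned above.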
In the upcoming blogs in this series, we will discuss industrial endpoints and network security, and highlight best practices for securing industrial control systems.