ICS: Protecting the ‘other’ network
Since the advent of the industrial age and the rise of manufacturing, large, integrated and highly-complex industrial sites, even cities around the world, have been processing staggering amounts of raw materials or feedstock into final products down the chain. At the very heart of such processes are Industrial Control Systems (ICS): they are what holds everything together and scale to become vastly complex proprietary networks. ICS is the common overarching term for other acronyms such as SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control Systems), and PCN (Process Control Networks), all types of control systems. For the Gulf Cooperation Council (GCC) countries with significant reliance on process industries such as Oil and Gas, complex ICS systems are considered the cornerstone of operations. With Industrial Operations representing a major portion of the GCC National GDP[1], significant disruption is not an option.
By common classification, ICS fall under what is termed Operational Technology or Operational Systems, hence distinguishing ICS from IT (Information Technology) systems. These systems are not built for what is typically referred to as “Security”, namely the protection of information assets from compromise. ICS systems have a fundamentally different premise of operation, having real and significant impact on the physical safety of engineers and operators in the production cycle. An example would be the risk of industrial fires and explosions due to faulty control systems during the manufacturing or refining cycles. Direct access to production control is therefore vital to prevent such incidents, or for responding to them quickly to prevent injury or loss of life.
While information security is founded on three guiding attributes: Confidentiality, Integrity and Availability, ICS reverses these priorities to be more aligned with Availability first, then Integrity of operations.
The issues with ICS and Information Security
With the drive to reduce manufacturing costs and operational overhead, ICS networks have over the past decade opened up to the corporate IT networks. The idea of leveraging existing networks to manage and monitor ICS operations reduces dependency on on-site engineers to monitor and manage the ICS networks and facilitates integrating large, physically-diverse manufacturing operations, from corporate locations. The integration of ICS networks into corporate IT networks, however, has presented a new set of security risks that have been unaccounted for, such as:
- ICS are not designed with Information Security in mind. The strong physical security and access controls they rely on are circumvented when ICS are opened up to corporate IT networks;
- Exposure of ICS to the threats of attacks from the Internet;
- Exploitations are compounded when IT systems with known (or unknown) risks become an entry point into ICS.
The fact that the key controls of ICS need to be “accessible” is the same reason why there are “weak” security access controls, and with the exposure of such environments to the corporate and IT networks, the domino effect can now reach all the way to the heart of production. Recently, the exploit dubbed ‘Stuxnet’ was used in cyber-attacks against nation states that specifically targeted ICS. Variations of the same exploit have been associated with other regional high-profile attacks.[2] According to a popular website tracking cyber-attack incidents,[3] the statistics for 2013 (as of March 2013) show that attacks targeting Industry have accounted for 11.2 percent of the cyber-attacks tracked globally, out of which the Oil and Gas Industry ranked first with about 22 percent, and the Energy Industry ranked third at 11 percent.
The recent and increasing wave of high-profile cyber-attacks such as those stated above has driven organizations in the region to elevate information security to a major board-level agenda item. Senior Management has been demanding that business and IT departments overhaul operations to show that their systems and networks are adequately protected and that there are plans for recovery from any compromise. The challenge related to protecting ICS is the traditional Two-Silo approach of management between Engineering/Operations and Information Technology.
According to the National Institute of Standards and Technology (NIST), “ICS have unique performance and reliability requirements[…]considered unconventional to typical IT personnel.”[4] In the region, this is commonly evident in Oil and Gas operations, where the sensitivity and criticality are such that Operations would isolate IT in its entirety from matters related to ICS. However, the IT organization may be much better equipped to handle and respond to Information Security and breach threats, whereas Operations typically would focus on physical security and human safety. When it comes to securing ICS, both engineering and IT need to operate as partners and stakeholders.
Governments also need to look into what controls are in place to ensure the safety of the ICS networks of national services, a breach of which would possibly affect national and economic security. Similarly, any disruption of critical services such as electricity and water would directly impact citizen wellbeing. Driven by this, the State of Qatar has recently released guidelines related specifically to ICS Security.[5]
Protecting Industrial Control Systems: the task at hand
In the GCC, the protection of ICS needs to be customized to the unique regional characteristics of the area and should adapt to the changing landscape of security globally with particular attention to the mutual convergence of IT and Operational Technology. The approach to address these requirements can be categorized into four points:
- Increasing awareness: knowing there is a risk is the first step to addressing it. Regionally, entities need to expand the fold of Information Security beyond just the IT department and address the risks related to ICS. Communication needs to flow top to bottom on the possible risks and what each stakeholder’s responsibility should be. Tried and true tactics such as workshops including individuals from both IT and Operations should be conducted to facilitate information flow and build bridges between these traditionally separate functions.
- Build fit-for-purpose controls: ICS vary by industry and type of operations. In the Gulf region, given the importance of industries such as Oil and Gas, operations may be part of a larger turn-key project such as a global partnership, where the management or maintenance of ICS may be outsourced in part to external parties. All these qualifying factors need to be taken into consideration when putting together a plan for the protection of industrial assets controlled by ICS.
- Leverage existing best practices: there exists a wide spectrum of guidance documents that address each of the layers and components of ICS Security, and a number of global initiatives with an interest in protecting ICS have begun consolidating standards, frameworks and policies. Examples of such initiatives are Europe’s enisa[6] and the publications of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST) in the United States.
- Involvement of assurance: periodically perform independent assessments of the security of ICS. Teams that have sufficient expertise in both ICS security and the proprietary technology of the ICS being reviewed should be hired to perform such assessments, as opposed to solely IT-specific assessments by information security practitioners.
Achieving ‘Information Security’ is a challenge. Achieving Industrial Control System information security, with its innate complexities, becomes a much more difficult task. The security and safety of Industrial Control Systems and the environments they manage represent a real and present risk to entities and governments in the region. The compounded effect of the limited exposure and experience of stakeholders in the topic, the exponential growth of Internet-based security attacks driven by geopolitical turmoil and the involvement of nation-states all make this a topic that must find its way onto the agenda of the Boards of Directors. Similarly, government agencies entrusted have a role to play in guiding industries to a set of regulations and guidance documents to mitigate the impact of such risks. Organizations should implement measures to ensure that if such compromises were to happen, there are sufficient processes to mitigate the impact of these incidents and the time to recover from them. Protection of Industrial Control Systems also touches upon critical national infrastructure, areas that directly affect citizen wellbeing, in addition to national safety and security.
by Raddad Ayoub, principal, Enterprise Risk Services, Deloitte Middle East
- [1] IMF World Economic Outlook 2012
- [2] http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
- [4] National Institute of Standards and Technology (NIST), Special Publication 800-82, Guide to Industrial Control Systems Security
- [5] ictQATAR, Controls for the Security of Critical Industrial Automation and Control Systems Guidelines, January 2012
- [6] European Network and Information Security Agency (enisa), Protecting Industrial Control Systems Annex III