Industrial risk control


Industrial Control Systems, such as those seen in the oil and gas industry, are often characterised by how unchanging and unmovable they are. So it seems ironic that ICS is going through a revolution fuelled by two areas: an ever-increasing connectivity demand and, as a result of that, the change in tactics of attackers, says Robert Miller, security consultant to MWR InfoSecurity.

The drive for organisations to gain better insight into their facilities has meant a change in how ICS networks sit within the corporate infrastructure. Whereas traditionally we took the "isolate and airgap" method, many companies are now asking how they can extract real-time data out of ICS and build real-world metrics to improve how they run their business. Vendors have been quick to support this move, but have not always put security at the forefront of this progress, instead prioritising latency and convenience. Now one IT network can carry all the traffic and suddenly, office computers can query ICS components directly. Even the vendors could connect to update the firmware without travelling to the site or risking using old technology like modems. For isolated, remote ICS installations it was a revolution. The benefit is clear, but what is the security risk of these new routes to ICS?

Where is risk coming from?

We need to understand that this newfound connectivity is a two-way street. Based on the results of recent engagements, we found that remote ICS sites were commonly connected to corporate networks. During incident response work, it was regularly observed that hostile attackers are traversing the easiest route to achieve their objective. In ICS environments, new connectivity into the corporate environment often gifts attackers with a way in. Security researchers have publicly demonstrated the exploitable nature of components used in remote sites in the oil and gas sectors. For example, last year a team of security researchers from IOActive demonstrated how wireless protocols, used by ICS devices, could be compromised from a range of up to 40 miles. During security assessments, MWR often finds that although pains were taken to stop an employee accidentally sending traffic to a PLC on the ICS, little was done to restrict traffic back to the offices. This is where the remote site then becomes interesting to the attacker wanting to assail the organisation, not just the remote site. In these cases it is possible for attackers to compromise the remote site and then use its trusted status to pivot their malicious traffic into the corporate IT network. Vulnerabilities like these are an ongoing challenge, with the solution being custom to the needs and layout of each ICS. With remote sites, these attackers may be based in the country we are operating in; they may have physical access to our systems or the country's communications infrastructure. This represents a very different scenario to the attacker trying to compromise our systems from the internet. To make things more complex, we see the attacker's capabilities and techniques changing on both fronts, a dangerous mix when it comes to defending against them.
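The one-way filtering problem described above (office-to-PLC traffic blocked, ICS-to-office traffic left open) is easy to miss in a rule review because the rule that was written looks correct. The following is an added example, not code from the article or from MWR: a small first-match policy evaluator that checks the same segmentation policy in both directions. The networks, the historian host and the two rule sets are constructed for illustration, and the "hardened" set generalises the article's point by allowing only the single ICS-to-historian flow the business actually needs and denying everything else in either direction.

```python
"""Audit a segmentation policy for the ICS -> corporate direction.

Added example; the addresses and rules below are constructed, not taken
from any real site.  The evaluator is a simplified first-match model of
a stateless packet filter: the first rule whose source and destination
networks contain the flow decides it, and an unmatched flow is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    action: str   # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule, or "deny" by default."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return "deny"


# Constructed address plan for the example.
CORP = "10.0.0.0/16"           # office / corporate IT network
ICS = "192.168.50.0/24"        # remote-site ICS network
HISTORIAN = "10.0.5.10/32"     # the one corporate host that collects ICS data

# Weak policy: only the office -> PLC direction was thought about.  The
# catch-all allow at the end lets any ICS host initiate traffic into the
# office network, which is the pivot route the article warns about.
WEAK = [
    Rule(CORP, ICS, "deny"),                  # engineers cannot reach PLCs
    Rule("0.0.0.0/0", "0.0.0.0/0", "allow"),  # everything else permitted
]

# Hardened policy: permit exactly the flow the business needs (ICS data to
# the historian), then deny the remainder of both directions explicitly.
HARDENED = [
    Rule(ICS, HISTORIAN, "allow"),
    Rule(ICS, CORP, "deny"),
    Rule(CORP, ICS, "deny"),
]


def audit(rules, ics_hosts, corp_hosts):
    """List (ics_host, corp_host) pairs a compromised ICS host could reach.

    Anything returned here beyond the intended historian flow is a route
    back into the corporate network that the policy failed to close.
    """
    return [
        (i, c)
        for i in ics_hosts
        for c in corp_hosts
        if evaluate(rules, i, c) == "allow"
    ]


if __name__ == "__main__":
    ics = ["192.168.50.20"]                  # constructed PLC / RTU address
    corp = ["10.0.1.5", "10.0.5.10"]         # an office workstation, the historian
    print("weak    :", audit(WEAK, ics, corp))
    print("hardened:", audit(HARDENED, ics, corp))
```

Running the audit against both policies shows the weak set leaking every ICS-to-office pair, while the hardened set exposes only the historian. In a real review the rule list would be exported from the firewall and the host lists taken from the site inventory; the point of the check is that the same policy is evaluated from the ICS side, not only from the office side.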

So what can we do?

Security managers should be asking questions about how these vectors could manifest in their systems. For example, many remote sites require engineers to visit them with their laptops. If so, they should be assessed for their risk. Do they contain private data? Can they connect to the corporate VPN? What is the protocol for a laptop being lost/stolen or an engineer leaving the company? Working in the field of ICS security, MWR has seen a growing amount of evidence that attackers are changing their mind-sets and methods against the companies that run remote ICS. ICS-CERT has reported around an 80% increase in reported attacks against ICS over the last two years. It is imperative that everyone who works with these systems understands this shift and the steps they need to take to keep their company and its facilities safe.

Robert Miller, MWR InfoSecurity
