Industrial risk control
Industrial Control Systems, such as those seen in the oil and gas industry, are often characterised by how unchanging and unmovable they are. So it seems ironic that ICS is going through a revolution fuelled by two areas: an ever-increasing connectivity demand and, as a result of that, the change in tactics of attackers, says Robert Miller, security consultant to MWR InfoSecurity.
The drive for organisations to gain better insight into their facilities has meant a change in how ICS networks sit within the corporate infrastructure. Whereas traditionally we took the "isolate and airgap" method, many companies are now asking how they can extract real-time data out of ICS and build real-world metrics to improve how they run their business. Vendors have been quick to support this move, but have not always put security at the forefront of this progress, instead prioritising latency and convenience. Now one IT network can carry all the traffic and suddenly, office computers can query ICS components directly. Even the vendors could connect to update the firmware without travelling to the site or risking using old technology like modems. For isolated, remote ICS installations it was a revolution. The benefit is clear, but what is the security risk of these new routes to ICS?
Where is risk coming from?
We need to understand that this newfound connectivity is a two-way street. Based on the results of recent engagements, we found that remote ICS sites were commonly connected to corporate networks. During incident response work, it was regularly observed that hostile attackers traverse the easiest route to achieve their objective. In ICS environments, new connectivity into the corporate environment often gifts attackers with a way in. Security researchers have publicly demonstrated the exploitable nature of components deployed at remote sites in the oil and gas sectors. For example, last year a team of security researchers from IOActive demonstrated how wireless protocols, used by ICS devices, could be compromised from a range of up to 40 miles.
During security assessments, MWR often finds that although pains were taken to stop an employee accidentally sending traffic to a PLC on the ICS, little was done to restrict traffic back to the offices. This is where the remote site becomes interesting to an attacker who wants to assail the whole organisation, not just the remote site. In these cases it is possible for attackers to compromise the remote site and then use its trusted status to pivot their malicious traffic into the corporate IT network. Vulnerabilities like these are an ongoing challenge, with the solution being custom to the needs and layout of each ICS.
With remote sites, these attackers may be based in the country we are operating in; they may have physical access to our systems or the country’s communications infrastructure. This represents a very different scenario to the attacker trying to compromise our systems from the internet. To make things more complex, we see the attacker’s capabilities and techniques changing on both fronts, a dangerous mix when it comes to defending against them.
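The asymmetry described above (office-to-PLC traffic blocked, site-to-office traffic left open) can be checked for in a firewall rule export. The following is an added example, not code from the article or from MWR; the rule format, addresses, ports and the expected historian flow are all assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed rule set for illustration; addresses, ports and the historian
# flow are assumptions, not taken from the article.
RULES = [
    {"src": "10.10.5.20/32", "dst": "10.50.1.0/24", "port": 502, "action": "allow"},   # engineering workstation -> PLCs
    {"src": "10.10.0.0/16", "dst": "10.50.0.0/16", "port": "any", "action": "deny"},   # offices -> site blocked
    {"src": "10.50.0.0/16", "dst": "10.10.9.10/32", "port": 443, "action": "allow"},   # site -> historian
    {"src": "10.50.0.0/16", "dst": "10.10.0.0/16", "port": "any", "action": "allow"},  # site -> offices, unrestricted
]
# Flows the remote site is expected to open towards the corporate network.
EXPECTED = {("10.10.9.10/32", 443)}


def site_to_corp_findings(rules, site_net, corp_net, expected):
    """Return (rule index, reason) for allow rules that let the remote site
    reach the corporate network beyond the expected flows.

    This inspects rules one by one and does not model shadowing by earlier
    rules, so it is conservative: every reported rule deserves a review.
    """
    site, corp = ip_network(site_net), ip_network(corp_net)
    findings = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src, dst = ip_network(rule["src"]), ip_network(rule["dst"])
        if not (src.overlaps(site) and dst.overlaps(corp)):
            continue  # not a site -> corporate rule
        if (rule["dst"], rule["port"]) in expected:
            continue  # documented, narrowly scoped flow
        reason = "any port" if rule["port"] == "any" else "flow not in expected list"
        findings.append((idx, reason))
    return findings


if __name__ == "__main__":
    for idx, reason in site_to_corp_findings(RULES, "10.50.0.0/16", "10.10.0.0/16", EXPECTED):
        print(f"rule {idx}: {reason}")
```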
So what can we do?
Security managers should be asking questions about how these vectors could manifest in their systems. For example, many remote sites require engineers to visit them with their laptops. If so, those laptops should be assessed for their risk. Do they contain private data? Can they connect to the corporate VPN? What is the protocol for a laptop being lost or stolen, or an engineer leaving the company? Working in the field of ICS security, MWR has seen a growing amount of evidence that attackers are changing their mindsets and methods against the companies that run remote ICS. ICS-CERT has reported around an 80% increase in reported attacks against ICS over the last two years. It is imperative that everyone who works with these systems understands this shift and the steps they need to take to keep their company and its facilities safe.
Robert Miller, MWR InfoSecurity