In the previous post, I mentioned that the most notable concerns of current Industrial Control Systems come from cyberspace. However, they sit side by side with the most analog and oldest point of failure: the human factor. By mistake or ignorance, the employees of an organization can expose the company's vulnerabilities and cause anything from data leakage to loss of production. The worst case would be the failure of a critical infrastructure or a fatal injury to a co-worker. Individuals are usually the primary point of attack that leads to secondary attacks exploiting the vulnerabilities hackers want to profit from.
The first line of defense of any company that uses ICS must be its own employees and users. According to the Federal Office for Information Security, the number one threat is “Infiltration of Malware via Removable Media and External Hardware”. Innocent actions like using the company laptop on an open Wi-Fi network, or watching on it a film downloaded via torrent, can put the whole company in danger. If the device is infected by malware, once connected to the ICS network the infection will spread like a contagious disease. Those connections can be protected by countermeasures, but before explaining them I would like to introduce another human-centered threat: “Social Engineering and Phishing”.
In recent years, phishing has been decreasing. At the beginning of the decade, organizations such as the Industrial Control Systems Cyber Emergency Response Team (based in the USA) repeatedly mentioned spear-phishing as one of the main concerns for national ICS security. Thanks to those awareness campaigns, companies have taught their members to stop sending their credentials to anyone who asks for them and instead report the suspicious behaviour to the IT staff. Training on good practices is the first step towards a more secure environment. However, most people are not experts and might not be able to comply with the new policies. If a problem persists, more radical actions can be taken. For example, physically blocking access to USB ports and forcing users to share files inside a secure intranet reduces the above-mentioned risk of malware infiltration via removable media.
Another threat related to users' activity is “Human Error and Sabotage”. Once again, human error can be minimized by training and by limiting what the user can do (and consequently break). Previously, I mentioned countermeasures focused on the malware itself. However, there is a wider approach to this issue that has been promoted by public administrations (such as the National Institute of Standards and Technology of the U.S. Department of Commerce): standardization. The adoption of frameworks ensures the quality and security awareness of the business, sometimes even increasing productivity by systematizing processes. Some of the most common recommendations are the creation of regular backups, the establishment of usage policies, and the deployment of automatic monitoring and auditing of systems and configurations. Recording users' and programs' activity increases security against the second part of the threat (sabotage). I want to point out that most solutions are pointless if they are not adopted alongside others. If users can be easily impersonated, the logs will be almost useless for determining who is responsible for a suspicious access. Security is not a matter of patches, but a transversal layer of the organization.
However, since ICS components are connected to the internet, remote attacks are another risk to keep in mind. Malware infection appears again as a threat, this time not via physical devices but via the internet and the intranet. Some countermeasures are common to the previous recommendations: control access, apply policies that prohibit the use of foreign hardware and executables, and keep logs to detect and prove intrusions. The main idea is to isolate the systems so that they expose only the necessary interfaces, which should be correctly configured to avoid unauthorized remote access. Although IT and OT should work together to offer the most to the company, that does not mean they should be mixed. The OT manufacturing zone is very sensitive and requires fewer accesses. A good practice is to separate them with a DMZ, a very expressive name meaning that there is no population (i.e. no business logic) in it, and that everything crossing it is subject to strict controls such as firewalls or anti-malware.
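The two paragraphs above argue that removable-media policies, activity logging and OT isolation only pay off when the logs can be acted on and when a log entry can be attributed to a person. The following Python script is an added example (not code from the original post or from any of the cited organizations) that shows the defender's side of that argument: it reads constructed syslog-style lines, flags USB devices that are not in an inventory of issued media, flags logins arriving from outside the OT address range, and flags logins to a shared account, which is exactly the case where the log cannot tell you who was responsible. The sample log lines, the device inventory, the shared-account list and the OT address prefix are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from any real system). Two USB attach
# events reported by the kernel, and three accepted SSH logins.
SAMPLE_LOG = """\
Nov 24 08:01:12 hmi-01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Nov 24 08:01:12 hmi-01 kernel: usb 1-2: Product: Cruzer Blade
Nov 24 08:15:40 eng-ws-03 kernel: usb 2-1: New USB device found, idVendor=1a2b, idProduct=3c4d
Nov 24 09:02:05 hmi-01 sshd[2231]: Accepted password for operator from 10.20.30.40 port 51022 ssh2
Nov 24 09:30:17 plc-gw-02 sshd[4410]: Accepted publickey for jdoe from 10.20.1.7 port 40011 ssh2
Nov 24 11:45:00 plc-gw-02 sshd[4588]: Accepted password for operator from 172.16.8.9 port 53310 ssh2
"""

# Assumptions for the example: the inventory of removable media the company has
# issued (vendor id, product id), accounts shared by several people, and the
# address prefix of the OT zone / DMZ from which logins are expected.
APPROVED_USB = {("0781", "5567")}
SHARED_ACCOUNTS = {"operator"}
OT_SUBNET_PREFIX = "10.20."

TS_HOST = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
USB_RE = re.compile(
    TS_HOST + r"kernel: usb [\d.-]+: New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SSH_RE = re.compile(
    TS_HOST + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # what policy was violated
    host: str    # system on which the event was logged
    detail: str  # device ids or "user from source"


def audit(log_text, approved_usb=APPROVED_USB, shared_accounts=SHARED_ACCOUNTS,
          ot_prefix=OT_SUBNET_PREFIX):
    """Return the policy findings for a block of log text."""
    findings = []
    for line in log_text.splitlines():
        m = USB_RE.match(line)
        if m:
            ids = (m["vid"], m["pid"])
            # Removable media not in the inventory: the "foreign hardware" policy.
            if ids not in approved_usb:
                findings.append(Finding("unapproved-usb", m["host"], f"{ids[0]}:{ids[1]}"))
            continue
        m = SSH_RE.match(line)
        if m:
            who = f"{m['user']} from {m['src']}"
            # A shared account means the log cannot say which person acted.
            if m["user"] in shared_accounts:
                findings.append(Finding("unattributable-login", m["host"], who))
            # A login from outside the OT range means the isolation is leaking.
            if not m["src"].startswith(ot_prefix):
                findings.append(Finding("login-outside-ot", m["host"], who))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind:22} {f.host:10} {f.detail}")
```

Running it on the constructed sample reports one unapproved USB device on eng-ws-03, two logins to the shared `operator` account, and one login to plc-gw-02 from an address outside the OT prefix. The last two kinds of finding illustrate the point about impersonation: the login from 172.16.8.9 is both suspicious and unattributable, so the log alone cannot identify the person behind it.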
ICS has begun to rely more and more on third-party services, some of which are becoming essential for current production processes. For example, cloud storage and processing are tools that increase productivity (better calibration of machines, sharing of real-time data between factories), and sometimes they can be used to apply security countermeasures like creating backups. This creates an uncomfortable situation for the ICS owner: can they trust a third-party component? If the service cannot be assured, there is a constant risk of collateral damage from attacks on our partners. Whether the local ICS is secure does not matter when a DoS attack on the cloud provider can deny our own services. Those vulnerabilities could even serve as a backdoor into our systems.
To minimize the risks when hiring a service, SLAs serve as a commitment in which the provider undertakes to fulfil certain obligations and to repair the damage (usually through monetary compensation) caused by its mismanagement. Another indicator of their security is the certifications obtained from an independent audit. In the case of a very popular cloud service, AWS, the ISO/IEC 27017 certification was issued by EY CertifyPoint, which is accredited by the Dutch Accreditation Council. Certifications can also be obtained by the company that uses ICS and help to improve both its processes and its reputation, which is especially relevant when making deals with the public administration.
In conclusion, threats to ICS are connected and cannot be considered without taking a wider context into account, because a partial patch will not solve the problem: threats to security are ubiquitous. In the age of cyberattacks and connected industry, OT has to be protected from the risks of IT, while the new technologies provide new opportunities for human error. Even if a perfect shield does not exist, most threats can be identified and minimized with new controls, more training and regular audits. Security should not be considered a reactive task but a constant goal.
Federal Office for Information Security, Industrial Control System Security: Top 10 Threats and Countermeasures, accessed 24 November 2019, https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS/BSI-CS_005E.html
Industrial Control Systems Cyber Emergency Response Team, “Incident Response Activity”, ICS-CERT Monthly Monitor (June-July 2012), accessed 24 November 2019, https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jun-Jul2012.pdf
National Institute of Standards and Technology, Recommendations of the National Institute of Standards and Technology, accessed 24 November 2019, https://www.ccn-cert.cni.es/publico/InfraestructurasCriticaspublico/Guide to Industrial Control .pdf
Check Point Software Technologies Ltd., Blueprint for Securing Industrial Control Systems, 6-7, accessed 24 November 2019, https://www.checkpoint.com/downloads/products/cp-industrial-control-ics-security-blueprint.pdf
“ISO/IEC 27017:2015 Compliance”, AWS Amazon.com, accessed 26 November 2019, https://aws.amazon.com/compliance/iso-27017-faqs/
“Certification”, ICS SANS, accessed 24 November 2019, https://ics.sans.org/certification