Written by Daniel Ehrenreich, Consultant and Lecturer, SCCE.
In recent years, industry experts have been exposed to new vulnerabilities detected in Programmable Logic Controllers (PLC) supplied by a range of well-known vendors. This exposure leads to growing concerns about possible cyber-attacks against Industrial Control Systems (ICS) / Operational Technology (OT) systems. Among the published internally and externally generated cyber security incidents, you find attacks that may directly or indirectly affect the industrial process and cause operation outages, damage, and risks to lives.
To protect industrial and utility plants, you must deploy a range of SRP (Safety, Reliability, Productivity) triad-related measures. In some cases, these solutions must also satisfy the CIA (Confidentiality, Integrity, Availability) triad-related requirements. This paper aims to help readers understand how to perform risk assessment for ICS-OT systems and select suitable cyber defense solutions.
Cyber Security Risk Analysis
The following paragraphs will guide you through scenarios that describe various ICS-OT-related cyber security risks. The charts and the descriptions below will help you to correctly understand the risk factors and select the most suitable, practical, effective, and cost-effective cyber defense.
1. How do cyber incidents happen?
Here we must differentiate between failures caused by hardware products or software bugs, incorrect actions of authorized personnel, and cyber-attacks, which can be internally generated, externally generated, or supply-chain related. The three suggested attack factors below may be associated with multiple possibilities.
Analyzing the security level (SL-1 to SL-4 factors according to ISA/IEC 62443) will help you understand who or what organization might initiate the attack, the level of their expertise, and how many resources they have and are willing to allocate. Upon analyzing Figure 1 below, your organization may select the industrial facility’s most suitable defense or risk mitigation solution.
Cyber security incidents are initiated by the combination of three factors. As described in Figure 2 below, a) the ICS-OT architecture might have one or more unresolved vulnerabilities caused by hardware, software, physical security, or a poorly structured application program, b) a person or an organization must have a weak or strong motivation, and c) the attackers must be confident that the planned attack process is possible.
By understanding the “driving factors”, based on the SL-1 to SL-4 elements defined in ISA/IEC 62443, the organization may select the most suitable defense or risk mitigation solution. This can be achieved by strengthening the end-point protection, perimeter security, or another defense measure.
The essential activity conducted by defenders is to differentiate among the possible attack vectors and attack paths. The Lockheed Martin Cyber Kill Chain and the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) are suitable tools for this evaluation and for reaching conclusions related to cyber defense.
In Figure 3 below, you see an illustration of these possibilities. An attack might start directly in the ICS-OT zone (usually an internally generated action) or in the IT zone (usually an externally generated action). The initiated attack might directly or indirectly affect the SRP-related requirements at the industrial plant or utility operation.
When analyzing the possible impact on an industrial facility, it is essential to realize the magnitude or severity of the incident. The lowest impact may be a short operation outage (minutes or hours) or a lengthy outage (weeks up to months) caused by the harming factors described below. A higher level of impact might lead to repairable or even non-repairable damage.
In the worst case, the result of a cyber-attack may harm the lives of a few or many people. Figure 4 below illustrates these possibilities and may help the organization’s experts combine multiple layers of defense and select the most suitable and effective defense solution.
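To make the three-factor model and the impact scale above concrete, here is an added example (not code from the original article or from any standard) of a small risk register that scores each scenario by whether an unresolved vulnerability exists, the attacker's motivation, and the attacker's confidence that the attack is feasible, and then multiplies by the impact tier (short outage through harm to lives). The numeric weights, the scenario names, and the mitigation hints are constructed assumptions for illustration; they are not values defined by ISA/IEC 62443.

```python
"""Added example: a minimal ICS-OT risk register.

Likelihood is modelled from the three attack factors described in the text
(unresolved vulnerability, attacker motivation, attacker confidence); impact
follows the text's severity tiers. All weights are assumptions.
"""
from dataclasses import dataclass, replace

# Impact tiers in the order the text lists them; numeric values are assumed.
IMPACT = {
    "short_outage": 1,          # minutes or hours
    "lengthy_outage": 2,        # weeks up to months
    "repairable_damage": 3,
    "non_repairable_damage": 4,
    "harm_to_lives": 5,
}
MOTIVATION = {"none": 0, "weak": 1, "strong": 2}   # assumed scale
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}    # assumed scale


@dataclass(frozen=True)
class Scenario:
    name: str
    zone: str            # "IT" or "ICS-OT": where the attack would start
    vulnerability: bool  # unresolved hardware/software/physical/application weakness
    motivation: str
    confidence: str
    impact: str


def likelihood(s: Scenario) -> int:
    """All three factors must be present; if any is missing, likelihood is 0."""
    if not s.vulnerability or MOTIVATION[s.motivation] == 0:
        return 0
    return MOTIVATION[s.motivation] * CONFIDENCE[s.confidence]  # 1..6


def risk_score(s: Scenario) -> int:
    """Likelihood times impact tier, 0..30 under the assumed scales."""
    return likelihood(s) * IMPACT[s.impact]


def rank(scenarios) -> list:
    """Highest-risk scenarios first, so defenders address them first."""
    return sorted(scenarios, key=risk_score, reverse=True)


def mitigation_hint(s: Scenario) -> str:
    """Map the scenario's starting zone to the defense layer the text names."""
    if s.zone == "IT":
        return "IT/OT network segregation and perimeter security"
    return "physical/perimeter security and OT endpoint protection"


def after_remediation(s: Scenario) -> Scenario:
    """What-if view: the same scenario once the vulnerability is removed."""
    return replace(s, vulnerability=False)


# Constructed sample scenarios (hypothetical, not from the article).
SCENARIOS = [
    Scenario("PLC reachable from IT network", "IT", True, "strong", "high", "lengthy_outage"),
    Scenario("Contractor laptop on OT segment", "ICS-OT", True, "weak", "medium", "repairable_damage"),
    Scenario("Safety system with no known weakness", "ICS-OT", False, "strong", "high", "harm_to_lives"),
    Scenario("Engineering workstation via IT phishing", "IT", True, "strong", "low", "harm_to_lives"),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{risk_score(s):>3}  {s.name:<42} -> {mitigation_hint(s)}")
```

The ranking places the IT-originated scenario with a strong, confident attacker first even though its impact tier is lower than the phishing scenario, which is the point of scoring likelihood and impact together rather than impact alone; `after_remediation` shows that closing the vulnerability drives a scenario's score to zero, since the text treats the unresolved vulnerability as a necessary factor.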
When analyzing the possible factors that might lead to a cyber security incident, the process might point to a) poor physical/perimeter or endpoint security, b) an incorrectly designed application program, and c) lack of attention to critical factors described by the PPT (People, Processes, Technologies) Triad. Organizations must pay attention to the physical processes conducted at the plant, which must follow “Security by Design” principles.
The PPT Triad focuses on the training of employees and subcontractors working in the facility, the existence of correctly defined procedures, and a consistent process aimed at retrofitting legacy-type hardware and software. It is worth emphasizing that organizations that do not conduct at least one annual assessment might be exposed to cyber-attacks for the reasons described above.
It is important to note that investment in educating employees about cyber security risks and defenses has the highest Return on Investment (RoI) among all PPT actions.
ICS-OT cyber security experts know well that to select the most suitable, effective, and cost-effective cyber defense, their team must understand the plant’s physical process, the control architecture, and the operation of the ICS-OT system. Once these learning processes are completed and confirmed, the local teams can start to analyze the sources of malfunctions, the sources of cyber-attacks, the people or organizations who might initiate an attack, etc. Experts must accurately evaluate the possible attack vectors (using the practical tools mentioned above) and assess the possibility of a direct attack on the ICS-OT zone versus an attack that starts by compromising the IT-related architecture.
Consequently, it is essential to stress that strong perimeter/physical defense is a mandatory precondition for cyber security, and that robust cyber security and network segregation are mandatory preconditions for operating safety. Finally, IT and ICS-OT experts must collaborate on selecting and deploying a correctly designed cyber defense.
The role of the management at industrial and utility-related facilities is to allocate the needed resources to be at least one step ahead of hostile attackers.