Security for industrial control systems (ICS), is the protection of industrial control systems. These systems are computer-based systems that control and monitor industrial processes. These systems can be used in many sectors such as energy, water, wastewater, and manufacturing.
ICS security differs from IT security in that it focuses more on the control systems and processes than the data and systems that manage them. This covers physical threats such as tampering or altering control equipment as well as cyber threats such as malware and unauthorized access to control systems.
The level of criticality is one of the key differences between ICS and IT security. Most industrial control systems are used to monitor and control critical infrastructure and processes. These include power plants, water treatment facilities and transportation systems. An ICS failure or breach can have far more serious consequences than an IT system. A breach in the ICS of a power plant could cause a power outage. In contrast, a failure in an IT system may result in confidential data being lost.
Another difference is the fact that ICS systems can be older and have proprietary protocols. This makes them harder to secure. These systems may not offer the same security features as modern IT systems and may not be capable of being updated with current security measures. Furthermore, ICS systems can be connected to the internet which increases the possibility of cyber attacks.
For many reasons, implementing ICS security can prove difficult. These systems are complex. There are many components that make up industrial control systems, such as actuators, controllers and sensors. All of these components need to be protected. ICS systems can be used for many decades and have a long lifecycle. These systems may not have been designed with the latest security measures in mind and may prove difficult to retrofit with more modern security technology.
The cost of implementing ICS security is another challenge. These systems are critical to an organization’s operation, so any disruption or downtime can be expensive. Organizations may hesitate to invest in security measures that could impact the availability and performance of these systems.
Implementing ICS security can be a challenge because of the human element. Human operators are often responsible for operating and maintaining industrial control systems. They may not be as knowledgeable about security as IT professionals. Unintentional security breaches can result, such as clicking on malicious links or not following security protocols.
Top 10 ICS Vulnerabilities
- Unsecured network connections: Industrial Control Systems (ICS) rely on network connections for communication with devices, remote monitoring and control, as well as to transmit data. An attacker could gain unauthorised access to the system, and possibly compromise it’s operation, if these connections aren’t properly secured.
- Software and firmware that is out of date: Many industrial control systems use special software and firmware to manage and operate their devices. These components may have vulnerabilities that could be exploited by attackers if they aren’t regularly updated.
- Poor passwords: Many industrial control systems rely on passwords for accessing devices and systems. An attacker can gain unauthorised access to the system if weak passwords or easily guessable are used.
- Lack of access controls: Some industrial control systems don’t have the right controls to limit access to authorized personnel. An attacker could gain unauthorised access to the system.
- Insufficient security monitoring: Some industrial control systems don’t have sufficient monitoring to alert and detect potential security incidents. This could allow an attacker to go unnoticed within the system.
- Inadequate separation between networks: Industrial control systems might not be able to properly seperate networks between control and corporate networks. An attacker could be able to move laterally in the system to gain access to sensitive information and control systems.
- Remote access that is not secured: Some industrial control systems allow remote access to support and maintenance purposes. An attacker could gain unauthorised access to the system if this remote access is not secured.
- Inadequacy in physical security: Some industrial control systems do not have adequate physical security measures to prevent unauthorized access.
- Unsecured communications. Industrial control systems could rely on unencrypted communication channels such as wireless communications to transmit data. An attacker could potentially intercept and manipulate the data.
- Insufficient incident response planning: It is possible that industrial control systems do not have enough incident response plans to respond effectively to security incidents. This could allow an attacker to continue operating in the system, potentially causing significant damage.
- Unsecured network connections
- Software and firmware that is out of date: This vulnerability can be addressed by regularly updating software and firmware to the most recent version. It may also be beneficial to have a process in place for testing new updates before they are deployed to ensure that they don’t negatively impact the system.
- Poor password security: It is crucial to create strong password policies that make it difficult to guess complex passwords. This could include passwords of at least 8 characters and a combination of numbers and letters. It is also possible to establish password expiration policies or to require frequent password change.
- Access controls are not in place: This vulnerability can be addressed by implementing access controls that limit access to authorized personnel. This could include user accounts, permissions, and physical security measures like access cards or biometric authentication.
- Insufficient security monitoring: This vulnerability can be addressed by implementing robust security monitoring systems that can detect and alert on security incidents. This could include intrusion detection and prevention systems as well log analysis tools and network traffic monitoring tools.
- Network separation is a vulnerability. To fix this, network segmentation must be implemented to ensure that different networks are separated. This could include firewalls, virtual LANs or virtual private networks (VPNs).
- Remote access that is not secured: It is crucial to implement remote access protocols and authentication methods such as VPN or SSH. To further protect remote access, it may be beneficial to use multi-factor authentication and access controls based upon IP address.
- Inadequate security: This vulnerability can be addressed by implementing physical security measures like locked doors, access codes, and surveillance cameras. These will protect against unauthorised access to devices and systems.
- Unsecured communications To limit the impact of intercepted data, it may be beneficial to use network segmentation and firewalls.
- Insufficient incident response planning: This vulnerability can be addressed by regularly testing and developing incident response plans. These plans outline the steps that should be taken in case of an emergency. These plans could include emergency response procedures, identification of key personnel, their roles, and establishment of communication protocols. To ensure they can respond to any potential incidents, it is important to train staff on these plans.
Security of ICS infrastructure is vital for protecting critical infrastructure from cyber and physical threats. Although it is difficult to implement, the potential consequences of a breach to an ICS system could be devastating, so it is important that organizations invest in strong security measures.
Using Shodan to Find ICS/SCADA Systems
Shodan is a search engine which allows users to search specific types of internet connected devices such as servers, routers and industrial control system (ICS) and get information about them. It is used often by security professionals to identify and fix vulnerabilities in internet-connected systems. Researchers and other researchers also use it to analyze and find internet-connected devices.
You can narrow your search by using keywords and filters to find SCADA (supervisory controller and data acquisition) and ICS systems using Shodan. These keywords may prove useful in finding SCADA or ICS systems:
- “PLC” is a programable logic controller.
- “RTU” is a remote terminal unit
- “HMI” (human-machine interface)
Filters can be used to further narrow down your search. You can filter your search by using the “product” filter. This will allow you to narrow down specific types of SCADA and ICS software or hardware such as “Siemens S7”, or “Rockwell Automation.” To search for SCADA or ICS systems in a particular location, you can also use “country” filter.
Shodan can be used for accessing internet-connected devices that have not been properly secured. In some cases, it may even be illegal to access such devices without permission. Shodan should be used responsibly to only allow access to devices that have the proper permissions.