Industrial control system (ICS) is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Depending on the industry, each ICS functions differently and are built to electronically manage tasks efficiently. Today the devices and protocols used in an ICS are used in nearly every industrial sector and critical infrastructure such as the manufacturing, transportation, energy, and water treatment industries.
ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.)
There are several types of ICSs, the most common of which are Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). Local operations are often controlled by so-called Field Devices that receive supervisory commands from remote stations.
SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control.
These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation’s critical infrastructures are privately owned and operated, says NIST. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling.)
Presently there is a very high rate of vulnerability and cyber-attacks globally on ICS, some of these threats and attacking agents include terrorist network groups, dissatisfied employees, hostile
governments and other malicious intruders. Cyberattacks consequences are very devastating with effects ranging from disruption or damage to critical infrastructural operations to significant effect on public health, safety, and destruction of lives and properties.
Types of Industrial Control Systems
Supervisory Control and Data Acquisition (SCADA)
SCADA is not a system that can provide full control. Instead its capabilities are focused on providing control at the supervisory level. SCADA systems are composed of devices (generally Programmable Logic Controllers (PLC) or other commercial hardware modules) that are distributed in various locations. SCADA systems can acquire and transmit data, and are integrated with a Human Machine Interface (HMI) that provides centralized monitoring and control for numerous process inputs and outputs.
The primary purpose of using SCADA is for long distance monitoring and control of field sites through a centralized control system. In lieu of workers having to travel long distances to perform tasks or gather data, a SCADA system is able to automate this task. Field devices control local operations such as opening or closing of valves and breakers, collecting data from the sensor systems, and monitoring the local environment for alarm conditions.
SCADA systems are commonly used in industries involving pipeline monitoring and control, water treatment centers and distribution, and electrical power transmission and distribution.
Distributed Control System (DCS)
This is a system that is used to control production systems that are found in one location. In a DCS, a setpoint is sent to the controller that is capable of instructing valves, or even an actuator, to operate in such a way that the desired setpoint is maintained. Data from the field can either be stored for future reference, used for simple process control, or even used for advanced control strategies with data from another part of the plant.
Each DCS uses a centralized supervisory control loop to manage multiple local controllers or devices that are part of the overall production process. This gives industries the ability to quickly access production and operation data. And by using multiple devices within the production process, a DCS is able to reduce the impact of a single fault on the overall system.
A DCS is also commonly used in industries such as manufacturing, electric power generation, chemical manufacturing, oil refineries, and water and wastewater treatment.
Initially, ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas and the components were not connected to IT networks. or systems. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents.
As ICS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems.
The increasing use of wireless networking places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.
Possible incidents an ICS may face include the following (NIST):
Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
Interference with the operation of safety systems, which could endanger human life.
Major security objectives for an ICS implementation should include the following (NIST):
Restricting logical access to the ICS network and network activity. This may include using
unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Restricting physical access to the ICS network and devices. Unauthorized physical access to
components could cause serious disruption of the ICS’s functionality. A combination of physical
access controls should be used, such as locks, card readers, and/or guards.
Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services and assuring that they remain disabled; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
Restricting unauthorized modification of data. This includes data that is in transit (at least across the network boundaries) and at rest.
Detecting security events and incidents. Detecting security events, which have not yet escalated
into incidents, can help defenders break the attack chain before attackers attain their objectives. This includes the capability to detect failed ICS components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of the ICS.
Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event. The ICS should also allow for graceful degradation such as moving from “normal operation” with full automation to “emergency operation” with operators more involved and less automation to “manual operation” with no automation.
Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly the system can be
recovered after an incident has occurred.
Generally, current ICS security technologies can be classified as Active Security Defense Technology (ASDT) or Passive Security Testing Technology (PSTT)
Active Security Defence Technology
Four techniques are defined under this class of security technologies: They include:
Model-checking: This focuses on applying information technology (IT) to ICS security. Considering a recent incident of ICS attack, Stuxnet, a sophisticated cyber software worm that targets SCADA in critical infrastructure companies was found to have been uploaded on the Programmable Logic Controllers (PLC) that control industrial automation processes.
Additionally, the internet worm allowed attackers to gain total control of critical operation of a process plant from remote locations. In order to effectively handle ICS security flaws, a security mechanism, known as simple non-programmable hardware chips or STCB, to secure ICS/SCADA systems was developed.
Security testing platform: Recent discovery on proliferation of cyber-attacks on ICS show that large number of security vulnerabilities exist in ICS. However, the ever-increasing rate of attacks on ICS results in the event of a security test-bed that became very crucial to evaluate the protection of ICS tools and products. One among such test-bed design security model is for
evaluating the security of industrial applications by providing completely different metrics for static testing, dynamic testing and network testing in industrial settings. Comparing the model with alternative detection platform, this platform covers all components of the ICS development and provides metrics for evaluations
Security testing platform:
Recent discovery on proliferation of cyber-attacks on ICS show that large number of security vulnerabilities exist in ICS. However, the ever-increasing rate of attacks on ICS results in the
event of a security test-bed that became very crucial to evaluate the protection of ICS tools and products. One among such test-bed design security model is for evaluating the security of industrial applications by providing completely different metrics for static testing, dynamic testing and network testing in industrial settings.
Authentication and Access Control: This technology establishes access management for ICS by checking to ascertain if user’s credentials are on identical page with the credentials readily available on database of licensed users or in a data authentication server. A form of distributed firewall that adds a protecting layer among internal subnet compared with traditional boundary
firewall was used. Its function is to make different configuration for each service object, it fully considered the running applications and network processing load when configured. Firewall rule configuration mechanism, which makes dynamic judgments of behaviour between control network and information network, was demonstrated. The spread of malicious code to other
production equipment can be prevented by limiting intersubnet communication strictly.
Security risk assessment: This introduces the concept of Security Assurance Level (SAL), which tries to measure the security of an ICS with the norm methods. It can be used by users of the ICS
Passive Security Testing Technology
Two main techniques are identified under this class of security technology: Intrusion Detection Technology and Incident Response & Fault Diagnosis Process
Intrusion Detection Technology: Intrusion detection is a passive security defence strategy that observes and analyses the events taking place in an information system with the aim of discovering signs of security issues. For ICS systems, intrusion detection is network behaviour
through the gathering and analysis of system information. This security technology detects whether there is invasion against digital ICS systems by constantly comparing with known intrusion model or making decision and analysis for the unknown intrusion model.
Incident Response and fault diagnosis Process: A comprehensive incident response is a significant tool in ICS cyber security, taking cognizance of the various threat attacks facing enterprises. ICS threats are counted to be among the foremost critical aspect of a nation infrastructure. Mis-configuration, human error, failure, and attackers target ICS to lose availability and integrity. Improvement level of industrial control system emergency response and fault diagnosis ability helps further protection of the safety of industrial control system.
Industrial control systems (ICS) often fail to receive software patches in a timely manner. ICS owners and operators fail to apply patches for many reasons, including the risk or cost of disruption of operational processes and the failure of vendors to provide patches for specific equipment. Regardless of the reasons, the failure to apply patches leaves ICS devices and
systems vulnerable for much of the time they operate. Left unaddressed, the vulnerabilities can threaten production or safety. The potential impacts of not patching include physical destruction of equipment or facilities, economic losses, and personal safety incidents.
Patch management technology and processes can reduce ICS vulnerabilities. Patch management processes include analyzing patches for criticality, time sensitivity, and testing requirements, which can improve patch deployment decisions and timelines. Additionally, automation of patch deployment could assist in expediting the patching process. Automation can include unit and system testing, as well as patch deployment.
Non-IP Based SCADA/ICS Protocol Monitoring
Non-IP based Supervisory Control and Data Acquisition (SCADA)/Industrial Control System (ICS) communications encompass the serial communications between ICS devices, e.g., programmable logic controllers (PLCs) and remote terminal units (RTUs), and the system controller/server containing the human machine interface or graphical user interface.
Although ICS operators across multiple sectors rely on the same protocols, their processes are often unique to their environment. Thus, the exploitation of a given operational technology vulnerability may have different impacts depending on the environment. Further efforts should consider how to conduct proof-of-concept vulnerability exploitation tests, identify similarities across sectors, and seek ways to translate vulnerability information into actionable threat intelligence that ICS monitoring solutions can consume in an automated fashion. CISA should adopt this technology, consider how to adapt it to specific critical infrastructure (CI) sectors to illustrate its value to the ICS operators of the nation, and encourage adoption by CI.
These communications protocols were designed for the exchange of control messages and sensor data, incorporating simplicity, efficiency, and scalability, with minimal security features, such as mutual authentication and encryption. The primary ICS management and control protocols are Modbus and Distributed Network and Protocol 3 (DNP3). Several capabilities can be combined to address this capability demand, including network monitoring, ICS protocol intrusion detection system (IDS), ICS protocol intrusion prevention system (IPS), and process monitoring systems. Serial interface/network monitoring devices allow for ICS protocols communicated via serial interfaces to be monitored and enables detection of anomalous activity at the serial interface of an RTU or PLC. ICS protocol IDS is a capability that can alert on the detection of anomalous packets. ICS protocol IPS is a capability that can block and alert on the detection of anomalous packets. ICS process monitoring is a capability that monitors the ICS process data collection and control activity to “learn” the “typical” combination of sensor data and commands used to control one or more processes. Process monitoring can be implemented independent of other security capabilities.
Until recently there were no products available that provided adequate monitoring of these protocols. However, new technology is being commercialized into products that address this capability demand.
Depth Defence Strategy
Overall, complete digital ICS security cannot be achieved solely on a single security technology solution. Therefore, it became imperative to integrate a range of security technologies hierarchically to boost the defence capability of industrial systems. The United States Department of Home Security proposed a “defense in depth” strategy; the model is segmented into five (5) layers. The first layer is the use of commercial firewalls; deployment and use of firewall, intrusion detection, vulnerability scanning and other proactive security measures can be helpful in militating against possible ICS attacks acting as an integral protection. Man-in-the-Middle attacks
can be averted by securing field device by deploying and safe guarding the environment using field level firewalls designed for PLCs, IEDs, and SCADA RTUs.
Second layer is the joint security approach to defend a variety of security threats. This is done by insulating the office network from external network using commercial firewalls while attention is placed on security gateway which mainly insulates work area to control area. The third layer is the protection and security of industrial PCs from prevailing threat attacks and vulnerabilities. Fourth
layer is the monitoring of field devices while security log management and data backup is taken care of by the fifth layer.