Busting industrial control system security myths

Published: Monday, 26 October 2015 14:27

Kirill Slavin lists five common myths that are often heard when talking with businesses about industrial control systems. He shows why each of these myths needs a re-think…

Despite growing awareness of cyber-based attacks on industrial control systems, many IT security models continue to adhere to the outdated belief that physically isolating systems and ‘security by obscurity’ are enough. They’re not.

Below are five common myths that are often heard when talking with businesses about industrial control systems (ICS), followed by busts that demonstrate why the traditional air-gap and perimeter-based approaches to cyber security are no longer enough to protect industrial systems. 

Myth # 1: Our industrial automation systems are not connected to the Internet, so they’re secure
Bust: The average ICS has 11 direct connections to the Internet (1). If you think yours is an exception, it might be worth taking another look.

An internal survey (2) at a major, representative energy company found that the majority of business units’ management believed control systems were not connected to the business network, whereas an audit showed that 89 percent of systems were in fact connected.

What’s more, business network security was geared towards general business processes only, with no regard to critical process systems. Multiple connection types between the enterprise network and the Internet were in place, including intranets, direct Internet connection, wireless and dial-up modems.

This kind of patchy security can leave you wide open. Take the ‘Slammer’ worm, for example. It affected critical infrastructure as diverse as emergency services, air traffic control and ATMs, and achieved its full scanning rate (55 million per second) in under three minutes, thanks to the Internet. Ironically, the only thing that slowed it down was a lack of bandwidth on the networks it infiltrated, including:

Myth # 2: We’ve got a firewall, so we’re safe from outside threats
Bust: Firewalls offer a degree of protection, but they’re certainly not impenetrable. A study (4) of 37 firewalls from financial, energy, telecommunications, media and auto companies found that:

Myth # 3: Hackers don’t understand SCADA / DCS / PLC
Bust: These days, SCADA and process control systems are common topics at hackers’ ‘Blackhat’ conferences. There’s a good reason for it: cybercrime has become very lucrative financially, with zero-day exploits selling to organized crime for as much as $80k per exploit. If you don’t think hackers have the interest or capabilities to target industrial control systems, here are a few reasons why you might want to revisit that thinking:

Myth # 4: Our facility is not a target
Bust: This is dangerous thinking. Even if we get past the fact that there is no way you actually could know this, there’s a host of reasons why it’s irrelevant.

Firstly, your organization does not have to be the target of an attack to become a victim: 80 percent of control system security incidents were unintentional, but harmful (5). Slammer, for instance, was aimed at taking down as many systems globally as possible. It didn’t specifically target energy companies or emergency services, but it had a significant impact on many of them.

Secondly, many systems are already exposed and vulnerable to attacks, thanks to the insecure operating systems they are based on. Extensive research by Kaspersky Lab, using data from the Kaspersky Security Network (KSN), indicates that a growing number of computers running SCADA software encounter the same malware afflicting business systems (IT), including (but not limited to) well-known culprits such as Trojans, viruses, worms, potentially unwanted and dangerous programs (PUPs) and other exploits targeting vulnerabilities in the Windows operating system (6).

Figure one: Kaspersky research shows that many industrial PCs are infected with the same malware afflicting business systems (IT).

Myth # 5: Our safety system will protect us from harm
Bust: This is where we get a little technical, but it’s important to understand that most currently available safety systems are technically flawed. This is precisely the reason Kaspersky Lab is currently working on a secure operating system that has been built from the very beginning with security in mind (rather than as an afterthought). Some of the main issues with the current systems are that:

What can be done?
To successfully defend against attacks in the process-centric, high availability industrial control environment, security systems need to meet specific requirements.

While air-gaps and perimeter-based approaches are important first lines of defence, protection must also take place inside the perimeter, on the very vulnerable systems and devices that are being targeted.

As cyber-criminal activity, including targeted attacks and advanced persistent threats (APTs), continues to grow in frequency and sophistication, security systems should be continually reviewed and reappraised. And any beliefs about ICS that you might once have clung to should be subject to the same treatment…

The author

Kirill Slavin is managing director at Kaspersky Lab.