Managing Cyber Risks in an Industrial Control Environment
Most people think of industrial control systems (ICS) as systems that operate electrical grids and water utilities.
While that’s true, ICS are in many other businesses too, such as manufacturing companies, factories and plants, oil and gas refineries, pipeline companies, waste treatment facilities, transportation and logistics companies, hospitals, nuclear power plants, and more. Even if a company doesn’t have an ICS, its building may have an ICS that controls the HVAC, lighting and fire detection systems.
Technically, an ICS is a blend of hardware and software that leverages network connectivity to support devices, systems, controls and processes. Various names are used for these systems. They can be referred to as SCADA (supervisory control and data acquisition) systems, distributed control systems (DCS) or a hybrid of both. Components of these systems include programmable logic controllers (PLCs), human-machine interfaces (HMIs), remote terminal units (RTUs) and control servers.
The United States is currently the predominant user of ICS, but Market Research Future predicts the global market will grow substantially by 2023. MarketWatch predicts that automation technologies, which companies are increasingly deploying to reduce human interactions, errors and operational costs, will be a driver of growth in ICS.
In the cyber context, this means high risk. Today, these systems often include internet of things (IoT) devices that enhance network capabilities. But IoT devices have their own cyber-security issues and just add to the risk. IoT devices enable smart grids, yet they are small and are often developed without security in mind. For example, many of these devices are not patchable and are not large enough to accommodate authentication or encryption.
There have been several high-profile attacks on ICS. The most notable was the 2010 alleged U.S.-Israel cyber attack (called Stuxnet) on Iran’s nuclear program that disrupted programmable logic controllers and caused the destruction of nuclear centrifuges. Today, attacks on ICS are commonplace. In June 2018, the FBI issued a private-industry warning about attacks on ICS. A 2018 report by Waterfall Security listed insiders, ransomware and phishing among the top forms of ICS cyber attacks.
Kaspersky, a global anti-malware company, reported that its products had prevented attacks on 41% of its industrial control customers. The company reported that a quarter of these threats came through the internet, with attackers searching for unsecured ports and system access, while other attacks came through removable media and email. Similarly, in 2018, Symantec saw IoT attacks increase by 600% and ICS attacks increase by 29%.
These are not easy problems to fix. ICS are vulnerable for many reasons. Many of the components on these networks are old and run on out-of-support operating systems, and many of the cyber-security programs for these systems are not in alignment with standards and best practices.
Cyber-security standards for ICS are both settled and fluid. Numerous organizations have developed ICS standards. Some are mandatory, some are being revised, and new ones are still being developed.
So… it is a complex mess. How does one begin to manage cyber risks in such an environment? A good starting point is a full cyber-security risk assessment of the IT environment, both corporate and ICS (ICS often ride on corporate networks). Credentialed vulnerability scans are a good second step. Among other things, vulnerability scans will flag unpatched systems or applications, indicate whether non-essential network services are running on the network or unnecessary machines are present in the environment, and indicate whether the environment allows unauthorized inbound or outbound traffic to or from the internet.
Cyber risk assessments and vulnerability scans will enable a good advisory team to identify potential cyber risks and determine their impact on the organization. This will help risk managers and insurance executives define a cyber risk strategy and sort out the types of insurance coverage and limits needed.
Any organization with industrial control systems should perform these activities annually to ensure it stays abreast of the threat environment and keeps its cyber risk strategy current. No company is ever fully in control of its IT environment, especially one with ICS. Beyond insurance, cyber risk assessments and vulnerability scans will also help IT and security teams close vulnerabilities and improve their company’s cyber-security posture.