Take stock of your assets and regularly assess vulnerabilities.
July 12, 2017
by Hamid Karimi
Networks that were designed to simply push supervisory commands to remote devices have exacerbated the challenge. There has been little room for devices to communicate their states, allow updates without downtime and to benefit from metadata-driven intelligence, but these are elements that are key to security.
Here are some points to consider as you evaluate the risks posed by your industrial control system:
• PLCs provide a particularly weak spot because they are monitored by SCADA systems that are another single point of failure in the overall ICS implementation. Case in point, the Stuxnet was a high-profile SCADA attack that targeted PLCs in Iran’s nuclear program. An unintended consequence was its reach beyond the designated target when Stuxnet’s footprints were subsequently discovered around the world. The reason was obvious; Iran is part of the internet community. Although SCADA systems don’t require access to the web, they often share networks with internet-connected hosts, leading to inadvertent security failures if human error occurs.
• Automation is improbable without IoT and IoT can’t function without sensors. Sensors in legacy networks have used proprietary (closed) protocols to communicate their state and receive supervisory commands. Modern sensors are using the TCP/IP language, which has known vulnerabilities that can be exploited to invade industrial control systems and in some cases, inject malicious code with command and control tools. Such developments have created an attack surface that’s elastic and growing.
• NIST 800-82 (Guide to Industrial Control Systems) has gone through revisions and offers fundamental guidelines to harden and protect the ICS. One of its most important advisories is regular and thorough inventory control and vulnerability assessment to measure exposure to risk.
• One can reasonably expect the cloud to eventually scale and meet the demands of an ICS with embedded sensors. In the meantime, hybrid approaches continue to proliferate. Regardless of which methodology wins the battle in the short run, modern DevOps requires collaboration between IT security teams and ICS developers to gain an early understanding of potential and inherent vulnerabilities before products are introduced to market.
The most prudent and cost-effective way to meet the ICS challenge is to start with an effective asset discovery and vulnerability assessment. The return on investment will be much greater than trying to stop the threats in real-time.
Hamid Karimi is the vice-president of business development at Beyond Security, a provider for automated security testing solutions based in Cupertino, Calif.