To define the cybersecurity risk to industrial control systems (ICS) we need an understanding of the equipment to be protected. While there are similarities between the computing technologies that support IT and ICS, the operational requirements of ICS demand careful consideration when implementing cybersecurity measures.
Managing cybersecurity risk is fundamental to protecting assets. Whether securing assets in the IT or the ICS domain, finding the right approach to applying cost-effective risk mitigation solutions is vital. In order to do this properly, asset owners should understand how to define risk in the context of their own information infrastructure. Unlike IT domains where the practice of deploying broad security countermeasures is commonplace, ICS assets are best protected when the mitigation strategies include careful consideration of the system’s operational uniqueness and availability requirements.
It is also important to understand how a system can be attacked and the potential consequences.
Risk Equation definition
Risk = Threat x Vulnerability x Consequence
Let’s take this definition a step further.
Risk can be quantified using the risk equation. The equation consists of three components:
Threat – a source (an actor or event) with the potential to cause harm to the system.
Vulnerability – an exploitable weakness in the system.
Consequence – the harm or loss that results if a threat exploits a vulnerability.
We need to define one more term:
Probability – the likelihood of an event occurring.
Probability is based on the threat to the system multiplied by the vulnerability of the system. The greater the threat, the more likely the system could be attacked. And the more vulnerable the system, the greater the probability the system could be compromised.
In the context of cybersecurity, a hacker is an example of a threat; an exploitable weakness in a financial system’s computer is an example of a vulnerability; and the theft of credit card data is an example of a consequence. Substituting these into the equation:
Risk = Hacker x Financial system’s computer x Credit card data
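The following is an added worked example, not part of the course text, showing how the risk equation can be applied to a small set of ICS attack scenarios and to mitigation choices. The 0..1 likelihood scales for threat and vulnerability, the 1..10 consequence scale, and all scenario and mitigation values are constructed assumptions for illustration, not measurements from any real system.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One attack scenario scored with the course's risk equation.

    threat and vulnerability are likelihoods on a 0..1 scale; consequence is
    impact on a 1..10 scale. These scales are an assumption of this example.
    """
    name: str
    threat: float
    vulnerability: float
    consequence: float

    def __post_init__(self):
        if not (0.0 <= self.threat <= 1.0 and 0.0 <= self.vulnerability <= 1.0):
            raise ValueError(f"{self.name}: threat and vulnerability must be in [0, 1]")
        if not 1.0 <= self.consequence <= 10.0:
            raise ValueError(f"{self.name}: consequence must be in [1, 10]")

    def probability(self) -> float:
        # Probability = Threat x Vulnerability
        return self.threat * self.vulnerability

    def risk(self) -> float:
        # Risk = Threat x Vulnerability x Consequence
        return self.probability() * self.consequence


@dataclass(frozen=True)
class Mitigation:
    name: str
    vulnerability_factor: float  # residual vulnerability as a fraction of the original
    cost: float                  # relative cost, including testing and any outage window


# Constructed scenarios for illustration only; the numbers are assumptions.
SCENARIOS = [
    Scenario("Internet-reachable HMI with no remote-access authentication", 0.8, 0.9, 9),
    Scenario("Spearphished engineering workstation yields operator credentials", 0.7, 0.5, 8),
    Scenario("SQL injection into historian from the corporate network", 0.6, 0.8, 3),
    Scenario("Air-gapped legacy PLC with a known flaw, physical access required", 0.1, 1.0, 10),
]

# Constructed mitigation options for the first scenario (assumed values).
MITIGATIONS_FOR_HMI = [
    Mitigation("Put the HMI behind a VPN with MFA", vulnerability_factor=0.2, cost=3.0),
    Mitigation("Apply vendor patch (requires tested outage window)", vulnerability_factor=0.5, cost=5.0),
]


def rank(scenarios):
    """Return (name, risk) pairs, highest risk first."""
    return sorted(((s.name, s.risk()) for s in scenarios), key=lambda p: p[1], reverse=True)


def residual_risk(scenario, mitigation):
    """Risk after a mitigation that scales down vulnerability; threat and consequence are unchanged."""
    mitigated = replace(scenario, vulnerability=scenario.vulnerability * mitigation.vulnerability_factor)
    return mitigated.risk()


def recommend(scenario, mitigations):
    """Pick the mitigation with the largest risk reduction per unit cost."""
    def value(m):
        return (scenario.risk() - residual_risk(scenario, m)) / m.cost
    return max(mitigations, key=value)


if __name__ == "__main__":
    for name, risk in rank(SCENARIOS):
        print(f"{risk:5.2f}  {name}")
    best = recommend(SCENARIOS[0], MITIGATIONS_FOR_HMI)
    print("Best value for the HMI scenario:", best.name)
```

Note that the PLC scenario has the highest vulnerability (1.0) and the highest consequence (10) yet ranks last, because an air gap and physical-access requirement drive the threat term down: a vulnerable component is not automatically the highest risk. The mitigation comparison shows the same equation used to choose between a compensating control and a patch that needs an outage, the trade-off the course describes for high-availability systems.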
Not all threats are intentional. Factors such as weather, material fatigue, or human error all contribute to risk and result in consequences that could be more severe than those caused by intentional threats. In this course, we will focus on intentional threats. This will give you a foundational understanding for creating unique cyber-risk reduction strategies for ICS, and for designing accurate and appropriate countermeasures for these unique environments.
In ideal situations, asset owners will have a program in place that makes sure they have timely information about vulnerabilities related to their ICS. Unfortunately, the availability of information specific to control systems vulnerabilities can be hard to acquire, and even harder to verify. But this is changing thanks to cooperative programs between government, ICS vendors, and the research community.
Even with accurate vulnerability information, verifying the applicability of the vulnerability to an ICS can be difficult. Mitigating these vulnerabilities can be even more complex because:
1. Extensive testing needs to be performed prior to the application of a mitigation (such as applying a patch) to ensure it does not affect critical system functions; and
2. If a patch or update is considered viable, strategic planning and downtime are required in order to implement it. In high-availability control system environments, finding downtime can be challenging. Even after prior testing, the system must be monitored to ensure the mitigation is working as intended.
Lessons Learned: Ukraine’s power grid
In 2015 and 2016, Russian cyberattacks on Ukraine’s power grid caused two widespread blackouts. However, triggering large-scale blackouts hasn’t been the only goal of Russian threat actors. In 2018, FireEye’s cybersecurity researchers announced that Russian hackers were probing the U.S. power grid. It is suspected that the state-sponsored threat actor FireEye tracks as TEMP.Isotope is targeting the U.S. power grid as part of an ongoing intelligence-gathering campaign.
The intention of these subtle intrusions could be to steal trade secrets, to bank knowledge of vulnerabilities for future exploitation, and to patiently wear down U.S. defenses. Among other tactics, Isotope uses spearphishing and compromised (watering-hole) websites to gain access to systems. This discovery is a sobering reminder that an organization’s security is only as strong as its weakest link, people, and that it is critical to offer proper training to help prevent compromise.
To read the entire report, use this URL
Historically, asset owners protected their ICS by physically isolating their system from other networks and using physical security measures to protect it from unauthorized access. The cyber risk, as a function of threat, vulnerability and consequence, was measurable and limited because:
- The threat would most likely come from an insider: an authorized user performing unauthorized or undesirable actions on the control system. Originally, most risk was associated with such insider threats.
- Even though vulnerabilities existed in the ICS, the risk associated with those vulnerabilities was perceived as acceptable because of physical controls (e.g., locks) implemented to prevent unauthorized individuals from gaining access to the control room.
For known vulnerabilities, an evaluation process was used to determine whether the vulnerabilities needed to be fixed. This process assessed whether an insider could become an adversary, as well as whether fixing the vulnerability had a negative effect on production.
Cyber Risk to ICS
Over the years, the cyber risk to ICS has changed dramatically. We still have risk associated with insider threats, but business demands have evolved and now require that many of these formerly isolated systems be connected to the Internet and to corporate, peer, and customer networks. Although this new interconnectivity has improved productivity and optimized business, the control systems are now exposed to previously unseen threats, such as hackers, viruses, and other malware.
A major concern associated with exposing ICS to cyber threats is that the control systems themselves, originally designed to be protected by physical countermeasures, often do not have an inherent cybersecurity capability to thwart attackers. This is especially true in older systems. Moreover, many of the protocols and communication standards were designed without any security at all. This makes it challenging to protect these systems, as significant changes intending to reduce cyber risk can create situations where the ICS no longer functions as designed.
Fortunately, this perspective is changing. Asset owners and operators are beginning to understand that interconnected networks can create opportunities for an adversary to gain access to the control system; and, if the system is compromised, acquire the same system rights and privileges as an operator. This could create a situation where the external attacker is in the same position as a hostile insider, and that is worrisome for asset owners.
Furthermore, many ICS engineers had not perceived that there were credible cybersecurity threats that justified the added expense of securing their control systems. This was especially true when these systems were isolated (air-gapped) and running on proprietary hardware. As ICS engineers gain a better understanding of the vulnerabilities created by interconnected ICS, there is an increased awareness of the cybersecurity threats to their systems.
The general level of interest in control system cyber attacks continues to grow at a rapid pace. The concept of a cyber attack on an ICS resulting in a real-world kinetic impact makes ICS attractive targets. The growing community of interest in control system cybersecurity involves professional and independent researchers, vendors, security consultants, asset owners, and educational institutions. Excellent work continues to be done. New vulnerabilities related to specific products, protocols, or other control system components surface regularly.
Adversaries around the world have quickly begun to understand that there are significant opportunities in targeting critical ICS. The level of effort necessary for an adversary to create successful attack strategies can be remarkably low. Using cyber as an attack platform is growing in popularity because of the speed with which the attacker can operate, and the inherent anonymity they can achieve compared to a physical attack.
Terrorists and nation-states are starting to view ICS as primary targets for an attack on critical infrastructures with the intent to cause damage as severe, if not more so, than launching a physical attack. We continue to see an increase in targeted attacks against critical infrastructure entities. Historical case studies provide insight into just how damaging a cyber attack on a control system can be.
Integrated IT/ICS Networks
The justification supporting IT/ICS interconnectivity is sound from a business perspective, as optimizing manual, disparate processes has the potential to result in more revenue. The downside is that it increases the exposure of ICS to new threats and vulnerabilities, which in turn increases risk. Every new domain that is connected to the control system network exposes the network to the threats and vulnerabilities associated with the newly added domain.
In order to counter these threats, we need to understand how the adversary thinks, and determine whether they are targeting specific systems or a broad set of systems within a larger corporate enclave. Understanding the intentions of the attacker is important, as it can provide intelligence as to how an ICS could be compromised and why. This is why incident information is shared after the fact—to ensure the larger community can learn from what attackers are doing now.
Availability, Integrity, and Confidentiality
This new landscape of attack vectors being created by the interconnectivity of IT and control system networks requires appropriate cybersecurity countermeasures for effective risk mitigation. Countermeasures and mitigation strategies should be proportional to the possible consequences posed by the exploitation of the vulnerability.
Many commercial solutions that aim to mitigate common cybersecurity vulnerabilities in IT systems do not have the flexibility, nor can they be customized, to accommodate the uniqueness of control system architectures.
Many of you are familiar with the CIA triad used in IT environments, which ranks confidentiality, integrity, and availability in that order of importance. You may have heard that the model is turned around for ICS environments, where the priority becomes availability, integrity, and confidentiality (in that order). Integrity of the data coming from safety systems is especially important.
Because safety and availability come first, we need to be cautious about how we utilize security technology developed for IT, and how we implement it in ICS environments.
Understanding potential adversaries, and the level of effort that would be required for them to execute a successful attack, should help entities develop appropriate defenses for their systems. Just because a control system component or application is vulnerable does not necessarily mean that an attacker will be successful in exploiting that vulnerability.
Critical infrastructure asset owners will continue to meet evolving business requirements by integrating control systems with business, peer, and Internet networks. This interconnectivity between historically disparate networking enclaves creates attack vectors and vulnerabilities that were previously nonexistent — both of which could be exploited by an attacker to cause undesirable consequences.
The root causes of ICS cybersecurity problems are both cultural and technological, and each requires new strategies to address.
Information pertaining to control system vulnerabilities continues to grow, as does the number of reported ICS cyber incidents and occurrences of malware targeting ICS.
ICS owners should evaluate the risk associated with a specific attack based on a specific vulnerability. This allows owners to make more informed decisions regarding the security investments that need to be made in order to prevent undesired consequences. It also provides owners with quantifiable information that can be used to ensure the implementation of a countermeasure does not have an adverse effect on the control system.