CONTROL–SYSTEM ATTACK RISKS
CONTROL–SYSTEM SECURITY ATTACK MODELS By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
any cybersecurity practitioners assume that standard IT security practices are sufficient to secure industrial control systems, but this is not so. The difference between IT systems and control systems lies not in the kind of technology deployed on the networks, but in that technology’s focus. The focus for an industrial control system is, not surprisingly, control. Industrial control systems control large, complex and often dangerous physical processes. The attacks that control system owners and operators lose sleep over are cybersabotage attacks, not cyberespionage attacks. Any mis-operation of complex, dangerous physical equipment at a power plant or refinery by attackers on the other side of the planet, however briefly, is an unacceptable risk. Classic IT security tolerates certain risks and expects a certain degree of compromise from time to time. IT firewalls are porous by design – after all, they permit email messages and Web pages into protected IT networks. Every one of those emails or Web pages can contain an attack, and attacks do reach through IT firewalls from time to time, in spite of the best efforts of firewall vendors or IT staff. This is why intrusion detection is so important on IT networks. Applying this approach to control-system networks is, frankly, dangerous. Recent reports show that intrusion detection systems take an average of 1-2 months to detect compromised equipment but, again, any mis-operation of physical equipment, no matter how brief, is unacceptable.
Control system security standards are evolving to emphasise strong intrusion prevention in the form of unidirectional security gateways and removable media controls over intrusion detection systems. Modern attack modelling makes the reasons for such measures very clear.
BLIND TO ATTACKS Too many control-system security practitioners apply IT security best practices to control-system networks without a clear idea of how those practices leave networks at risk. Fundamentally, all software has bugs and all software can be hacked, even security software. All intrusion detection systems are software and can be defeated. All firewalls are software and can be defeated. For example, imagine a control-system technician working from home. Imagine that the technician’s laptop has been compromised by an attacker who wants to sabotage operations at a particular site. The compromise arrived via a spear-phishing attack, and is now running in the background on the laptop. Antivirus did not catch the attacker’s malware because the attacker wrote this little piece of code, and no other machine in the world has ever seen it. This means, of course, that there is no anti-virus signature for the malware. When the technician uses the compromised laptop to open a VPN connection to the plant to do some controlsystem work, the malware wakes up. The engineer cybersecurity-review.com
The Cyber Security Review is a publication designed to draw on the combined knowledge, skills and expertise of the cyber security community...