General awareness for the need to improve cybersecurity in industrial control systems (ICS) has increased significantly in recent years, but there are still plenty of misconceptions. A recent incident that can be used to highlight some of these is the cyber attack on a German steel factory, described in a report from the German Federal Office of Information Security (BSI). According to an article which translated and summarized some passages of the report:
- After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant.”
- The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory’s office networks, from which access to production networks was gained.
- The attack involved the compromise of a variety of different internal systems and industrial components, BSI said; not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process.
This attack effectively debunks a few myths about ICS cybersecurity. One common myth is that “Besides Stuxnet, cyber attacks to ICS have not really led to any physical damage.” To many, the Natanz Stuxnet incident just seems so one-off and far-removed from the rest of the world, that the kinds of ICS cyber risks it exposed, particularly cyber-physical damage, can be ignored. But physical damage from cyberthreats does happen and is often not publicly disclosed. This reported incident is a clear reminder that critical assets can be destroyed by cyber attacks.
Another myth challenged by the German incident is that “ICS systems can be secured by air-gapping.” There are many economic, operational and even regulatory drivers that compel ICS environments to have connectivity to internal and 3rd party organizations. Air-gapping for the most part is not a practical option in this day and age. Organizations need to plan for connectivity outside of “Ops” and ensure it is done in a cyber-secure manner. This is not to say that internal segmentation/security can be ignored — insider threats are also very real.
The third myth that comes to mind is one I still hear a lot: “All you need are firewalls to achieve security.” This is not to say that the only security devices the steel mill had were firewalls. They could have very well had a range of security devices and technologies deployed. But the point here is that putting just legacy, stateful-inspection firewalls in the ICS environment is not enough to ensure security. Additional security capabilities at the network and endpoint levels are required to effectively stop advanced threats.
To achieve true defense in depth in an escalating threat landscape, more effective technologies such as application visibility and control, network IPS/AV/Anti-spyware, and malware sandboxing, to name a few, need to be brought in. Also, the paradigm of deploying signature-based endpoint protection technologies needs to be challenged as those technologies do nothing to stop completely new attacks. Advanced endpoint protection that prevents even zero-day attacks needs to be deployed. Furthermore, these technologies need to be brought together into a tightly integrated platform that ensures prevention, instead of just detection, and that automates security tasks as much as possible to reduce the burden on security personnel.
ISA-99 Managing Director, Joe Weiss, and I will debunk these myths and several other recurring misconceptions with regards to securing SCADA and ICS environments in a January 7 webinar: “Exposing Common Myths Around Cyberthreats to SCADA and ICS.”
We also discuss some best practices and the Palo Alto Networks enterprise security platform, with which you can address security gaps and drive change in your organization. Register for the webinar here.
[Palo Alto Networks Blog]