Industrial Control System Security (ICS Security) has been important to generations of controls engineers, plant managers, IT personnel, industrial systems engineers, and CIO/CTOs. Recently, as companies attempt large, rapid modernization of these control systems, the resulting designs—especially the need to leverage data generated by ICS to improve performance—offer new potential cyberattack avenues. At the same time, criminals’ awareness of ICS as targets for both random and public disorder has increased exponentially, leading to a perfect storm of opportunity and intention.
We all agree that securing an ICS could be deemed more important than ever before, but what does ICS Security mean today in the context of modernization and digital transformation?
ICS Security describes a set of procedures and technologies that aim to prevent all unauthorized access to Industrial Control Systems, a term which encompasses several types of electronic control systems, including supervisory control and data acquisition (SCADA), distributed control systems (DCS), and other control system configurations using components like Programmable Logic Controllers (PLCs) often found in industrial sectors and critical infrastructure.
With the important role Industrial Control Systems play in everything from manufacturing toothbrushes and automobiles to power generation and waste management, extreme care is taken to secure these systems from unauthorized access that might be used to damage components, systems, and even people, while at the same time allowing safe access for maintenance, production optimization, and organizational advancements like digital transformation.
In the past, Industrial Control Systems tended to be walled gardens, managed by groups often unrelated to those managing business or IT infrastructure. It would have been unlikely for an ICS to share anything like an ethernet network with non-industrial systems; at most there might be an interface to a Manufacturing Execution System (MES), but certainly not a connection to the internet. An ICS may even be an entirely closed system, as is often the case within utilities.
Over the last 20 years, business intelligence, network analysis, data gathering, and real-time analytics have become more commonplace. Data sharing and analysis from Industrial Control Systems can no longer stop at purpose-built software solutions, supervisory control applications, stand-alone statistical process control, process historians, and relational databases. This effort to modernize has exposed new security weaknesses to criminal activity, both through a broader public understanding of ICS infrastructure and through the new types of technology meant to aid an organization’s modernization. Recall the Oldsmar, Florida, water treatment system attack, carried out through a common, third-party software application used for remote Windows OS access.
Securing Industrial Control Systems uses many concepts, including:
- Asset inventory and detection
- Vulnerability management
- Network intrusion protection and detection
- Endpoint detection and response (EDR)
- Patch management
- User and access management
- Secure data access
Let’s have a look at each item in a bit more detail.
Asset inventory and detection answers the very first question that should be asked when thinking about ICS Security: “What is present, anyway?” ICS configurations tend not to change very often, and your current employees might lack detailed expertise of the complete system.
Even when not static, these systems tend to grow organically over time and develop bumps and protuberances that were never part of a top-down, consistent enhancement strategy. This “take stock” first step ensures that all equipment that is part of an ICS is identified: unique identifiers like serial numbers, along with makes, models, and network states, are determined and recorded, oftentimes in software-based “asset management systems.”
Vulnerability management is critical to securing any system, especially ICS. Management typically begins with multiple assessments where weaknesses are identified and reported to key stakeholders. From there, management techniques – combinations of procedures and technologies – are employed to resolve existing vulnerabilities and plan for management of new ones as they are identified. Common susceptibilities include: open physical access to systems, unintended or unnecessarily broad network access to systems, password simplicity, and few operating system access restrictions. Especially for ICS, the age of the system’s components is a big factor in determining vulnerability management, as there may be no official resolution path offered by the vendor.
Network intrusion protection and detection is the process by which a network of electronic systems (typically an ethernet network of operating systems running on servers, desktops, and laptops, and, for ICS, the DCS and PLCs as well) is managed and monitored to prevent unauthorized access. Many sophisticated, automated solutions for network intrusion protection and detection exist today, and more and more of these tools are being extended to cover the networks touching or facilitating ICS.
Endpoint detection and response (EDR) is the proactive monitoring of, and threat resolution at, the “endpoints” of a network, typically end-user devices and systems at the very edge. As defined by Anton Chuvakin at Gartner, EDR solutions “record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.” Such tools can detect and report unauthorized access to a system, but more importantly, they can also detect authorized access to a system at a very unusual time, and steps can be taken – automated or otherwise – to evaluate and monitor that user’s access and lock systems down if needed.
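To make the “authorized access at a very unusual time” case concrete, here is an added example written for this page (it is not code from the original article, from Kepware, or from any EDR product): it builds a per-user hours-of-day baseline from historical logon records and flags new logons that fall outside it. The records, account names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful interactive logons, assumed to be exported
# from an EDR agent or a Windows Security log as (user, ISO-8601 timestamp).
# Not real data: every name and time here is made up for the example.
HISTORY = [
    ("operator1", "2024-03-04T06:55:00"),
    ("operator1", "2024-03-05T07:02:00"),
    ("operator1", "2024-03-06T14:40:00"),
    ("eng2", "2024-03-04T09:10:00"),
    ("eng2", "2024-03-05T10:30:00"),
]

NEW_EVENTS = [
    ("operator1", "2024-03-07T07:30:00"),      # normal shift-start logon
    ("operator1", "2024-03-08T03:15:00"),      # valid credentials, but 03:15 is far outside the baseline
    ("eng2", "2024-03-08T22:05:00"),           # after-hours engineering logon
    ("vendor_remote", "2024-03-08T02:00:00"),  # account with no history at all
]


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def baseline_hours(events, pad=1):
    """Per user, the (earliest, latest) hour of day seen in the history,
    widened by `pad` hours on each side so a slightly early start is not noise."""
    seen = defaultdict(list)
    for user, ts in events:
        seen[user].append(hour_of(ts))
    return {u: (max(0, min(h) - pad), min(23, max(h) + pad)) for u, h in seen.items()}


def unusual_logons(events, baseline):
    """Return (user, timestamp, reason) for logons that succeeded but fall outside
    the user's usual window, or that come from an account with no baseline at all.
    Nothing here blocks the session; it produces the signal an analyst or an
    automated playbook would act on."""
    alerts = []
    for user, ts in events:
        if user not in baseline:
            alerts.append((user, ts, "no historical baseline for this account"))
            continue
        lo, hi = baseline[user]
        hour = hour_of(ts)
        if not lo <= hour <= hi:
            alerts.append((user, ts, f"logon hour {hour:02d} outside usual window {lo:02d}-{hi:02d}"))
    return alerts


if __name__ == "__main__":
    for alert in unusual_logons(NEW_EVENTS, baseline_hours(HISTORY)):
        print(*alert, sep=" | ")
```

The baseline is deliberately simple: a single daytime window per account. A plant with night shifts would need windows that wrap past midnight and, ideally, a per-weekday baseline, but the shape of the check stays the same: a successful logon is not the end of the story, and the time and source of an otherwise valid session are themselves detection signals.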
Patch management refers to the management of updates and enhancements – aka “patches” – to software-based systems and applications that help mitigate vulnerabilities uncovered during the software’s lifetime. An ICS may include multiple, disparate operating systems and third-party applications, and it must be assumed that the systems as they are today could have weaknesses uncovered and exploited in the future. Therefore, it is crucial to develop a strategy of regular assessment and application of software patches to close vulnerabilities and improve the ICS security posture.
User and access management seeks to answer the questions: Who needs access to this system? What tool or tools should be used for system access? What specifically do they need access to within this system? For what reason do they need access? And, for how long should access be granted?
As with the Oldsmar, Florida, water treatment system attack mentioned previously, a properly executed plan around user-access controls that answers these questions might have closed the open attack point and prevented unauthorized access. In addition to considering physical isolation, most modern systems used in ICS and other networked environments offer various tools for user-access controls, and third-party solutions also exist.
Just as user and access management considers how to ensure safety and security as people interact with systems, secure data access considers how to ensure data can be obtained quickly, reliably, and safely from target environments like ICS and shared with others within the organization who might be outside the secure environment. When considering ICS Security, various techniques are employed to isolate control networks from broad network access while maintaining a high level of service for data acquisition needs. Reference models and standards like the Purdue model and ISA-95 outline the need for highly stratified networks. Firewalls, demilitarized zones, and even data diodes – one-way pipes for data publishing – are typical methods of achieving stratification, and data servers and data publishing tools that implement highly secure protocols (OPC UA over Transport Layer Security (TLS), MQTT over TLS, and HTTPS, for example) help share collected information safely and securely with others.
These protocol standards offer certificate-based identification, message signing and encryption, and username- and password-based authentication that may itself integrate with an organization’s LDAP directory server (like Microsoft Active Directory). Access to ICS data is critical to an organization’s modernization strategy, but data access to ICS does not have to introduce a vulnerability.
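The transport-security side of those protocols, as an added example that is not from the original page or from Kepware: a client-side TLS context the way a quick integration often leaves it, beside the hardened form that verifies the server’s certificate, checks the hostname, refuses anything below TLS 1.2 and can present a client certificate for certificate-based identification. It uses only Python’s standard `ssl` module; the CA and client-certificate file paths are caller-supplied assumptions.

```python
import ssl


def weak_client_context():
    """'Before': a context as often seen in quick MQTT/HTTPS integrations.
    Certificate checks are switched off, so any device on the path between the
    publisher and the broker can impersonate the broker and read or alter data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None, client_cert=None, client_key=None):
    """'After': verify the server against a trusted CA, require a hostname match,
    refuse TLS < 1.2, and present a client certificate when the endpoint
    authenticates clients that way. All file paths are assumptions supplied by
    the caller (for example the organisation's private CA for an on-site broker)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # pin the private CA, not every public root
    else:
        ctx.load_default_certs()                  # public roots, e.g. for a cloud broker
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx):
    """Findings a reviewer would raise against a client TLS context.
    An empty list means the three checks that matter most all pass."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

To use the hardened context, wrap the connection with `ctx.wrap_socket(sock, server_hostname="broker.example")` (a placeholder name) so the hostname check has something to compare against; MQTT and HTTP client libraries that accept an `SSLContext` can be handed the same object. The `audit_context` check is the kind of thing worth running in a deployment review, because a context that “works” with verification disabled is indistinguishable from a correct one at the application level.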
Kepware’s KEPServerEX and variant offerings have been a mainstay of Industrial Control Systems integration for nearly three decades. Kepware server products allow software-based control and data acquisition systems – like SCADA, MES, HMI, and Historians – to interact with other software and hardware automation systems to create a functional Industrial Control System.
Kepware servers also offer organizations a method of secure access to the data produced by these Industrial Control Systems through industry-standard and highly secure data messaging interfaces like OPC Unified Architecture (OPC UA), HTTPS, and MQTT/TLS. For example, if an organization’s goal is to send data from a DCS to be stored in a cloud, an instance of Kepware (if not already present) might be placed in the same network segment as the DCS, so that the older, relatively insecure OPC Data Access protocol is used only to interact with the OPC DA server component of the DCS. From there, Kepware might publish MQTT over TLS directly to the cloud if permitted to, but more often a second instance of Kepware is placed in the DMZ “above” the secure network and an OPC UA connection is created between the two Kepware instances.
Only a single, user-selected TCP port needs to be opened as an inbound rule in the firewall protecting the secure network from the DMZ, and the usernames and passwords exchanged during OPC UA connection negotiation can be authenticated against an organization’s Microsoft Active Directory server, so that consistent and effective user management strategies can be employed even for programmatic data access. From there, Kepware can send data safely to other network layers above the DMZ using secure messaging protocols or, again if permitted, directly to the cloud over the DMZ’s internet connection.
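As an added illustration of the stratified layout just described (example code written for this page, not Kepware configuration or any PTC tool): a small checker that audits a firewall rule set against the two properties the design relies on, namely that nothing without transport security crosses a zone boundary and that the only connection initiated from a less trusted zone into a more trusted one is the single allowlisted OPC UA port. The zone names, Purdue levels, protocol labels and the rules themselves are constructed; port 4840 (the OPC UA default) stands in for the user-selected port.

```python
from dataclasses import dataclass

# Constructed zone model. Lower Purdue level = more trusted; the DMZ sits at 3.5.
PURDUE_LEVEL = {"control": 2, "dmz": 3.5, "enterprise": 4, "cloud": 5}

# Protocol labels (assumed naming) that carry no transport security and so should
# never leave the zone they live in. OPC DA rides on DCOM; "mqtt" here means
# port 1883 without TLS, as opposed to "mqtt-tls" on 8883.
PLAINTEXT_PROTOCOLS = {"opc-da", "modbus-tcp", "mqtt", "http"}


@dataclass(frozen=True)
class Rule:
    src: str    # zone that initiates the TCP connection
    dst: str    # zone that accepts it
    proto: str  # application protocol label
    port: int   # TCP port


def more_trusted(zone_a, zone_b):
    """True if zone_a is deeper in the hierarchy (lower Purdue level) than zone_b."""
    return PURDUE_LEVEL[zone_a] < PURDUE_LEVEL[zone_b]


def audit_rules(rules, allowed_inbound):
    """Findings for a rule set. `allowed_inbound` is the explicit allowlist of
    connections initiated from a less trusted zone into a more trusted one; in the
    two-instance layout that is exactly one OPC UA port from the DMZ to control."""
    findings = []
    for r in rules:
        if r.src == r.dst:
            continue  # intra-zone traffic is out of scope for the boundary firewall
        if r.proto in PLAINTEXT_PROTOCOLS:
            findings.append(f"{r.src}->{r.dst} {r.proto}/{r.port}: "
                            "protocol without transport security crosses a zone boundary")
        if more_trusted(r.dst, r.src) and r not in allowed_inbound:
            findings.append(f"{r.src}->{r.dst} {r.proto}/{r.port}: "
                            "inbound connection into a more trusted zone is not allowlisted")
    return findings


def inbound_exposure(rules, zone):
    """Ports on which `zone` accepts connections from less trusted zones."""
    return sorted({r.port for r in rules if r.dst == zone and more_trusted(zone, r.src)})


# "Before": the control network reached directly from the enterprise LAN and the cloud.
BEFORE = [
    Rule("control", "control", "opc-da", 135),     # OPC DA between the DCS and an on-site server: fine
    Rule("enterprise", "control", "opc-da", 135),  # OPC DA/DCOM pulled straight from the enterprise LAN
    Rule("enterprise", "control", "rdp", 3389),    # remote desktop straight into the control network
    Rule("control", "cloud", "mqtt", 1883),        # plaintext MQTT from the control network to the cloud
]

# "After": the two-instance layout. 4840 stands in for the user-selected OPC UA port.
ALLOWED_INBOUND = {Rule("dmz", "control", "opc-ua", 4840)}
AFTER = [
    Rule("control", "control", "opc-da", 135),
    Rule("dmz", "control", "opc-ua", 4840),   # the single inbound rule on the control-network firewall
    Rule("dmz", "cloud", "mqtt-tls", 8883),   # the DMZ instance publishes outward over TLS
    Rule("dmz", "enterprise", "https", 443),  # and serves the enterprise layer over HTTPS
]


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "findings:", audit_rules(rules, ALLOWED_INBOUND))
        print(name, "control-zone exposure:", inbound_exposure(rules, "control"))
```

The `inbound_exposure` result is the number worth tracking over time: the “before” rule set exposes the control network on two ports to the enterprise LAN, one of them interactive remote access of the kind the Oldsmar incident involved, while the “after” set exposes exactly the one OPC UA port, whose sessions are in turn authenticated against the directory.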
Kepware implements many protocols that offer a wide variety of security features, and Kepware itself offers critical security-enhancing options above and beyond those of implemented protocols. Whether Kepware is already part of the Industrial Control System or if it’s added by an organization to facilitate secure access to the ICS, PTC’s Secure Deployment Guide for Kepware will help users implement a Kepware server product in the most secure way possible. The guide covers techniques to ensure healthy access controls are implemented and maintained, unused interfaces are turned off and disabled, and desired interfaces are configured according to best security practices.
Industrial Control Systems represent some of the most critical and complex electronic systems, and securing them can be difficult. However, when Kepware products are present in the environment and our Secure Deployment Guide is followed, users can help ensure not only the successful operation of their ICS but also safe and secure access to the extremely valuable data it produces, data that allows organizations to operate more effectively and modernize operations.
To learn more about best-of-breed, single-source connectivity solutions, contact an industrial connectivity expert today.