OPERATIONAL TECHNOLOGY (OT)/ICS RISK
Industrial Control System (ICS) refers to the digital instrumentation, networks and devices used to manage industrial processes, from factories to critical infrastructure. SCADA (Supervisory Control And Data Acquisition) is a type of ICS used mainly for “long distance monitoring and control of field sites”, and is common among operators of geographically distributed networks, for example oil and gas transportation and power grids.
Criminal groups and ‘nation state actors’, both hostile (APT groups) and friendly, have been scrutinising ICS for several years now, for three reasons. Firstly, information technology (IT) and operational technology (OT) have effectively merged in recent years, meaning that industrial appliances such as remote-controlled valves are now connected to the IoT (Internet of Things), in much the same way as smart thermostats in our homes. Secondly, the software (firmware) running on these devices is often misconfigured (the default username and password left unchanged, for example) and out of date, meaning that it can easily be compromised once reached. Finally, several of the companies and organisations at risk are strategic by any definition, and critical to the smooth running of the industries they support. That makes them attractive financial targets for organised criminals (ransomware) and for hostile nation states (who can use an attack to cause economic disruption). The first recorded attack of this type happened in Ukraine in 2015.
There are two main ways to defend against cyberattacks on ICS/SCADA. Firstly, digital access to the systems is restricted by network segmentation, strict firewall policies, physical protection and avoidance of less robust communications channels such as WiFi. In an extreme case, facilities may be ‘air-gapped’, meaning that their network has no logical connection to external networks, including the internet. Air-gapping is not a perfect solution, however: malware can still jump the gap (for example on a USB stick), and it complicates software updating and patching.
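The segmentation and strict firewall policy described above come down to a deny-by-default rule set between zones, which can be audited against observed traffic. The following is an added example, not code from the article or from any vendor: it maps addresses to constructed ICS zones, holds a small allow-list of permitted cross-zone flows, and reports any cross-zone flow that the policy does not cover. The zone names, subnets, ports and sample flow records are all assumptions chosen for illustration.

```python
"""Added example (not from the article): evaluate observed network flows against a
deny-by-default segmentation policy between ICS zones.

Everything here is constructed for illustration: the zone names, subnets, policy
rules and sample flow records are assumptions, not data from any real plant.
"""
from ipaddress import ip_address, ip_network

# Constructed zone map: which subnet belongs to which zone.
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
    "field": ip_network("10.40.0.0/24"),
}

# Constructed allow-list: (source zone, destination zone, protocol, port).
# Anything not listed is denied, which is the "strict firewall policy" the text describes.
ALLOWED = {
    ("enterprise_it", "dmz", "tcp", 443),   # historian web view reached via the DMZ
    ("dmz", "control", "tcp", 502),         # DMZ data collector polls Modbus/TCP
    ("control", "field", "tcp", 502),       # controllers talk to field devices
}


def zone_of(ip: str) -> str:
    """Return the zone whose subnet contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_permitted(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True only if an explicit allow rule covers this zone pair, protocol and port."""
    return (zone_of(src_ip), zone_of(dst_ip), proto, port) in ALLOWED


def find_violations(flows):
    """Return the flows that cross a zone boundary without an allow rule.

    Intra-zone traffic is out of scope for this check and is skipped.
    """
    violations = []
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst:
            continue
        if not is_permitted(f["src"], f["dst"], f["proto"], f["port"]):
            violations.append({**f, "src_zone": src, "dst_zone": dst})
    return violations


# Constructed flow records, in the shape a firewall log or NetFlow export might summarise them.
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "10.20.0.10", "proto": "tcp", "port": 443},
    {"src": "10.20.0.10", "dst": "10.30.0.15", "proto": "tcp", "port": 502},
    {"src": "10.10.5.20", "dst": "10.40.0.7", "proto": "tcp", "port": 502},   # IT host straight to a field device
    {"src": "10.10.5.20", "dst": "10.30.0.15", "proto": "tcp", "port": 22},   # IT host SSH into the control zone
    {"src": "10.30.0.15", "dst": "10.30.0.16", "proto": "udp", "port": 161},  # intra-zone, ignored
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"DENY {v['src_zone']} -> {v['dst_zone']}: "
              f"{v['src']} -> {v['dst']}:{v['port']}/{v['proto']}")
```

Run against the sample flows, the two enterprise-to-OT flows are reported while the DMZ-mediated path is accepted; the same function can be pointed at a real flow export, with the zone map and allow-list replaced by the plant's own.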
Secondly, it is possible to apply specific software solutions that incorporate some or all of the following features: identifying and documenting all exposed components (recording manufacturer, MAC address, firmware version, etc.); checking for misconfiguration and out-of-date firmware; and monitoring threat intelligence for relevant trends among threat actors.
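The three features listed above can be expressed as checks over an asset register. The following is an added example, not code from the article or from any product it mentions: it records manufacturer, MAC address and firmware version for each asset, flags firmware below a per-model baseline, unchanged default credentials and external reachability, and cross-references a threat-intelligence feed. The vendor names, models, baselines, MAC addresses and advisory feed are all constructed placeholders standing in for a real CMDB export and intelligence subscription.

```python
"""Added example (not from the article): run the inventory checks the text lists
over a constructed asset register.

Vendors, models, firmware baselines, MAC addresses and the advisory feed are made-up
placeholders; a real deployment would load them from a CMDB and an intel feed.
"""
import re

# Constructed minimum acceptable firmware per (vendor, model): an assumption.
FIRMWARE_BASELINE = {
    ("ExampleVendor", "PLC-100"): "2.4.1",
    ("ExampleVendor", "RTU-7"): "1.9.0",
    ("OtherVendor", "HMI-X"): "5.0.0",
}

# Constructed threat-intel feed: (vendor, model) pairs named in recent advisories.
ADVISORY_FEED = {("ExampleVendor", "RTU-7")}


def parse_version(v: str):
    """'2.10.3' -> (2, 10, 3), so versions compare numerically (2.10 > 2.9)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_asset(asset):
    """Return a list of human-readable findings for one asset record (empty if clean)."""
    findings = []
    key = (asset["vendor"], asset["model"])
    baseline = FIRMWARE_BASELINE.get(key)
    if baseline is None:
        findings.append("no firmware baseline recorded for this model")
    elif parse_version(asset["firmware"]) < parse_version(baseline):
        findings.append(f"firmware {asset['firmware']} below baseline {baseline}")
    if not asset["default_creds_changed"]:
        findings.append("factory default credentials still in use")
    if asset["internet_reachable"]:
        findings.append("reachable from outside the plant network")
    if key in ADVISORY_FEED:
        findings.append("model named in current threat advisories")
    return findings


def audit(assets):
    """Map asset id -> findings, omitting assets with nothing to report."""
    report = {}
    for a in assets:
        findings = check_asset(a)
        if findings:
            report[a["id"]] = findings
    return report


# Constructed asset register; MAC addresses are locally administered placeholders.
SAMPLE_ASSETS = [
    {"id": "plc-01", "vendor": "ExampleVendor", "model": "PLC-100", "mac": "02:00:00:00:00:01",
     "firmware": "2.4.3", "default_creds_changed": True, "internet_reachable": False},
    {"id": "rtu-03", "vendor": "ExampleVendor", "model": "RTU-7", "mac": "02:00:00:00:00:02",
     "firmware": "1.8.2", "default_creds_changed": False, "internet_reachable": True},
    {"id": "hmi-02", "vendor": "OtherVendor", "model": "HMI-X", "mac": "02:00:00:00:00:03",
     "firmware": "5.10.0", "default_creds_changed": True, "internet_reachable": False},
    {"id": "gw-01", "vendor": "UnknownVendor", "model": "GW-1", "mac": "02:00:00:00:00:04",
     "firmware": "1.0", "default_creds_changed": True, "internet_reachable": False},
]

if __name__ == "__main__":
    for asset_id, findings in audit(SAMPLE_ASSETS).items():
        print(asset_id)
        for f in findings:
            print(f"  - {f}")
```

Numeric version comparison matters here: a string comparison would rank firmware 5.10.0 below 5.9.0 and produce a false finding. An asset with no recorded baseline is reported rather than silently passed, since an unknown device on the OT network is itself an inventory gap.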
Check Point provides specialised security solutions for OT/ICS risk. Forcepoint offers a product called Data Guard which is very similar to a next generation firewall: it inspects data content and can control the flow of certain information or instructions. For a power station operator, for example, Data Guard may serve to restrict the types of command sent to a sub-station and to block malicious activity.