Securing Industrial Control Systems From Modern Cyber Threats
Traditional models to secure industrial control systems are ill-equipped to face modern cyber threats. Let’s look at how ICS operators can boost their cybersecurity and keep hackers away.
Ransomware and other cyberattacks often target industrial control systems (ICS) to disrupt operations or steal intellectual property. However, many organizations still use ICS technologies that are decades old, are exposed to the internet, and lack built-in security controls. Manufacturing, utility, health care, and other ICS-dependent organizations must protect current and planned ICS infrastructure and related sensitive information. Let’s look at how a critical infrastructure organization can implement robust security controls to keep hackers away.
Traditional Models for Securing Industrial Control Systems
Figure 1 is an example of a manufacturing ICS environment. An ICS network consists of multiple layers, beginning with sensors and automated controls. The sensors are connected to supervisory systems accessed via a human-machine interface (HMI).
Figure 1: ICS-Connected Network
The supervisory systems collect information needed by business systems located in the Business Data Center. Remote connections to data centers and ICS networks are common. In addition, much of the information collected by sensors or processed by supervisory systems today may find its way to cloud storage and SaaS solutions.
Figure 2, from the DHS 2010 document Configuring and Managing Remote Access for Industrial Systems, goes one step further by including supervisory control and data acquisition (SCADA) systems that enable the management of distributed ICS.
Figure 2: Integrated Business and ICS Systems
The DHS document explains that ICS infrastructure is accessed by a significant number of roles, including
- System operators and engineers
- Vendors
- System integrators
- Support system specialists and maintenance engineers
- Field technicians
- Business partners
- Reporting or regulatory entities
- Customers
- Supply chain reps
- Managed server providers
If not properly managed, this access can create a sizable, porous attack surface. One of the most popular ICS security models is the Purdue Model. In a previous article, I described how the Purdue Model is used to plan, implement, and protect ICS infrastructure and data. Figure 3 shows the model’s six levels.
Figure 3: The Purdue Model
- Level 0: The sensors, robotics, and other physical devices that work in the production environment.
- Level 1: This level contains the proximate devices with direct control over Level 0 devices. A programmable logic controller is an example.
- Level 2: Systems collect information from Level 1 for automated response or employee interaction via the HMI.
- Level 3: Level 2 functionality might be restricted to a specific plant zone or area. Level 3 systems collect and manage information from across an entire site.
- Level 4: Eventually, information from levels 0 through 3 is provided to business system functions that directly support production, such as logistics. Devices include application servers and database servers.
- Level 5: This level contains all the rest of the corporate network, including financial, HR, and customer-facing systems. It is also assumed to include internet access.
Securing the Purdue Model traditionally involves placing perimeters at multiple locations, as shown in Figure 4. However, this approach assumes the Level 0 infrastructure does not need internet access. This has changed.
Figure 4: Traditional Purdue Model Security (from Tom Olzak)
New Challenges to the Security of ICS Systems
Today’s operational technology (OT), the hardware, software, and firmware that work across Purdue levels 0 through 4, broadly includes IIoT (Industrial Internet of Things). IIoT often requires internet access for data aggregation, processing, and firmware/software updates. Traditional approaches to securing ICS are no longer adequate.
Providing internet connections to the ICS infrastructure exposes IIoT and increases the attack surface by including vulnerable legacy devices. Vulnerabilities include:
- Exposed ports
- Inadequate or non-existent authentication capabilities
- Obsolete, unsupported applications with security issues
- Ability of IIoT to become infected and act as an attack platform against legacy Level 0 and Level 1 resources
With increased internet access, these vulnerabilities are already enabling intellectual property theft, nation-state espionage, physical sabotage, and ransomware attacks.
Many pundits argue that increased internet access has killed the Purdue Model. I can’t entirely agree. Organizations with OT are not likely to interrupt production while reconfiguring OT infrastructure. This is obvious when we realize that most organizations still use 20- to 30-year-old OT. Industrial edge computing solutions help meet new internet access challenges and can integrate into Purdue Model environments.
Industrial Edge Computing (IEC)
Mission Secure describes the industrial edge as OT technology and an IIoT gateway. This definition supports the Gartner IoT Reference architecture, shown in Figure 5. In this approach, two gateways exist: one between what would constitute Purdue Levels 0 and 1 and the other between Levels 4 and 5.
Figure 5: Gartner IoT Reference Architecture with Purdue Model Levels
IIoT gateway devices provide connecting, operating, and security capabilities, including:
- Protocol translation: Different protocols are used across Level 0 devices. The gateway translates these protocols into those needed to communicate with other levels and with cloud services.
- Edge computing: IIoT gateways direct traffic to where needed for processing and storage. Figure 6 shows how this works. Edge computing moves servers and applications just outside the gateway to be closer to data collection. These processing resources can be on-premises or in the cloud.
- IoT firewall: Traditional Purdue Model security often uses next-gen firewalls between layers, but the IoT gateway device provides additional functionality unique to IIoT networks.
- Encryption: Encryption of traffic across devices can be implemented and managed by the gateway.
- Access control: Gateways can provide authentication and other services needed to control ingress and egress traffic. This enables control over what internet connections to Level 0 devices are allowed and when.
Figure 6: Gateway Edge (from Atilla Security)
Other Needed Safeguards
ICS with secure IIoT gateways provides better security for IoT devices connected to the internet and more efficient processing of Level 0 data. However, it is not enough.
Microsegmentation of the networks with zero-trust enforcement is still needed. Microsegmentation pulls traffic perimeters down to each device. In the firewall-enabled zero-trust example in Figure 7, an application on a user device can only “see” the relevant server. Traffic to all other servers is blocked. As part of zero-trust, traffic must be explicitly allowed.
Figure 7: Microsegmentation (From Tom Olzak)
Zero-trust networks require authentication for all access to network segments and endpoint devices. As I wrote in a previous article, nothing and no one is trusted. The following are the characteristics of a zero-trust network:
- Remove all applications from direct visibility on the public internet.
- Grant access to the application, not the network.
- Assess user identity, device identity, device health, and session context before allowing access to an application.
- Base the nature of access granted for each session on the user, the device, where the requesting user/device is located, and other contextual information.
- Encrypt all traffic and eliminate privileged network segments/security zones.
- Monitor user and device behavior for anomalies that change the trust established during initial application authentication/authorization, require re-authentication if user/device behavior deviates too far from an established baseline, and inspect and log all traffic.
- Use multi-factor authentication.
- Require each device to authenticate.
This approach assumes that none of the levels in a Purdue Model are safe. Upstream and downstream access to network segments and devices at each level must be continuously authenticated and assessed.
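The following is an added illustration of the default-deny, per-session decision described above, written for this article and not taken from any vendor product or the author’s own tooling. The users, roles, allow rules, Purdue level paths, and the behavior baseline are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    application: str      # access is granted to an application, not a segment
    src_level: int        # Purdue level of the requesting device
    dst_level: int        # Purdue level of the application's host
    location: str         # where the user/device is connecting from
    device_healthy: bool  # result of the endpoint health check
    mfa_passed: bool      # multi-factor authentication completed


# Constructed directory and allow list. Anything not listed here is denied.
ROLES: Dict[str, str] = {"alice": "operator", "bob": "engineer"}
ALLOW: Dict[Tuple[str, str], Dict] = {
    ("operator", "hmi"):       {"locations": {"plant-floor"},
                                "paths": {(2, 2), (3, 2)}},
    ("engineer", "historian"): {"locations": {"plant-floor", "corporate"},
                                "paths": {(4, 3), (3, 3)}},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Default-deny decision on user, MFA, device health, location and level path."""
    rule = ALLOW.get((ROLES.get(req.user, ""), req.application))
    if rule is None:
        return False, "no explicit allow rule"
    if not req.mfa_passed:
        return False, "multi-factor authentication required"
    if not req.device_healthy:
        return False, "device failed health check"
    if req.location not in rule["locations"]:
        return False, "location not permitted for this application"
    if (req.src_level, req.dst_level) not in rule["paths"]:
        return False, "level path not permitted"
    return True, "allowed"


def reassess(baseline_per_min: float, observed_per_min: float,
             tolerance: float = 2.0) -> str:
    """Continuous assessment after authorization: a session whose request
    rate drifts beyond tolerance x baseline must re-authenticate."""
    if observed_per_min > baseline_per_min * tolerance:
        return "reauthenticate"
    return "continue"
```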
Finally, physical security is needed for all Level 0 through Level 5 devices. This includes hardening any device with USB ports to prevent accidental or intentional malware infection via USB storage devices. Many vendors provide solutions to manage this challenge and other security challenges related to ICS security. EM360 Tech provides a Top Ten list of ICS security solutions.
Final Thoughts
ICS infrastructure has shown itself to be a popular target for cyberattacks. In addition to financial gain, threat actors also steal trade secrets and interrupt production processes. These attacks adversely affect the targeted organization, the public, and national security.
Many organizations have used approaches such as the Purdue Model to secure ICS technology. While these approaches are still critical, increasing internet access has made them far less resistant to intrusion.
Edge computing helps to fill the security gaps in the Purdue Model opened by internet traffic. It also enables the processing of the large and increasing amounts of data collected by IIoT devices closer to where the sensors reside. This provides more efficient processing. Edge computing solutions must include a zero-trust approach to ensure only explicitly authorized traffic is allowed access to internal and external resources.