Securing critical industrial infrastructure systems in manufacturing, distribution and product-handling environments is a major challenge. The main reason we haven’t seen a spectacular attack on one of these systems is that it’s hard to pull off.
But organizations in oil and gas, chemicals, utilities and a whole host of other industries need to take steps to protect their critical infrastructure, lest they fall victim to an attack by a nation-state, hacktivists or even insiders, according to a panel of security experts who spoke during the (ISC)2 Congress 2018, taking place this week in New Orleans. The panel was moderated by James McQuiggan, president of (ISC)2 Central Florida Chapter, and product and solutions security officer for Siemens Gamesa Renewable Energy.
Industrial Control Systems (ICS) pose serious protection challenges for various reasons. For one thing, some of the equipment involved is several decades old and, therefore, not as adaptable to modern security and monitoring tools as typical IT networks.
To underscore the challenge, panelist Galina Antova, co-founder of Claroty, an industrial security provider, pointed out that when there is an issue, it isn’t always clear whether a cyber incident caused it. Investigators often have to fly to a site to determine if a cyber threat is present, she said.
This indicates that organizations have zero visibility into these environments, and expertise is lacking. “That’s the challenge we are facing. There aren’t enough professionals that have ICS security expertise,” she said.
Ben Miller, director of the threat ops center at threat monitoring vendor Dragos, said it’s now common for insurance companies to demand assurances that a problem wasn’t caused by a cyber attack before they agree to a payout. “It shows the state of where things are going,” he said.
Panelist Spencer Wilcox, executive director of technology and security at PNM Resources, noted that often organizations aren’t even aware of all the components in their industrial or OT (operational technology) environments. “How many PLCs (programmable logic controllers) or RTUs (remote terminal units) are hidden behind the wall or the ceiling? What does each of them do? Everything we do is dependent on these systems and nobody knows what they are except for the engineers who put them in place.”
Organizations need to inventory their environments in order to secure and monitor them, and put access controls in place. They also need to segment networks so they don’t communicate with each other beyond where they need to interact, Wilcox said.
Segmentation, Antova said, presents some challenges because many environments are spread over large geographic areas. An example would be a manufacturer with 100 sites. “The reality is that doing segmentation across a large geographical footprint is very tough to do.”
But proper security requires that the basics be addressed – segmentation, access control and monitoring, for starters. Then, said Wilcox: “Watch it run. If you see anomalies, do something about it, investigate it. It’s the stuff that we don’t know is happening on our networks that’s going to kill us. Monitoring is the key.”
Not everything is doom and gloom. Antova said the situation has improved in the past five years. Miller pointed out that pulling off a major attack on industrial systems isn’t easy, which is one of the reasons it hasn’t happened yet. In addition, nation-states that might have the capability to mount an attack probably hold back because they know that attacking the power grid or some other critical infrastructure would be a declaration of war.
But no matter the reason such an attack hasn’t occurred, one thing is clear: It could. And that’s why more attention to security in industrial settings is needed.