Industrial Control Systems and Cybersecurity

Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, says that retailers aren’t the only victims. He says that energy companies — including the oil and gas industry — were targeted in 41 percent of the malicious software-attack cases reported to the Department of Homeland Security in 2012.

Convergence of ICS and IP Networks

Industrial Control System (ICS) cybersecurity is an important consideration to oil & gas, chemical, and energy plants across the world. Attacks on manufacturing and operations in these critical infrastructure areas not only result in financial losses but also pose significant public safety and national security risks. Louisiana is the energy and chemical hub of the United States, so it follows that ICS cybersecurity is critically important to the public, environmental, and economic safety of the state.

ICS networks are systems that control, monitor, and alert on events in physical processes, such as electricity transmission, movement of oil and gas in pipelines, petrochemical manufacturing, water distribution, and other sensor-actuator based systems that form the bases for critical infrastructure and modern living.

Recent convergence of ICS operational and information technology networks is based on advantages of increased networked connectivity based on open standards such as Ethernet and TCP/IP. This saves costs by eliminating proprietary equipment in favor of OTS hardware and software solutions. OT and IT convergence also creates plant management efficiencies.

The OT/IT convergence comes at a cost of higher vulnerability to cyberattacks since they share the same networking and host-based infrastructure, protocols, and technologies. Vulnerabilities in enterprise systems are now a vector for attackers to surveil, initiate, and execute cyber attacks against ICS and critical infrastructure using the same tactics, techniques, and tools as enterprise-based IT systems.

ICS Attack Landscape

The cyber attack landscape for ICS systems is much larger than just the ICS devices, equipment, and networks that comprise an industrial site. The landscape extends to all parts of an organization, including the enterprise IT networks, integrators and contractors, and the extended supply chain. It is not surprising that the number of attacks is steadily increasing over time. In 2015, the number ICS security incidents increased by over 20%. The year 2016 is on track to continue the trend.


ICS cybersecurity attacks fall into one of two general categories: external and internal. External attacks are often more sophisticated given the amount of effort necessary to surveil and reconnoiter an industrial network. Internal attacks are, however, as risky since threat actors have easy access and intimate knowledge of an industrial network’s configuration and operation.

External attacks are typically manifested as advanced persistent threats (APTs), targeted attacks, and malware. Spear phishing is the most common specific attack type. External threat actors typically are motivated to achieve political outcomes or perform industrial espionage (e.g. steal IP). Politically motivated actors include nation-states (China, Russia, Iran, and North Korea are the most active) as well as hacktivists with goals of operational disruption and physical damage. Both groups are usually well-funded and highly trained.

In a 2016 survey of 234 ICS operators, external hackers accounted for 36% of known attacks, followed by current employees and hacktivists, at 34% and 23%, respectively.

Source: SANS 2016 ICS Security Survey

Internal threat actors are usually disgruntled employees, contractors, or integrators. Their intimate knowledge of an industrial network’s configuration and operation along with the trusted or semi-trusted access to the network make them as dangerous as external threat actors.

An additional dimension to internal threats is human error. A lack of malicious motive does not reduce the significant impact an attack can have as the result of human error and poor decision making. A common example of this type of threat results when employees or system integrators short-circuit security protocols for convenience of access, e.g. installing “backdoor” maintenance accounts to bypass remote access security protocols. This occurs very frequently across OT and enterprise networks and is an extremely difficult vulnerability to detect (but is very easy to exploit).

ICS Response to Cyber Threats

Industrial and manufacturing companies are taking notice, if belatedly. In a 2016 SANS survey, two-thirds of ICS operators perceive severe or high levels of threats to their ICS networks, compared to 43% in 2015. In their annual risk assessment, international accounting and consulting firm BDO found that cyber security ranks for the first time as a top 10 risk among the 100 largest U.S. manufacturing companies.

Despite the increasing trending attacks, threat landscape, and urgency of protecting critical industrial infrastructure, the ICS and manufacturing community lags in improving the cybersecurity posture of its assets. Fifty percent (50%) of ICS operators in a 2016 have no plans to address the security issues surrounding convergence of IT and control systems (20% have no plans to develop any.) Additionally, security incident sharing and planned ICS security improvements lagged compared to 2015.

Standard cybersecurity principles, techniques, and practices are applicable to ISC networks. Defense-in-depth is a foundational concept that provides security in layers instead of a single perimeter, e.g. firewall. The standard phases of cybersecurity — monitoring, protection, detection, prevention, mitigation, response, recovery — apply equally to enterprise and ISC networks because they both contain digital networked assets vulnerable to attacks by the same threat actors.

A core recommendation of DHS to ICS operators is to deploy network monitoring and threat detection solutions as a foundational element of their Defense-in-Depth strategy for ICS networks. There are basic solutions for log management and event detection, but they tend to be host-based and do not inspect network traffic behavior. As such, they are insufficient for providing a complete view of an ICS network. Furthermore, existing network traffic behavior and anomaly detection solutions target enterprise IT networks. They are sufficient yet incomplete solutions for an industrial networks since they lack awareness of ICS protocols and network behaviors.

ICS networks have unique properties that make standard network monitoring and cybersecurity tools insufficient. First, many ICS protocols are now embedded in TCP/IP sessions as separate layers, and ICS semantics must be parsed and processed distinctly from typical IP network traffic. Second, ICS network traffic is much more sensitive to disruptions and delays because of the time sensitivity of measurements and commands to ICS components. Third, there are important nuances in ICS and OT networks that are not present in typical enterprise IT environments, which lowers or negates the effectiveness of typical cyber security solutions. Finally, and most important, detection of vulnerabilities and attacks has a higher sense of urgency in ICS networks because of the risks to physical infrastructure, public safety, environment, and economies. In short, ICS networks require network monitoring and defense technologies that are specific to their behaviors and technologies.

Copyright © 2016 John Zachary