March 22 2021
Are you taking steps to protect your ICS?
Industrial Control Systems (ICS) have been a prized target for attackers ever since Stuxnet hit the headlines back in 2009. Since then the threat has continued to grow, attacks have become more sophisticated and it’s only a matter of time before another critical industrial system is compromised.
Whether you’re operating a food production line or a nuclear energy plant, no industrial system is immune. The potential consequences of an attack go beyond monetary loss and reputational damage: there’s a physical impact, and lives are potentially at risk.
But are you taking security seriously?
According to a recent global study by antivirus provider Kaspersky, 54% of the sampled organisations have experienced at least one ICS security incident in the last 12 months. ICS professionals who took part in the study also explained that they did not have sufficient plans in place to deal with them.
The need for action is clear, yet we continue to see organisations failing to put in place the necessary security measures. And even where measures are in place, they often lack the robustness required.
So, why is this the case? For many organisations it’s the fear of downtime that is stopping them from assessing their ICS security. Take for example car manufacturers: in 2005 a survey showed that just one minute of unplanned downtime would cost as much as $22,000. With costs like these it’s no wonder companies don’t want to do anything to jeopardise critical operations, and that includes implementing security measures.
Overcoming such barriers is essential in protecting your critical systems and security inaction is simply no longer an option. But where do you start and how do you go about it?
This is where our guide comes in, giving you seven practical steps to help improve your security and protect your all-important industrial control systems.
Step 1: Map your network
The air-gapped system of the past is long gone and connectivity is now commonplace. Engineers require remote access away from the traditional console, third party vendors need to view operational data, and suppliers want access to ensure cost-effective maintenance and monitoring. Even if you don’t have any of the above, internal managers and staff will always require connected access to real-time production data and statistics.
These connectivity requirements continue to increase and have led to the growth of internal industrial networks. That’s not to mention the challenges thrown up by the Industrial Internet of Things (IIoT), whereby most businesses employ a wider network of devices and digital assets than ever before.
This rapid expansion has led to many organisations losing sight of their networks and, according to CyberX, 44% have at least one unauthorised or unknown device that may pose a legitimate threat to operations.
Network expansion is only one of the reasons behind this oversight; poor network management and changing personnel also play a part. Companies may also put themselves at risk following organisational growth, or through a merger with another company. All it takes is one rogue device that isn’t accounted for or fully protected to become the source of major security issues.
Having an accurate and up-to-date network map is the first step towards protecting your system. It will provide you with a clear picture of how your systems are connected and what devices are present, so you can start to uncover who has access and where the major vulnerabilities lie.
Additionally, a network map offers a more tangible view of your organisation and by being able to visualise all connections you can start to build a case for a wider security review.
Step 2: Get your security priorities in order
Once a network map is in place, you can begin to analyse the security of your organisation’s connections and devices in more depth. However, many businesses do not have the luxury of testing their whole system at once, which means they must prioritise their actions effectively.
Prioritising your efforts could take two potential routes: focusing on vulnerabilities first or concentrating on your critical assets.
All it takes is one vulnerability, one unsecured device, and attackers can use this to pivot into your wider industrial network. If you choose to prioritise by vulnerability, you’ll identify the parts of your ICS that are most susceptible to attack and this will allow you to rectify the most pressing concerns first.
Common vulnerabilities could include a lack of privileged access controls, default passwords on IIoT devices, or even unpatched software. These simple vulnerabilities should act as a red flag and in many cases the issues can be addressed quickly, providing you with an instantly improved security posture.
Alternatively, you may wish to focus your security efforts on your critical assets. For some companies this may be the operations themselves, for others it could be their intellectual property or product designs. For some it could be their production data. Whatever it is, your company depends on this and therefore it needs to be protected first.
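The reconciliation and prioritisation described in Steps 1 and 2, as an added Python example that is not part of the original guide: it compares an approved asset register with devices seen on the network to flag unknown ones, then orders the known devices by either route. The CSV layout, MAC addresses, device names, finding labels and criticality scores are all constructed for illustration.

```python
import csv
import io

# Constructed sample data: an approved asset register and a passive-monitoring export.
APPROVED_CSV = """mac,name,criticality
02:00:00:00:00:01,plc-line1,5
02:00:00:00:00:02,hmi-line1,3
02:00:00:00:00:10,historian,4
02:00:00:00:00:11,eng-workstation,2
"""
OBSERVED_CSV = """mac,ip,findings
02:00:00:00:00:01,10.10.1.11,unpatched_software
02:00:00:00:00:02,10.10.1.12,default_password;unpatched_software
02:00:00:00:00:10,10.10.2.20,
02:00:00:00:00:99,10.10.1.77,default_password
"""

def load(text):
    """Parse CSV text into dict rows with lower-cased MAC addresses."""
    return [dict(r, mac=r["mac"].strip().lower()) for r in csv.DictReader(io.StringIO(text))]

def findings(observation):
    """Split the semicolon-separated findings column, dropping empty entries."""
    return [f for f in observation["findings"].split(";") if f]

def reconcile(approved, observed):
    """Return (devices seen but not in the register, registered assets never seen)."""
    approved_macs = {a["mac"] for a in approved}
    observed_macs = {o["mac"] for o in observed}
    unknown = [o for o in observed if o["mac"] not in approved_macs]
    missing = [a for a in approved if a["mac"] not in observed_macs]
    return unknown, missing

def prioritise(approved, observed, route):
    """Order known devices by route: 'vulnerability' (most findings) or 'asset' (criticality)."""
    register = {a["mac"]: a for a in approved}
    known = [o for o in observed if o["mac"] in register]
    keys = {
        "vulnerability": lambda o: len(findings(o)),
        "asset": lambda o: int(register[o["mac"]]["criticality"]),
    }
    ranked = sorted(known, key=keys[route], reverse=True)
    return [(register[o["mac"]]["name"], findings(o)) for o in ranked]

if __name__ == "__main__":
    approved, observed = load(APPROVED_CSV), load(OBSERVED_CSV)
    print("unknown / not seen:", reconcile(approved, observed))
    print("review order:", prioritise(approved, observed, "vulnerability"))
```

Registered assets that never appear in the capture are reported as well, since they usually mean the map itself is out of date.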
Step 3: Educate the Board
The need to inform Board members about the risks that result from poor IT security management isn’t just an industrial concern; it’s a problem that affects all major enterprises. To put the problem into perspective, a recent HM Government survey found that 68% of FTSE 350 company Board members had received “no training in order to deal with a cyber incident within their organisation” and only 5% of companies have Board members with specialist technology or cybersecurity experience.
When it comes to industrial systems the stakes are even higher, and you certainly don’t want your first Board conversation about ICS security to be after a breach. But for many, getting upper-management support can often be the biggest obstacle to any security improvement.
Education is the key and the onus is on ICS managers to translate key technical information in a way that is clear, digestible and easy to understand. An up-to-date network map can assist in this and can provide upper management with a tangible view of security concerns, risks and threats. It’s also important to share any recent news on cyber-attacks, as this is a good way to explain the scale of impact that poor system security can have.
Whichever way you choose, you need to ensure that the Board are fully aware of the potential risks the company is facing and the consequences of security inaction.