What is an Industrial Control System (ICS)?
ICS assets are the digital devices that are used in industrial processes. This includes all of the various components of critical infrastructure (power grid, water treatment, etc.), manufacturing, and similar applications.
A number of different devices are classified as ICS. Some examples include:
- Programmable Logic Controllers (PLCs)
- Remote Terminal Units (RTUs)
- Human-Machine Interfaces (HMIs)
- Supervisory Control and Data Acquisition (SCADA)
ICS have been around for a while, and, although these devices have been networked together for decades, they were often “air gapped” from the Internet. This helped to protect them from cyber threats by making them more difficult to remotely access and exploit.
In recent years, the air gap has eroded. Now, it is common to use Internet-connected smart and IoT devices for remote monitoring and management of ICS. While this increases efficiency and usability, it also introduces new cybersecurity risks. With this new paradigm, ICS and IoT security solutions are required to protect the safety and functionality of these newly Internet-connected systems.
Challenges of ICS Security
While industrial control systems have the same security challenges as traditional IT environments, they have their own unique challenges as well, including:
- High Availability Requirements: For ICS in critical infrastructure, manufacturing, and other industries, availability and uptime are of the utmost importance. This makes securing these systems difficult, as they cannot easily be taken down to install security updates.
- Insecure and Proprietary Protocols: ICS uses a variety of proprietary protocols, including many that were designed decades ago to support long-lived components. These protocols often lack basic security features (such as encryption and access control) and cannot be updated.
- Focus on Detection Over Prevention: ICS’s high availability requirements mean that the potential for legitimate operations to be blocked (a false positive) is a significant concern. For this reason, ICS security controls are often configured to detect attacks rather than attempt to prevent them.
Overcoming these challenges requires ICS security solutions designed to operate in ICS’s unique environment.
Threats to Industrial Control Systems
Attacks against ICS devices can intentionally or unintentionally cause loss of availability. Attackers can gain access to these systems in a number of ways, including:
- Lateral movement from the IT network
- Direct access to Internet-facing systems
- Phishing attacks to compromise legitimate OT account credentials
- Exploitation of vulnerable IoT and Internet-connected systems
An ICS security solution must provide comprehensive protection against these and other ICS attack vectors.
ICS Security Best Practices
ICS systems commonly lag behind IT systems in terms of protection against cyber threats. To start bringing ICS system security up to speed, implement these best practices:
- Perform ICS Asset Discovery: Many organizations lack full visibility into their complete ICS infrastructure. A full understanding of ICS assets and their network connectivity is essential to security.
- Monitor Network Baselines: ICS networks should be fairly static as the devices connected to them rarely change. These networks should be monitored to establish a baseline, then to detect and alert on any network anomalies or new devices connected to the network.
- Perform Network Segmentation: Historically, ICS networks were protected by air gaps, but this is no longer the case. Securing systems that were not designed to be connected to the Internet requires network segmentation with firewalls that understand ICS protocols.
- Implement Least Privilege: Many ICS protocols do not implement access controls, allowing inappropriate access to privileged and dangerous functionality. ICS protocol-aware firewalls should be used to enforce access controls on ICS network traffic.
- Deploy an Intrusion Prevention System (IPS): Detection-focused ICS security leaves an organization in the position of responding to existing malware infections and security incidents. An IPS should be used to identify and block attempted exploitation of known vulnerabilities in ICS systems and the legacy operating systems that they run on.
- Secure Remote Access: Remote access is often necessary for monitoring and management of ICS assets at geographically distributed sites. However, this access should be implemented using strong authentication, access control, and encryption to protect against unauthorized access to and exploitation of these systems.
- Secure Physical Access: Physical access to ICS assets can threaten their availability and enable defenses to be bypassed. ICS should be protected by both cyber and physical security measures.
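As an added example (not from the original article or from Check Point), the baseline-monitoring and least-privilege practices above in code: a Python script that learns the devices and Modbus/TCP flows seen during a learning window, then flags new devices, new flows, and writes from hosts that only read during learning. The flow records and addresses are constructed; the Modbus function codes are the public ones, and Modbus is assumed here simply as a representative ICS protocol without access controls.

```python
from collections import namedtuple

# One network flow summarised from captured ICS traffic (constructed format).
Flow = namedtuple("Flow", "src dst port func")

# Modbus/TCP public function codes that change controller state
# (5 write coil, 6 write register, 15/16 multiple writes, 23 read/write).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 23}

# Constructed learning-window traffic: what "normal" looks like on this segment.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", 502, 3),   # HMI reads holding registers from PLC
    Flow("10.1.1.10", "10.1.2.20", 502, 16),  # HMI writes setpoints to the PLC
    Flow("10.1.1.11", "10.1.2.20", 502, 3),   # historian only ever reads
]

# Constructed traffic observed after the baseline was established.
OBSERVED_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", 502, 3),   # normal HMI read
    Flow("10.1.1.11", "10.1.2.20", 502, 6),   # historian attempts a write
    Flow("10.1.1.99", "10.1.2.20", 502, 3),   # unknown host talks to the PLC
]


def build_baseline(flows):
    """Return the set of known devices and the allow-list of observed flows."""
    devices = set()
    allowed = set()
    for f in flows:
        devices.update((f.src, f.dst))
        allowed.add(f)
    return devices, allowed


def evaluate(flows, devices, allowed):
    """Return (kind, flow) alerts for traffic that deviates from the baseline.

    A write from a host that only read during learning is reported as
    'unauthorized_write': this is the case a least-privilege rule on a
    protocol-aware firewall would block, whereas a new read flow or a
    new device is reported for investigation.
    """
    alerts = []
    for f in flows:
        if f.src not in devices or f.dst not in devices:
            alerts.append(("new_device", f))
        elif f not in allowed:
            kind = "unauthorized_write" if f.func in MODBUS_WRITE_FUNCS else "new_flow"
            alerts.append((kind, f))
    return alerts
```

Running `evaluate(OBSERVED_FLOWS, *build_baseline(BASELINE_FLOWS))` yields one `unauthorized_write` alert for the historian and one `new_device` alert for the unknown host; the normal HMI read produces nothing.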
Industrial control systems are complex and vulnerable, but they are also a vital part of critical infrastructure, manufacturing, and related industries. Protecting these systems against attack without interrupting normal operations makes ICS-aware security essential.
To learn more about Check Point’s ICS security solutions, check out this solution brief. You’re also welcome to request a demo to learn how to optimize ICS security or better yet, conduct an IoT Security Checkup with Check Point.