My InfoTech Journal: CyberSecurity Vulnerabilities in Industrial Control Systems
For this article, I will be presenting an overview of CyberSecurity Vulnerabilities, using the US CyberSecurity & Infrastructure Security Agency (CISA) guidelines for Industrial Control Systems.
Please note that this US CISA CyberSecurity guideline is specific to Industrial Control Systems. Nonetheless, the framework and line of thought can be used as a reference for any other similar environment.
CyberSecurity aims to protect sensitive information hosted in critical systems from the many faces of evolving threats.
Year after year, business reports publish the cost of data breaches globally, in millions of US dollars. This includes lost business revenue, the cost of responding to the breach, the cost of determining the extent of the data breach, performing root cause analysis, and, most of all, the long-term damage to the company's reputation and brand.
In order to reduce your Control System’s risk and exposure to Cyber Attacks, you have to be familiar with the CyberSecurity Vulnerabilities.
The US CyberSecurity & Infrastructure Security Agency (CISA) guideline is just one of several frameworks that you can use as a reference for your CyberSecurity program.
It is fundamental to start with the mindset that every component within your Control System is vulnerable to internal and external threats.
To understand the system’s threats, you must understand your environment: how each individual system works and how the network components communicate with each other.
It is also very important to learn and understand the vulnerabilities inherent to each component, as these are what hackers use as their attack vectors.
The following points of discussion were taken from the US CyberSecurity & Infrastructure Security Agency (CISA) Overview of Cyber Vulnerabilities for Control Systems. 1
This discussion (as posted on their website) provides a high-level overview of these topics but does not discuss detailed exploits used by attackers to accomplish intrusion.
- Understanding Control System Cyber Vulnerabilities
- Access to the Control System LAN
- Common Network Architectures
- Dial-up Access to the RTUs
- Vendor Support
- IT Controlled Communication Gear
- Corporate VPNs
- Database Links
- Poorly Configured Firewalls
- Peer Utility Links
- Discovery of the Process
- Control of the Process
- Sending Commands Directly to the Data Acquisition Equipment
- Exporting the HMI Screen
- Changing the Database
- Man-in-the-Middle Attacks
Understanding Control System’s CyberSecurity Vulnerabilities
To understand the Control System’s CyberSecurity Vulnerabilities, you must first understand your system’s environment. This is where the overall system and network diagram is crucial.
Start with an accurate inventory of what is installed in your Control System network. This will be your point of reference for ensuring that every system and network component is accounted for. This will help you fully assess the vulnerabilities of each system and component.
Perform a Risk Assessment on your Control System environment. This will help you understand the risk factors that may have a potential impact on your critical systems. This is where you assess the severity of each risk and the probability of it happening.
The Risk Assessment result will be your reference for prioritizing your remediation program and focusing your resources on the critical and highly probable risk areas.
Example of a Control System Environment
Diagram 1 is an example of a control system environment.
The above diagram is very valuable information for understanding the system’s environment. It is a useful starting point for understanding the system architecture and what components are within the environment.
The same diagram in the wrong hands, such as those of an Attacker, might cause catastrophic results!
Understand how each component communicates with the others. You have to be thorough in your review and assessment of how each access point works and how authorized permissions are granted.
Mark these components as target vectors for Attackers who are trying to gain access to the entire control system environment by any means possible.
Follow the path of communication between each of the system components to understand any other vulnerabilities within your network.
You need to understand the vulnerabilities in each of the system components and how these affect the other systems or network components within the control system environment.
Ensure that the vulnerabilities in each device or system are resolved or mitigated in a timely manner.
The system risk assessment and vulnerability patching have to be a continuous process so that your system keeps up with new patches.
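One way to carry out the inventory and path-following steps above, as an added example that is not from the original article or from CISA. The asset names, severity scores, links and entry points are all constructed, and using hop count as a rough stand-in for probability is an assumption.

```python
from collections import deque

# Constructed inventory: asset -> severity (1-5) if it were compromised.
INVENTORY = {"corporate_vpn": 2, "vendor_modem": 2, "business_db": 3,
             "firewall": 3, "historian_db": 4, "hmi": 5,
             "data_acq_server": 5, "rtu_1": 5, "eng_laptop": 4}

# Constructed links: (initiator, destination) for each allowed connection.
LINKS = [
    ("corporate_vpn", "business_db"), ("corporate_vpn", "firewall"),
    ("business_db", "historian_db"),            # database link
    ("firewall", "hmi"), ("historian_db", "hmi"),
    ("hmi", "data_acq_server"), ("data_acq_server", "rtu_1"),
    ("vendor_modem", "rtu_1"),                  # dial-up access to the RTU
    ("peer_utility_link", "data_acq_server"),   # device missing from inventory
]

# Assumption: these components are reachable from outside the control LAN.
ENTRY_POINTS = ["corporate_vpn", "vendor_modem"]

def exposure_paths(links, entry_points):
    """Breadth-first search: shortest path from any entry point to each asset."""
    graph = {}
    for src, dst in links:
        graph.setdefault(src, []).append(dst)
    paths = {e: [e] for e in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def rank_exposed(inventory, links, entry_points):
    """Order reachable assets by severity (high first), then fewest hops."""
    rows = [(name, inventory.get(name, 0), len(path) - 1, path)
            for name, path in exposure_paths(links, entry_points).items()]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))

def unaccounted(inventory, links):
    """Names that appear in a link but are missing from the inventory."""
    return sorted({n for link in links for n in link} - set(inventory))

if __name__ == "__main__":
    for name, sev, hops, path in rank_exposed(INVENTORY, LINKS, ENTRY_POINTS):
        print(f"sev={sev} hops={hops} {name}: {' -> '.join(path)}")
    print("Not in inventory:", unaccounted(INVENTORY, LINKS))
```

In this constructed data the dial-up link puts the RTU one hop from an entry point, and the link from `peer_utility_link` surfaces as a gap in the inventory.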
Your CyberSecurity program does not end here. There are a lot of other areas to improve on, like your Incident Response procedure, your Team’s skill sets and continuous learning, systems resiliency, data backup and recovery procedure, and continuous improvement of your systems to adapt to technological advancements as needed.
There should also be a continuous learning and development process for End-User education.
Understanding the CyberSecurity Vulnerabilities is a good starting point.
Ensuring that your system environment is secured and protected has to be your main objective.
Attacker's Perspective
You may have often heard or read that it is important to also understand how an Attacker thinks.
This may be too much to ask, but at least you have to understand the basic principle of what they look for.
From an Attacker's point of view, the fundamental objective is to:
1. Perform reconnaissance to understand the environment, identify weak points and vulnerabilities.
2. Exploit these vulnerabilities and gain access to the Control System’s local area network.
3. Take over control of the Control System’s processes.
If an Attacker is successful with the three basic objectives, your control system is owned!
End Notes
1 US CyberSecurity & Infrastructure Security Agency (CISA): Cyber-Vulnerabilities
Disclaimer
This article is a result of my personal research and is not a substitute for legal advice.
Please consult your Legal Team, Ethics & Compliance, or Regulatory Team for the interpretation of specific CyberSecurity requirements.