Industrial organizations and critical national infrastructure (CNI), like energy suppliers and water companies, are a growing target for cyber-threat actors. Threats emanate from both cyber-criminals with financial motivations and nation-state threat actors seeking to damage rival nations or steal sensitive data.
Many experts have noted that there has been a pattern of threat actors targeting the energy sector and CNI in recent years. One example was the cyber-attack on Energy One Limited (EOL), a global supplier of software and services to the wholesale energy market, in August 2023.
There have also been warnings from government bodies that critical infrastructure is a particular target for nation-backed groups. In April, the UK’s National Cyber Security Centre (NCSC) sounded the alarm over “state-aligned” Russian groups which could launch destructive attacks targeting CNI.
With this in mind, the security of industrial control systems (ICS), used for operating and automating industrial processes, is coming under increasing scrutiny.
Here are five major ICS cybersecurity challenges and how they can be overcome:
1. Vulnerability Remediation
The rapid remediation of vulnerabilities in ICS tends to be significantly more challenging than in standard IT environments, Holly Grace Williams, Managing Director at AkimboCore, told Infosecurity. This is firstly because of the critical nature of these systems, which makes it harder to have frequent maintenance windows.
“Tasks such as installing software updates can be delayed until the next maintenance window rolls around, and the system can be taken offline for updates. This can lead to a long delay between a security fix being available, and it actually being deployed,” she explained.
Additionally, Williams noted that many ICS do not have a test environment to enable software updates to be tested prior to deployment, meaning “that the risk of bad updates causing system instability or unavailability is much worse.”
Therefore, vulnerability management must be undertaken differently in ICS. Williams said security teams should explore alternatives to simple “rule-based approaches” to installing software updates and patches. For example, focusing on prioritizing patching vulnerabilities on critical systems rather than waiting to install all fixes in one window.
She advised: “Some organizations operating in a more forgiving environment might base their prioritization on simple metrics such as CVSS. Whereas more complex environments with more onerous testing and deployment challenges should take into account broader metrics such as the availability of exploits, the likelihood of exploitation, and the criticality of the specific asset.”
2. OT-IT Convergence
The growing convergence of the historically sealed world operational technology (OT) with IT networks, creates a broader attack surface, noted Paul Watts, distinguished analyst at the Information Security Forum.
“On the ICS side, the environment has not necessarily been readied to withstand the wrath of a cyber-attack on its interests, such as a ransomware event,” he told Infosecurity.
Due to this convergence, Watts said that an attack on an ICS environment must be treated differently to equivalent attacks on other types of organizations. This is because the priority of industrial control is about maintaining safety, reliability and performance (SRP) rather than the security and availability of data.
“Not only could an attack [on ICS] interrupt production – which has significant cost implications – it could, in the worst case, contravene safety requirements with potentially catastrophic consequences, including loss of life,” he commented.
Cybersecurity in ICS must account for and prioritize SRP outcomes – for example, ensuring essential systems are segmented and able to continue functioning during an incident, Watts explained.
Williams noted that in her penetration testing work, many organizations ignore vulnerabilities that only impact availability, as they may be able to reboot the system and bring everything back online quickly.
Attitudes need to be different for OT systems. “These organizations have broader challenges than simply data confidentiality and might have to invest more time and resources into integrity-protection and ensuring system availability,” she outlined.
3. Legal Requirements
Another challenge for cybersecurity teams working in ICS environments are the specific legal and regulatory requirements they must adhere to – which are stricter for CNI compared to other sectors. This is due to the potentially severe consequences of attacks on such systems.
Watts noted: “These requirements are not only stringent, but their violation carries significant judicial penalty for the designated system operator.”
in the US, a number of new policies and regulations have emerged in recent years that affect ICS. These include President Biden’s executive order on improving the nation’s cybersecurity, which places new obligations on critical infrastructure organizations that run OT, and the National Cybersecurity Strategy, which sets out a plan to coordinate the defense of these types of systems.
Another notable regulation for ICS organizations is the ISA/IEC 62443 series of standards, which define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS).
Understanding the plethora of regulations, and setting out the key roles and responsibilities that must be fulfilled across the organization, is essential for ICS operators.
4. Skills Shortages
While there is a significant cyber skills gap throughout the sector, the problem is especially acute in industrial control, according to Watts.
He noted that historically, ICS were predominantly sealed environments, with localized, analog methods used to manage, monitor and control their behaviors. However, the organic convergence of OT and IT environments has created a significantly greater need for cyber professionals – a need that has so far not been met.
“The sector has been largely attempting to plug this gap using traditional information technology and information security resources but, to date, this has seen mixed levels of success,” commented Watts.
Governments around the world are undertaking initiatives to boost the cyber skills pipeline generally, and this is something ICS organizations must tap into. This includes the White House’s National Cyber Workforce and Education Strategy, published in July 2023.
5. Incident Response
Williams noted that many of the incident response challenges in ICS are similar to standard IT environments. One of these is recording sufficient information about their environment in order to determine what actions the attacker took against its network and systems – critical to enabling effective incident response.
“If an organization doesn’t have accurate information about what is on their network – then determining how an attacker may have interacted with those systems is going to be very difficult,” she explained.
Williams said that this documentation can be far more complex in ICS environments due to the vast number and types of assets deployed, from programmable logic controllers (PLCs) to sensors.
Additionally, ICS operators have extra obligations placed upon them in regard to information sharing and reporting cyber-incidents. In 2022, the Cyber Incident Reporting for Critical Infrastructure Act passed into law in the US, which will oblige these organizations to disclose cyber incidents to the Cyber and Infrastructure Security Agency (CISA) within 72 hours of discovery, similar obligations fall on firms in the UK and Europe.
Therefore, ICS operators must develop distinct incident response plans that take these factors into account.