When it comes to securing complex industrial control systems (ICS), a difficult duality exists. On one hand there’s a universal need to secure operations technology (OT) to at least the same level as information technology (IT). ICS systems serve as the nerve centers for everything from electrical grids to manufacturing plants, but at their root they’re computing systems, and they suffer from many of the same kind of attacks and cyber risks as IT systems. On the other hand, there’s the fact that there’s an ‘otherness’ to OT that very much changes risk calculations and security design for these systems compared to their IT cousins.
The tension between these dual truths tends to breed a lot of misconceptions and mistaken beliefs about ICS cybersecurity.
Whether they’re held by engineers at electric companies or executives at manufacturing firms, these are the myths that are holding back industrial organizations of all types.
These are the top five misconceptions keeping organizations from truly reducing risk to their ICS environments, their daily operations, and their organizational missions:
1. There Aren’t Many ICS Threats
The ICS threat landscape remains relatively opaque in contrast to the public view we have of cyber threats against IT assets. Whereas we see news every day of a new data breach striking another major corporation, publicized examples of successful attacks against ICS systems remain remarkably rare.
That isn’t because they’re not happening.
Most successful ICS attack cases never make it to the public eye. For example, Dragos doesn’t take news of threats or incident response cases it encounters to the media because our leadership believes it’s better for the ICS community and public safety to keep that information under the radar. Nevertheless, this creates a perception gap where it might look like not much is threatening the industry.
Even within individual organizations we find that threats may be overlooked when they strike. For instance, Dragos experts find that many cases of accidents or maintenance events have cyber components to their root causes. That’s not to say that every maintenance event is cyber-related, but very few organizations in the industry even have the type of monitoring and information collection necessary to analyze root causes and uncover these threats when they manifest themselves.
2. The ICS is Air Gapped
While many in the industry have done work to battle this myth, it continues to rear its head. Organizations will claim that they’ve mitigated security threats to ICS because these systems are air gapped—that they’ve cut off connectivity between these systems and the network.
But no matter how many times executives, operators, or engineers repeat this myth, the fact remains that the modern ICS is almost never completely isolated or disconnected from some network somewhere. Air gaps may have been viable a long time ago, but they’ve disappeared as ICS and our tech environments have evolved to become more and more connected.
Sometimes operators are blocked from the internet by a firewall they don’t know about and assume there’s an air gap present. Sometimes operators know there are firewalls present and say that’s ‘as good as’ air gapped. And sometimes operators don’t know either way but will claim an air gap to keep IT out of the plant. Meanwhile, many ICS vendors will point to the security of air gaps to skirt security requirements.
And even if by some small miracle the organization really does manage to completely disconnect its ICS from enterprise networks, there’s still ‘someone else’s IT’ to worry about. Often vendors and integrators set up direct connections to access ICS environments for maintenance and support. Even if these connections are meant for temporary access, they serve as a conduit for threats. So, an organization may well have air gapped its systems from the enterprise network, but still isn’t air gapped from a vendor’s (e.g., Siemens, Rockwell, Schneider, etc.) network.
3. Availability Comes First in OT
The age-old IT security triad breaks down the profession’s drivers into three components: confidentiality, integrity, and availability (CIA). One misperception commonly repeated today is that in OT the priorities are similar but ordered differently—that AIC drives security in industrial sectors.
There are a number of reasons why this myth doesn’t hold water. First of all, CIA was never intended as a stack ranking of priorities. Most longtime IT professionals refer to the triad as a three-legged stool. Each leg bears equal load in maintaining an organization’s security posture. That principle stands just as true in the OT world as the IT world.
While availability stands as a core tenet in OT security, it doesn’t necessarily trump everything. For example, reliability may be crucial in the electric grid, but think of how many electric companies tout ‘safe, reliable power.’ Safety usually comes first—and you can rarely maintain safety of systems without assuring their integrity. In a completely different example, imagine the manufacturing industry. Many plants don’t run at capacity, meaning they can catch up from downtime. As a result, executives at these companies would likely prioritize maintaining the confidentiality of their recipes or intellectual property over keeping plants running at 100%.
The point here is that while three-letter acronyms are helpful to categorize and define problems, at the end of the day there’s a mission focus for industrial operations. That mission focus is more important than trying to fit the needs and requirements into the semantics of three letters—or their order of importance. It’s crucial to understand the mission focus of every plant in order to serve operations.
4. You Can Always Safely Scan ICS
There was a time many years ago when the industry believed that you could never safely scan ICS systems for security vulnerabilities. After years of work to battle this misperception, it seems that the evangelism worked a little too well. Now there exists the mistaken belief that it’s always safe to scan ICS systems.
In reality, there’s no universality either way. It depends on the environment.
Many modern control systems are designed to make them more safely scannable. But not all of them are. What’s more, the modern systems are still usually running side-by-side and interconnected with legacy systems that are trickier to scan safely. At Dragos, we find there are certain environments such as food and beverage manufacturing where it’s perfectly permissible to do active scanning in planned and tested ways, and we’re called on to help them do exactly that. On the flip side, we also run into cases where someone scanning the network brought down a system or lagged critical systems in unexpected ways.
5. IT Tools Can Detect Most ICS Attacks
The convergence of IT and OT systems that occurred a decade or more ago has helped foster the idea that IT detection tools can work just as well in ICS environments. After all, attackers use many of the same tactics they favor in IT systems in ICS environments, and leave similar digital trails after engaging in lateral movement between Windows systems in the ICS or exfiltration via DNS.
However, this is one place where the ‘otherness’ factor in ICS really does come into play. In many cases, IT security tools simply won’t work with ICS because many IT detection tools simply don’t ‘talk’ well with OT systems or their protocols. In other instances IT tools are not practical when placed within an ICS environment. For example, endpoint protection won’t work for PLCs. What’s more, the detection mechanisms and output are all based on IT-focused threats, so the context and correlation of what matters to OT operators will be missing.
Putting a finer point on that, many of the tools in IT use heuristics and machine learning models trained entirely on inputs of what “normal” IT customer environments look like. These baselines are not trained or tuned at all for ICS environments. Our experts have been called to incidents on more than one occasion where they’ve found that Windows AV destroyed the ICS applications because they looked odd to heuristics engines unused to the way ICS functions worked.
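To make the point about missing OT context concrete, here is an added example (not Dragos code and not from the original post) of a simple DNS-exfiltration heuristic that enriches its alerts with an OT asset inventory. Everything in it is constructed: the log lines, the IP addresses, the asset roles, and the thresholds are all hypothetical. The detection itself (long, high-entropy labels, many distinct subdomains, TXT queries) is the same generic signal an IT tool would use; what the inventory adds is the severity decision an OT operator actually cares about, namely whether the source is an HMI or engineering workstation rather than a corporate laptop.

```python
"""DNS exfiltration heuristics enriched with OT asset context (constructed example)."""
import math
import re
from collections import defaultdict

# Constructed OT asset inventory: hypothetical addresses and roles, not real assets.
ASSET_INVENTORY = {
    "10.10.1.5": "engineering-workstation",
    "10.10.1.20": "hmi",
    "10.10.2.10": "historian",
    "10.20.0.7": "corporate-laptop",
}

# Roles whose DNS traffic should be rare and well known; any anomaly is high severity.
CRITICAL_ROLES = {"engineering-workstation", "hmi"}

# Constructed, syslog-like DNS query records: "<timestamp> <source-ip> query <type> <name>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.10.1.20 query A hmi-update.vendor.example
2024-05-01T10:00:02Z 10.20.0.7 query A www.example.com
2024-05-01T10:00:03Z 10.10.1.5 query TXT 4a7f9c2e1b8d3f6a0c5e7b9d2f4a6c8e.exfil.example
2024-05-01T10:00:04Z 10.10.1.5 query TXT 9e2d4b6f8a1c3e5b7d9f0a2c4e6b8d1f.exfil.example
2024-05-01T10:00:05Z 10.10.1.5 query TXT 1c3e5b7d9f0a2c4e6b8d1f3a5c7e9b0d.exfil.example
2024-05-01T10:00:06Z 10.10.2.10 query A ntp.plant.example
2024-05-01T10:00:07Z 10.20.0.7 query TXT 7b9d2f4a6c8e0a1c3e5b7d9f2c4e6b8d.exfil.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded chunks score close to 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, qtype, qname = m.groups()
        records.append({"ts": ts, "src": src, "qtype": qtype, "qname": qname.lower()})
    return records


def registered_domain(qname):
    """Crude registered-domain cut (last two labels); real tooling would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(records, min_entropy=3.5, min_label_len=24, min_unique_subdomains=3):
    """Group queries per (source, domain), score them, and rank by the source's OT role."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], registered_domain(r["qname"]))].append(r)

    alerts = []
    for (src, domain), recs in groups.items():
        first_labels = [r["qname"].split(".")[0] for r in recs]
        unique_subs = len(set(first_labels))
        longest = max(first_labels, key=len)
        reasons = []
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            reasons.append("high-entropy long label")
        if unique_subs >= min_unique_subdomains:
            reasons.append(f"{unique_subs} distinct subdomains")
        if any(r["qtype"] == "TXT" for r in recs):
            reasons.append("TXT queries")
        if len(reasons) < 2:          # require two independent signals to cut noise
            continue
        # This is the OT context an IT-only tool lacks: who is talking, and does it matter?
        role = ASSET_INVENTORY.get(src, "unknown")
        severity = "high" if role in CRITICAL_ROLES else "medium"
        alerts.append({"src": src, "role": role, "domain": domain,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_log(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['src']} ({a['role']}) -> {a['domain']}: {', '.join(a['reasons'])}")
```

Run as-is, the engineering workstation's three TXT queries to the constructed exfil domain produce a high-severity alert, while the identical pattern from the corporate laptop is only medium. The detection logic is the same for both; only the inventory lookup differs, which is exactly the correlation step that a tool baselined on IT environments has no data to perform.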
While it’s crucial to remember the convergence of OT and IT puts ICS at the same levels of risk as IT systems, the fact remains that ICS has different systems, different missions, and different threats than their IT cousins. As such, detection and response efforts must also be different to take those into account.