Advancing connectivity and digitalization of industrial control systems (ICS) provides significant benefits to the business, but managing increased risk to the core business and ensuring adherence to audit and compliance programs are just as significant concerns. But, when it comes to securing complex ICS, a difficult duality exists.
On one hand, there’s a universal need to secure operational technology (OT) to at least the same level as information technology (IT). After all, ICS / OT serve as the nerve centers for everything from electrical grids to manufacturing plants, and at their root they are computing systems. Meaning they suffer from many of the same kinds of attacks and cyber risks as does IT.
On the other hand, there’s the fact that there’s an “otherness” to ICS and other OT that changes risk calculations and security design for these systems compared to their IT cousins. The tension between these dual truths tends to breed a lot of misconceptions and mistaken beliefs about the security of ICS/OT environments.
Whether they’re held by engineers at electric companies or executives at manufacturing firms, these are the top five misconceptions keeping organizations from truly reducing risk to their ICS environments, their daily operations, and their organizational missions.
Myth #1. There Aren’t Many ICS/OT Threats
The ICS/OT threat landscape remains relatively opaque in contrast to the public view we have of cyber threats against IT assets. Whereas we regularly see news of a new data breach striking another major corporation, publicized examples of successful attacks against OT systems remain remarkably rare. That isn’t because they’re not happening.
In the not so distant past, most successful ICS attack cases may have never made it to the public eye. But recent new stories such as the Oldsmar water treatment facility breach highlight that ICS / OT environments are at greater risk and a breach can have serious consequences to our personal safety and our way of life.
Even within individual organizations, we find that threats may be overlooked when they strike. For instance, Dragos experts find that many cases of accidents or maintenance events have cyber components to their root causes. That’s not to say that every maintenance event is cyber-related, but very few organizations in the industry even have the type of monitoring and information collection necessary to analyze root causes and uncover these threats when they manifest themselves.
Myth #2. Industrial Control Systems Are Air Gapped
While many in the industry have done work to battle this myth, it continues to rear its head. Organizations will claim that they’ve mitigated security threats to ICS because these systems are air gapped—that they’ve cut off connectivity between these systems and the network.
But no matter how many times executives, operators, or engineers repeat this myth, the fact remains that the modern ICS is almost never completely isolated or disconnected from some network somewhere. Air gaps may have been viable a long time ago, but they’ve disappeared as ICS and our tech environments have evolved to become more and more connected.
Sometimes operators are blocked from the internet by a firewall they don’t know about and assume there’s an air gap present. Sometimes operators know there are firewalls present and say that’s as good as air gapped. And sometimes operators don’t know either way but will claim an air gap to keep IT out of the plant. Meantime, many ICS vendors will point to the security of air gaps to skirt security requirements.
And even if the organization does manage to completely disconnect its ICS from enterprise networks, there’s still “someone else’s IT” to worry about. Often vendors and integrators set up direct connections to access ICS environments for maintenance and support. Even if these connections are meant for temporary access, they serve as a conduit for threats. An organization may well have air gapped its systems from the enterprise network, but still isn’t air gapped from a vendor’s (e.g., Siemens, Rockwell, Schneider, etc.) network.
Myth #3. Availability Comes First in OT
The age-old IT security triad breaks down the profession’s drivers into three components: confidentiality, integrity, and availability (CIA). One misperception commonly repeated today is that in OT the priorities are similar but ordered differently—that availability, integrity, and confidentiality (AIC) drives security in industrial industries.
There are a number of reasons why this myth doesn’t hold water. First of all, CIA was never intended as a stack ranking of priorities. Most longtime IT professionals refer to the triad as a three-legged stool. Each leg bears equal load in maintaining an organization’s security posture. That principle stands just as true in the OT world as the IT world.
While availability stands as a core tenant in OT security, it doesn’t necessarily trump everything. For example, reliability may be crucial in the electric grid but think of how many electric companies tout “safe, reliable power.” Safety usually comes first—and you can rarely maintain safety of systems without assuring their integrity. In a completely different example, imagine the manufacturing industry. Many plants don’t run at capacity, meaning they can catch up from downtime. As a result, executives at these companies would likely prioritize maintaining the confidentiality of their recipes or intellectual property over keeping plants running at 100%.
The point here is that while three-letter acronyms are helpful to categorize and define problems, at the end of the day there’s a mission focus for industrial operations. That mission focus is more important than trying to fit the needs and requirements into the semantics of three letters—or their order of importance. It’s crucial to understand in every plant what the mission focus is to help be service-oriented to operations.
Myth #4. You Can Always Safely Scan ICS
There was a time many years ago when the industry believed that you could never safely scan ICS systems for security vulnerabilities. After years of work to battle this misperception, it seems that evangelism worked a little too well. Now there exists the mistaken belief that it’s always safe to scan ICS systems. In reality, there’s no universality either way. It depends on the environment.
Many modern control systems are designed to make them more safely scannable. But not all of them are. What’s more, the modern systems usually running side-by-side and interconnected with legacy systems that are trickier to scan safely. At Dragos, we find there are certain environments such as food and beverage manufacturing where it’s perfectly permissible to do active scanning in planned and tested ways, and we’re called on to help them do exactly that. On the flip side, we also run into cases where someone scanning the network brought down a system or lagged critical systems in unexpected ways.
Myth #5. IT Tools Can Detect Most ICS Attacks
The convergence of IT and OT systems that occurred a decade or more ago has helped foster the idea that IT detection tools can work just as well in ICS environments. After all, attackers use many of the same tactics they favor in IT systems in ICS environments and leave similar digital trails after engaging in lateral movement between Windows systems in the ICS or exfiltration via DNS.
However, this is one place where the otherness factor in ICS really does come into play. In many cases, IT security tools simply won’t work with ICS because many IT detection tools simply don’t talk well with OT systems or their protocols. In other instances, IT tools are not practical when placed within an ICS environment. For example, endpoint protection won’t work for PLCs. What’s more, the detection mechanisms and output are all based on IT-focused threats, so the context and correlation of what matters to OT operators will be missing.
Putting a finer point on that, many of the tools in IT use heuristics and machine learning models trained entirely off of inputs of what “normal” IT customer environments look like. These are baselines are not trained or tuned at all for ICS environments. Dragos experts have been called to incidents on more than one occasion where they’ve found that Windows AV destroyed the ICS applications because they looked odd to heuristics engines not used to the way ICS functions worked.
While it’s crucial to remember the convergence of OT and IT puts ICS at the same level of risk as IT systems, the fact remains that ICS has different systems, different missions, and different threats than their IT cousins. As such, detection and response efforts must also be different to take those into account.
Making OT Defense Doable
An important first step towards maturing your ICS/OT cybersecurity program is proactively assessing the divide between IT and OT cybersecurity strategies. While applying lessons from IT cybersecurity and tailoring them to OT environments can be a years-long process toward maturation, there are some things you can do to kick-start your OT cybersecurity strategy and execution. Take advantage of our free download below.
Ready to put your insights into action?
Take the next steps and contact our team today.