Industrial Control System (ICS) networks, which include supervisory control and data acquisition (SCADA) systems, administer operations for critical infrastructure and production, including manufacturing facilities, refineries, water treatment, hydroelectric and nuclear power plants. These legacy systems, often built before the Internet existed, are increasingly being connected to the Internet, essentially to make them easier to manage remotely. Even SCADA systems that have remained isolated from the Internet and business IT systems are vulnerable to threats that can “leap the air-gap” via process, people and physical (e.g., USB drive) attack vectors.
Industrial Control Systems Face Unique Complications
Control networks and industrial control systems face a unique set of cyber security complications. Just as traditional air gaps are no longer effective, information technology (IT) cyber security solutions in use on the corporate network can’t be deployed interchangeably to protect the control network, as the IT and control network teams have different priorities and requirements. For example, in industrial control system environments that usually run 24/7, configuration changes can only be applied during maintenance outage windows, which often occur only once per year for a limited number of days. A related deficiency is the lack of forensic readiness: presuming that a failure will happen, determining its root cause may require prolonged forensic effort, and the evidence may ultimately be lost in the rush to re-establish operations.
Discovery of the Stuxnet Virus
The discovery of Stuxnet in 2010 and the subsequent revelations about its counterparts Flame and Duqu have brought critical infrastructure security to the forefront of the public’s attention. Unfortunately, cybersecurity continues to be a relatively low priority in private ICS environments. For example, many critical infrastructure operators don’t have a dedicated security professional for their systems, and SCADA security makes up less than one percent of their budget for process and ICS equipment and services.
Relying on traditional perimeter cyber security tools, such as simple firewalls and anti-virus software, has proven its shortcomings time and time again. For example, the Flame virus evaded detection by 43 different anti-virus tools and took more than two years to detect.
SCADA Systems Must Respond to Threats in Real Time
Instead, SCADA systems must have tools in place that allow them to identify threats, respond and expedite forensic analysis in real time. To achieve this, continuous monitoring of all log data generated by SCADA components is needed to automatically baseline normal, day-to-day activity across these components and therefore identify any and all anomalous activity immediately.
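The baselining described above, as an added example that is not part of the original article: it learns which (source, destination, protocol, function) combinations and per-source hourly volumes are normal from a training set of gateway log lines, then reports anything outside that envelope. The log format, host names (hmi-01, eng-ws-02, plc-07, 10.0.5.99) and traffic volumes are constructed for the example; Modbus function codes 3 (read holding registers) and 16 (write multiple registers) are the real ones.

```python
"""Baseline-and-deviate detector for SCADA component logs (added example).
Log format, hosts and volumes are constructed; Modbus function codes are real."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Hypothetical gateway log format: "<ISO timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
REQUIRED = {"src", "dst", "proto", "func"}

def parse_line(line):
    """Parse one record into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    return rec if REQUIRED <= rec.keys() else None

def window_key(rec):
    """Bucket records into one-hour windows: 'YYYY-MM-DDTHH'."""
    return rec["ts"][:13]

@dataclass
class Baseline:
    known: set = field(default_factory=set)         # (src, dst, proto, func) seen while learning
    per_window: dict = field(default_factory=dict)  # src -> event count per learned window

def learn(lines):
    """Build the baseline: who talks to what, and how much per hour."""
    base, windows = Baseline(), set()
    counts = defaultdict(Counter)  # src -> Counter(window -> events)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # learning tolerates noise; detection reports it
        base.known.add((rec["src"], rec["dst"], rec["proto"], rec["func"]))
        w = window_key(rec)
        windows.add(w)
        counts[rec["src"]][w] += 1
    for src, c in counts.items():
        # zero-fill windows in which a source was silent so its baseline is honest
        base.per_window[src] = [c.get(w, 0) for w in sorted(windows)]
    return base

def detect(base, lines, sigma=3.0, min_margin=2):
    """Alert on unseen tuples, per-source hourly rates above mean + sigma*stdev
    (with a floor so a flat baseline does not alert on one extra packet), and
    unparseable lines."""
    alerts, seen_new = [], set()
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("malformed", line.strip()))
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["func"])
        if key not in base.known and key not in seen_new:
            seen_new.add(key)
            alerts.append(("unseen", key))
        counts[rec["src"]][window_key(rec)] += 1
    for src, c in counts.items():
        hist = base.per_window.get(src)
        if hist is None:
            continue  # brand-new source: already reported as "unseen"
        mu, sd = mean(hist), pstdev(hist)
        threshold = mu + max(sigma * sd, min_margin)
        for w, n in sorted(c.items()):
            if n > threshold:
                alerts.append(("rate", src, w, n, round(mu, 1)))
    return alerts

def _poll_lines(hour, src, n, func="3"):
    """Constructed helper: n evenly spaced Modbus requests from src in one hour."""
    return [f"2024-03-01T{hour:02d}:{(i * 60) // n:02d}:01 src={src} dst=plc-07 "
            f"proto=modbus func={func}" for i in range(n)]

# Constructed learning window: the HMI polls the PLC 4x/hour, an engineering
# workstation reads it once an hour, nothing ever writes.
BASELINE_LOGS = [line for h in (8, 9, 10)
                 for line in _poll_lines(h, "hmi-01", 4) + _poll_lines(h, "eng-ws-02", 1)]

# Constructed detection window containing things the baseline never saw.
NEW_LOGS = (
    _poll_lines(11, "hmi-01", 4)
    + ["2024-03-01T11:20:00 src=eng-ws-02 dst=plc-07 proto=modbus func=16"]  # first-ever write
    + _poll_lines(12, "hmi-01", 9)                                            # polling burst
    + ["2024-03-01T12:05:00 src=10.0.5.99 dst=plc-07 proto=modbus func=3"]    # unknown host
    + ["garbage"]                                                             # unparseable
)

def run_demo():
    """Learn from BASELINE_LOGS and return the alerts raised by NEW_LOGS."""
    return detect(learn(BASELINE_LOGS), NEW_LOGS)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as-is and it reports four alerts: the first write from the engineering workstation, the unknown host, the malformed line, and the HMI polling burst in the 12:00 window. The `min_margin` floor matters in ICS traffic, where polling is so regular that the learned standard deviation is often zero; without it every single extra request would fire. In practice the lines would come from the historian, HMI or protocol gateway syslog feed rather than an in-memory list, and the learned baseline would be refreshed only during a known-good period so that an intrusion that happens during learning is not baked in as "normal".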
By adopting an integrated, layered approach that leverages advanced firewalling, intrusion detection and prevention, security information and event management, predictive analysis and network forensics, ICS operators can take a proactive stance against threats and vulnerabilities, comply with industry regulations and cybersecurity best practice, and protect important critical infrastructure.