The industrial control systems that are one of the building blocks of the Industrial Internet of Things (IIoT) have, in many cases, been around for a long time; often so long that their design predates any awareness of the potential for cybercrime.
According to a recent article by Maria Korolov, attacks on such control systems have doubled since 2014, impacting in particular SCADA systems in Finland, the UK and the US.
Protecting those vulnerable systems is a mission of The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates within the National Cybersecurity & Communications Integration Center (NCCIC), which is in turn a division of the Department of Homeland Security's Office of Cybersecurity and Communications.
ICS-CERT recently composed a message, directed at the C-Suite, in which they warned, “Cyber threats against Industrial Control Systems (ICS) continue to increase in intensity, frequency, and complexity. Yet, basic cybersecurity practices within many ICS organizations continue to be an afterthought or significantly less than needed. This document was developed as a tool to help facilitate the communication of strong, basic cybersecurity principles to the leadership of ICS organizations.”
The good news is that it should be possible to engineer more protections into the systems that have already been fielded. The bad news is that it may be very complicated (and perhaps expensive) to do so. A recent blog post from SANS Industrial Control Systems drill down into the functions managed with industrial control systems in a single solution polymer chemical processing facility to illustrate some of the challenges. The author noted that “there are two points that this process is vulnerable to control system attacks that would have serious quality impacts on the company owning the facility. The same points would be attacked to try to effect a catastrophic attack on the process, but the success of that attack would depend in large part in how well the facility safety systems were designed and installed.”
And that, of course, is the challenge. If you happen to be an owner or operator of a facility that is considered to be critical infrastructure, ICS-CERT offers a 2-3 day Design Architecture Review (DAR) technical review and cyber evaluation of the architecture and components in the industrial control systems, including integration of Information Technology (IT) and Operational Technology (OT) teams. Best of all, because DAR is based on Congressional funding, it is available as an onsite facilitated assessment for critical infrastructure asset owners and operators at no cost. Others will have to do the work themselves or hire an outside expert. However, given both the potential risks – and the rewards of preparing existing assets to operate safely in an IIoT world, it should certainly be worth it.
Alan R. Earls is a Boston-based writer focused on technology, business, and manufacturing — a field where he spent the earliest part of his career. He has written for publications and websites as diverse as The Boston Globe, Computerworld and Modern Infrastructure as well as Industry, The Manufacturer, and Today's Machining World and is a regular contributor to the Smart Industry Connect blog.