Industrial Control Systems inherently vulnerable to cyber attacks

Monday, 9 October 2017 00:00

US-based Bayshore Networks Senior Director for Industrial Control Systems Dr. Vincent Turmel said industrial controls were inherently vulnerable. 

This is because Industrial Control Systems (ICS) are based on open protocols and old designs. “Security was never thought about when they were designed and they inherently trust other devices on the control network. They are also often installed and left untouched for a long time and furthermore only a few updates are made as any change brings the risk of interrupting production,” said Turmel. 

He said ICS vulnerabilities are everywhere. “Many IT/Operation Managers believe their systems are air gapped. However, most systems are connected either directly to the outside world via web servers and VPN for remote diagnostics, engineering or indirectly via corporate networks such as MES systems, VPN and jump servers.”

The Bayshore official said that, driven by “plant digitisation” or “industrial IoT”, also called “Industry 4.0”, ICS connectivity will increase rapidly.

“This is the promise of efficiency gain in production processes via the use of big data as there are direct process efficiency gains due to process and operations optimisation and preventative and predictive maintenance and the creation of new products. 

“This is based on the collection, analysis and sharing of industrial data,” he explained.

Turmel told the Daily FT-CICRA Cyber Security Summit participants how ICS were vulnerable to IT issues as well as specific threats. 

There are many types of what he labelled threat actors. Disgruntled employees, knowledgeable contractors and the like are known as internal threats, while outside threats include hacktivists and independent hackers, those engaged in organised crime, and state actors such as intelligence agencies, military organisations and state-sponsored hacking groups.

“None of them can be ignored. You may not be a target of choice but your organisation could be a target of opportunity or just collateral damage.” 

Cyber Security Summit participants were warned by the Bayshore official that ICS were seen as an interesting playground as they were usually not hard to penetrate.

At the summit he shared a host of global incidents of attacks on ICS. In Australia, a waste management system was hacked by a disgruntled employee, while an engineer hacked into the Los Angeles traffic control system.

He also referred to the famous ‘WannaCry’ attack impacting companies and utilities globally.

“Unfortunately, organisations are paralysed by five myths of industrial control systems security. They are: we’re not connected to the internet, we’re secure because we have a firewall, hackers don’t understand SCADA/DCS/PLC, our facility is not a target, and our safety systems will prevent any harm,” said Turmel.

He said that organisations needed to harden their ICS so that inherent vulnerabilities did not lead to large-scale compromise. This is basic cyber hygiene, he said, adding however that challenges remained in the operating technology environment. “We can reduce the vulnerabilities but not eliminate them. We cannot control the threat actors so we must act on the threat vectors,” he stressed.

Bayshore also highlighted various industrial cyber platform capabilities and best practices for the benefit of Daily FT-CICRA Cyber Security Summit participants.