How to protect your business' Industrial Control Systems?

Did you know that in the first half of 2021, 33.8% of Industrial Control Systems’ (ICS) computers were attacked, which is 0.4% points (p.p.) higher than in H2 2020? This means that only in the first 6 months of last year, over one-third of ICSs suffered some kind of cyber attack in the world. If cybercrime were a country, it would be the world's third-largest economy after the United States and China, inflicting $6 trillion USD in worldwide damages in 2021. 

Shocking data especially if we consider that Industrial Control Systems handle many types of processes including critical infrastructures, such as water treatment, energy, and air traffic control.

In our newest article below we will discuss:

• What Industrial Control Systems are?
• What are the main cybersecurity issues ICS can face and how to avoid them?
• Which international standards Industrial Control Systems must comply with?

Besides, you can get to know how we, at CCLab can help you to achieve better security for your business’s ICS.

Industrial Control Systems - what are they and how do they work?

Industrial Control System (ICS) is a collective phrase to define different types of control systems and associated instrumentation. These can be systems, networks, devices, and controls used to automate and operate industrial processes. Almost all critical infrastructure and sectors of industrial production, power management, water treatment, and transportation require some kind of ICS, as well as the devices and procedures that go with it.

Types of Industrial Control Systems

Industrial Control Systems are divided into groups based on the complexity of their control actions in regard to the comprehensive functions of the ICS. The following are examples of common types of control systems:   

• Supervisory Control and Data Acquisition (SCADA)
• Distributed Control Systems (DCS)

Core components of modern Control Systems

Today's automated and digitized ICSs have the following main components:

• Remote Terminal Units (RTUs)
• Human-Machine Interface (HMI)
• Intelligent Electronic Devices (IEDs)
• Programmable Logic Controllers (PLCs)
• Programmable Automation Controllers (PACs)
• Industrial Automation and Control Systems (IACS)

What are the main security issues ICS can face and how to avoid them?

You may assume that cyberattacks are becoming less of a concern, but this is not the case. According to global research, security incidents are increasing at a compound annual growth rate of 66 percent. This means as the number of Industrial Control System devices and elements increases so does the chance of cyber-threats and attacks. 

Main vulnerabilities of Industrial Control Systems

1. Exposure through the internet: Before the online world Industrial Control System operations were limited to the facility. Today most companies have connected their ICS or a part of their ICS setup to the internet and integrated it with other platforms to boost operations. Insecure connections however may allow malicious players to get backdoor access to the ICS environment.
2. Inadequate security awareness: Employees often become victims of phishing and spear-phishing assaults as a result of inadequate safety awareness. 

Extending threats to Industrial Control Systems

The average cost of a cyber-attack in 2019 ranged from $108,000 to $1.4 billion, depending on the firm's size. According to Cybersecurity Ventures, overall damage might exceed $6 trillion. Based on a recent global risk assessment, over half of the Industrial Control Systems have evidence of attempted hostile break-ins in the second half of 2018. 

According to the research, the most frequent type of attack was Trojan malware, which was found on 27 percent of ICS systems.

Phishing emails are the other common type of attack against ICSs. Threats can be diverse and wide-ranging, with far-reaching human repercussions, not only for employees.

Malware dangers are also more common than many of us would think. Portable media is often used by personnel in the industrial control system environment. Malware can be easily transferred through removable media and infect the ICS.

What are the other common threats? 

• Third-party threats: With the rising outsourcing of system maintenance for ICS settings, potentially infected support staff devices pose a risk of compromise.
• Technical or physical malfunction: Power, hard drive failure, system crash, and cable damage can all result in a runtime failure.
• Cyber threats: Terrorist and hacker groups that want to inflict fear, destruction, and loss of life frequently attack critical infrastructure.  Electric power, air traffic control, and nuclear power facilities are extremely vulnerable.
• Insider attacks: Internal employee malpractice (whether deliberate or inadvertent) can lead to serious issues in the ICS environment. 
• Service denial: In Industrial Control Systems both wired and wireless connectivity is used. Attacks on these connections have the potential to disrupt real-time communication between ICS components. Delays of seconds in ICS might have serious consequences for the operation.

Smarter Systems = Higher risk?

While smart devices and the Internet of Things (IoT) are revolutionizing Industrial Control System networks and enhancing usability, efficiency, and productivity in ICS environments, they are also having a substantial influence on ICS security. 

The number of devices and components connected to the Internet and different networks is increasing, with which their exposure to cybercrime grows in direct proportion. This means that the entire system is just as secure as its weakest component. ‍

As ICS components become smarter, they are increasingly becoming a target for cybercriminals, so special attention should be paid to their protection too. This is where often mentioned Defense in Depth (DiD) comes into play. DiD is a cybersecurity method that layers a succession of defensive procedures to protect critical data and information. If one system fails, another instantly steps in to prevent an attack. This multi-layered strategy with intended redundancy improves overall system security and handles a wide range of attack vectors.  

A security assessment can help industrial businesses determine their cybersecurity maturity and understand the danger of a cyber intrusion. It will also assist them in arranging the next steps to develop their cybersecurity strategy, install security controls, assess cyber-resilience, establish a vulnerability management program and design their DiDs.

Which is the most effective cybersecurity solution currently?

The International Electrotechnical Commission (IEC) is a global organization for standardization comprising all national electrotechnical committees (IEC National Committees). IEC 62443 is a global standard for the security of ICS networks that was created to protect ICSs and assist facilities in lowering the risk of failure and exposing ICS networks to cyber threats. Currently, compliance with ISO/IEC 62443 is the most effective cybersecurity solution for Industry 4.0. ‍

IEC 62443 has four parts:

• 62443-1: General
• 62443-2: Policies
• 62443-3: System
• 62443-4: Components

Let’s dive into 62443 standard Part 4

IEC 62443 part 4-1 specifies the process requirements for the secure development life cycle for developing and maintaining secure products used in Industrial Automation and Control Systems (IACS). The life cycle includes security requirements definition, secure design, safe implementation including coding guidelines, validation and verification, defect and patch management, and product end-of-life.

What is the benefit of an IEC 62443-4-1 certification?

The IEC 62443-4-1 certificate confirms that the developer has executed a securityby-design method from day one of the product development processes. Therefore it is highly recommended that an Industrial Automation and Control Systems component manufacturer include the security requirements under IEC 62443 4-1 in its product development operations.

What is 62443 standard Part 4-2 and why is it important?

This section describes the technical requirements for products and their components. If suppliers adhere to the set of rules stated in this part, they can provide their customers with the best possibilities for securing their networks against cyberattacks. Industrial Control System suppliers shall certify their components and products in accordance with IEC 62443-4-2 to ensure that the security standards applicable to customers are met.‍

The IEC 62443 standard defines 4 levels of safety functionality for component security in 62443-4-2:

‍

• SL1: Protection against causal or coincidental violation
• SL2: Protection against intentional violation using simple means with low resources, generic skills, and low motivation
• SL3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation
• SL4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills, and high motivation

How can CCLab help to achieve better security?

As an accredited test laboratory together with other members of QTICS Group we provide versatile compliance services within the Energy and Industry sector for both manufacturers and suppliers of Industrial Control System's components. We can support you from preparation to getting certified for 62443-4-1 Product development requirements and for 62443-4-2 Technical security requirements.

We provide preparation consultation services, which help you create the necessary evidence for a certification process. We designed our service portfolio around the device manufacturers' certification journey to help you reach 62443-4 compliance wherever your product is in the development life cycle.

We suggest starting with an analysis of your current documentation to decide whether it can be used in its current form as evidence for the certification. We help you identify key areas where additional documentation or tasks should be performed in order to create the evidence required by 62443-4. This will be covered by our gap analysis service, which results in a report that can be used as a roadmap to identify the required effort and resources that you need to get your product 62443-4 certified. 

Summary

Technical advances, globalization, and digitization are constantly changing and improving the industries, getting networks connected and automating processes to make them smoother and faster. On the other hand, it is digitalization that makes these systems more vulnerable to cybercriminals. The IEC-62443 international standard was developed to work toward securing these vulnerabilities in Industrial Control Systems (ICS) networks. 

If you are a product manufacturer or supplier that designs and creates the components for the System Integrator to build ICS then you are also responsible for responding to IEC-62443 requirements. Get in touch with us if you are looking for comprehensive support in being certified for 62443-4-1 and 62443-4-2.

Source: https://ics-cert.kaspersky.com/publications/reports/2021/09/09/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2021/

‍