Critical Infrastructure refers to the collection of assets, systems, and networks that are vital for the proper functioning of a society. It includes both physical and virtual components and is essential for various aspects of a nation, including its economy, national security, public health, and safety. Examples of critical infrastructure include sectors such as food and agriculture, transportation systems, water supply, internet and mobile networks, public health services, energy utilities, financial services, telecommunications, and defense.
Industrial Control Systems (ICS) are a key component of critical infrastructure, particularly in sectors such as transportation, oil and gas, electricity, and water management. These systems, including supervisory control and data acquisition (SCADA) systems, play a vital role in automating and controlling industrial processes. However, the increasing threat of attacks targeting SCADA and other ICS poses significant risks.
This infrastructure is hugely different from common IT structures that are normally found in companies. On the one hand, we are looking at older protocols and systems due to the complexity of updating hardware and software. On the other hand, this is the area where we are facing some of the newest technologies, collectively referred to as the Internet of Things (IoT): a very different world of new protocols and an enormous amount of data that needs to be collected, analyzed, and transmitted.
Operators of ICS are challenged to keep pace with the ever-evolving trend of gathering and ingesting reliable, quickly obtained data from both interior and exterior sources or risk losing market share. The need for reliable and fast access to data representing what’s happening in one’s own system, as well as the competitive market, can make the difference between record profit margins and bankruptcy. Now that these serial networks have been modified to operate in IP networks using commercial off-the-shelf (COTS) products, most of which do not provide any additional security, these once serial, air-gapped systems face the same advanced persistent threats, malware, and insider threats as their enterprise counterparts’ systems. These day-to-day threats are of concern to enterprise IT, but even more so to operational technology (OT) systems, because unlike enterprise systems, OT systems cannot be easily updated and retooled to address the constantly changing threat landscape.
Designed to control physical processes with as close to 100 percent uptime as possible, these systems are difficult and costly to take offline due to the impact they could have on production and surrounding environments. Due to the functional requirements placed upon these systems, the equipment refresh cycle is greatly extended. It is not uncommon to find one that has been operating for close to 25 years on the original hardware and operating system.
Security experts with a computer science background are confronted with a very different world with a high attack potential and of course an enormous value for attackers as messing around with such systems has devastating effects. When it comes to securing critical infrastructure, you need to employ experts with a background in IT and OT technologies and ideally experience in one or more verticals like manufacturing, transportation, oil and gas, etc.
We can help you with:
ICS Risk Management
An ICS risk management process is considerably different from one for a traditional IT system. For example, safety is a paramount concern for ICS operators and significantly influences the engineering and operational decisions made. When establishing a risk management process for an ICS organization, it is essential to consider how safety requirements interact with information security. In situations where safety requirements conflict with best security practices, the organization must make a clear decision on prioritization. In most cases, ICS operators would prioritize safety over security. The risk management process ensures that such assumptions are explicitly addressed, fostering agreement within the organization, and maintaining consistency throughout the process.
The availability of services is another significant concern for ICS operators. In critical infrastructure sectors like water or power systems, uninterrupted and dependable operations are vital. Therefore, ICS often have stringent requirements for availability and recovery. It is crucial to explicitly develop and state these assumptions in the risk management process. Failing to do so may lead the organization to make risk decisions that inadvertently impact the users and stakeholders who rely on the services provided by the ICS.
There are many more examples but discussing all of them would go far beyond the purpose of this page.
ICS Risk Assessment
When conducting a risk assessment for an ICS, there are unique considerations that differentiate it from a risk assessment for a traditional IT system. Due to the interaction of physical and digital aspects in an ICS, the impact of a cyber incident can extend beyond the digital realm and have physical consequences. As a result, risk assessments for ICS must consider these potential effects.
For example, assessing the potential physical impact of a cyber incident is crucial for an ICS. This involves evaluating how a disruption or compromise in the ICS could affect physical processes, equipment, infrastructure, and personnel safety.
Considerations should also be given to the potential operational consequences resulting from a cyber incident in an ICS. This includes assessing the impact on critical processes, production capabilities, delivery of services, and overall system availability. Operational disruptions can have significant financial, reputational, and safety implications.
Another important aspect is supply chain dependencies. ICS often rely on a complex network of suppliers and vendors. Assessing the risks associated with supply chain dependencies is crucial to ensure the resilience and security of the ICS. This involves evaluating the potential vulnerabilities and threats that may arise from third-party interactions and considering appropriate risk mitigation strategies.
As above, there are many more examples, but we can’t discuss all of them here.
ICS Security Program Development and Deployment
Effectively integrating security into an ICS requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement. This involves many aspects like:
- developing a business case for security
- establishing governance structures and defining roles and responsibilities
- conducting a comprehensive risk assessment
- developing and documenting security policies, procedures, and guidelines
- implementing security awareness and training programs
- defining and deploying appropriate security controls
- establishing an incident response plan
- implementing monitoring systems and security technologies to detect and respond to potential threats
- ensuring compliance with relevant industry-specific regulations, standards, and frameworks
- developing procedures for assessing the security posture of third-party vendors and contractors who have access to your systems
ICS Security Architecture
Designing and implementing a security architecture for critical infrastructure and industrial control systems involves a solid understanding of the corresponding industry vertical. In addition, various technical elements like the following need to be considered:
- Segmentation and Zoning
- Boundary Protection and Firewalls
- Logically separated Control Network
- Defense-In-Depth
- Access Controls
- Secure Remote Access
- Event Logging and Monitoring
- Man-In-The-Middle Attacks
- Incident Detection, Response, and System Recovery
If you are interested in more details, you may want to get hold of NIST Special Publication 800-82, which includes a lot of details on executing the Risk Management Framework tasks for Industrial Control Systems and gives in-depth guidance on the application of Security Controls to ICS.
ICS Security Testing
Due to the heightened sensitivity of many ICS environments, special care must be taken when conducting technical security tests. The type and nature of these tests need to be carefully considered, and analysts need to employ a diverse range of methods and alternative approaches as part of their testing methodology.
Unlike traditional IT environments, ICS environments prioritize “availability” over “integrity” or “confidentiality.” This fundamental difference requires a distinct approach to technical security testing. Invasive tests or tests that strain the network can potentially lead to disruptive service outages and should be avoided in these environments.
Performing security tests in ICS environments requires analysts to have a deep understanding of the unique technologies and processes involved, as well as the most effective testing approaches. This places a greater emphasis on the skills, knowledge, and situational awareness of analysts, requiring specialized individuals supported by a robust methodology.
Also, when conducting testing in ICS environments, it is crucial to consider the various stakeholders involved and their different perspectives, motivations, and expectations regarding risk assessment. ICS environment owners, process engineers, safety specialists, and security practitioners may have distinct viewpoints on the risks associated with an ICS environment and the specific types of tests and assurances they require.
The actual engagement is like other established approaches; however, we pay special attention to demystifying technical security testing and facilitating effective communication throughout the engagement.
While the process is generic in nature, it includes activities tailored to address the unique characteristics of ICS environments. This involves adapting the testing approach to align with the sensitivity of business functions and processes specific to the ICS environment. Factors such as potential adverse consequences and the incident response capability are considered. Additionally, the process incorporates up-to-date threat intelligence and employs a well-balanced combination of offline and online tests that prioritize safety and process awareness, using methods like the check-test-check approach.
There are six characteristics that differentiate this approach from conventional security testing:
- Business Process Sensitivity: ensuring a clear understanding of the connection between ICS-related risks and the achievement of business goals
- Focused Threat Intelligence: leveraging relevant threat intelligence, tailored to the target company and industry sector
- Integrated Risk Assessment: incorporating the risk perspectives of various stakeholders, including process engineers, safety specialists, and IT and Cyber Security professionals
- Proven Tools and Methods: as special caution should be exercised when conducting online technical security testing in ICS environments
- Highly Qualified Technical Security Testers: with in-depth knowledge of ICS technologies and their integration with critical business processes
- Combined Testing Teams: ensuring domain knowledge, process expertise, and a deep understanding of the ICS environment
Cyber Security Platform Selection
Your organization can no longer rely on disjointed and ineffective legacy point solutions to defend critical infrastructure. You need a modern Cyber Security platform with a complete, tightly integrated set of capabilities to prevent threats while reducing the burden on your organization in deploying and maintaining security. Here are some of the areas to consider:
- Network and Endpoint Security
- Traffic Classification
- Network Segmentation
- Detection and Elimination
- Shared Threat Intelligence
- Zero-Day Attacks
- Centralized Management & Reporting
- Mobility & Virtualization Technologies
- APIs and Industry-Standard Management Interfaces
- Alignment with Industry Standards