ICS/OT Components overview


2023-09-10
14 minutes


Today, many industrial sites are directly connected to the internet or to the company's information systems (IS). Although this can facilitate and automate operations, these connections can also be targeted by malicious intrusions if they are not sufficiently protected. It is therefore important to clarify the concepts related to industrial system security and to provide some keys to preventing such intrusions.

First, we must clear up the confusion between the different acronyms frequently used in industrial security: OT, ICS, SCADA...

OT, or operational technology, includes all the hardware and software technologies used to keep production infrastructure running and to interact with its components. Industrial control systems (ICS), building management systems (BMS), heating, ventilation, and air conditioning (HVAC) systems, as well as lighting, access, and security in buildings, are all part of OT systems.

Industrial Control Systems

ICS, or industrial control systems, refer to the software or hardware solutions used for control and supervision operations in the OT environment of industrial production processes. Supervisory Control and Data Acquisition (SCADA) systems are one of the most common ICS solutions, and are offered by various players such as ABB, Rockwell Automation, Schneider Electric, and Siemens. These systems collect information from different production units and sensors to allow operators to remotely visualize or modify real-time production operations.

In the industrial world, safety and reliability must be the watchwords, even before the traditional principles of confidentiality, integrity, and availability (CIA) of the IT world. ICS are omnipresent in all industries and are a vital element for critical sectors such as nuclear power plants and electricity, water, gas, and oil distribution. It is therefore crucial to protect these systems against malicious attacks, because compromising an ICS can have serious consequences, including loss of human lives or environmental disasters.

SCADA Architecture

SCADA architectures include both hardware and software components, making them a prime target for cyber-attacks in OT environments. Within a SCADA architecture, there are several common components, including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), historian databases, Human Machine Interfaces (HMIs), sensors, and actuators.

SCADA systems are designed to collect information on geographically dispersed industrial processes, allowing operators to centrally view, supervise, or control operations in real time and remotely. This information may include states, temperatures, and pressures obtained from valves, sensors, pumps, etc.

This information is transmitted to the SCADA software by the on-site controllers involved in the industrial process, mainly PLCs and RTUs. PLCs are input/output-based microprocessors that execute programmed actions based on the inputs they receive. RTUs do the same but tend to be used for less complex applications than PLCs, as they are less flexible to program and cheaper.

The information collected by the various PLCs/RTUs is transmitted to the SCADA software, which centralizes it and makes it accessible via the HMI. Operators can then view and react to alarms in real time.

A data historian is a centralized database located on the control system's local network. It enables users to collect a significant amount of real-time data and business data to transform operations by providing information on equipment trends, patterns, and performance.

ICS data historians typically collect data from various sources such as control devices, sensors, and PLCs. The collected data is usually obtained via specific/proprietary SCADA systems or OPC DA/UA protocols. The data is then stored and made accessible via a user interface or API for reporting or analysis needs.

In addition to being a central point across a network of sensors, control devices, and PLCs, data historians can also be connected to other systems such as Enterprise Resource Planning (ERP) systems and analytics platforms to enable more comprehensive data analysis and decision-making. Because of this unique position between IT and OT, attackers are likely to target the data historian and use it as a pivot point to reach the OT network.

ICS protocols

One of the specificities of the OT environment compared to IT lies in its protocols. A whole range of proprietary and non-proprietary protocols carry the communications between the various components of the ICS. One common trait of these protocols is that they are insecure by design: when they were developed (mostly a long time ago), the primary goal was performance. For most protocols, messages are transmitted in clear text, or the protocols are affected by numerous security vulnerabilities. As a result, anyone who penetrates the control network may be able to read control traffic or send control instructions to a controller.

Some of the most common ICS protocols include:

Modbus/TCP is generally used for communication between equipment such as PLCs and supervisory computers or remote control devices. It is relatively simple to implement and deploy, making it a popular choice for industrial applications.

OPC is a communication protocol that allows software from different vendors to communicate with each other. There are two versions of the OPC protocol, OPC DA and OPC UA. OPC DA is an older protocol whose messages are transmitted in clear, while OPC UA supports data encryption.

DNP3 is a communication protocol developed for electric power distribution networks. It includes security mechanisms such as authentication, key management, and cryptographic enhancements. DNP3 is designed to work in remote environments, where security is a major concern.

EtherNet/IP is a proprietary communication protocol developed by Rockwell Automation.

Profinet is a communication protocol developed by Siemens.

S7COMM is a communication protocol developed by Siemens for SIMATIC S7 controllers.

From a security standpoint, the most important thing about ICS protocols is not to know every one of them in detail, but rather to know the expected behaviors and traffic, captured in a baseline, in order to quickly detect anomalies on the network.
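To make the baseline idea concrete for the Modbus/TCP protocol introduced above, here is an added example (not code from the original article) that decodes the Modbus/TCP header of each request and alerts when a client is unknown, issues a function code outside its learned profile, or sends a malformed frame. The baseline, client addresses and sample traffic are constructed for the example, not taken from a real site.

```python
import struct
# Modbus/TCP request = 7-byte MBAP header (transaction id, protocol id = 0,
# length, unit id) followed by the PDU (function code + data).
MBAP = struct.Struct(">HHHB")
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_request(frame: bytes):
    """Decode header and function code of one request; None if malformed."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(frame)
    # length counts the unit id plus the PDU; a mismatch means a truncated,
    # padded or deliberately malformed frame, which is itself worth an alert
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[MBAP.size]}

def check_against_baseline(src: str, frame: bytes, baseline: dict) -> list:
    """Return alerts for traffic deviating from the baseline, which maps each
    known client IP to the set of function codes it normally issues."""
    req = parse_request(frame)
    if req is None:
        return [f"{src}: malformed Modbus/TCP frame"]
    what = f"function {req['fc']} ({FUNCTION_NAMES.get(req['fc'], 'unknown')}) to unit {req['unit']}"
    allowed = baseline.get(src)
    if allowed is None:
        return [f"{src}: client not in baseline sent {what}"]
    if req["fc"] not in allowed:
        return [f"{src}: unexpected {what}"]
    return []

def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

# Constructed baseline and sample traffic (hypothetical addresses, not a real site).
BASELINE = {"10.1.1.10": {3, 4},       # HMI: reads registers only
            "10.1.1.20": {3, 6, 16}}   # engineering workstation: reads and writes
SAMPLE_TRAFFIC = [
    ("10.1.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),                   # normal read
    ("10.1.1.20", build_request(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),  # normal write
    ("10.1.1.10", build_request(3, 1, 6, struct.pack(">HH", 16, 255))),                 # HMI starts writing
    ("10.1.1.99", build_request(4, 1, 5, struct.pack(">HH", 0, 0xFF00))),               # unknown host writes
    ("10.1.1.10", b"\x00\x05\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a"),                  # length field lies
]
def run_sample() -> list:
    """Apply the baseline check to every sample request and collect the alerts."""
    return [a for src, frame in SAMPLE_TRAFFIC for a in check_against_baseline(src, frame, BASELINE)]
```

On the sample traffic the two expected requests produce nothing, while the HMI's write, the unknown host and the inconsistent length field each raise one alert.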

Common attack vectors to penetrate OT networks from IT

Attackers often seek to penetrate OT systems through attack vectors originating from the IT network, such as malware, phishing attacks, and system vulnerabilities. In this article, we will explore three common attack vectors from IT to OT.

Insufficient network segmentation

Flat networks are widespread in the world of OT (where air-gapped networks should be the rule), which allows attackers to move from IT to OT and vice versa. A significant portion of the attacks that reach the ICS network were not necessarily targeted at or prepared for these environments, unlike certain sophisticated attacks. In fact, most attacks target the IT environment, and network exploration then allows the malware to spread into the OT and disrupt or interrupt production, which ransomware-type malware can easily achieve. It is therefore essential to implement effective security measures to protect ICS, including network segmentation and security barriers that prevent attackers from moving easily between IT and OT.

Although segmentation can be used to protect information technology and operational technology systems, gaps and vulnerabilities often persist between them. This is particularly true for historians, the databases that serve as a gateway between the two types of systems. If these historians are not properly segmented, they can become an easy entry point for attacks targeting ICS: attackers can exploit a vulnerability in the historian product to gain access to the rest of the network.

Recently, Claroty's Team82 research team demonstrated how an attacker could compromise a GE (General Electric) historian. To learn more about this attack, refer to their article at: https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot.

Unsecured remote connections

There are several types of remote connections that are commonly used in ICS. These include:

- Engineering host on the business side that accesses the ICS through a poorly configured VPN

- Human-machine interface (HMI) exposed through Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP)

- Unsecured VPN, with or without credential theft from the IT side

These remote connections are often used to provide remote access for engineers, technicians, and other personnel who need to perform maintenance or diagnostics on ICS equipment from outside the control room. However, these connections can also create significant security risks if they are not properly secured.

Unsecured remote connections present a significant risk to ICS security. Cybercriminals can exploit vulnerabilities in these connections to gain unauthorized access to ICS networks, which can result in severe consequences, such as the loss of production, equipment damage, or even injury to personnel. Moreover, cyberattacks on ICS networks can also cause widespread disruption and harm to critical infrastructure.

Several cyberattacks on critical ICS networks have exploited unsecured remote connections. For instance:

Triton/Trisis: In 2017, the Triton/Trisis malware was discovered targeting a Middle Eastern petrochemical plant. The attackers used an unsecured VPN connection to gain access to the plant's ICS network and deployed malware that exploited a vulnerability in the plant's safety system. The malware was designed to manipulate the safety system, which could have resulted in a catastrophic incident had it not been detected and mitigated in time.

Ukraine Power Grid Attack: On December 23, 2015, a group of hackers launched a cyberattack on Ukraine's power grid. The attackers gained access to the grid's network by exploiting a vulnerability in the grid's VPN system, causing a blackout that left hundreds of thousands of people without electricity.

These attacks demonstrate the potential of cyberattacks to disrupt critical infrastructure and highlight the importance of securing remote connections in ICS networks.

Third parties

Industrial control system networks are increasingly being connected to third parties such as suppliers, service providers, and maintenance companies to facilitate the exchange of information and interactions between the different parties. However, this interconnectivity can pose significant risks to the security of ICS. Third parties can access the OT network through various pathways such as VPN connections, direct cable connections, energy management systems, and building management systems, among others.

Norsk Hydro, a Norwegian aluminum manufacturer, suffered a ransomware attack in 2019. The attack began by targeting a third-party IT service provider of Norsk Hydro, which allowed the attackers to gain access to the company's network. Once inside, the attackers deployed ransomware that encrypted the company's files and disrupted its production systems, causing significant financial damage.

The attack suffered by Norsk Hydro follows a common pattern and highlights the risks associated with third-party suppliers and vendors in the supply chain of industrial control systems. In this case, the attackers were able to exploit vulnerabilities in a third-party provider's systems to gain access to a critical infrastructure company's network and disrupt its operations. This underscores the need for organizations to conduct thorough risk assessments of their supply chain and to ensure that their third-party suppliers are duly evaluated and secured.


The author

Youssef El Maimouni
SOC Analyst L3 at Senthorus
After graduating from the EFREI Paris engineering school, he has dedicated most of his time to working on OT cybersecurity projects.
