There are many vulnerabilities in industrial control systems (ICS), and some are due to products being insecure by design because security or connectivity was never considered when they were created. It is established that ICS plays an enormous role in critical infrastructure, such as power plants, manufacturing facilities, and transportation networks. Increased digitization and interconnectivity of these systems have already happened in many critical infrastructure sectors, and the importance of addressing ICS vulnerabilities should not be a surprise to anyone working in this industry.
I will attempt to delve into the significance of ICS vulnerabilities and briefly explore exploitation, threat modeling, and potential targets. Further, I will discuss the best approaches for dealing with these vulnerabilities.
ICS vulnerabilities matter for several crucial reasons. First, exploiting critical infrastructure through cyberattacks can potentially lead to severe consequences such as service disruptions, equipment damage, or even endangering human lives. This is not surprising considering the attacks on ICS over the past 20-plus years, such as cyberattacks against oil and gas companies in Saudi Arabia and Qatar and insider threat-enabled attacks against a water treatment plant in Australia.
More recent attacks on critical infrastructure have affected operations indirectly through ransomware more often than through direct attacks on ICS assets (e.g., PLCs, RTUs, HMIs, etc.), as observed during the Colonial Pipeline ransomware attack and the numerous other ransomware attacks against public health and healthcare systems. We should acknowledge that ransomware is, and can be, a significant threat to engineering workstations running on Windows operating systems in ICS environments and can have a significant impact on operations regardless of whether it affects specific OT/ICS assets. Not all cyberattacks against critical infrastructure are as sophisticated as Stuxnet, but they can still significantly impact society. ICS vulnerabilities should be taken seriously.
Interconnecting ICS with IT networks has exposed once air-gapped devices to network-based attacks, which enable attackers to infiltrate and pivot across networks and increase the severity of an attack. The prevalence of ICS vulnerabilities increases their attractiveness as targets for cybercriminals, state-sponsored threat actors, and hacktivists.
While not all ICS vulnerabilities are equal in terms of their severity and impact, it is important to assess their relevance to the OT/ICS asset owner environments and consider the following:
Determine the exploitability of an ICS vulnerability as it applies to the OT environment and configuration. Some vulnerabilities may have low exploitability due to network segmentation, access controls, and monitoring, which could limit the attacker's ability to exploit the weakness and avoid detection.
The potential impact of an ICS vulnerability must be evaluated carefully. High-impact vulnerabilities can lead to catastrophic consequences, compromising safety in ways that could result in loss of life and damage to the environment, not to mention significant financial losses and regulatory fines depending on the critical infrastructure sector. OT/ICS asset owners should prioritize mitigating high-impact vulnerabilities that apply to vendor products in their environment when operationally and financially feasible. As discussed in my previous blog, mitigation and patching efforts may not always make sense due to the operational challenges of implementing them, and the financial costs may be too high to address immediately. Compensating controls may be the answer to reducing costs and achieving security goals in lieu of patching or upgrading to address the vulnerability.
Only some OT/ICS asset owners will have the time to learn threat models or how threat actors identify potential targets. However, it is crucial for them to understand that their ICS and other critical infrastructure sectors may eventually become a target of a threat actor for geopolitical or economic reasons or financial gain. Over the past few years, we’ve also observed an increase in ransomware attacks that have indirectly impacted the OT environment due to the interconnectivity between IT and OT networks.
Vendors of ICS devices will sometimes release updates and security patches to fix known vulnerabilities; at other times, the vendor will release an entirely new version of firmware, software, or hardware to address and mitigate the vulnerability, reduce the attack surface, and improve system resilience. However, there are significant challenges with each. Patching ICS devices can be complicated by the risk to operational availability from required system downtime, compatibility issues, and the potential for patch failure, introduction of bugs, or loss of system configurations. Upgrades to ICS device firmware, software, or hardware will address the vulnerability but will also require downtime to implement. There may also be costs associated with purchasing the new hardware or software, depending on the terms and conditions of the service level agreement with the vendor or licensed distributor. Further, additional time will be required for configuring and testing the new hardware, software, or firmware.
When patching/upgrades are not immediately feasible, implementing other mitigations or compensating security controls can be an alternative solution. This approach may involve implementing a segmentation plan for the vulnerable ICS device or critical systems from external network exposure, restricting logical/physical access, and deploying an intrusion detection system for monitoring network activity. There are operational considerations with mitigations to ensure they are not disruptive to availability and that ICS asset owners or operators have the knowledge to implement alternative mitigation solutions and time to perform additional system monitoring beyond daily operations. These suggestions for mitigations are limited, but CISA provides a list of Seven Strategies to Defend ICS and a comprehensive list of documents containing recommended ICS security practices.
Some individuals might question whether addressing ICS vulnerabilities is worth the effort. ICS vulnerabilities that have physical or local attack vectors may not matter as much, or be as high a priority, as vulnerabilities that are exploitable through network attack vectors with low complexity and no privileges required to execute the attack. However, the consequences of overlooking ICS vulnerabilities can far outweigh the cost of preventive measures.
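The two assessment steps above (exploitability in the owner's environment, then impact) and the attack-vector ranking in this paragraph can be turned into a simple triage routine. The following is an added example, not code from the post or the ICS Advisory Project; the advisory IDs, asset names and environment facts are constructed placeholders, and the scoring weights are my own assumptions, not a CVSS formula.

```python
# Added example: rank constructed ICS advisories by how reachable the weakness is
# in the owner's environment (attack vector, complexity, privileges, compensating
# controls) multiplied by an impact weight. Weights are assumptions for illustration.

# Constructed sample advisories; the IDs are placeholders, not real CISA advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "asset": "PLC-line-3", "cvss": "AV:N/AC:L/PR:N/UI:N", "impact": "safety"},
    {"id": "ADV-PLACEHOLDER-2", "asset": "HMI-control-room", "cvss": "AV:P/AC:L/PR:N/UI:N", "impact": "availability"},
    {"id": "ADV-PLACEHOLDER-3", "asset": "EWS-win10", "cvss": "AV:N/AC:H/PR:L/UI:R", "impact": "integrity"},
]

# Constructed facts the asset owner knows about each asset's compensating controls.
ENVIRONMENT = {
    "PLC-line-3": {"segmented": False, "monitored": False, "remote_access": True},
    "HMI-control-room": {"segmented": True, "monitored": True, "remote_access": False},
    "EWS-win10": {"segmented": True, "monitored": False, "remote_access": True},
}

def parse_vector(vec):
    """Turn 'AV:N/AC:L/PR:N/UI:N' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vec.split("/"))

def exploitability(vec, env):
    """Score 0-10: how reachable the weakness is in this environment (assumed weights)."""
    m = parse_vector(vec)
    score = {"N": 10, "A": 7, "L": 3, "P": 1}[m["AV"]]   # network > adjacent > local > physical
    if m["AC"] == "H": score -= 2                          # high attack complexity
    if m["PR"] != "N": score -= 2                          # privileges required
    if m["UI"] == "R": score -= 1                          # user interaction required
    # Segmentation only helps against network-reachable flaws; remote access weakens it.
    if m["AV"] in ("N", "A"):
        if env["segmented"] and not env["remote_access"]: score -= 4
        elif env["segmented"]: score -= 2
    if env["monitored"]: score -= 1                        # IDS raises the chance of detection
    return max(score, 0)

IMPACT_WEIGHT = {"safety": 3, "availability": 2, "integrity": 2, "confidentiality": 1}

def prioritize(advisories, environment):
    """Return advisory IDs ordered from most to least urgent for this environment."""
    scored = []
    for adv in advisories:
        e = exploitability(adv["cvss"], environment[adv["asset"]])
        scored.append((e * IMPACT_WEIGHT[adv["impact"]], adv["id"]))
    return [adv_id for _, adv_id in sorted(scored, reverse=True)]

if __name__ == "__main__":
    print(prioritize(ADVISORIES, ENVIRONMENT))
```

The physically-exploitable HMI flaw drops to the bottom even though its base vector is otherwise easy, while the unsegmented, remotely reachable PLC flaw with a safety impact stays on top.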
Depending on the industry sector the OT/ICS asset owner operates in, they should understand what financial losses would look like from a disruption to operations, regardless of the cause. From there, they should be able to calculate the additional financial cost incurred from continued downtime beyond scheduled and unscheduled downtimes, as well as any applicable regulatory fines depending on the critical infrastructure sector, not to mention the potential loss of life and damage to their reputation as a reliable source of critical services to the public. Being proactive in security can significantly reduce the likelihood of an OT/ICS asset owner being the victim of cyberattacks and minimize potential damage to ICS and the environment, loss of human life, and significant financial losses and fines.
ICS vulnerabilities matter significantly. Left unaddressed, they can lead to catastrophic consequences. OT/ICS asset owners must understand the relevance of each vulnerability, its exploitability, and the other potential targets in their environments. These are crucial steps in developing effective security strategies, whether through patching/upgrades or implementing mitigations. Acting to secure ICS is an essential responsibility that OT/ICS asset owners cannot ignore.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.