Cyber incidents are a present-day reality and belong among the risks that every company must plan for, with potentially severe impacts for those running industrial operations. Note that we are talking about "cyber incidents" in general, not only about deliberate attacks.

In the last decade we have seen a significant increase in the number of cyber incidents in industry, starting in 2010 with the discovery of Stuxnet, which targeted the control systems of Iran's uranium enrichment facilities and then turned up on industrial hosts in many other countries, Italy included.

Studies and reports tell us that cyber incidents have accelerated during the pandemic.

The attack surface for cyber threats has increased due to remote connectivity, integration with corporate networks (IT/OT convergence), and the advent of the Internet of Things (IoT).

All companies operating control systems, in industry and in utilities alike, therefore have to bring cyber security into their strategic decision-making and risk management.

Recent analyses of ICS (Industrial Control Systems) incidents also indicate that over two thirds of them are "unintentional": not targeted attacks, but the result of carelessness during routine work by the company's IT/OT staff, of malware picked up along the way (ransomware in particular), and of misconfigured network devices such as switches, routers and firewalls.

By addressing these issues, organizations can significantly reduce the likelihood of a cybersecurity incident and their overall risk.

The ISA/IEC 62443 standard advises users of industrial systems to adopt a lifecycle approach to cyber security: from conceptual design, through installation and commissioning, day-to-day operation and maintenance, to decommissioning. This keeps protection aligned with the asset for as long as it is in service, rather than bolting it on once and letting it decay.

There is no single recipe for implementing cyber security, but the guidelines below address some of the problems that managers and users most commonly run into.

OT cyber risk assessment

The basic principle, valid for ICS applications as for any other, is "you can't control what you can't measure". The measures described in the following sections help improve cyber security, but they are not a complete solution on their own.

Each company or organization runs plants with different risks, operating conditions and challenges. This calls for a vulnerability assessment to identify cyber weaknesses and a risk assessment to rank the areas most at risk, followed by countermeasures to address those risks.

These assessments should be carried out in line with the ISA/IEC 62443 standard, so that the required safeguards are evaluated across all three dimensions: people, processes and technology. This keeps users from wasting effort (and money) and steers investment towards methodologies and technologies suited to the OT world, which can provide the protection needed against threats specific to OT environments.

Training and awareness

With cybersecurity incidents on the rise, people remain the weak link and must be at the heart of any cybersecurity program. The first steps are therefore training and awareness in the field.
Many incidents start with phishing and social engineering: field technicians and control room operators become victims simply by plugging in an infected USB stick, or by unwittingly letting someone into a restricted area, and so on. To build awareness, every employee needs to understand what can go wrong and what they can do to prevent it. Part 2-1 of ISA/IEC 62443, which covers the asset owner's security program, requires that qualified personnel be assigned specific cybersecurity roles and responsibilities.

Here is a list that includes some practical ways to raise awareness of cyber risk:

  • Explain to all employees how cyber security gaps can turn into security incidents (and safety incidents!), damage to plant and loss of production
  • Teach technicians and operators to recognize "anomalies", events or activities that can lead to an ICS incident: in the widely reported 2021 attack on the Oldsmar, Florida water treatment plant, the on-duty operator saw the sodium hydroxide dosing setpoint being raised remotely on his screen and reverted it immediately, before the change could affect the water supply
  • Publish a short list of what to do and, above all, what never to do
  • Organize meetings between IT and OT staff so that each side understands the other's systems and what they can learn from each other
  • Organize "ad hoc" training courses
  • Run an internal awareness campaign, by email as well, on specific topics such as protecting passwords, the correct use of USB media and so on

Access control and protections during use

Physical access

All facilities should have physical access controls that prevent unauthorized personnel from entering control rooms, engineering offices and the areas where cabinets housing control system components are installed. These areas should be marked as restricted and every entry logged. Common additional measures are CCTV cameras in these rooms and entry by badge or biometric control.

Logical access and usage control

Every user with access to control systems, SCADA, PLCs and network devices should be uniquely identified and authenticated: no shared logins, since a shared account makes actions unattributable. Define a profile for each role with the rights that role needs, enforce role-based access control for all users, and review the list continuously: staff transferred within the company or leaving it must have their access removed promptly. Each user should be granted only the actions they need to perform (least privilege).

Another frequently encountered problem is that network devices, SCADA servers, PLCs and control systems in general are left with their factory default accounts, often with administrator privileges, because it is convenient not to manage separate usernames and passwords. Default credentials are published in vendor manuals and well known to attackers, so this hands access to anyone who can reach the device, and it lets a low-skilled user make changes that can bring the whole network down with serious consequences. All default credentials must therefore be changed and all unused accounts removed.
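As an added example (not from the original article), the following Python script runs the kind of periodic review the two paragraphs above call for over a constructed account export: it flags factory default accounts, personal accounts whose owner is no longer on the active staff roster, rights beyond what the account's role needs, accounts unused for longer than a threshold, and shared logins that cannot be attributed to a person. The account data, the staff roster, the role-to-rights model and the default-account list are all invented for illustration; in practice they come from the HMI/SCADA user database, HR, your own role definitions and the vendor manuals.

```python
"""Periodic access review of an ICS account list (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Factory default account names to look for. Assumed list for this example;
# the real one comes from each vendor's manual.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "default", "supervisor"}

# Rights each role legitimately needs (assumed role model for this example).
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "operator": {"view", "ack_alarm", "change_setpoint"},
    "engineer": {"view", "ack_alarm", "change_setpoint", "download_logic"},
    "admin": {"view", "ack_alarm", "change_setpoint", "download_logic", "manage_users"},
}


@dataclass
class Account:
    name: str
    role: str
    rights: Set[str]
    last_login: Optional[date]   # None means the account has never logged in
    personal: bool = True        # False for shared/group logins


def review(accounts: List[Account], active_staff: Set[str], today: date,
           max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {account name: [finding codes]} for every account that needs action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if acct.name.lower() in DEFAULT_ACCOUNTS:
            reasons.append("default-account")      # change or remove factory accounts
        if acct.personal and acct.name not in active_staff:
            reasons.append("not-in-roster")        # transferred or departed user
        if acct.rights - ROLE_RIGHTS.get(acct.role, set()):
            reasons.append("excess-rights")        # more than the role requires
        if acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            reasons.append("stale")                # unused: candidate for removal
        if not acct.personal:
            reasons.append("shared")               # actions cannot be attributed
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample data: an export from a hypothetical SCADA server plus the HR roster.
TODAY = date(2024, 6, 1)
ACTIVE_STAFF = {"jdoe", "rlee"}
SAMPLE_ACCOUNTS = [
    Account("admin", "admin", set(ROLE_RIGHTS["admin"]), date(2024, 5, 1), personal=False),
    Account("jdoe", "engineer", ROLE_RIGHTS["engineer"] | {"manage_users"}, date(2024, 5, 28)),
    Account("msmith", "operator", set(ROLE_RIGHTS["operator"]), date(2023, 10, 2)),  # left the company
    Account("rlee", "operator", set(ROLE_RIGHTS["operator"]), date(2024, 5, 31)),
    Account("vendor_svc", "engineer", set(ROLE_RIGHTS["engineer"]), None, personal=False),
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over the constructed sample; only rlee comes out clean."""
    return review(SAMPLE_ACCOUNTS, ACTIVE_STAFF, TODAY)


if __name__ == "__main__":
    for name, reasons in sample_findings().items():
        print(f"{name:12} {', '.join(reasons)}")
```

Each finding maps to one of the actions in the text: "default-account" and "stale" mean change or remove; "not-in-roster" means revoke; "excess-rights" means trim back to the role; "shared" means replace with personal accounts. Feeding the script the real export on a schedule, and diffing its output against the previous run, is the "continuous review" the paragraph asks for.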

A related best practice is to disable every port that is not in use, both physical (spare switch ports, USB, serial) and the network services listening on each device.

ICS system administrators should define and enforce a sound password policy: minimum length and complexity, no reuse of the same password across devices, and replacement whenever compromise is suspected (current guidance such as NIST SP 800-63B favours this over forced rotation on a fixed schedule, which tends to produce predictable variations of the old password). Where passwords are impractical on the plant floor, consider other factors such as hardware tokens or biometrics.

To prevent unauthorized use of an unattended station, set an automatic log-out after a period of inactivity, but keep a minimum access level active so that operators can still see and handle alarms and anomalies without first logging back in: an HMI that locks up during a process upset is a safety problem, not a security feature.

Remote access

Sometimes remote access must be granted to external suppliers and maintainers. By policy it should be limited to what is strictly required and enabled only for the duration of the intervention, then switched off again.
Controls should include multi-factor authentication, one-time passwords valid for a limited time, and encryption of the communication channel. Remote access software should be installed only after the system's known vulnerabilities have been patched; configure it to listen on non-default ports (this deters casual scanning but is no substitute for the other controls), use strong and unique credentials, and log every session so that what the vendor did can be reviewed afterwards.
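The time-boxed one-time-password control described above, as an added example that is not part of the original article: a small Python implementation of RFC 6238 TOTP (the algorithm behind common authenticator apps) combined with an approval window for a vendor account and protection against replaying a code that was already accepted. The vendor name, the window times and the shared secret (which is the RFC 6238 test seed) are assumed values for illustration; in a real deployment the secret is provisioned to the vendor's authenticator out of band and this check sits in front of the remote access gateway, alongside the channel encryption and session logging discussed above.

```python
"""Time-boxed vendor remote access with one-time codes (added example, not from the page)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

# RFC 6238 Appendix B test seed; used here as an assumed shared secret for the demo only.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1, dynamic truncation, `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time counter."""
    return hotp(secret, unix_time // STEP, digits)


def match_counter(secret: bytes, code: str, unix_time: int, skew: int = 1) -> Optional[int]:
    """Return the time counter whose code matches, tolerating +/-`skew` steps of clock drift, else None."""
    base = unix_time // STEP
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), code):  # constant-time compare
            return counter
    return None


@dataclass
class VendorAccess:
    vendor: str
    secret: bytes           # shared with the vendor's authenticator, provisioned out of band
    valid_from: int         # approved intervention window, unix seconds
    valid_until: int
    last_counter: int = -1  # highest counter already accepted; anything at or below is a replay


def authorize(access: VendorAccess, code: str, now: int) -> Tuple[bool, str]:
    """Grant a session only inside the approved window, with a fresh, valid one-time code."""
    if not access.valid_from <= now <= access.valid_until:
        return False, "outside approved window"   # access is off unless an intervention is scheduled
    counter = match_counter(access.secret, code, now)
    if counter is None:
        return False, "bad code"
    if counter <= access.last_counter:
        return False, "code already used"         # RFC 6238: never accept the same OTP twice
    access.last_counter = counter
    return True, "granted"


def demo_sequence():
    """Walk through the cases a gateway must handle; window and vendor are hypothetical."""
    access = VendorAccess("pump-vendor", RFC_SEED, valid_from=1111111100, valid_until=1111111200)
    good = totp(RFC_SEED, 1111111109)
    return [
        authorize(access, good, 1111111109),                        # inside window, fresh code
        authorize(access, good, 1111111110),                        # same code again: replay
        authorize(access, totp(RFC_SEED, 1111111109 - 600), 1111111112),  # code from 20 steps ago
        authorize(access, totp(RFC_SEED, 1111111300), 1111111300),  # correct code, window closed
    ]


if __name__ == "__main__":
    for granted, reason in demo_sequence():
        print("GRANTED" if granted else "DENIED ", reason)
```

Two design points worth noting. The window check runs before the code check, so a vendor who keeps a valid authenticator still gets nothing outside a scheduled intervention, which is the "enabled only when needed" requirement in mechanical form. And replay protection tracks the last accepted counter rather than the last code string, so a code from the previous drift step cannot be reused either; in exchange, a legitimate second login within the same 30 seconds is refused, which is the behaviour RFC 6238 asks for.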

In conclusion

In summary, those who run production plants, in industry as in utilities, should focus on processes and people to improve their cyber security. Training and awareness of all staff, together with tighter controls over access and use, are the key steps towards a successful cybersecurity program. They also prepare the teams involved to take the next step towards a comprehensive approach: conducting a cybersecurity risk assessment and improving the protection technology already in place.
