Industrial Control Systems

Industrial Control Systems run our world…

They are the key to controlling every critical process of modernity. Without ICS, there would be none of the developed manufacturing processes that providers need to produce nearly every good and meet demand. There would be no widespread electricity, wastewater management, oil, natural gas, pharmaceuticals, or food and beverage distribution; we would quite simply be in a primitive state without something that can control these wide-scale processes.

Many people do not realize the importance of the little computers running our critical infrastructure, allowing us a life of comfort and convenience, but Crest is here to share the processes of ICS and how they should be secured, despite the lack of security measures being implemented in ICS systems. 

Let's get down to the basics. What exactly is an Industrial Control System?

An industrial control system is a computer, or group of computers, that is programmed to complete a task. It is given an input that tells it what to do to produce the desired output, and it collects data that allows the process to be modified and controlled. There are three basic categories of ICS:

  • Programmable Logic Controllers (PLC) → These are the most basic level of ICS. A PLC is responsible for controlling an entire process from start (input) to finish (output). PLCs are going to be in almost every ICS, and there will most likely be multiple of them working toward a desired total output. For example, let's say there is an automotive industrial plant where a specific PLC is tasked with placing a wheel on a car. The input or program would say “hey, when the car gets to X stage, this is where your job begins”, allowing the car to receive its wheel at the right moment. There may be many PLCs with the same task, but because they are all individually programmed, if one were to shut down, the entire process that PLC was supposed to perform would not occur.

  • Supervisory Control and Data Acquisition (SCADA) → These are slightly more complex than PLCs because they control the PLCs and report the data and logistics of how they are working together. For example, if one PLC were to stop working, because all the PLCs are “linked” to the SCADA, the rest of the processes from the other PLCs can continue while the SCADA alerts the system control of the issue. Note: because the PLCs first have to communicate with an OPC (Open Platform Communications) server, which then communicates with the SCADA, it is ultimately a slower form of ICS.

  • Distributed Control Systems (DCS) → This is going to be the most complex but heavily used form of ICS within most critical infrastructure. It is the fastest form of ICS, simply because it comes already equipped with SCADA in the DCS structure. It also requires a Fieldbus component (a system that allows for real-time changes) in order to communicate within fractions of a second with the DCS controller (basically the PLC of DCS) and the DCS Remote Input Output (RIO). This makes more complex processes possible, like refining oil and gas, in which the system has to be able to change in milliseconds based on the conditions of the process. This also allows for widespread control over multiple sites in a range of areas.

The huge difference between PLC and SCADA compared to DCS is the inherent programs found within the DCS. PLC and SCADA systems come completely blank, requiring an engineer to program them to complete the necessary tasks. A DCS, however, is programmed with intention for specific processes, making it easier to install when building an ICS from the foundation up.

Now that we know a little bit about ICS and how they function, let's get into some of the problems they face when it comes to security…

Here is the list of what ICS is responsible for controlling:

  • Electrical

  • Water

  • Wastewater

  • Oil

  • Natural gas

  • Chemical

  • Transportation

  • Pharmaceuticals

  • Pulp and paper

  • Food and beverage

  • Discrete manufacturing (automotive, aerospace, durable goods)

As you can see, ICS control basically all the functions of the modern world, making them probably the most important invention since fire. It's imperative to make sure they are secure, right?

Well, at a certain point they were. Air gapping was one of the main security measures for ICS: completely isolating the control computers and systems from the business's external networks so that breaches and vulnerabilities were unlikely. Air gapping is no longer an option, however, due to the increased implementation of Information and Operation Technologies. ICS must be connected to alternate servers and networks in order to function properly; this is where the problems lie.

Without the isolation of ICS, these systems become a playground for malicious attacks, creating vulnerabilities that, if exploited, could lead to catastrophic physical, economic, and social repercussions. There are ways to secure these newly evolved ICS, but because many ICS were built for longevity at a time when air gapping was the status quo, applying modern security measures to outdated or newly IT/OT-integrated systems is an obstacle. Protections like zero trust, AI, firewalls, and antivirus are all fantastic ways to combat data breaches, but if the system does not have the structural capabilities to implement those security measures, the entire system becomes a liability.

Here are some possible effects of ICS breaches:

  • Impact on national security—facilitate an act of terrorism.  

  • Reduction or loss of production at one site or multiple sites simultaneously. 

  • Injury or death of employees.  

  • Injury or death of persons in the community.  

  • Damage to equipment.  

  • Release, diversion, or theft of hazardous materials.  

  • Environmental damage.  

  • Violation of regulatory requirements.  

  • Product contamination.  

  • Criminal or civil legal liabilities. 

  • Loss of proprietary or confidential information.  

  • Loss of brand image or customer confidence. 

Scary huh? So how do we avoid these catastrophes?

Crest believes the main way to combat these problems is staying fully informed on the system’s vulnerabilities. A combination of risk management, vulnerability scanning, cybersecurity policy, and creating new ICS with the proper security measures for a system linked with business networks is the only way to mitigate threats. There needs to be constant monitoring that searches for any and all changes that could prove malicious, along with a team dedicated to cybersecurity for the organization’s specific systems. ICS are fantastic mechanisms, producing the quality of life we all know and love; this is why vigilance and attention to detail are required.
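As an added illustration (not Crest's own tooling), here is one way the "constant monitoring for changes" idea can look once an ICS is linked to business networks: compare observed network conversations against an approved baseline and flag anything that crosses into or out of the control network. The subnets, host addresses, baseline entries, and sample flows are all constructed for the example; ports 502 (Modbus/TCP) and 4840 (OPC UA) are the standard assignments.

```python
import ipaddress

# Constructed example zones: controller (PLC) subnet and business (IT) subnet.
OT_ZONE = ipaddress.ip_network("10.10.0.0/24")
IT_ZONE = ipaddress.ip_network("10.20.0.0/16")

# Constructed baseline of approved conversations: (source, destination, dest port).
BASELINE = {
    ("10.10.0.5", "10.10.0.21", 502),   # SCADA server -> PLC 1, Modbus/TCP
    ("10.10.0.5", "10.10.0.22", 502),   # SCADA server -> PLC 2, Modbus/TCP
    ("10.10.0.9", "10.10.0.5", 4840),   # engineering workstation -> SCADA, OPC UA
}

def zone(addr):
    """Classify an address as OT, IT, or EXTERNAL."""
    ip = ipaddress.ip_address(addr)
    if ip in OT_ZONE:
        return "OT"
    if ip in IT_ZONE:
        return "IT"
    return "EXTERNAL"

def review_flows(flows, baseline=BASELINE):
    """Return (severity, flow, reason) for each flow that deviates from the baseline."""
    findings = []
    for flow in flows:
        src, dst, _port = flow
        if zone(src) != "OT" and zone(dst) != "OT":
            continue  # traffic that never touches the control network
        if flow in baseline:
            continue  # approved conversation
        if zone(dst) == "OT" and zone(src) != "OT":
            findings.append(("high", flow, f"{zone(src)} host reached the control network directly"))
        elif zone(src) == "OT" and zone(dst) != "OT":
            findings.append(("medium", flow, f"control-network host connected out to {zone(dst)}"))
        else:
            findings.append(("low", flow, "new conversation inside the control network"))
    return findings

# Constructed sample flow records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.21", 502),    # in baseline
    ("10.20.3.44", "10.10.0.21", 502),   # business PC talking to a PLC
    ("10.10.0.22", "203.0.113.7", 443),  # PLC reaching an outside address
    ("10.10.0.9", "10.10.0.22", 502),    # workstation talking to a PLC for the first time
    ("10.20.3.44", "10.20.1.1", 53),     # IT-only traffic, ignored
]

if __name__ == "__main__":
    for severity, flow, reason in review_flows(SAMPLE_FLOWS):
        print(severity, flow, reason)
```

Because ICS traffic is highly repetitive, a short baseline like this stays stable for long periods, which is what makes deviations worth a human look.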

Click here to read more about how NIST (National Institute of Standards and Technology) views proper security of ICS.

Crest is dedicated to the security of all systems. Click here for our services and learn how we can secure the critical systems of our critical infrastructure.
