Data communications and control technologies are critical in today’s increasingly global economy. As industrial devices and infrastructure become more connected than ever before, the safe operation of this equipment is also becoming increasingly complex and growing in importance. More specifically, connecting an industrial control system (ICS) to the internet can create an access path for possible malicious activity, placing both proprietary and confidential information at risk while also creating the potential for bad actors to take control of the system.
Critical infrastructure and other high-profile industries are particularly exposed because of their appeal to bad actors, especially when an ICS relies on third-party software that is outside the control of the ICS manufacturer. Third-party software, including open source components, vendor-supplied packages and snippets of code copied from internet sources, is among the most damaging points of vulnerability, yet it often goes unidentified as a root cause of security breaches. An important first step toward securing your system is therefore understanding how these risks are evolving and where they are most prevalent.
Fortunately, while these risks will never be entirely eliminated and have already affected various industries and economies around the world, there are important steps you can take to secure your ICS and your business against mounting threats in our increasingly cyber world.
How Risk is Evolving
With critical infrastructure serving a central role in everyday life, it presents an attractive target for cyberattacks. The vulnerable position of these critical industries — any network or service that, if tampered with, would negatively impact civilian health, security or economic well-being — makes them the primary focus for cybersecurity improvement efforts. In 2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 reported cybersecurity incidents in the United States, with 57 percent of those incidents occurring in the critical manufacturing, energy, and water industries.
Due to the prevalence of these issues and the potentially serious consequences of an attack, all entities working within critical infrastructure are often required to comply with mandated or recommended cybersecurity requirements and practices. For example, the European Programme for Critical Infrastructure Protection (EPCIP) adopted requirements for the transportation and energy industries in the European Union (EU) and the North American Electric Reliability Corporation (NERC) has taken similar steps in the energy industry in North America.
In the interest of remaining on budget and accelerating the ICS development process, many companies are turning to off-the-shelf solutions from third-party software providers. Though many of the most widely used and reliable applications come from trusted third-party developers, the prevalence of such software is putting industry and infrastructure at risk, in large part because of ineffective processes for selecting, implementing and using it.
For example, a series of intrusions in 2014 and 2015 took advantage of security deficiencies at the U.S. Office of Personnel Management and exposed the personal records of more than 21 million current and former federal employees, contractors and background-check applicants. Similarly, Internet of Things (IoT) devices deployed with factory-default credentials that users never changed allowed a piece of malware known as Mirai to build the botnet behind the October 2016 attack on the DNS provider Dyn, which left Amazon.com, Twitter, Reddit and a long list of other major websites unreachable for hours.
Despite growing risks, the increasing number of attacks and the sophistication of today's attackers, companies can still take action to help safeguard their information and systems. Even for companies with robust ICS safeguards already in place, additional precautionary steps and internal procedural changes can help ensure continued security. For example, the Havex malware carried an OPC scanning module that abused an industry standard, OLE for Process Control (OPC), to enumerate OPC servers and the devices behind them and so gather intelligence on the ICS environment. Companies should guard against this class of attack, in which a legitimate industrial protocol is used for reconnaissance rather than exploited through a bug.
Five Next Steps You Can Take Now
A safer, more secure ICS starts with stronger internal procedures, attention to detail and diligence. In addition to internal efforts, third-party review such as UL’s Cybersecurity Assurance Program (UL CAP) can help improve security in the infrastructure supply chain. Developed with input from the U.S. federal government, academia and industry, UL CAP uses the requirements of the recently-issued UL 2900-2-2 (specific to ICS) to assess software vulnerabilities and help companies become more aware of security issues. In addition, these five steps can help you work toward a more secure future:
No. 1 - Formalize Security Specifications
Establishing and implementing internal security specifications will help you narrow the list of potential software providers and other supply chain partners. Once complete, these specifications should be provided with every RFP to simplify the process and avoid surprises.
No. 2 - Due Diligence of Software and Supply Chain
Guaranteeing specifications in a quote is one thing; ensuring ongoing compliance with current requirements and the presence of adequate safeguards is something else entirely. Assessing every supplier and performing regular audits sustains compliance and reduces risk. In addition, an independent evaluation of all software applications should be conducted to identify security flaws and weaknesses.
No. 3 - Formal Update Policy
Many security issues arise from running outdated software with publicly known vulnerabilities. A formal policy for routine updates and maintenance keeps security controls current and as strong as possible. In an ICS, that policy should also define how patches are tested against the production configuration and scheduled into maintenance windows, since an untested update can disrupt a process as surely as an attack can.
No. 4 - Validation Testing
Following the initial review, routine evaluation of the software (a process that can often be automated to improve efficiency) should be conducted to confirm that it still meets your security specifications. If those specifications change with your business, these evaluations will also identify where the software now falls short. Further, a "track and trace" program that records which third-party components and versions are deployed where will help monitor the software supply chain and confirm that required updates have actually been applied.
No. 5 - The Right Information for the Right People
Proper staff training is essential to maintaining security. This training should include security practices and third-party vendor selection requirements. Additionally, all vendors should be treated on a “need to know” basis, meaning that only necessary information about your software and ICS structure should be provided.
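The automated part of steps 2 through 4 (the recurring check that what is deployed still matches what was reviewed and approved) can be expressed as a small inventory audit. The script below is an added example and is not code from UL, UL CAP or the author; the component names, versions, artifact bytes and manifest layout are all constructed for illustration. It compares a deployed inventory against an approved manifest pinned by version and SHA-256, and flags components that are outdated, newer than the reviewed version, tampered with, or never reviewed at all.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a release artifact (the pin recorded at review time)."""
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.9.3' into (1, 9, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


# Constructed sample manifest: the components the security specification (step 1)
# and vendor review (step 2) approved, pinned by version and by the SHA-256 of the
# reviewed release artifact. Digests are computed here from hypothetical artifact
# bytes so the example is self-contained; in practice they come from the vendor's
# signed release notes or from your own archive of reviewed binaries.
APPROVED_MANIFEST: Dict[str, Dict[str, str]] = {
    "opc-gateway": {"version": "2.4.1", "sha256": sha256_hex(b"opc-gateway 2.4.1 release")},
    "plc-driver":  {"version": "1.9.3", "sha256": sha256_hex(b"plc-driver 1.9.3 release")},
    "hmi-runtime": {"version": "5.0.0", "sha256": sha256_hex(b"hmi-runtime 5.0.0 release")},
}

# Constructed deployed inventory, as a track-and-trace scan of an engineering
# workstation might report it: component name, version string, artifact bytes.
# Each entry is chosen to exercise one audit outcome.
DEPLOYED_INVENTORY: List[Dict[str, object]] = [
    {"name": "opc-gateway", "version": "2.4.1", "artifact": b"opc-gateway 2.4.1 release"},
    {"name": "plc-driver",  "version": "1.9.0", "artifact": b"plc-driver 1.9.0 release"},
    {"name": "hmi-runtime", "version": "5.0.0", "artifact": b"hmi-runtime 5.0.0 release\x00patched"},
    {"name": "netutils-snippet", "version": "0.1", "artifact": b"def ping(host): ..."},
]


@dataclass(frozen=True)
class Finding:
    component: str
    status: str   # OK, OUTDATED, UNREVIEWED_VERSION, HASH_MISMATCH or UNAPPROVED
    detail: str


def audit_component(entry: Dict[str, object],
                    manifest: Dict[str, Dict[str, str]]) -> Finding:
    """Classify one deployed component against the approved manifest."""
    name = str(entry["name"])
    version = str(entry["version"])
    approved = manifest.get(name)
    if approved is None:
        # Code that never went through vendor selection or review (e.g. a pasted snippet).
        return Finding(name, "UNAPPROVED", "component is not in the approved manifest")
    installed, pinned = parse_version(version), parse_version(approved["version"])
    if installed < pinned:
        return Finding(name, "OUTDATED",
                       f"installed {version}, approved {approved['version']}")
    if installed > pinned:
        # Newer is not automatically better: this build has not been reviewed yet.
        return Finding(name, "UNREVIEWED_VERSION",
                       f"installed {version} is newer than reviewed {approved['version']}")
    digest = sha256_hex(bytes(entry["artifact"]))  # type: ignore[arg-type]
    if digest != approved["sha256"]:
        # Right version string, wrong bytes: modified, repackaged or corrupted artifact.
        return Finding(name, "HASH_MISMATCH",
                       f"artifact digest {digest[:12]}... does not match approved release")
    return Finding(name, "OK", "version and digest match the approved manifest")


def audit_inventory(inventory: List[Dict[str, object]],
                    manifest: Dict[str, Dict[str, str]]) -> List[Finding]:
    return [audit_component(entry, manifest) for entry in inventory]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, for a dashboard or a compliance report."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(DEPLOYED_INVENTORY, APPROVED_MANIFEST)
    for finding in results:
        print(f"{finding.status:<18} {finding.component:<17} {finding.detail}")
    print(summarize(results))
```

Run it as a scheduled job against a real inventory feed and treat anything other than OK as a ticket: OUTDATED drives the update policy, UNREVIEWED_VERSION and UNAPPROVED drive the due-diligence process, and HASH_MISMATCH is an incident until proven otherwise. The digest comparison is what makes the check meaningful; a version string alone is self-reported by the software and proves nothing about the bytes actually running.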
Though the sophistication of bad actors is only likely to increase, that does not mean the industry needs to remain ill-prepared and vulnerable to attack. With proper procedures in place and an ongoing focus on security throughout the software supply chain, it is possible to remain one step ahead.
Ken Modeste is the principal technical advisor and SME for UL’s cybersecurity program.