The technological differences between IT systems and industrial process systems, which have traditionally been treated as completely different disciplines, are disappearing. We find ourselves in a new scenario where both worlds coexist, and where it is no longer enough to rely on the proprietary nature of such technologies. A security plan is needed to deal with the new threats that affect the systems on which a good part of the population's essential services rest.
Critical industrial processes (such as oil refineries, gas processing and transportation, water treatment plants, and power plants) and/or those that are widely dispersed geographically and must be managed across that area are usually managed through networks and industrial control systems (ICS) such as DCS (distributed control systems) or SCADA (supervisory control and data acquisition).
Nowadays, these systems, on which most of the essential services of our society rest, are the target of attacks aimed at, and specially designed for, these infrastructures.
There are several reasons for the observed increase in threats against industrial control systems. Among others, the following could be mentioned:
- Replacement of proprietary technologies with standard technologies. These technologies—such as operating systems (Microsoft Windows), TCP/IP network protocols, web browsers, and wireless technologies—bring benefits to businesses, but also risks. Traditional systems were closed systems, designed to be effective in functionality and reliability. The main concern then was physical security. At present, however, the increased connectivity possibilities have exposed these systems to new threats for which they are not prepared or designed.
- Interconnection of systems. These control networks are being used more and more widely, and are expanding and interconnecting on a massive scale.
- High availability. These systems have been in place for many years, even decades, and because of the requirement for high service availability they cannot be updated or patched efficiently. This leaves them exposed to multiple old vulnerabilities that are, in many cases, easily exploitable.
- Remote support. It is increasingly common for providers to give support remotely over phone links or Internet connections, which makes remote support another potential attack vector.
- Commercial software and general-purpose hardware. These are used more and more often, to the detriment of purpose-built ones, and in some cases do not adapt to the singularity, complexity, requirements, or security of these environments.
Protection Services and New Challenges
Testing should not focus on risk assessment and analysis of SCADA systems, DCS, and programmable logic controllers (PLCs); rather, an effort should be made to understand the facets of risk associated with such environments and to adopt an appropriate approach for managing them.
Based on this premise, a security strategy should be developed according to five key points:
- Adapting technology and focusing on the environment: The methodology and procedures used must adapt to the demands of industrial environments. This implies the use of new tools and training in the different technologies that surround them.
- Prioritization of the safe approach: Minimize the possible risks during the audit work, while prioritizing the availability of the assets involved in the tests performed.
- Comprehensive vulnerability management: The aim is to provide proactive support that includes a customized solution for each case, as well as the management of vulnerabilities over time.
- Discarding bad security practices: The concept of security auditing should be broadened to focus on new issues that affect SCADA environments and are not usually taken into account. This includes physical security, security policy management, system hardening, and even testing in the field of personnel security, using social engineering techniques.
- Real solutions for real environments: All tests should have as a common link the presentation of a realistic and affordable improvement plan that best fits the customer’s needs while solving the problems detected in the audit phase.