Industrial Control Systems
Industrial Control Systems (ICS) are critical components in various sectors such as energy, manufacturing, water treatment, transportation, and more. They control and monitor industrial processes, making them essential for operational efficiency and safety. However, their importance also makes them prime targets for cybersecurity threats. For years, CBIZ Pivot Point Security has been helping clients with Operational Technology (OT) networks understand the associated risks and prepare plans for mitigating these risks.
By understanding and addressing risks, organizations can better protect their Industrial Control Systems from cybersecurity threats, ensuring the continued safe and efficient operation of critical industrial processes.
Legacy Systems:
- Outdated Technology: Many ICS use legacy systems that were not designed with cybersecurity in mind. These systems often lack modern security features and are more vulnerable to attacks.
- Incompatibility: Upgrading or patching these systems can be challenging due to compatibility issues with newer technologies.
Network Segmentation:
- Insufficient Segmentation: Poorly segmented networks can allow attackers to move laterally within the network, gaining access to critical ICS components.
- Inadequate Isolation: ICS networks are sometimes insufficiently isolated from corporate IT networks, increasing the risk of cross-network attacks.
Insecure Remote Access:
- Unauthorized Access: Remote access solutions, if not properly secured, can provide a gateway for attackers to infiltrate ICS environments.
- Weak Authentication: Weak or default passwords and lack of multi-factor authentication can be exploited by attackers.
Supply Chain Vulnerabilities:
- Third-Party Risks: Components and software sourced from third-party vendors can introduce vulnerabilities if not properly vetted and secured.
- Software Updates: Unsecured update mechanisms can be exploited to introduce malicious code.
Malware and Ransomware:
- Targeted Attacks: ICS can be targeted by sophisticated malware designed to disrupt operations or steal sensitive data.
- Ransomware: Attacks that encrypt critical system data, disrupting operations and demanding ransom for decryption keys.
Insider Threats:
- Malicious Insiders: Employees or contractors with access to ICS may intentionally cause harm or exfiltrate sensitive information.
- Unintentional Actions: Accidental misconfigurations or poor cybersecurity practices by insiders can also introduce risks.
Physical Security:
- Physical Access: Unauthorized physical access to ICS hardware can lead to tampering or direct attacks on the system.
- Environmental Factors: Physical threats such as natural disasters or deliberate sabotage can impact the integrity and availability of ICS.
Lack of Security Awareness:
- Training Deficiencies: Insufficient training for personnel on cybersecurity best practices can increase the risk of successful attacks.
- Awareness Programs: Lack of ongoing cybersecurity awareness programs can lead to complacency and increased vulnerability.
Advanced Persistent Threats (APTs):
- Sophisticated Attacks: APTs are long-term targeted attacks by well-funded and skilled adversaries aiming to infiltrate and remain undetected within ICS environments.
- Stealth Operations: APTs often use stealthy techniques to gather intelligence and disrupt operations over an extended period.
Denial of Service (DoS) Attacks:
- Service Disruption: DoS attacks can overwhelm ICS networks and devices, leading to operational downtime and loss of control over industrial processes.
- Resource Exhaustion: Such attacks can exhaust system resources, making them unavailable for legitimate control and monitoring tasks.
SCADA, HMI, DCS, PLCs and RTUs are essential components in ICS, each playing a distinct role in the automation and monitoring of industrial processes.
SCADA (Supervisory Control and Data Acquisition)
SCADA systems are used to control and monitor industrial processes across large geographic areas. They collect data from various sensors and devices in the field, process this data, and provide a centralized interface for operators to monitor and control the processes.
DCS (Distributed Control System)
A DCS is a control system used for localized, complex processes, often within a single facility. It distributes control functions across multiple interconnected devices and provides real-time monitoring, data collection, and process automation.
HMI (Human-Machine Interface)
The HMI is the user interface that connects operators to the control system, often integrated with SCADA or PLC systems. It provides a graphical representation of the industrial process, allowing operators to interact with and control the system.
PLC (Programmable Logic Controller)
PLCs are specialized industrial computers used to control machinery and processes in real-time. They are designed for high reliability and robustness in harsh industrial environments.
RTU (Remote Terminal Unit)
RTUs are microprocessor-controlled devices that interface with physical equipment, such as sensors and actuators, to collect data and transmit it to a central supervisory system. They are often optimized for specific applications and are used for data collection and executing simple control tasks.
What Are Your Qualifications?
CBIZ Pivot Point Security has a team of seasoned specialists who focus on ICS cybersecurity. The team holds certifications such as the GIAC Global Industrial Cyber Security Professional (GICSP) and has received both onsite and virtual training from the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the Idaho National Laboratory.
CBIZ Pivot Point Security uses a multi-tier approach to identifying cybersecurity risk in ICS/OT systems: reviewing the people, processes and technology deployed, evaluating them against industry-recognized security guidance, and determining methods to reduce the identified risks. For most evaluations, CBIZ Pivot Point Security uses relevant portions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), with additional guidance from NIST Special Publication 800-82, “Guide to Operational Technology Security.”
The CSF was developed to improve cybersecurity risk management in critical infrastructure and to provide guidance for organizations in any sector or community. “The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving security and resilience.” (NIST, 2018) The CSF focuses on using business drivers to guide cybersecurity activities and on treating cybersecurity risks as part of the organization’s overall risk management processes.
NIST SP 800-82 is designed “to provide guidance for establishing secure operational technology (OT) while addressing OT’s unique performance, reliability, and safety requirements”, and it “identifies typical threats and vulnerabilities for these systems and recommends security countermeasures to mitigate the associated risks”. The NIST SP 800-82 Rev. 3 Initial Public Draft provides a correlation between earlier revisions and the CSF. (NIST, 2022)
Additionally, CBIZ Pivot Point Security draws on guidance from CISA, the Center for Internet Security, the SANS Institute’s “The Five ICS Cybersecurity Critical Controls”, the Purdue Model, IEC 62443 and other ICS-based frameworks, selected according to facility type and risk factors.
Are There Compliance Requirements?
The regulatory landscape is always evolving, and ICS/OT systems are not exempt. Many industries, such as the energy industry, have faced increasing regulatory cybersecurity requirements. Examples include:
Marine Terminals that operate under the authority of the U.S. Coast Guard (USCG) and the Maritime Transportation Security Act (MTSA). The MTSA was created in 2002, shortly after the 9/11 attacks, to protect the maritime industry and commerce, as well as the Marine Transport System (MTS). Regulated facilities are required to assess and document vulnerabilities associated with their computer systems and networks in a Facility Security Assessment (FSA). If vulnerabilities are identified, the applicable sections of their Facility Security Plan (FSP) must address the vulnerabilities in accordance with 33 Code of Federal Regulation (CFR) 105.400 and 106.400. The FSP for each facility also identifies the local Facility Security Officer (FSO) who is responsible for coordination of security operations at the facility.
The MTSA was expanded to include cybersecurity protections with Navigation and Vessel Inspection Circular (NVIC) No. 01-20 (U.S. Dept of Homeland Security, 2020) that was released on February 26, 2020. NVIC 01-20 details specific guidelines for addressing cyber risks at MTSA regulated facilities in accordance with Title 33 of the Code of Federal Regulations Subchapter H, Maritime Security. The cyber landscape in the MTS is continually changing, with increased potential for cybersecurity events. The implementation of NVIC 01-20 aids in addressing cybersecurity risks, which are among the most serious economic and national security challenges for the maritime industry and the nation.
Oil & Gas Pipelines designated as “critical infrastructure” now operate under the Transportation Security Administration’s (TSA) Security Directive Pipeline-2021-02 Series (SD02D). The SD02 requires that pipeline operators implement several cybersecurity measures and controls, including the development of a Cybersecurity Implementation Plan (CIP) and an annual Cybersecurity Assessment Plan (CAP) for the controls within the CIP. A CIP must contain cybersecurity controls for pipeline facilities and related control systems deemed critical by TSA.
What ICS Services Do You Provide?
CBIZ Pivot Point Security’s highly trained cybersecurity specialists have provided ICS clients with services ranging from regulatory compliance auditing and subject-matter-expert Internal Audit staff augmentation to IT/OT cybersecurity consulting. Our team can conduct physical site visits to facilities to review the people, processes and technologies in use and reduce the risk of a cybersecurity incident. We have experts in network segmentation, identity and access management, physical security, security training and other critical security controls that can help mitigate security vulnerabilities.