More than five years ago the Stuxnet worm was deployed at a uranium enrichment plant in Iran, causing uranium centrifuges to malfunction. One of the first attacks on a non-networked airgapped system, Stuxnet focused the world’s industrialists on a difficult truth: sophisticated cybersecurity attacks will be an ongoing threat for the foreseeable future.
Industry experts such as Kaspersky Lab agree that targeted cyber attacks on industrial control systems (ICS) have the potential to compromise national security, not to mention causing major economic damage. Yet there are some major challenges in improving ICS cybersecurity.
A legacy of security
Traditionally ICS cybersecurity did not keep pace with system developments in other areas. Industry relied on restricting access through passwords and utilizing airgapped systems, believing this would provide adequate protection from both meddling employees and external attack. Attacks like Stuxnet, introduced to an airgapped system through an infected flash drive, proved this to be wrongheaded.
Security strategy has moved on to a “defense-in-depth” model, employing defensive layers around the most vulnerable parts of a system. Cyber attackers need to jump through an ever-increasing number of security hoops to enter a system and remove or damage data without detection. Physical barriers such as locked enclosures; biometric door systems and security cameras help to control access to the system.
The high cost of attack prevention
One reason why industrial systems have been slower to implement security measures than other sectors is the higher associated cost. Whereas other sectors may risk data loss or customer inconvenience by adopting a new system, the toll in reputation loss, public safety and fines from a regulator can be mammoth if an ICS controlling energy or water supply has teething problems with a new security system. Downtime to investigate possible security breaches is simply not an option for many ICS operators.
Many Intrusion Detection and Prevention Systems (IDS/IPS) have high rates of false negatives, meaning the flagging of incidents indicating an attack that turns out to be benign. A large number of false positives can be a security risk in itself, serving to screen a true malicious attack. As industrial cyber attacks are relatively infrequent, an IDS can seem more trouble than it is worth.
No easy answer
Some industrial systems are working with outdated software, installed up to three decades ago. It is not uncommon for older systems to be unable to run the most basic antivirus packages, making them more vulnerable to attack. But simply removing and replacing systems is not an option for industries such as nuclear.
More recent ICS systems are frequently based on off-the-shelf products using Windows or Linux, with well-known vulnerabilities. As any change to the underlying system often triggers a recertification process with regulators, ICS operators frequently continue using a system with known weaknesses instead.
The future of ICS cybersecurity
Awareness about the importance of ICS cybersecurity is steadily increasing, particularly as Western governments become more wary of cyber threats from terrorists and hostile nations.
Good practice guidelines such as the U.S. National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems, or the UK’s CPNI Security for Industrial Control Systems set out ways of improving standards within the industry. However, it remains to be seen whether the costs and risks of implementing security systems will outweigh the threat posed by cyber attackers.