The technology behind traffic lights, hospital infrastructure, building operations and more is part of what is known as an Industrial Control System (ICS). ICSs are everywhere in the modern world and play an integral role in all our lives.
ICS is a general term that encompasses several types of control systems and associated instrumentation used for industrial process control. Such systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems with many thousands of field connections.
Previously, most equipment and components used in manufacturing and the operation of power plants, water and wastewater plants, transport/transit industries and other critical infrastructures were quite simple, and those that were computerized typically used proprietary protocols. The networks with these components and equipment were air-gapped and protected from the outside world.
This model has changed over the years, and components of today's ICSs are often connected directly or indirectly to the internet.
Presidential Directive 21 called for classifying critical infrastructures that are vital to the security of the United States. The Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), has named 16 critical infrastructure sectors. These sectors are as follows:
Each of these 16 sectors can be divided even further into sub-sectors, giving increasingly specific details about what they contribute to the United States’ infrastructure, as well as why they’re deemed “crucial.” The size of each sector along with its sub-sectors shows the significance of ICS today, as well as the growing challenge that comes with protecting them.
The implementation of cybersecurity measures on ICSs is critical because the lack thereof can have severe consequences that harm health, safety and the environment. DMI believes that to “properly converge ICS/OT and IT,” everyone involved must have a proper understanding of what an ICS is and the implications it has for their operation.
Understandably, businesses need to be able to access information from the ICS’s Operational Technology (OT). However, the OT must be segmented and protected from external sources and other IT systems.
Businesses must also implement proper safeguards, including but not limited to:
These are just a few suggestions, but remember: an incident on an ICS will have very serious physical and economic implications.
Let’s look at a recent example from a water treatment plant in Oldsmar, Florida. The plant’s ICS used an Internet-connected human-machine interface (HMI) to control its water treatment processes remotely. However, the water treatment plant was using an insecure remote access technology called TeamViewer without multi-factor authentication.
In February 2021, a malicious actor gained access to the water treatment plant's network and changed the water’s sodium hydroxide (NaOH) concentration from 100 parts per million to over 100,000 parts per million. If the plant’s HMI operator hadn’t noticed the threat, this breach could have not only damaged the plant’s pipes but also injured or killed those who ingested the treated water.
This situation is merely one example of the importance of applying cybersecurity practices to ICSs and of the dangers that inadequate cybersecurity controls pose to network infrastructure and society at large.
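The Oldsmar change is the kind of setpoint write that a simple validation rule can reject before it reaches the process. The sketch below is an added example, not code from the plant or from DMI; the engineering limits, step ratio, and event fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed engineering limits for the NaOH dosing setpoint, in ppm (constructed values).
NAOH_MIN_PPM = 0.0
NAOH_MAX_PPM = 200.0
# Assumed largest single increase allowed, relative to the current setpoint.
MAX_STEP_RATIO = 1.5


@dataclass
class SetpointWrite:
    tag: str              # hypothetical tag name for the dosing setpoint
    current_ppm: float    # value before the requested change
    requested_ppm: float  # value the HMI session asks for
    source: str           # "local" or "remote"
    mfa: bool             # whether the session used multi-factor authentication


def evaluate(write):
    """Return (allowed, reasons); the write is rejected if any rule fires."""
    reasons = []
    if not (NAOH_MIN_PPM <= write.requested_ppm <= NAOH_MAX_PPM):
        reasons.append("outside engineering limits")
    if write.current_ppm > 0 and write.requested_ppm / write.current_ppm > MAX_STEP_RATIO:
        reasons.append("step change too large")
    if write.source == "remote" and not write.mfa:
        reasons.append("remote session without MFA")
    return (not reasons, reasons)


# Constructed sample events; the second mirrors the magnitude of the change described above.
SAMPLE = [
    SetpointWrite("NaOH_SP", 100.0, 110.0, "local", True),
    SetpointWrite("NaOH_SP", 100.0, 100000.0, "remote", False),
    SetpointWrite("NaOH_SP", 100.0, 120.0, "remote", False),
]


def review(events):
    """Evaluate each event and return (requested_ppm, allowed, reasons) tuples."""
    return [(e.requested_ppm, *evaluate(e)) for e in events]


if __name__ == "__main__":
    for requested, allowed, reasons in review(SAMPLE):
        status = "ALLOW" if allowed else "REJECT"
        print(f"{status} {requested} ppm {'; '.join(reasons)}")
```

In practice, limits like these belong in the controller logic as well as the HMI, so that a compromised operator station cannot bypass them.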
As businesses continue to implement new technologies, cybersecurity becomes even more critical. In fact, it should be a top priority.
If you’re dealing with critical systems, we strongly suggest implementing proper layers and practices to prevent a breach.
DMI offers a wide range of cyber risk management services capable of securing and monitoring critical systems, including industrial controls. For more information, visit our website at DMInc.com.