The technology behind traffic lights, hospital infrastructure, building operations and more is part of what is known as an Industrial Control System (ICS). ICSs are everywhere in the modern world and play an integral role in all our lives.
ICSs: An Overview
ICS is a general term that encompasses several types of control systems and associated instrumentation used for industrial process control. ICS systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems with many thousands of field connections.
Previously, as part of legacy systems, most equipment and components used in manufacturing and the operation of power plants, water and wastewater plants, transport/transit industries and other critical infrastructures were quite simple, and those that were computerized typically used proprietary protocols. The networks with these components and equipment were air-gapped and protected from the outside world.
This format has changed over the years, and components of today’s ICS Systems are often connected directly or indirectly to the internet through ICS environments.
ICSs & Critical Infrastructure Sectors
Presidential Directive 21 called for classifying critical infrastructures that are vital to the security of the United States. The Department of Homeland Security under the Cybersecurity and Infrastructure Security Agency (CISA) has named 16 critical infrastructure sectors. These sectors are as follows:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater
Each of these 16 sectors can be divided even further into sub-sectors, giving increasingly specific details about what they contribute to the United States’ infrastructure, as well as why they’re deemed “crucial.” The size of each sector, along with its sub-sectors, shows the significance of Industrial Control Systems today, as well as the growing challenge that comes with protecting them.
The implementation of cybersecurity measures on ICSs is critical because the lack thereof can have severe consequences that harm health, safety and the environment. DMI believes that to “properly converge ICS/OT and IT,” everyone involved must have a proper understanding of what an ICS is and the implications it has for their operation.
Risk Management of ICSs
Understandably, businesses need to be able to access information from the ICS’s Operational Technology (OT). However, the OT must be segmented and protected from external sources, cyber-attacks and other IT systems.
Businesses must also implement proper safeguards, including but not limited to:
These are just several suggestions, but remember: security incident on an ICS will have very serious physical and economic implications.
Let’s look at a recent example from a water treatment plant in Oldsmar, Florida. The plant’s ICS used an Internet-connected human-machine interface (HMI) to control their water treatment processes remotely. However, the water treatment plant used an insecure remote access technology called TeamViewer without multi-factor authentication.
In February 2021, a malicious actor gained access to the water treatment plant’s network and changed the water’s sodium hydroxide (NaOH) concentration from 100 parts per million to over 100,000 parts per million. If the plant’s HMI operator hadn’t noticed the threat, this breach could have not only damaged the plant’s pipes but also injured or killed those who ingested the treated water.
This situation is merely one example of the importance of applying cybersecurity practices to one’s ICS environment and the dangers that inadequate cybersecurity controls could have on network infrastructure and society at large.
An End-to-End Cyber Risk Management Partner
As businesses continue to implement new technologies, cybersecurity becomes even more critical. In fact, cyber security systems should be a top priority.
If you’re dealing with critical Industrial Control Systems, we strongly suggest implementing proper layers and practices to prevent a breach.
DMI offers a wide range of cyber risk management services capable of securing and monitoring critical systems, including industrial controls. For more information, visit our website at DMInc.com.