The ICS Vulnerability Gap

Clarke Shipley
4 min read · Mar 26, 2022

We have all seen the news out of Ukraine over the last few weeks.

In February 2022, Vladimir Putin ordered a full-scale military invasion of Ukraine, a former Soviet republic. Tensions between Russia and Ukraine have simmered for centuries, and the conflict now spills from the physical world into the virtual one. Part of this war will be fought online, and specifically inside industrial control systems, the place where the physical world and the networked world directly intersect. In the short and rapidly evolving era of constant cyber conflict and supply chain disruption, critical infrastructure around the globe has never been more exposed. Russia could use exploits against it to retaliate for the sanctions imposed in February and March. The exposure of Ukraine’s critical infrastructure is a proxy for that of the U.S. and the rest of the world, and the worst may be yet to come.

Cyber attacks in Ukraine

It is not news that Russia uses malware and zero-day exploits against critical infrastructure. Historically, cyberattacks have been a major part of Russia’s aggression against Ukraine. As Nicole Perlroth recounts in detail in “This Is How They Tell Me the World Ends,” Russia attacked Ukraine’s power grid in December 2015, knocking out electricity to roughly 230,000 customers for several hours. In February 2022, Ukrainian banking and defense ministry websites were knocked offline by distributed denial-of-service attacks that the U.S. and UK attributed to the GRU, Russia’s military intelligence agency. So far, the visible disruption in this war has been limited to denial of service against websites; a material attack on physical infrastructure has not yet appeared, but one looks more than likely as Russia presses its assault on multiple fronts. Ukraine has never been more exposed, and other industrialized nations should take a long, hard look at the risks to their own critical infrastructure.

Industrial control systems — what are they?

In any pipeline, port, or trucking system there is a control function where physical processes are managed: motors run, valves open and close, and actuators fire. Industrial control systems (ICS) are the hardware and software that run this layer in every piece of critical infrastructure. Water, electricity, transportation, and waste disposal all depend on software to operate and execute physical controls. Industrial automation vendors such as Honeywell, Rockwell Automation, and Siemens (along with enterprise software vendors such as SAP whose systems feed them) operate at this intersection of the virtual and the physical, yet few people know how vital these systems are. Cybersecurity was traditionally viewed solely as an IT problem. Now these problems directly affect what is called operational technology (OT): the systems that run physical processes, such as water treatment plants, pipelines, and even connected vehicle infrastructure. Below are some examples of physical infrastructure operated by industrial control systems. The list is by no means exhaustive.

  • Ports / maritime. Worldwide maritime trade has grown over the last decade and is a critical part of national and global economic activity in an increasingly globalized world. The fragility of this infrastructure was put on display when the “Ever Given” blocked the Suez Canal in 2021, holding up an estimated billions of dollars of trade per day. Industrial control systems are layered throughout this international system: in docking systems, engine management software, vessel traffic control, locks and dams, and the cranes and heavy equipment used to load and unload container ships. Despite this, legacy OT is regularly overlooked in maritime cybersecurity, and the interconnected nature of the industry spreads responsibility across many international regulatory bodies, adding complexity beyond the internal and external threats themselves.
  • Logistics / trucking. Transportation and logistics companies are frequent targets of cyberattacks, and disrupted service translates directly into physical supply chain problems. In 2018, Bay & Bay Transportation suffered a ransomware attack that locked up the systems running its 300-truck fleet; the company eventually paid a five-figure ransom. A further risk is exposure of highly sensitive economic and personal delivery data.
  • Dams. Dams deliver green energy through hydroelectric generation and control water retention and flow. Assets include locks, levees, hurricane barriers, and hydroelectric projects, and dams provide other social benefits: river navigation; water supply for municipal, industrial, and agricultural uses; flood control; waste management; recreation; and wildlife habitat. In 2013, Iranian hackers gained access to the control system of the Bowman Avenue Dam in Rye Brook, New York, through a cellular modem. The sluice gate’s control system happened to be disconnected for maintenance at the time of the intrusion; had it been online, the attackers could have manipulated the gate and released water downstream.

Security with ICS

When it comes to securing the software baked into an ICS environment holistically, there is no magic bullet. Each interconnected product carries its own layers of code, because system design differs from site to site and from vertical to vertical. On top of this, much of America’s (and the rest of the world’s) critical infrastructure is considered “legacy.” In cybersecurity, “legacy” is not a compliment: it means the OT was not originally designed to be connected to a modern IT ecosystem and network. Much of the OT in use in America is decades old and must be retrofitted or replaced to interface safely with modern security controls. Even minor flaws can let attackers into an ICS to carry out espionage or to cause equipment failures with physical consequences.

The safety of global critical infrastructure depends on how resiliently critical infrastructure cybersecurity is actually implemented. Whether the adversary is Russia or another hostile foreign actor, private and public partners must make a collective effort to shrink the attack surface. In addition, proper configuration to reduce that surface, such as managing authentication appropriately, implementing secure remote access, actively monitoring for insider threats, and hardening ICS code, is crucially important for the IT and OT teams responsible for operating the infrastructure.
