The Top 3 Cybersecurity Issues for Industrial Control Systems in 2021

The culture clash between IT and OT operators has taken a back seat to three emerging security issues for the industrial control systems (ICS) community. “That won’t work for OT” was a common mantra in the days before SolarWinds and the smart-device source code snafus. IT security staff, ranging from a single employee to robust round-the-clock teams, are now reconciling with emerging unknowns rather than racing to secure Windows XP vulnerabilities and dealing with technical overshare from system vendors. Security leaders and security operations centers face three major hurdles in 2021: debates over proprietary versus open source security tools, supply chain management battles, and an increasingly bleak landscape of Internet of Things (IoT) vulnerabilities.

Proprietary Vs. Open Source

Open source programs are free and essentially crowd-sourced, and therefore potentially debugged, rather than manipulated, by many hands. At the same time, the utility of any software goes only so far as humans know how to extract value from its outputs. To get full utility, end users usually provide data, sometimes confidential, which must be part of the risk calculus before purchase. End users have limited visibility into proprietary code in software that relies on access to and exchange of their data. The same is true for managed services. A security team might decide on an open source tool for network monitoring, but purchase a third-party software-as-a-service solution, such as SolarWinds, for management and orchestration. It is increasingly difficult to weigh the costs and benefits on either side when both options present unique and unforeseen risks.

Supply Chain Management

The supply chain for ICS is an added stressor to communication networks that already lack the visibility required to engender a defense-in-depth cybersecurity program. Many static OT data protocols and processes live in spreadsheets, with outdated software versions running on industrial machines 10 to more than 30 years old. ICS hardware and software in a single environment come from dozens of different vendors. Among the switches, firewalls, gateways, and port mirroring devices, network traffic might be segmented, but recent incidents reveal unknown internet connections on OT devices and vendor-supplied systems and subsystems. To ensure the integrity of software going forward, a required software bill of materials could go a long way in terms of prevention and integrity. Unfortunately, cataloguing ICS to retroactively track supply chain metadata and provenance is an expensive, time-consuming, and arduous task.
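The paragraph argues for a required software bill of materials (SBOM) as a prevention and integrity measure. The script below is an added example, not code from the article or from ISA, showing what such a check looks like in practice: it builds a minimal CycloneDX-style SBOM for the components installed on a hypothetical HMI workstation, then compares each component against a vendor-supplied integrity manifest and a site policy of minimum supported versions. The artifact contents, manifest, component names and version floors are all constructed sample data; a real deployment would read the SBOM produced by the vendor or by an SBOM generator and the manifest from the vendor's signed release notes.

```python
"""Added example (not from the original article): checking an ICS SBOM for
integrity and provenance. All component names, artifact bytes, hashes and
policy values below are constructed for illustration."""
import hashlib
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, hex encoded (CycloneDX 'SHA-256' alg)."""
    return hashlib.sha256(data).hexdigest()


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.2.1' into (7, 2, 1) so versions compare numerically.
    Non-numeric parts (e.g. 'beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


# Constructed stand-ins for the bytes of the installed binaries.
ARTIFACTS: Dict[str, bytes] = {
    "hmi-runtime": b"hmi runtime build 7.2.1",
    "opc-ua-stack": b"opc ua stack 1.04",
    "plc-driver": b"plc driver 3.0.0",
    "remote-support-agent": b"remote support agent 2.5",
}

# Constructed versions reported by the installed software.
INSTALLED_VERSIONS: Dict[str, str] = {
    "hmi-runtime": "7.2.1",
    "opc-ua-stack": "1.04",
    "plc-driver": "3.0.0",
    "remote-support-agent": "2.5",
}

# Constructed vendor integrity manifest: component -> SHA-256 of the shipped file.
# 'plc-driver' differs from what is installed (drift or tampering), and
# 'remote-support-agent' is absent (no vendor provenance at all).
VENDOR_MANIFEST: Dict[str, str] = {
    "hmi-runtime": sha256_hex(ARTIFACTS["hmi-runtime"]),
    "opc-ua-stack": sha256_hex(ARTIFACTS["opc-ua-stack"]),
    "plc-driver": sha256_hex(b"plc driver 3.0.0 original"),
}

# Constructed site policy: minimum supported version per component.
MIN_VERSIONS: Dict[str, str] = {
    "hmi-runtime": "7.2.0",
    "opc-ua-stack": "1.05",
    "plc-driver": "3.0.0",
}


def build_sbom(artifacts: Dict[str, bytes], versions: Dict[str, str]) -> str:
    """Emit a minimal CycloneDX-style JSON SBOM with a SHA-256 hash per component."""
    components = [
        {
            "name": name,
            "version": versions[name],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        }
        for name, data in artifacts.items()
    ]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components})


def check_sbom(sbom_json: str, manifest: Dict[str, str],
               min_versions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (component, finding) pairs for every integrity or policy problem."""
    findings: List[Tuple[str, str]] = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp["name"]
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        sha = hashes.get("SHA-256")
        if sha is None:
            findings.append((name, "no SHA-256 hash recorded"))
        expected = manifest.get(name)
        if expected is None:
            findings.append((name, "not in vendor manifest: unknown provenance"))
        elif sha != expected:
            findings.append((name, "hash mismatch with vendor manifest"))
        floor = min_versions.get(name)
        if floor and parse_version(comp["version"]) < parse_version(floor):
            findings.append((name, f"version {comp['version']} below policy minimum {floor}"))
    return findings


if __name__ == "__main__":
    sbom = build_sbom(ARTIFACTS, INSTALLED_VERSIONS)
    for component, finding in check_sbom(sbom, VENDOR_MANIFEST, MIN_VERSIONS):
        print(f"{component}: {finding}")
```

Run as a script, it reports three findings: the OPC UA stack is below the policy floor, the PLC driver's hash does not match what the vendor shipped, and the remote support agent has no vendor provenance at all. The last finding is the one the paragraph's "unknown internet connections on ... vendor-supplied systems" warns about: a component that nobody can vouch for is the first place to look.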

IoT Vulnerabilities

Although endpoint security in industrial operations is gaining traction, it won’t treat the underlying causes that make IoT insecure. More data feeds, connectivity, and data management tools offer a band-aid for weak password, authentication, and encryption protocols, insecure update mechanisms, and mundane privacy protections. A novice threat actor can find internet-connected devices on the website Shodan and learn how to circumvent network segmentation and penetrate isolated IoT networks using open source tools such as Nmap and Ncrack. Managing intrusions will be a constant battle between detection and response, with little attention left for addressing underlying issues after IoT products are bought from vendors and deployed.

Next Steps for Stakeholders

A new standard in the ISA/IEC 62443 series, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a set of engineering measures to guide organizations through the process of assessing the risk of a new or existing ICS or IIoT system. It also establishes how to identify and apply security countermeasures to reduce that risk to tolerable levels.

Another new methodology from experts at the Idaho National Laboratory (a member of the ISA Global Cybersecurity Alliance), Consequence-Driven, Cyber-Informed Engineering (CCE), focuses on worst-case access and exploitation scenario planning. CCE proceeds from the assumption that the only way to understand attacks before they occur is to think like an attacker and stress-test your network and security policies.

These approaches are tailored to each organization, and they allow experts to address security risk in critical systems and begin to confront and mitigate the major pain points of 2021.


Originally published at https://gca.isa.org.

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation.