The world had a security wake-up call recently. Organizations were alerted to nearly 100,000 exposed industrial control systems (ICS), potentially allowing an attacker to access and control physical infrastructure such as power grids, traffic light systems, security and water systems, and more. That’s not only a stark statistic but a critical call-to-action for organizations around the world. For both organizations directly using ICSs and those dependent on them, the potential impacts are serious and need immediate attention. This article breaks down why ICS security and visibility should be on every organization’s agenda:
Full Stop: OT is not IT
As a first step, let’s consider the differences between OT and IT. Operational technology (OT) is an encompassing term for the many technologies and systems used in industrial settings, including industrial control systems. These systems bring with them unique challenges not found on the IT front:
Long or Nonexistent Patching Cadence Cycles
Unlike typical IT operating systems such as Windows and iOS, ICSs tend to use proprietary operating systems, which complicates the patching process.
Shutting down a power grid or otherwise critical industrial environment to fix issues has far-reaching consequences, typically greater in magnitude than those of shutting down an IT environment. ICSs are therefore more complicated to secure and present hurdles unlike those experienced on the IT front.
These attributes, and the high availability needs that follow from them, can make incident response a challenge.
Workforce Challenges Exacerbate Risks
There is an evident lack of qualified professionals who understand these risks and are trained in ICS security. Reports validate this assessment:
- “83% [of 3,500 security experts from around the world] believe there is a significant shortage of OT security workers.
- Sixty-nine percent of respondents believe organizations are having a hard time finding these types of employees due to potential candidates lacking the right amount of skills.”
And the status of OT security only compounds concern:
- “75% of experts believe their OT security risk level is high or severe for the company’s overall risk profile.”
Industry 4.0 continues to be the driving force behind these challenges. Formerly analog systems are increasingly coming online, from internet-of-things (IoT) and internet-of-medical-things (IoMT) devices to internet-connected ICSs. Rapid and global digitization means security professionals, executives, and members of the board must consider nuanced cyber risks.
Direct Risks to Organizations Using Industrial Control Systems
Industrial control systems have significant operational importance. From manufacturing to utilities, ICSs underpin many of the processes that modern businesses rely upon. Their smooth functioning is synonymous with operational continuity. An exposed ICS could potentially translate into halted production lines, interrupted utility services, and unforeseen downtimes. While these systems have increased efficiency and capacity, a lack of ICS security can have far-reaching consequences.
An attack on these systems could render them inoperable, potentially resulting in halted production, equipment damage, and in sectors like utilities, widespread service disruptions.
The costs of a compromised ICS could potentially run deep, from system repairs and data recovery to legal liabilities and regulatory fines.
An ICS security incident that leads to public backlash or jeopardizes human safety could potentially damage an organization's reputation.
National Security Risks
Government organizations and societies at large depend on ICSs. Amid the ongoing Israel-Palestine conflict, actors are targeting water supply and agricultural systems in Israel, serving as real-world examples of industrial control systems being leveraged during times of conflict.
Organizations Need Not Directly Use ICSs to Face Risks
ICS risk can arise from both direct and indirect use of industrial control systems. Organizations may be dependent on organizations using ICSs without even realizing it.
Consider a hypothetical manufacturing supplier dependent on an industrial machine to produce and ship business-critical supplies. Unexpectedly, the ICS controlling that machine is attacked, rendering it inoperable. Through potentially several degrees of separation, organizations depending on this supplier stop receiving supplies for as long as the supplier’s machinery is down. Similar scenarios have played out in reality – the Colonial Pipeline attack caused fuel shortages that disrupted business on the East Coast of the U.S. for extended periods of time. Here are some of the potential third-party risks associated with an attack on industrial control systems:
Supply Chain Disruptions
The simple times are over. Organizations are now part of a massive and intricate network of supply chains. If one link in this supply chain is ICS-reliant, it could present the potential for delays, service interruptions, and contract breaches across the supply chain.
As a natural continuation of the above risk, delays and other causes of business disruption could potentially inflict financial loss. Organizations dependent on ICS-reliant partners could find themselves waiting on deliveries for extended periods of time if their partner’s ICSs are attacked.
Collateral Reputation Damage
Having a business association with a compromised organization, even indirectly, could potentially raise concerns and questions about one’s own security practices and ability to consistently provide goods or services.
ICS Manufacturers Face Unique Risks
Widespread Targeting of Vulnerable ICSs
If an ICS manufacturer deploys vulnerable industrial control systems, it could potentially result in widespread attacks targeting the same ICS after one is found vulnerable. Similar to a typical IT scenario, once a software vulnerability hits the news as known and exploited, attackers tend to scan the internet and attack other instances en masse. For this reason, launching one vulnerable ICS could potentially result in countless attacks impacting many users of that model.
If this happens, the manufacturer could potentially face backlash and suffer financial loss. This is why it’s critical for ICS manufacturers to adopt secure-by-design principles to deploy secure technology in the first place.
The Vital Need for ICS Visibility
Without a clear view of exposed industrial control systems, organizations are navigating their digital security blindfolded. This is unfortunate given the critical role ICSs play in our society.
Mapping your Digital Landscape
To safeguard against these risks, organizations need to map their digital footprint. This isn’t limited to internal systems but extends to partners, suppliers, and other entities they’re connected with. Without a holistic view, addressing exposure — especially ICS exposure — remains a complicated effort.
Today’s risks may not be tomorrow’s risks. That’s why it’s paramount to continuously monitor your own environments and those of your third parties. Solutions that offer a continuous view can provide an edge in this respect.
Cyber Risk Benchmarking
Benchmarking is vital if organizations are to effectively manage ICS risk. Organizations must benchmark their security performance against their peers to ensure their risk tolerance is within accepted boundaries. By benchmarking against industry standards, organizations can refine their security strategies and measurably reduce their risk of experiencing a cybersecurity incident.
A Chance to Take Action
The revelations around ICS exposure are more than just a wake-up call; they’re an invitation to action. While understanding the associated risks is a significant first step, the next logical move is obtaining visibility into these systems and potential exposures across your digital ecosystem. Embracing solutions that offer a clear view of the digital landscape isn’t just a security imperative; it’s a strategic investment in a resilient and trustworthy future.