ICS Demystified

What are Industrial Control Systems? And how easily can they be secured?

Industrial Control Systems (ICS) are prevalent across a wide range of industries, where they automate different activities depending on the industry. In car manufacturing they control the assembly line and the manufacture of vehicles by autonomous robotics; in oil and gas they control pipeline transport and storage. Needless to say, they control some of the most potentially dangerous activities, which are deemed critical by the majority of nation states and industries.

Many organisations and businesses require up-to-date information about their infrastructure, such as the number of cars rolling off the production line. As a result, these critical systems are connected to the corporate network so that analysts, senior management and third parties such as regulators or business partners can access this information. However, given the now well-documented security issues surrounding ICS and its enhanced connectivity and capabilities, illustrated by Stuxnet and Aurora, this connectivity introduces risks such as the potential to disrupt operations or damage equipment.

There are, however, solutions on the market that help an organisation mitigate some of these problems. Typically, information is collected from the industrial network using Object Linking and Embedding for Process Control (OPC). A collection server is located in the industrial Local Area Network (LAN) segment, and an OPC viewer located in the corporate network allows the statistics that are pulled back to be analysed.

Between these network segments, traditional firewalling is used to restrict the traffic that can pass. The firewall should be configured to allow only OPC network traffic to flow between the industrial LAN and the corporate LAN, but this is not always the case: over time further access is typically added, giving corporate users and engineers broader access to the ICS LAN infrastructure. Where the firewall is not restricted in this way, the OPC server can be used as a pivot point into the industrial LAN from the corporate LAN.

Securing ICS is made more difficult because systems are typically installed with a long lifespan of ten or more years, and upgrading them, or even their supporting systems, can lead to both costly downtime and extended regulatory input to ensure safety cases are maintained. This can mean ICS systems are not updated during their lifespan, so unpatched and insecure systems end up controlling highly sensitive processes. This can be an ideal situation for aggressors wanting to cause potentially physical harm, disrupt operations or steal intellectual property.

There are, however, a number of security solutions and services that can help to improve ICS security and mitigate potential security concerns and issues. There is a growing market for ICS-specific firewalls that implement Deep Packet Inspection (DPI). As an example, if an ICS network is using the Modbus protocol over TCP/IP as its transmission medium, an engineer will know which Modbus commands are allowed and which should be denied. This can be implemented in the firewall to block non-allowed Modbus commands from reaching the ICS network from illegitimate sources.
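The Modbus allow-list decision described above, sketched as an added example (not code from the original article or from any firewall product). The source addresses, roles and permitted function codes in `POLICY` are constructed assumptions; the frame layout is the standard Modbus/TCP MBAP header followed by the function code.

```python
import struct

# Constructed policy (assumption): source IP -> Modbus function codes it may send.
READ_CODES = {0x01, 0x02, 0x03, 0x04}    # read coils / inputs / registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}   # write coils / registers
POLICY = {
    "10.0.1.10": READ_CODES,                # hypothetical historian: read-only
    "10.0.1.20": READ_CODES | WRITE_CODES,  # hypothetical engineering workstation
}
MAX_ADU = 260  # 7-byte MBAP header + 253-byte PDU


def build_frame(tid, unit, func, data=b""):
    """Build a Modbus/TCP request; used here to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([func]) + data


def inspect(src_ip, frame):
    """Return (verdict, reason) for one Modbus/TCP request frame; default deny."""
    if not 8 <= len(frame) <= MAX_ADU:
        return ("deny", "frame size outside Modbus/TCP limits")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return ("deny", "protocol identifier is not Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        return ("deny", "MBAP length does not match frame")
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return ("deny", "source not in policy")
    func = frame[7]
    if func not in allowed:
        return ("deny", f"function code 0x{func:02x} not allowed for source")
    return ("allow", f"function code 0x{func:02x}")


if __name__ == "__main__":
    read_req = build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))    # read 10 registers
    write_req = build_frame(2, 1, 0x06, struct.pack(">HH", 1, 255))  # write one register
    for src in ("10.0.1.10", "10.0.1.20", "192.0.2.50"):
        for name, req in (("read", read_req), ("write", write_req)):
            print(src, name, inspect(src, req))
```

Validating the MBAP header before looking up the function code means malformed frames are dropped regardless of source, and anything not explicitly listed is denied.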

Further, typical services such as security assessments and vulnerability research can be adapted for an ICS environment. These show where security controls are and are not effective, and provide researched vulnerabilities both to ICS operators, so that mitigations can be put in place, and to the vendor, so that issues can be fixed, usually through the issuing of patches. This leads to greater security and a better understanding of risks in the ICS environment.

A concern, though, is that advanced aggressors are capable of bypassing these security restrictions and having an effect. However, it is common for advanced aggressors to use typical attack methodologies to cause that effect. If security controls and monitoring are in place, this can dramatically reduce the ability of advanced aggressors to have an effect. Vulnerability research can lead to discovered security flaws being patched by the vendor, and to ICS operators being able to put mitigations in place before an aggressor can exploit these weaknesses.

These solutions can therefore be utilised to bring about a secure ICS environment that is less likely to be compromised by threat actors, ranging from collective organisations such as Anonymous to state-level actors intent on causing damage to a country's CNI. They should be considered throughout the lifespan of an ICS installation, from design and planning through installation to day-to-day running, to ensure that critical systems are kept available.



