Improving ICS Safety Through ICS Security

In late December 1994, the National Research Council appointed a Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety. The ideas behind the initiative were to get in front of safety and reliability issues that would surface as nuclear power plants transitioned from analog to digital operations, and to create a set of standard industry practices to be used during plants’ adoption of digital instrumentation. Though this committee was focused on nuclear power plants, the concerns highlighted in its findings report[i] could easily be applied broadly across industrial control systems.

In the years preceding the issuance of the report, the industrial base had spent significant effort transforming analog systems, which required highly-manual operation, to digital systems. The introduction of digital systems (what we now term “digital transformation”) was driven by safety, efficiency, availability, and accuracy concerns. However, digital transformation also raised questions about ease of use, technical problems, lack of understanding, and a host of unknown variables about how industrial control systems would henceforth operate.

Yet, the change was inevitable, and the industrial base embraced digitalization for its myriad benefits. For over a decade, industrial control systems (ICS) relied on operational technology (OT) that ran and communicated on its own, self-contained network of programmable logic controllers (PLCs), COM modules, and other equipment under control—motors, pumps valves, and sensors, for instance. But then came the Fourth Industrial Revolution, and OT systems began to mix with IT systems, and the boundaries weren’t always clear. OT that was once always air gapped was now connected to IT networks and the cloud, and were accessible via mobile and industrial internet of things (IIoT) devices by field workers.

Naturally, this evolution introduced an expanded attack surface and offered cyber criminals new avenues to target ICS. Prior to IT/OT convergence, attackers needed familiarity with ICS-specific technology to infiltrate a network. Today, OT networks at upper levels look a lot more like traditional IT networks and thus make attackers more effective in this arena.

Over the last 6+ years, the cyber security industry has started focusing more seriously on IT/OT convergence and what a successful attack against manufacturing, power generation, wastewater treatment plants, and the like would look like. And then the attacks started coming. The first notable attack against ICS was Stuxnet in 2010—foreshadowing, for sure, but largely considered a sophisticated attack by highly-skilled individuals. More recently, CrashOveride, BlackEnergy, and Havex have all demonstrated how adversaries are using common IT attack techniques to affect damage against OT networks.

Managing the threat against OT

Six years ago, PAS Global, a software solutions provider to the industrial base, expanded on its origins to help organization secure and manage OT, whether converged with IT or standalone.

Founded in 1993 by Eddie Habibi, a computer scientist and veteran of the oil & gas, refining and chemical industries, PAS’ initial focus was improving documentation and configuration change management of control systems. As a former automation engineer, Habibi knew that companies were generating revenue and operating critical infrastructure with these control systems, but much of the information about how to do so was tribal knowledge—intelligence contained in engineers’ and operators’ heads but not written down or formalized. This, of course, created a seam—an opportunity for information to be lost or steps to be missed—which meant that mistakes were introduced and human safety was at risk.

Habibi decided to build a software package that captured and formalized documentation to help companies standardize and reduce risk in the management and maintenance of their ICS. Over the years, PAS grew, but the company has maintained its roots in running industrial control systems. “Safety has always been the priority for the industrial sector," said Matthew Selheimer, CMO at PAS Global, during a recent briefing. “Before digitalization, ‘safety’ meant something very different. Now, though, safety and cyber security are intertwined. A breach of an OT system could compromise human lives, so our mission statement has become, ‘we save lives.’ It's an ingrained part of our culture and it’s what drives our company.”

Selheimer explained how industrial organizations are at a critical juncture: “Digital initiatives are driving a faster pace of innovation and increased efficiency, but they’re also introducing greater complexity and expanding the digital attack surface,” he said. This is the problem PAS is trying to solve for their customers: How to embrace a safety-first mindset in a converged IT/OT world. While some organizations are adopting an IT mindset and managing OT programs with traditional IT networking staff, PAS believes it’s important to balance expertise. “There is quite a bit of difference between what happens if a server in an IT network goes down and if a compression valve in a power plant does,” said Selheimer.

Integrity at the core

As such, PAS has centered its products around integrity. The idea is that cyber security, process safety, and digitalization are integrated; the require interconnected processes and strategies to ensure systems stay up and running and free from any risks, whether that’s the risk of a cyber attack which renders data unavailable or one that shuts down PLCs and causes physical destruction.

PAS’ main security platform is called Cyber Integrity. It allows industrial organizations to take stock of all assets, configurations, and cyber security controls in their OT environment. After inventory, the solution can apply vulnerability management to show system admins where there are issues and where suspicious activity is occurring. Importantly, workflow is built into the process so that any vulnerabilities or concerning changes to device configurations can be investigated and acted upon. As would be expected of any discovery technology in a digital environment today, Cyber Integrity integrates with many industry-leading SIEM, ID/PS, and ITSM tools for ease of use and reporting.

The above features and functionality don’t sound significantly different from IT-based asset discovery and management tools, of which there are many in the commercial market. But the key point for ICS environments is that trying to deploy IT network tools with passive detection in OT environments doesn’t always account for the idiosyncrasies of ICS technology. To start, industrial environments often use low bandwidth to communicate. While this may change in the future, today, this is reality. What it means is that, using traditional IT technology, changes for certain OT assets won’t be captured accurately or in real time, and that could affect operations and cause availability issues or worse. Further, ICS don’t communicate with the same regularity or frequency as IT, and some assets might not communicate at all over networks, leaving blind spots and introducing vulnerabilities.

Most importantly, network-based approaches to asset inventory and management struggle below level 2 in ICS models.[ii] This leaves controllers, COM modules, and other instrumentation completely exposed from an attack surface point of view. It is therefore prudent for companies running OT networks to look for solutions purpose built for these environments and by teams that have worked in these environments and can understand the rate of change, the complexity of change, and how digitalization of these critical systems could affect more than a loss of data or availability.

Health and safety in OT environments

In addition to Cyber Integrity, PAS Global offers Automation Integrity and Decision Integrity, which help customers leverage configuration data to understand the health and safety of their environments. The company also offers PlantState Integrity to assist industrial organizations with alarm management, boundary management, control loop performance, and monitoring of independent protection layers including safety instrumented systems.

Given the criticality of ICS, industrial organizations should seek out cyber security solution providers that understand OT asset management, the context in which OT communicates, and the implications of a cyber incident—beyond confidentiality and availability. PAS certainly seems to have a lock on that market, and we highly recommend a conversation with their team if you’re looking to mitigate risk and improve process safety.