During the years I worked in the oil and gas industry, a question I was often asked was, “What keeps you up at night?” Since I was responsible for network communication and the security of the industrial controls and SCADA environment, there was a lot that kept me up at night. As time progressed and ICS/SCADA became more integrated with enterprise security, my restless nights rapidly increased.
Years ago, the concerns were simple compared to today’s standards. Back then we were worried about malware potentially infecting the HMIs or a control server, or someone accidentally accessing the controls network, or misconfigured equipment.
Jumping forward to the mid-2000s, our concerns changed. Stuxnet was a seminal event in ICS security, and suddenly, we were worried that someone could reprogram PLCs to damage the line compressors. On top of that, there was BlackEnergy and the possible exfiltration of confidential company data out of the systems, or terrorists launching attacks against the systems with the hope of damaging part of the United States’ critical infrastructure.
Thinking back, just one of these events would have been a horrific financial loss to the company I worked for, considering the costs for repair, replacement of damaged equipment, lost production and potential fines. Of course, the worst-case scenario would be a security breach resulting in product discharge into the environment—or loss of life.
Defending systems in the ICS
The answer to how to protect the ICS/SCADA environment seems easy, yet complicated. Industry agreed-upon and accepted “best practice” solutions show promise of being effective. However, the problem is that many of these solutions can be costly and difficult to implement for ICS operators.
Some solutions offer better patch management processes to help ensure that the operating systems and software are not vulnerable to known malware or exploitation. These sound great in theory, but in truth, they offer no real relief. The reason is that many of these systems are running on end-of-life (EoL) operating systems and software packages. This leaves the option of either upgrading to the latest version of the OS and controls software or paying vendors extravagant amounts to maintain support.
Another option to consider would be implementing host-based firewalls (HBFs) on machines in the ICS. These solutions are often rich with features like antivirus, data loss prevention, and auditing of running processes on the system. Alas, the biggest shortcoming of the technology is that it is easy to circumvent. Also, a misconfiguration of the product can be very problematic and difficult to find. HBFs may not scale well either, depending upon the number of systems you have to protect.
Most IT groups encourage an antivirus solution, not fully understanding the deterministic nature of SCADA. Antivirus packages are cost-effective solutions, but the risks to the production network far outweigh the cost savings. Operators know that antivirus has the potential to be resource intensive because of its continuous system scans and its memory-resident agent. In addition, antivirus is signature-based, so it offers no defense against unknown malware and must be continually updated to provide protection against known threats. Most important is the fact that antivirus provides no protection against zero-day exploits for critical infrastructure machines.
The good news is now there are new technologies that are capable of overcoming the shortcomings of traditional endpoint solutions, like antivirus or host-based firewalls.
There are many vendors out there pushing “advanced endpoint” solutions, but true advanced endpoint protection must be capable of preventing known and unknown threats by leveraging features such as:
· Machine learning, which is capable of providing an instant verdict on an unknown executable before it runs on any of the systems in a process network.
· Virtual sandboxing technology that can determine if an executable file is malicious before it executes on the machine.
· Identifying software packages from vendors that are trusted in the environment and blocking those that are not.
ICS/SCADA systems require advanced endpoint protection capable of disrupting known and unknown cyberattacks and not affecting plant production. That protection must be innovative, powerful, lightweight, scalable, and able to integrate and complement other best practice solutions. Most important, it must be SCADA friendly.
By leveraging features such as static analysis via machine learning and trusted publisher execution restriction, operators will be better positioned to block and prevent known and unknown malware. Preventing security breaches must never jeopardize plant production. Legacy endpoint security solutions, such as traditional antivirus and host-based firewalls, are ineffective and place production at risk. Plus, they consume resources your ICS systems cannot afford to lose.
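As an added example, not from the article or from any vendor product it describes, the following PowerShell script shows what trusted publisher execution restriction looks like on a Windows HMI using the built-in AppLocker feature: it derives publisher rules from the signed vendor binaries already installed, falls back to hash rules for anything unsigned so nothing is silently allowed, and deploys the policy in audit-only mode so the event log can be reviewed before anything is enforced on a production host. The vendor directory path and rule name prefix are placeholders I assumed; the AppLocker cmdlets and event IDs are the standard Windows ones.

```powershell
# Added example (not the article's or any vendor's code).
# Assumptions: the ICS vendor software is installed under $VendorDir (placeholder),
# the host runs a Windows edition that includes AppLocker, and the script runs elevated.

$VendorDir  = 'C:\Program Files\ExampleVendorHMI'          # placeholder path, constructed
$PolicyPath = Join-Path $env:ProgramData 'ics-applocker-audit.xml'

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service  -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Gather publisher/hash information for every executable, DLL and script the vendor shipped.
$fileInfo = Get-AppLockerFileInformation -Directory $VendorDir -Recurse -FileType Exe, Dll, Script

# 2. Prefer publisher rules (signed files keep working across vendor patches);
#    unsigned files get hash rules so they are listed explicitly and show up in review.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'ICS-Vendor' -Optimize -Xml

# 3. Force every rule collection to AuditOnly before it touches a production machine.
[xml]$policy = $policyXml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 4. Dry-run the policy against a binary that is NOT from the vendor directory;
#    the PolicyDecision shows whether it would be denied once enforcement is switched on.
Test-AppLockerPolicy -XmlPolicy $PolicyPath `
    -Path (Join-Path $env:SystemRoot 'System32\calc.exe') -User Everyone

# 5. Merge the audit policy into the local AppLocker configuration.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. After a normal production cycle, list what WOULD have been blocked (event 8003 = audit hit)
#    so operators can add legitimate publishers before ever moving to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Run this on a lab image of the HMI first, leave it in AuditOnly for at least one full maintenance and production cycle, and only then change `EnforcementMode` to `Enabled`; the 8003 events are the list of publishers and files that still need rules before enforcement is safe for plant operations.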
About the author: Lionel Jacobs is part of the Palo Alto Networks ICS and SCADA solutions team working as a Sr. Security Architect. Coming from the asset-owner side, he has spent the last 20-plus years working in the IT/OT environment with a focus on ICS systems design, controls, and implementation. Jacobs graduated from Houston Baptist University with a double degree in Physics and Mathematics and has held certifications as an MCSE, CCA, CCNP, CCIP, CCNA, CSSA, and GICSP.