Claroty study reveals vulnerabilities: Industrial facilities and KRITIS increasingly vulnerable to remote access
by Svenja Koch
ICS is the abbreviation for Industrial Control System. These control systems have been around for many decades and come in several categories. Programmable logic controllers (PLCs) are particularly well known; other forms include distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. The purpose of an ICS is to store sequences of recurring tasks for machines. The commands are held in local memory and are part of this closed system. Industrial control systems such as PLCs or SCADA are used primarily in automated industrial manufacturing. Critical infrastructures (KRITIS) such as power plants, oil and gas processing plants or the chemical industry also use these systems.
The development of ICS in the Industrial Sector: from closed systems to IIoT
ICS has its origins in the industrial sector. Industry needed systems to control simple and also more complex tasks for automation. A good example is robots in the automotive industry. When assembling vehicle components, they perform a series of tasks that recur. This can be, for example, a three-stage assembly of a plug-in part. The robot grips a component, swivels it to the assembly line, and inserts it at the programmed location.
PLCs and similar industrial control systems come into their own when the requirements for these sequences change. This is the case, for example, when the vehicle model is updated or when the component is needed at a different location. By updating the stored program, the control logic can be adapted quickly. These systems are therefore flexible and take over control of process automation. Classic industrial control systems such as PLCs are based on their own proprietary platform and have their own communication infrastructure. A connection to the Internet is not available, as the corresponding interfaces are missing.
In the course of Industry 4.0, increased networking of all areas of industry is now taking place. This also affects industrial control systems such as PLCs and SCADA. Bridge solutions that serve as an interface between the ICS and the network or the Internet have quickly become established here. In this way, technology that is not compatible with IT networks can be integrated into those very structures with simple means. This is generally regarded as an advantage and a step forward: monitoring, control and adjustment of areas automated with PLC or SCADA are now possible remotely via the Internet. Connected sensors continuously send current data, and access to the controller's storage is possible via the Internet.
ICS vulnerabilities are challenges for IT security
The fundamental issue is that ICS was never designed to work on a public network. However, due to its integration into network structures, this is exactly what has occurred. Because of this, the systems do not have their own IT security or security culture. In many scenarios, these ICS components are integrated into the network structures without anyone paying attention to these vulnerabilities or IT security in general.
The impact this has in practice has already become clear on several occasions. For example, in Iran in the fall of 2010, the government announced that around 30,000 computers in the country had been infected by a virus called Stuxnet. Stuxnet is sabotage software that specifically attacks Siemens S7 systems. SIMATIC S7 is a programmable logic controller, so it belongs to the class of ICS. Iran used SIMATIC S7, among other things, in the Bushehr nuclear power plant and for controlling centrifuges in uranium enrichment. A network connection to the PLC existed via the software used to control the SIMATIC S7. This is how Stuxnet infected the systems in Iran's nuclear facilities. There, the virus, either automatically or remotely controlled by a hacker via a command-and-control server, manipulated the speed of the centrifuges. In addition, the malware was able to conceal its interventions in the control system. This caused the centrifuges to fail or even be destroyed. At the Bushehr nuclear power plant, a reactor cooling pump suffered damage. This damage caused the reactor to fail for a while.
ICS from the industrial sector was also at the center of the cyberattack on the Colonial Pipeline in May 2021. The target of the attack was computerized equipment, though Colonial Pipeline did not release specific information about the nature of the system. Forty-five percent of the fuel supply to the entire East Coast of the United States was disrupted from one minute to the next. Within just a few days, there was panic buying, fuel shortages at gas stations, and a price explosion.
These examples make two points clear: first, how vulnerable such systems are because of these ICS vulnerabilities, and second, the damage that attacks can cause in the industrial sector. However, this is far from a complete picture of the overall situation. ICSs perform critical tasks in many situations. The example from the Iranian nuclear power plant also illustrates the danger of ICS vulnerabilities. Based on sensor data, the Siemens PLC controls the pump output of the nuclear power plant. Programmable logic controllers perform similar functions in power plants all over the world. These pumps are central components for plant operation and safety. Moreover, they cannot simply be shut down or disconnected. Without the automatic control and sensor data provided by the system, control of the pumps is no longer guaranteed. A nuclear power plant, for example, needs a functioning cooling system even after an emergency shutdown to remove the residual heat, and the PLC is needed for this too. An attack on such weak points thus results in the shutdown of the power plant. In the worst case, this could even lead to an accident with the corresponding consequences for people and the environment.
If we take a closer look at these vulnerabilities and their possible effects, it can only be described as negligent that ICS vulnerabilities and industrial security are not at the top of the agenda for many companies and KRITIS operators.
Claroty study reveals vulnerabilities in industrial security
In August 2021, Claroty, a company specializing in Industrial Security, released the ICS Risk & Vulnerability Report on ICS vulnerabilities. This semi-annual study shows that the number of reported vulnerabilities increased by 41 percent in 2021.
There are now 600 known ICS vulnerabilities. Much more serious, however, is that 71 percent of the vulnerabilities are classified as high or critical. A full 90 percent of these vulnerabilities have a low attack complexity, meaning they are very easy to exploit. 74 percent of the vulnerabilities require no privileges to exploit, meaning they can be exploited without any prior authorization. In addition, 61 percent of ICS vulnerabilities are remotely exploitable. These factors further increase the dangers for the industrial sector.
Also of concern is that external sources discover 81 percent of ICS vulnerabilities. For the manufacturers of these ICS, the issue of IT security is apparently not a high priority, or they lack the know-how to identify the vulnerabilities themselves. In its study, Claroty concludes by warning of the uncontrollable dangers for the industrial sector currently arising from the integration of ICS with the cloud.
Need for action for industrial security - how to close vulnerabilities in ICS
With the widespread introduction of IIoT and Industrie 4.0, the time has come for IT security to review and improve the security of ICS. Industrial security is a topic in itself and requires a completely different approach than in regular IT.
For this reason, the German Federal Office for Information Security (BSI) has also published an ICS Security Compendium. This compendium summarizes the central threat scenarios for the industrial sector. It also contains a collection of best practices on how such systems can be secured and what needs to be taken into account at the planning stage.
First of all, it is necessary to centralize the management of digital security. Traditionally, PLCs and similar systems have not been the responsibility of IT security; in the future, the company's own IT security department will also be responsible for industrial security. In this way, uniform standards can be established. Identity and access management policies make it possible to control access to PLC systems at the network level. Another way to secure ICS is to set up separate network zones, in which IT security bundles IoT devices and ICS in protected areas. Basic authorizations then apply within such a zone. Using an asset inventory, IT security creates a topology of all ICS across the enterprise. In this way, every ICS can be captured and mapped into these protected network zones. Network access controls with separate authentication allow access to be logged. In addition, group policies, guidelines and risk profiles are useful for these industrial control systems.
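As an added illustration (not part of the original article or of Claroty's report), the script below combines the three vulnerability attributes the Claroty figures single out (remotely exploitable, low attack complexity, no privileges required) with the asset's network zone from the inventory described above, to rank which ICS need to be moved into a protected zone first. Zone names, device names and findings are constructed; the CVSS v3.x vector format is real, the scoring is a hypothetical triage heuristic.

```python
from dataclasses import dataclass

# Hypothetical zone model: higher number = more exposed to IT/Internet traffic.
ZONE_EXPOSURE = {"internet": 3, "enterprise_it": 2, "dmz": 1, "ot_cell": 0}

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    remote_access: bool  # reachable through a remote-access bridge

@dataclass(frozen=True)
class Finding:
    asset: str
    cvss_vector: str  # CVSS v3.x base vector string

def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/PR:N/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vectors are supported")
    return dict(m.split(":", 1) for m in metrics)

def score_finding(asset: Asset, finding: Finding) -> int:
    """0..6: the three Claroty attributes plus where the asset sits."""
    m = parse_vector(finding.cvss_vector)
    score = (m.get("AV") == "N") + (m.get("AC") == "L") + (m.get("PR") == "N")
    score += min(ZONE_EXPOSURE[asset.zone], 2)      # outside the OT zone hurts
    if asset.remote_access and m.get("AV") == "N":   # remote bridge + network bug
        score += 1
    return score

def triage(assets, findings):
    """Rank findings; the recommended action mirrors the zoning advice above."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        s = score_finding(by_name[f.asset], f)
        action = ("move into protected OT zone, restrict and log remote access"
                  if s >= 4 else "patch at next maintenance window" if s >= 2
                  else "track")
        rows.append((f.asset, s, action))
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample inventory and findings (not real devices or CVEs).
SAMPLE_ASSETS = [Asset("plc-line-3", "enterprise_it", True),
                 Asset("scada-hmi-1", "dmz", False),
                 Asset("plc-cell-7", "ot_cell", False)]
SAMPLE_FINDINGS = [Finding("plc-line-3", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
                   Finding("scada-hmi-1", "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"),
                   Finding("plc-cell-7", "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H")]

if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(row)
```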
Protection against physical access is also necessary; endpoint security is the keyword here. In addition to IoT devices and the ICS infrastructure, this also applies to switches, routers and, above all, wireless networks. Unused ports must be disabled, which prevents temporary connections from a portable device such as a laptop. The optimal solution is to isolate the ICS networks completely from the wireless networks so that this data travels only over wired connections. In this way, unnoticed access via the network structures can be effectively prevented.
Industrial security is a highly relevant topic area within IT security, for which, however, there is still an acute need to catch up in many companies. Practical examples show the devastating effects of targeted attacks on ICS vulnerabilities. This threatens not only the industrial sector, but also critical infrastructures such as the energy sector or water supply. The IT security of these institutions has the task of identifying threatened systems as quickly as possible and implementing individual solutions that guarantee industrial security in the ICS sector. Otherwise, there is a threat of attacks on critical infrastructures with far-reaching consequences for the entire population, as was recently observed in the USA with the cyberattack on the Colonial Pipeline.