
Antonio Mauro, PhD; Caroline Akawi, MBA. December 09, 2020

Industrial Control Systems: Understanding Vulnerabilities, Risk and Mitigation

Abstract

This paper introduces and explores the topic of Industrial Control Systems (ICS) from a cybersecurity perspective. It is designed to explain what exactly ICS is, where we find them, and the different types of systems that can be found within the ICS framework. The paper is divided into three sections, the first being an introduction to the Internet of Things (IoT) and ICS systems. In this section the reader can expect a thorough analysis of what Operational Technology (OT) is, how it differs from Information Technology (IT), and how it plays a role in our lifeline industries. Section two explores the technical side of ICS with an analysis of ICS standards and protocols and how these differ depending on the industry. The final section breaks down the vulnerabilities in ICS systems, the risks, and the mitigation process. This section includes both theoretical and practical knowledge, such as understanding what risk is and how to calculate it using the risk formula. It also touches on the security levels of vulnerabilities and ways to implement mitigation tactics in your own ICS. This section also explores legacy control systems and how their risks and mitigations differ from those of a modern system. It is important to note that this paper was largely influenced by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Section 1: Introduction to IoT, ICS and SCADA Systems

According to the National Institute of Standards and Technology (NIST), "the Internet of Things (IoT) refers to systems that involve computation, sensing, communication, and actuation" [1]. It can be seen as a network of physical objects, and these "things" can be considered as embedded sensors, software and other technologies that contribute to the connecting and exchanging of data between devices and systems via the internet. These products can range from household devices to industrial devices, which will be further touched on in the next section. There is not necessarily a clear definition of IoT, and companies have a difficult time understanding the network of interconnected systems. The goal of IoT is to create new products and services by adding connectivity to objects and machines while increasing data knowledge. The OSI reference model describes the architectural layers of IoT products, which include the physical, the data-link, the network, the transport, the session, the presentation, and the application layers [2]. The model begins with the physical layer, which describes the sensors, actuators, devices and machines that are then connected to a set of networking technologies and protocols in a connecting phase. The data from these devices are collected and analyzed, inferring new knowledge both online and offline through data analytics and machine learning techniques. Finally, there is the application layer, which implements business/operational decisions based on data acquired and inferred from the devices [2].

Figure: OSI model layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical [3]

Industrial Control Systems describes any system that has the ability to gather information in an industrial process and modify, regulate and manage the process to a desired state. These systems produce and distribute goods and services that we use on a daily basis. There are a few ICS systems that are important to note:
- Supervisory Control and Data Acquisition (SCADA)
- Distributed Control System (DCS)
- Process Control System (PCS)
- Energy Management System (EMS)
- Automation System (AS)
- Safety Instrumented System (SIS)
- Any other automated control system

The most common types of ICS systems are SCADA, DCS and PCS. SCADA systems are used in transport processes, which include oil, gas, water, electricity, and people [3]. DCS are used in refineries and chemical plants, whereas PCS are usually used in manufacturing facilities as well as in small chemical plants. ICS systems improve the quality of these products and services by ensuring lower costs and an increase in safety [3]. ICS systems support valuable business decisions, as they are able to implement real-world actions, making them very powerful but also very dangerous. ICS/SCADA systems are different from IT systems, and unlike IT systems, they lack standard security guidelines. It is the responsibility of companies to create, maintain and manage system-specific ICS cybersecurity practices, which should be documented, enforced and updated on a regular basis [4]. The control system environment can be a sensitive area, particularly when it comes to internet connection and bringing in outside devices. The applications in the control room should never connect to the internet; however, if they must, a restricted proxy must be used [5]. If internet access is needed in the environment, then it should be accessed from a different network than that of the control system network.
If internet traffic is allowed in the control room, for example for downloading software upgrades, then the downloads should be scanned for malware prior to installation on the control system device [5]. Computers are not allowed in a control system unless they are needed for operations; the reason this is critical is that emails, websites and files are common sources of malware, and some companies do not have an internet connection in the control room for this reason [5]. Because the systems are so delicate and hold so much value, they have become targets of cyber attackers due to the real-world kinetic events they can cause. One small case of unauthorized access to or manipulation of an ICS can cause a destructive impact that will affect many people [6]. As previously mentioned, ICS/SCADA systems are different from IT. Information Technology (IT) refers to anything that relates to computing technology, for example data servers, and could fall under OT. Operational Technology (OT) refers to a system that monitors events, processes and devices and is able to implement adjustments to industrial operations [7]. In the IT area, confidentiality is the highest priority, followed by integrity and then availability; however, in OT areas, availability has the highest priority, followed by integrity and lastly confidentiality. The reason for this is that having access to the OT systems is crucial, followed by ensuring that the information they do have access to is reported properly. Having unauthorized users with access to this information, or manipulating it, can cause more catastrophe than ensuring the data hasn't been leaked [4]. It is important to merge IT and OT because the two departments usually do not have cross training, and in many instances companies believe there is little to no cross-over between the departments [4]. The goal of this merger is to secure both environments by creating a working team that can better provide cybersecurity to the system [9].
Legacy systems are outdated pieces of technology, in particular software and hardware, that still meet the needs they are intended for. They pose a high risk and carry many vulnerabilities, and it is not easy to replace the aging systems due to cost and disruption to operations [8]. These systems were originally designed to implement efficient and safe operations requiring high availability, and to be used on systems isolated from untrusted networks [8]. However, with an average life cycle of 15 years, these systems were not designed to provide protection from modern-day attacks, and they may not be updated to provide the protective mechanisms developed since they entered service. Security vulnerabilities in legacy systems, particularly in ICS, are a product of previous engineering and development activities and have been discovered through ongoing assessments, cybersecurity research, and self-disclosure from vendors [8]. Legacy control systems contain features that pose a risk to the system due to their vulnerabilities. Many of the same features could be used to harm the system if used by a disgruntled operator or if an unauthorized user acquires access and launches an attack on the system. Because older technology cannot keep up with modern applications, it poses security risks, and legacy control systems can be seen as one of the root causes of ICS cyber vulnerabilities. The ideology of "if it isn't broken, then don't fix it" cannot always provide protection to the system, and it will become clear why this is not a viable solution [8]. There are different types of ICS depending on the production/distribution of different goods and services. For example, SCADA systems are used particularly in transport processes such as oil, gas, water, electricity and people. DCS are used particularly in refineries and chemical plants, and PCS are used in manufacturing facilities and some small chemical refineries.
SCADA systems have certain digital assets that can be targeted by an attacker. These include, but are not limited to: programmable logic controllers (PLCs), which act as an actuator for field devices; remote terminal units (RTUs), which interface the sensors to SCADA by transmitting telemetry data; the human machine interface (HMI), a console responsible for presenting data to a human operator; the supervisory system, which acquires data and controls the process activities; and the communication infrastructure that connects to the RTUs [19].

Section 2: ICS/SCADA Standards and Protocols

Protocols are developed for vendors' applications, are specific to each product, and can depend on the requirements of the business or system. Oftentimes there are different priorities (needs and prices) from management versus the reliability a system needs [11]. Some of these protocols are created for a particular product and can actually only be used by a couple of vendors. These vendors will then publish their protocols for others to use to contribute to interoperability; however, they are designed for reliability, not security. The reasons for this are that they often are not encrypted, so they are in plain text, which is a vulnerability we previously looked at; that this makes eavesdropping easy and enables man-in-the-middle attacks where data is modified in transit; and finally that TCP/IP is not a secure protocol [11]. The Transmission Control Protocol (TCP/IP) has proved to be beneficial to vendors and asset owners for network management, but one of its biggest vulnerabilities is that IPv4 does not check the validity of the source address and source port in a packet's headers [8]. Although there are a large number of protocols for ICS systems, some of the most popular ones include DNP 3.0^1, ICCP^2, and Modbus^3. DNP 3.0 is designed primarily for the electrical industry, and some supported functions include: sending request/response, SCADA/EMA applications, RTU-to-IED communications, an emerging open architecture standard (port 20000), master-to-remote communications, and also DNP over UDP (User Datagram Protocol), which does not use TCP/IP but offers no reliability that what is being sent is being received [11]. This protocol works well with Wireshark to view the communication.
ICCP^4 (IEC 60870 or TASE.2) is also used in the electrical sector between control centers (port 102), where the data is sourced and mapped at the client and server level; it does not own any components on the grid, so it is usually used in conjunction with another protocol to implement viewing capabilities. The secure version of ICCP incorporates digital certificate authentication, and because of this, some non-SCADA networks are beginning to incorporate it into their systems [11]. Modbus is one of the first ICS protocols; it was initially created for use over serial connections but was then adapted for TCP/IP. There is no official standard, but vendors have implemented their own versions. Modbus uses port 102 for communication, or Siemens [11]. OPC^5 is a standard, not a protocol, that vendors often use due to its single common framework or "interface". Vendors use proprietary protocols to communicate between their components (PLCs, controllers, data servers, etc.), and multiple specific drivers are required for this integration [11]. Protocols are an inherent vulnerability in ICS: as they are made available and commonly used across sectors, they can easily be downloaded from the internet, and this will affect the integrity of the control system network as well as the field controllers [7]. Although vulnerabilities can be found in each layer of the OSI model, by using well-known IT communication protocols (which can be insecure) in ICS to take advantage of current network functionality (which can also be insecure), critical infrastructure systems are exposed to attack [8]. Network vulnerabilities refer to the protocols originally developed for industrial automation, which were created to be deployed in an isolated environment for ease of use; however, many of these protocols were devoid of any inherent security measures because of the emphasis on availability, and access to the system has been defended with physical countermeasures. As these traditional control system protocols have been modified for use in modern networking environments, inherently insecure protocols are laid over these ICS communication protocols, which increases ICS cyber risk [8]. ICS systems can be seen as unique in the IoT world, and although the affected industries have been around for a long time, ICS/SCADA lack standard security guidelines and are not as uniform as IT systems. There needs to be a push for companies to create and maintain these system-specific practices, and they must remain documented, enforced, and regularly updated [10]. There is currently no federal or international mandate to standardize requirements for owners and operators of national critical infrastructures, and hopefully, with the presentation of ICS/SCADA systems, there can soon be a way to separate them from IT systems, which can easily be regulated and standardized. Cybersecurity in ICS/SCADA systems should not be thought of as an afterthought; rather, it should be an ongoing process that is created at the start and revised as the process continues.

Footnotes:
1 ://www.ni.com/it-it/innovations/white-papers/10/introduction-to-.
2 https://www.corrosionpedia.com/definition/1237/impressed-current-cathodic-protection-iccp
3 https://modbus.org
4 https://www.corrosionpedia.com/definition/1237/impressed-current-cathodic-protection-iccp
5 https://opcfoundation.org/about/what-is-opc/
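As an added illustration of why plain-text, unauthenticated ICS protocols such as Modbus/TCP are a vulnerability (example code written for this page, not from the paper or from any vendor): the decoder below parses the MBAP header and function code and, because nothing in the frame proves who sent it, falls back to a site policy of permitted readers, writers and protected registers to flag writes that should not be on the wire. The host addresses, register numbers and frames are constructed for the example.

```python
"""Decode Modbus/TCP requests and flag writes that fall outside a site policy.

Modbus/TCP carries no authentication or integrity field, so a legitimate
write and an injected one look identical on the wire; the only defensive
check available is to compare what is observed against an explicit policy
of which hosts may read, which may write, and which registers are protected.
Policy, addresses and frames below are constructed for this example.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (from the Modbus Application Protocol spec).
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int    # starting coil/register address from the PDU
    payload: bytes  # remainder of the PDU after the address field


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError if malformed."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # The length field counts unit id + PDU, so a well-formed frame is 6 + length.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    function = pdu[0]
    if function & 0x80:
        raise ValueError("exception response, not a request")
    (address,) = struct.unpack(">H", pdu[1:3])
    return ModbusRequest(tid, unit, function, address, pdu[3:])


def check_request(src_ip: str, req: ModbusRequest, policy: dict) -> list:
    """Return findings (strings) for one request; an empty list means it is in policy."""
    findings = []
    if req.function in WRITE_FUNCTIONS:
        if src_ip not in policy["write_sources"]:
            findings.append(f"write fc=0x{req.function:02x} addr={req.address} "
                            f"unit={req.unit_id} from non-engineering host {src_ip}")
        if req.address in policy["protected_registers"]:
            findings.append(f"write to protected register {req.address} from {src_ip}")
    elif src_ip not in policy["read_sources"] | policy["write_sources"]:
        findings.append(f"read fc=0x{req.function:02x} from unknown host {src_ip}")
    return findings


def analyze_capture(records, policy: dict) -> list:
    """Run check_request over (src_ip, raw_frame) pairs; malformed frames are reported too."""
    findings = []
    for src_ip, frame in records:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append(f"malformed frame from {src_ip}: {exc}")
            continue
        findings.extend(check_request(src_ip, req, policy))
    return findings


# Constructed site policy: the HMI reads, one engineering workstation writes,
# and holding register 16 stands in for a safety-relevant setpoint.
SITE_POLICY = {
    "read_sources": {"10.0.0.5"},
    "write_sources": {"10.0.0.10"},
    "protected_registers": {16},
}

# Constructed capture as (source IP, raw Modbus/TCP frame) pairs.
SAMPLE_CAPTURE = [
    # HMI: read 10 holding registers from address 0 (tid=1, len=6, unit=1, fc=0x03)
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),
    # Unknown host: write single register 100 := 0 (fc=0x06)
    ("10.0.0.99", bytes.fromhex("000200000006010600640000")),
    # Engineering workstation: write 2 registers from address 16 (fc=0x10)
    ("10.0.0.10", bytes.fromhex("00030000000b0110001000020400010002")),
    # Truncated frame: MBAP says 6 bytes follow the length field, but only 3 do
    ("10.0.0.7", bytes.fromhex("000400000006010300")),
]

if __name__ == "__main__":
    for finding in analyze_capture(SAMPLE_CAPTURE, SITE_POLICY):
        print(finding)
```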

Section 3: Cyber Security; Vulnerabilities, Risks and Consequences

The International Organization for Standardization (ISO) refers to information security as the preservation of confidentiality, integrity and availability [6]. Confidentiality is the preservation of data and ensuring there is only authorized access, integrity indicates that the data has not been altered, and availability refers to timely and reliable access to the information [6]. Traditionally, protecting confidentiality was thought of as a primary goal for cybersecurity, and although there is a need for ICS asset owners' cybersecurity protection, it is not necessarily the most important part of information security in ICS systems [6]. Each of these priorities differs depending on the goals of the department. As previously mentioned, IT and OT departments vary in terms of what they prioritize: IT prioritizes confidentiality, but in OT data integrity holds more power, because if the wrong action is implemented then the data is not secure. Many of these control systems require safety functions, so it is vital that the system has the correct information inputted, and due to the large vital sectors ICS covers, wrong data is worse than none at all [6]. Availability requires 99.999% uptime, particularly for critical infrastructure (water, energy, communications, transportation, electricity, oil/natural gas pipelines), which must be available 24/7, 365 days a year [6]. Vulnerabilities can be found in hardware, software and firmware, as well as in any layer of the OSI model. There are some common ICS cyber vulnerabilities, some of which will be further explained in the next sections; however, it is important to note that these vulnerabilities are problems ICS asset owners and operators have a very difficult time dealing with.
These include plain text traffic and open protocols, DoS-susceptible systems, systems susceptible to buffer overflows (stack and heap) that have not been patched properly, weak passwords, lack of embedded countermeasures, dependence on the underlying operating system, advanced features that create more vulnerabilities, and lastly the use of contemporary IT countermeasures in ICS, which do not necessarily work seamlessly together [7]. Some of the root causes of these vulnerabilities include legacy control systems, which will be thoroughly explored in this chapter; migration to IT, including platform and network vulnerabilities that may be difficult to patch; connectivity; and a cybersecurity culture that is not inherent in the ICS world [7]. There are many inherent vulnerabilities found in the network architecture. Some of these include firmware vulnerabilities, which can be found in the field devices and field controllers, while protocol vulnerabilities are usually located in the field controllers and the control system network. Trusted access can be disrupted in the control system modem pool, the remote network router and in servers. Software vulnerabilities can be found in engineering workstations, servers and the HMI [9]. There are two broad ranges that split system operations: operational and non-operational events that lead to system failure and impact the confidentiality, integrity and availability of the system [6]. Operational events occur within normal working conditions and can be avoided through training, implementing procedures, better materials and engineering, and improvement processes. Non-operational events occur outside of the control of the ICS asset owner, and the harmful event can be either intentional, caused by an adversary, or unintentional, such as natural events (a tornado) [6]. Operational security (OPSEC) is a process that should be integrated into the cybersecurity plan.
This process includes identifying critical information, analyzing threats and vulnerabilities, assessing the risks and applying the countermeasures [4]. ICS communicate using three main components of the architecture: field devices, field controllers and human-machine interfaces (HMI). Field devices are physical devices that connect to the physical environment; examples include pumps, sensors, and valves that are on-site, measure the process parameters and also have the capability to perform actions to support the process [6]. The pumps or valves will provide inputs to the system while the sensors collect outputs, and this equipment will observe the process or adjust it [6]. Field controllers are a vital component of the communication process in ICS; they support this process by being the medium that exchanges data from the field devices to the HMI and vice versa. The controllers act on the system based on the data received from the sensors and the changes made to the state of the pumps/valves [6]. The field controllers ensure that process information is properly collected, interpreted and presented from the field devices to the operators, and they communicate the operators' instructions back to the field devices [6]. The last component is the HMI, and this is where an operator views the illustrated representation of the process and may influence the process if needed [6]. Command and control can be described by the speed at which a process operates, and it can determine how the process is controlled [6]. There are two ways this could be done: an open loop or a closed loop. An open loop is the process of data being sent from the field device to the field controllers, where the data is aggregated and then sent to the operator for review [6]. In this instance the operator can review the information presented and determine if changes should be inputted.
A closed loop, however, occurs when operation happens at a fast and continuous pace, where the field controller performs the process management instead of the operator [6]. There are a few types of attacks that can occur in this process, including loss of view, loss of control and denial of service (DoS) [6]. Loss of view is an attack that impacts the visibility an operator has of the process through the HMI. Another attack would be loss of control, where the operator has the ability to see the process but cannot control it; this could happen in a number of ways: a targeted attack, a control loop being stuck in a mode that doesn't grant the operator access, or even an operational failure such as a stuck valve [6]. The last type of attack, and one of the most common ones, is a denial of service (DoS), which occurs when the ICS network becomes flooded with traffic and causes devices to shut down or stop communicating efficiently or altogether. This attack in particular is most sensitive in an ICS because it affects the availability of the system and poses a risk to it [6]. PLCs are also vulnerable to these attacks due to the real-time and remote data collection; it is more difficult to maintain and resolve problems as they are detrimental to the process. Another vulnerability of PLCs is that they can be exposed to the internet, and this enables remote attacks on PLCs that are internet-facing. PLC worms are another type of attack which are difficult to detect and can be easily missed. Payload sabotage attacks can destroy data, send spam emails, infect an account or even send offensive messages. The final type of attack that can take place on a PLC is a PLC rootkit, which affects the input/output of the interface [20].

RISK = Consequence × Vulnerability × Threat

What is a risk? Risk refers to the possibility of loss or injury. The consequence of the attack refers to the amount of loss or damage that could be expected from a successful attack. Vulnerability is any weakness that can easily be exploited by a hacker or by accident. Threats can be divided into three categories: mainstream threats, which is the largest threat group and usually accidental; organized threats; and finally, terrorist and nation-state threats. ISO 31000 is a popular standard that covers risk management, encouraging continuous assessing, updating and optimizing of the processes [21]. NIST SP 800-30 Rev. 1 similarly touches on risk assessment in federal information systems, which is carried out at all three tiers in the risk management hierarchy [22]. NIST has recently released guidance for federal agencies and IoT device manufacturers (SP 800-213, NISTIRs 8259B/C/D) that explores the cybersecurity activities and capabilities for device manufacturing in this specific area. Risk management in ICS cybersecurity can be a delicate process; however, it must be done quickly and effectively. It is important to first assess the cyber risk by identifying the threat, determining the likelihood of the impact it could bring and identifying the vulnerabilities associated with it [3]. The next step is cyber risk mitigation, which is the process of taking actions to protect the availability, integrity and confidentiality of the system. In this step it is important to establish goals, identify alternatives, then choose the best alternative for the ICS system based on all the information gathered in steps one and two [3]. The final step is the cyber risk evaluation, which includes designating an evaluation team, verifying that the alternatives chosen have been properly implemented, conducting periodic reviews on the effectiveness of the alternatives and documenting the review [3].
Legacy control system features can contribute to the vulnerabilities in the system and may lead to failure. Through the analysis of seven system features, it will be discussed how these features are useful to the system, but also the negative impacts they could have on the system and the vulnerabilities they hold. These features are necessary to the legacy systems and are components that contribute to the utilization of the system. Legacy control systems are outdated, and although the technology has not changed much, over time there have been more discoveries of potential vulnerabilities in these systems. Plain text traffic allows easy integration of disparate solutions; however, it enables traffic analysis with malicious intent. Adversaries that gain access to these control system networks have the opportunity to perform real-time traffic analysis and harvest network traffic for offline security testing [8]. An attacker who has captured a plain text password can impersonate cyber assets to inject data into the data stream, causing an undesirable outcome. Adversaries gaining access to this control traffic in plain text can allow for numerous attacks, including denial of service, man in the middle, session hijacking and other network-based attacks that impact the integrity and availability of the system [8]. Another feature of legacy systems is hard-coded or easy passwords. Due to ICS always being "on", most asset owners use a password that can be easily remembered and is usually shared among all operators. The backup or default passwords that are set up during installation often remain the same and are never changed. Hard-coded or unchangeable passwords are sometimes integrated into the system and are used internally when ICS programs need authorization to communicate with computer resources, or are used to simplify software installations and program configurations [8].
This allows operators quick and easy access to the system, but the problem is that it also allows adversaries to do the same. Hard-coded passwords are easy to discover, especially when passed in plain text across the network or openly published in manuals or on the vendor website. These passwords and other vulnerabilities can be exploited through the use of advanced malware that leaves systems at risk [8]. No least-privilege restrictions in applications is a feature that operators require to complete the system control. Least privilege means running systems, processes and applications with the minimal amount of authority needed, ensuring that accessibility is restricted if the system becomes compromised. There are different accounts when a user logs in, for example a user level vs. an administrator level, and each one has restrictions implemented that permit higher levels to access more of the system. Because availability is the most important aspect for the system and its accompanying applications, they were run with unlimited privileges, which allowed operators to have complete control of the system. The problem ensues when adversaries compromise the system: they then have the capability of attaining full control and issuing damaging commands to applications and processes [8]. No authentication is another feature of legacy control systems that can be seen as a failing consequence. A problem with this is that new applications are added to the system without a security check. The reasoning is that ICS cannot afford to lose time, so it is crucial that local and trusted entities can install applications quickly and efficiently. The cybersecurity framework is important to note, as it is necessary to identify, protect, detect, respond and react accordingly to the attack. As ICS have developed over the years, some new third-party applications have been developed and integrated into the systems; however, not all of these applications can be trusted.
A no-check feature refers to the situation when an operator is monitoring the ICS information; it is important to ensure that data integrity checks are implemented so that the data hasn't been modified. When ICS had limited connectivity, there was no reason to believe that the data had been altered, but as ICS has matured over the years and become interconnected, the risk increases [8]. When analyzing ICS, availability is the top priority, and this means that the code often has vulnerabilities that can easily be found by potential hackers or adversaries. Security vulnerabilities are not ideal in products; however, it is possible that a vendor may be slow to fix a vulnerability due to different factors, including the level of effort required. If security is not built into the application, it is difficult to implement it as an afterthought, which is often seen in products. The severity of a vulnerability can increase if the public has access to easy-to-use exploit code. The final feature that our research analyzed is that of easy connectivity. As the need for real-time control and information processing grows in the corporate world, new methods of exchanging information between a trusted control system and an untrusted enclave are developed. Although there are many positives to connecting the control system with business systems, including improved productivity, every new connection and data channel creates new potential vulnerabilities, thus increasing the risk. These channels are often the targets of malware or facilitate unauthorized remote access. Although these features have the ability to provide the ICS with positive capabilities, the reality is that many vulnerabilities can appear and pose a high risk to the control system and the organization itself [8]. There are four phases of risk defined by CISA; these include defining the risk, prioritizing, managing and reporting.
These are crucial steps in understanding and mitigating the risk. Once the risks have been defined, it is time to determine resources that can accompany it, along with primary and secondary points of contact for mitigation. It is important to consider that, following the assessment and calculation of the risks from the previous section, critical-risk issues must be prioritized in finding these recommendations. According to CISA, there are two aspects of cyber risk, threat and vulnerabilities; however, in order to properly calculate and assess the cyber risk, one must consider the third aspect, which is consequence [6]. When assessing the risk, calculating elements such as loss of life, time of recovery, and environmental impact could be beneficial. Usually financial impact is the first element that comes to mind; however, it is not the most crucial and immediate. Something as simple as the failure of a control system could result in the organization receiving a poor reputation, which has its downfalls, including future financial loss [12]. The risk management process includes four steps: (1) finding the recommended mitigations for critical risks, (2) identifying the current gaps in practices and processes from step one, (3) establishing/appending the business artifacts, and (4) completing an evaluation report [14]. As described in IEC 62443-1-1 section 10.4.3, there are 5 different security levels, ranging from 0 to 4, that measure the vulnerabilities in the system and classify them as low to high protection [15].
Level 0: does not include any specific requirements or protection
Level 1: protection against casual or coincidental violations
Level 2: protection from intentional violations using simple means with low resources and generic skills
Level 3: protection from intentional violations using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
Level 4: protection from intentional violations using sophisticated means with extended resources and IACS-specific high skills and high motivation

These security levels are applied to the systems being assessed and allow asset owners and vendors to understand the level of protection needed to keep their assets safe and secure. Another way to evaluate risk is to build a security maturity model, which measures the current security level (as explained above) against benefit, cost and necessity. It describes the degree of confidence that the security implementation is effective while meeting organizational needs [15]. The maturity model helps an organization reach a higher level of security maturity: it establishes where the organization currently stands in terms of security level and maturity level, what level it would like to achieve, and a plan for reaching that goal. Where the current state falls short, a gap analysis produces a roadmap to address the shortfall. The necessary improvements are then implemented and the process is repeated on a regular basis [15].

Calculating risk also draws on mean time to failure (MTTF) and other function-based metrics, which are used to address system problems before they cause serious damage. An undesirable effect on an asset can also lead to the loss of integrity and availability of data [6]. Ideally, before an attack occurs, asset owners would already know exactly what would happen if a piece of technology stopped working and would understand the risk it poses to the organization, having calculated the cost of failure (system restoration and lost production). The consequences and potential threats are not always clear when deciding which security strategies to implement [6]. Things to consider when assessing a risk include the likelihood of occurrence, the impact (including the potential loss of business-critical information) and, lastly, the prioritization of the risk.
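The following script is an added example written for this paper's discussion of risk calculation and security levels; it is not part of the cited CISA or IEC material. It assumes the common CISA formulation risk = threat x vulnerability x consequence, scores each factor from 1 to 5, and builds the consequence score as a weighted composite in which loss of life and recovery time outweigh direct financial loss, as the text argues. The weights, the risk bands, the asset names and their scores are all constructed for the illustration; the IEC 62443 level descriptions are summarized from the list above.

```python
"""Risk scoring and IEC 62443 security-level gap analysis for ICS assets.

Added example for this paper, not code from CISA, NIST or IEC. Assumed model:
risk = threat x vulnerability x consequence, each factor scored 1-5, with the
consequence factor a weighted composite of the dimensions named in the text.
Weights, bands and the sample assets are constructed for the illustration.
"""
from dataclasses import dataclass

# Consequence dimensions named in the text; the weights are an assumption that
# deliberately ranks safety and recovery time above direct financial loss.
CONSEQUENCE_WEIGHTS = {
    "loss_of_life": 0.35,
    "recovery_time": 0.25,
    "environmental": 0.20,
    "financial": 0.10,
    "reputation": 0.10,
}

# IEC 62443 security levels 0-4, summarized from the list in the text.
SECURITY_LEVELS = {
    0: "no specific requirements or protection",
    1: "casual or coincidental violation",
    2: "intentional, simple means, low resources, generic skills, low motivation",
    3: "intentional, sophisticated means, moderate resources, IACS skills",
    4: "intentional, sophisticated means, extended resources, high IACS skills",
}


@dataclass
class Asset:
    name: str
    threat: int          # 1-5: likelihood an adversary targets this asset
    vulnerability: int   # 1-5: exploitability given the current controls
    consequence: dict    # dimension -> 1-5 impact if the asset fails
    current_sl: int      # IEC 62443 security level achieved today
    target_sl: int       # security level the zone is required to reach


def _check_score(value: int) -> int:
    """All factors are 1-5; anything else is a data-entry error, not a risk."""
    if not 1 <= value <= 5:
        raise ValueError(f"score {value} outside 1-5")
    return value


def consequence_score(impacts: dict) -> float:
    """Weighted composite; a dimension that was not scored counts as 1."""
    total = 0.0
    for dim, weight in CONSEQUENCE_WEIGHTS.items():
        total += weight * _check_score(impacts.get(dim, 1))
    return round(total, 2)


def risk_score(asset: Asset) -> float:
    """Risk = threat x vulnerability x consequence (maximum 125)."""
    t = _check_score(asset.threat)
    v = _check_score(asset.vulnerability)
    return round(t * v * consequence_score(asset.consequence), 2)


def risk_band(score: float) -> str:
    """Bands are an assumption: critical >= 60, high >= 30, medium >= 12."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def sl_gap(asset: Asset) -> int:
    """Number of security levels the asset must climb to reach its target."""
    for sl in (asset.current_sl, asset.target_sl):
        if sl not in SECURITY_LEVELS:
            raise ValueError(f"unknown security level {sl}")
    return max(0, asset.target_sl - asset.current_sl)


def prioritize(assets):
    """Rank assets for the mitigation roadmap: highest risk first, then by
    the size of the security-level gap that the gap analysis must close."""
    rows = []
    for a in assets:
        score = risk_score(a)
        gap = sl_gap(a)
        rows.append({"asset": a.name, "risk": score, "band": risk_band(score),
                     "sl_gap": gap, "needs_gap_analysis": gap > 0})
    rows.sort(key=lambda r: (-r["risk"], -r["sl_gap"]))
    return rows


# Constructed sample assets for a small plant (not real measurements).
SAMPLE_ASSETS = [
    Asset("safety PLC", 4, 4, {"loss_of_life": 5, "recovery_time": 4,
          "environmental": 4, "financial": 2, "reputation": 3}, 1, 3),
    Asset("historian", 3, 3, {"loss_of_life": 1, "recovery_time": 3,
          "environmental": 1, "financial": 4, "reputation": 3}, 2, 2),
    Asset("engineering workstation", 4, 4, {"loss_of_life": 2, "recovery_time": 3,
          "environmental": 2, "financial": 3, "reputation": 2}, 1, 2),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print(f"{row['asset']:<24} risk={row['risk']:>6} {row['band']:<8} "
              f"SL gap={row['sl_gap']} gap analysis={row['needs_gap_analysis']}")
```

Run as a script the block prints the ranked roadmap; the safety PLC lands in the critical band even though its direct financial score is low, which is the point the text makes about financial impact not being the deciding factor, and it is also the asset with the largest security-level gap to close.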
Mitigating and managing risk can be especially difficult in legacy control systems, because updating the system is often not an option [12]. Two measures can be applied to legacy systems to reduce the exposure of their vulnerabilities. The first is hardening: disabling unnecessary services on the system and enforcing least privilege to reduce its overall attack surface. The second is monitoring the system to ensure that the defined security baseline continues to be met, so that suspicious activity is detected early. Many attacks involve processes being started or stopped and permissions being altered, so the security configuration and the authentication of such events should be recorded and reviewed [12].

The longer a vulnerability goes unreported, the larger its potential impact and the harder the risk is to mitigate [16]. In the paper "Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures", the authors refer to the period during which a vulnerability exists in deployed products before it is publicly reported as "in the wild", and they found that, on average, a vulnerability could be "in the wild" for over five years [16]. The authors propose a set of guidelines for dealing with vulnerabilities found "in the wild" in legacy control systems: improving safety and management processes, acting on specific vulnerabilities, improving data quality, and resolving the inconsistencies between reporting systems [16].

CISA has released a set of Cyber Essentials toolkits, one of which covers crisis response. Its main goal is to limit damage and restore operations quickly. Organizations must plan, prepare and conduct drills for cyberattacks in order to react properly if an attack does occur [17].
Five action items are identified for the management team and for IT staff and service providers:

- The first essential action is to lead the development of an incident response and disaster recovery plan [17]. The plan addresses asset protection and business continuity; developing it and testing it in a realistic environment is what keeps those attributes protected.
- The second action item concerns prioritization of resources and identifying which systems should be recovered first, given their impact on the business [17]. This creates a hierarchy of the business needs that are most crucial to protecting the system.
- The third action item outlines the importance of resources: knowing what is available and whom to contact in the event of a cyberattack [17].
- The fourth action item concerns the internal reporting structure, which must be able to detect, communicate and contain attacks. Effective and continuous reporting and communication are important for preventing data breaches [17].
- The final action item particularly concerns IT staff and service providers: they must apply containment measures to limit the impact of a cyberattack when it occurs, which includes executing the response plan and isolating any segment of the network that may be infected.

By taking these action items into account, management and employees can better prepare for attacks and will be comfortable executing the response plans [17]. Executing these recovery action items is essential, and having them implemented and supported at the managerial level is even more so, as mitigating threats is a large responsibility.
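The two legacy-system measures described above, hardening (disable what is not needed, least privilege) and monitoring the host against a defined baseline for process start/stop and permission changes, can be expressed as a small baseline checker. The script below is an added example for this paper, not code from the cited sources: the baseline, the syslog-style record format, the host, service and user names, and the sample log lines are all constructed for the illustration; in practice the events would come from auditd, Windows Security logs or the control system's own audit trail.

```python
"""Baseline hardening check and event monitoring for a legacy control host.

Added example for this paper, not code from CISA or the cited authors. The
baseline, log format, service names, paths and users are constructed for the
illustration; a real deployment would feed auditd, Windows Security events or
the control system's own audit trail into evaluate_event().
"""
import re

# Assumed security baseline for the host; in practice this comes from the
# asset owner's hardening standard (required vs permitted services, protected
# files with their expected modes, and who may change them).
BASELINE = {
    "required_services": {"plc_runtime", "historian_agent"},
    "allowed_services": {"plc_runtime", "historian_agent", "sshd", "ntpd"},
    "protected_paths": {"/opt/plc/logic.bin": "0640",
                        "/etc/plc/runtime.conf": "0600"},
    "admin_users": {"ics_admin"},
}

# Constructed record format: "<timestamp> <host> <component>: key=value ..."
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<component>[\w.-]+): (?P<body>.*)$")


def parse_line(line):
    """Parse one record into a dict of fields, or None if it is malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    pairs = [kv.split("=", 1) for kv in m.group("body").split() if "=" in kv]
    fields = dict(pairs)
    fields.update(ts=m.group("ts"), host=m.group("host"), component=m.group("component"))
    return fields


def hardening_gaps(running_services, baseline=BASELINE):
    """Hardening view: services running that the baseline does not permit
    (candidates to disable) and required services that are not running."""
    running = set(running_services)
    return {
        "disable": sorted(running - baseline["allowed_services"]),
        "missing": sorted(baseline["required_services"] - running),
    }


def evaluate_event(ev, baseline=BASELINE):
    """Monitoring view: return an alert string if the event departs from the
    baseline (unapproved start, required service stopped, protected file
    permissions changed by a non-admin or to an unexpected mode), else None."""
    kind = ev.get("event")
    user = ev.get("user", "?")
    if kind == "service_start" and ev.get("name") not in baseline["allowed_services"]:
        return f"unapproved service started: {ev.get('name')} by {user}"
    if kind == "service_stop" and ev.get("name") in baseline["required_services"]:
        return f"required service stopped: {ev.get('name')} by {user}"
    if kind == "perm_change" and ev.get("path") in baseline["protected_paths"]:
        path = ev["path"]
        expected = baseline["protected_paths"][path]
        if user not in baseline["admin_users"]:
            return f"permission change on {path} by non-admin {user}"
        if ev.get("mode") != expected:
            return f"{path} mode {ev.get('mode')} differs from baseline {expected}"
    return None


def monitor(lines, baseline=BASELINE):
    """Run every record through the baseline; malformed records are alerts
    too, since a gap in the audit trail is itself suspicious on a legacy host."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(f"unparseable record: {line.strip()!r}")
            continue
        msg = evaluate_event(ev, baseline)
        if msg:
            alerts.append(f"{ev['ts']} {ev['host']} {msg}")
    return alerts


# Constructed sample records (not captured from a real system).
SAMPLE_LOG = [
    "2020-12-09T08:00:01Z hmi-01 svcmgr: event=service_start name=plc_runtime user=root",
    "2020-12-09T08:02:13Z hmi-01 svcmgr: event=service_start name=telnetd user=operator",
    "2020-12-09T08:05:40Z hmi-01 auditd: event=perm_change path=/opt/plc/logic.bin mode=0666 user=operator",
    "2020-12-09T08:06:02Z hmi-01 auditd: event=perm_change path=/etc/plc/runtime.conf mode=0600 user=ics_admin",
    "2020-12-09T08:10:55Z hmi-01 svcmgr: event=service_stop name=historian_agent user=operator",
    "### corrupted record ###",
]

if __name__ == "__main__":
    print(hardening_gaps(["plc_runtime", "telnetd", "ntpd"]))
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

Of the sample records, the plc_runtime start and the admin's permission change that matches the baseline mode produce no alert; the telnetd start, the operator loosening the logic file to 0666, the stop of the historian agent and the corrupted record each do. Keeping the baseline as data rather than code is deliberate: on a legacy host that cannot be patched, the baseline is the control, and every deviation from it is worth a ticket.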

Conclusion

Understanding ICS/SCADA systems is crucial to improving the infrastructure we rely on every day, such as the lifeline industries. By acknowledging the vulnerabilities, assessing the risks and implementing a mitigation plan, an organization can properly prepare for a cyberattack directed at these lifeline industries. According to CISA and NIST, one can never be too prepared for a cyberattack, so it is important not only for the management team but for all employees to improve their knowledge of these systems and ensure a strong level of security.

We have completed this research and this paper to the best of our knowledge.

References

[1] NIST Special Publication (SP) 800-183
[2] https://nicolaswindpassinger.com/osi-reference-model
[3] ICS Cybersecurity Landscape for Managers
[4] ICSJWG Session 4: Cyber Risks to ICS
[5] CyberSecurity Practices for Industrial Control Systems (ICS)
[6] CISA Course 210W-08: Cybersecurity Consequences
[7] ICSJWG Session 1: ICS Basics
[8] CISA Course 210W-07: ICS Cybersecurity Vulnerabilities
[9] ICSJWG Session 3: Cybersecurity differences within ICS and IT domains
[10] ICSJWG Session 7: ICS Analysis and Evaluation Process
[11] ICSJWG Session 2: ICS Communication Basics
[12] The Living Dead: How to Protect Legacy Systems, by Reto Zeidler
[13] CISA Course 100W: Cybersecurity Practices for Industrial Control Systems
[14] CISA Course, ICSJWG Session 8: Determining Critical Risk
[15] Security Maturity Model Training Course: Module 2
[16] Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures, by Richard J. Thomas, Joseph Gardiner, Tom Chothia, Emmanouil Samanis, Joshua Perrett and Awais Rashid
[17] CISA Cyber Essentials Toolkit, Chapter 6: Your Crisis Response
[18] Antonio Mauro's patent "Forensics Investigation in the Internet of Things (IoT) Devices", since 2015
[19] https://resources.infosecinstitute.com/topic/scada-security-of-critical-infrastructures/
[20] https://www.controlglobal.com/articles/2018/how-plcs-are-hacked/
[21] https://www.iso.org/iso-31000-risk-management.html#:~:text=ISO%2031000%2C%20Risk%20management%20–%20Guidelines,a%20process%20for%20managing%20risk.&text=Using%20ISO%2031000%20can%20help,use%20resources%20for%20risk%20treatment
[22] https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final#pubs-abstract-header
[23] https://content.govdelivery.com/accounts/USNIST/bulletins/2b114ef
[24] Critical Infrastructure Risk Assessment, by Ernie Hayden
[25] https://www.scribd.com/book/474266160/Critical-Infrastructure-Risk-Assessment-The-Definitive-Threat-Identification-and-Threat-Reduction-Handbook
[26] https://www.congress.gov/bill/116th-congress/house-bill/1668/text