Industrial Control Systems: Understanding Vulnerabilities, Risk and Mitigation

Antonio Mauro, PhD
Caroline Akawi, MBA
December 09, 2020

Abstract

This paper will introduce and explore the topic of Industrial Control Systems (ICS) from a cybersecurity perspective. It is designed to explain what exactly ICS is, where ICS are found, and the different types of systems that can be found within the ICS framework. The paper is divided into three sections, the first being an introduction to the Internet of Things (IoT) and ICS. In this section the reader can expect a thorough analysis of what Operational Technology (OT) is, how it differs from Information Technology (IT) and how it plays a role in our lifeline industries. Section two will explore the technical side of ICS with an analysis of ICS standards and protocols and how these differ depending on the industry. The final section will break down the vulnerabilities in ICS, the risks and the mitigation process. This section includes both theoretical and practical knowledge, such as understanding what risk is and how to calculate it using the risk formula. It also touches on the security levels of vulnerabilities and ways to implement mitigation tactics in your own ICS. This section also explores legacy control systems and how their risks and mitigations differ from those of a modern system. It is important to note that this paper was heavily influenced by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).

Section 1: Introduction to IoT, ICS and SCADA Systems

According to the National Institute of Standards and Technology (NIST), "the Internet of Things (IoT) refers to systems that involve computation, sensing, communication, and actuation" [1].
IoT can be seen as a network of physical objects, and these "things" can be embedded sensors, software and other technologies that contribute to connecting and exchanging data between devices and systems via the internet. These products range from household devices to industrial devices, which will be discussed further in the next section. There is no single clear definition of IoT, and companies have a difficult time understanding the network of interconnected systems. The goal of IoT is to create new products and services by adding connectivity to objects and machines while increasing the knowledge gained from their data.

The OSI reference model describes the architectural layers of IoT products, which include the physical layer, the data-link layer, the network layer, the transport layer, the session layer, the presentation layer, and the application layer [2]. The model begins with the physical layer, which describes the sensors, actuators, devices and machines; these are then connected to a set of networking technologies and protocols in a connecting phase. The data from these devices is collected and analyzed, inferring new knowledge both online and offline through data analytics and machine learning techniques. Finally, the application layer implements business and operational decisions based on the data acquired and inferred from the devices [2].

[Figure: OSI model layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical] [3]

Industrial Control Systems describes any system that has the ability to gather information from an industrial process and modify, regulate and manage the process to a desired state. These systems produce and distribute goods and services that we use on a daily basis.
There are a few types of ICS that are important to note:

- Supervisory Control and Data Acquisition (SCADA)
- Distributed Control System (DCS)
- Process Control System (PCS)
- Energy Management System (EMS)
- Automation System (AS)
- Safety Instrumented System (SIS)
- Any other automated control system

The most common types of ICS are SCADA, DCS and PCS. SCADA systems are used in transport processes, which include oil, gas, water, electricity and people [3]. DCS are used in refineries and chemical plants, whereas PCS are usually used in manufacturing facilities as well as in small chemical plants. ICS improve the quality of these products and services by lowering costs and increasing safety [3]. ICS support valuable business decisions and are able to carry out real-world actions, which makes them very powerful but also very dangerous.

ICS/SCADA systems are different from IT systems and, unlike IT systems, they lack standard security guidelines. It is the responsibility of companies to create, maintain and manage system-specific ICS cybersecurity practices, which should be documented, enforced and updated on a regular basis [4].

The control system environment can be a sensitive area, particularly when it comes to internet connection and bringing in outside devices. The applications in the control room should never connect to the internet; however, if they must, a restricted proxy must be used [5]. If internet access is needed in the environment, then it should be accessed from a different network than that of the control system network. If internet traffic is allowed in the control room, for example for downloading software upgrades, then the downloads should be scanned for malware prior to installation on the control system device [5].
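As an added illustration of the restricted-egress rule described above (this is an example written for this page, not configuration from the paper or from CISA/NIST), the following nftables ruleset, with assumed example addresses, lets a single upgrade workstation on the control-system network reach only a dedicated restricted proxy on a separate network, and logs and drops every other attempt to leave the control network:

```nft
#!/usr/sbin/nft -f
# Added example, not from the paper. Assumed addresses:
#   10.10.0.0/24  control-system network (HMIs, engineering workstations)
#   10.10.0.50    the one workstation allowed to fetch software upgrades
#   10.20.0.10    restricted web proxy, on a separate non-control network
# Intended for the router/firewall that sits between the two networks.
flush ruleset

table inet ics_egress {
    # Control-network hosts permitted to talk to the proxy at all.
    set upgrade_hosts {
        type ipv4_addr
        elements = { 10.10.0.50 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections permitted below.
        ct state established,related accept

        # Only the upgrade workstation may reach the restricted proxy (TCP 3128).
        ip saddr @upgrade_hosts ip daddr 10.20.0.10 tcp dport 3128 accept

        # Everything else from the control network is logged for the operators
        # and dropped, so nothing in the control room reaches the internet directly.
        ip saddr 10.10.0.0/24 log prefix "ics-egress-denied: " drop
    }
}
```

Load it with `nft -f`; the proxy itself should still restrict which destinations it will fetch from, and anything downloaded through it still needs to be scanned before it is installed on a control system device, as the paper states.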
Computers should not be allowed in a control system unless they are needed for operations. This is critical because emails, websites and files are common sources of malware, and some companies do not have an internet connection in the control room for this reason [5]. Because these systems are so delicate and hold so much value, they have become targets for cyber attackers, since compromising them can cause real-world kinetic events. One small case of unauthorized access to or manipulation of an ICS can have a destructive impact that affects many people [6].

As previously mentioned, ICS/SCADA systems are different from IT. Information Technology (IT) refers to anything that relates to computing technology, for example data servers, and can fall under OT. Operational Technology (OT) refers to a system that monitors events, processes and devices and is able to make adjustments to industrial operations [7]. In the IT area, confidentiality is the highest priority, followed by integrity and then availability; in OT areas, however, availability has the highest priority, followed by integrity and lastly confidentiality. The reason for this is that having access to the OT systems is crucial, followed by ensuring that the information they do have access to is reported properly. Unauthorized users gaining access to this information or manipulating it can cause more catastrophe than a leak of the data [4]. It is important to merge IT and OT, because the two departments usually do not have cross-training and many companies believe there is little to no cross-over between them [4]. The goal of this merger is to secure both environments by creating a working team that can better provide cybersecurity to the system [9].

Legacy systems are outdated pieces of technology, in particular software and hardware that still meet the needs they were intended for.
They pose a high risk and carry many vulnerabilities, and it is not easy to replace the aging systems due to cost and disruption to operations [8]. These systems were originally designed to implement efficient and safe operations, were required to have high availability, and were meant to be used on systems isolated from untrusted networks [8]. However, with an average life cycle of 15 years, these systems were not designed to provide protection from modern-day attacks, and they may not have been updated with the protective mechanisms developed since they entered service. Security vulnerabilities in legacy systems, particularly in ICS, are a product of previous engineering and development activities and have been discovered through ongoing assessments, cybersecurity research and self-disclosure from vendors [8]. Legacy control systems contain features that pose a risk to the system because of their vulnerabilities. Many of the same features could be used to harm the system if misused by a disgruntled operator or if an unauthorized user acquires access and attacks the system. Because this older technology cannot keep up with modern applications, legacy control systems can be seen as one of the root causes of ICS cyber vulnerabilities. The ideology of "if it isn't broken, then don't fix it" cannot always protect the system, and it will become clear why this is not a viable solution [8].

There are different types of ICS depending on the production and distribution of different goods and services. For example, SCADA systems are used particularly in transport processes such as oil, gas, water, electricity and people. DCS are used particularly in refineries and chemical plants, and PCS are used in manufacturing facilities and some small chemical refineries. SCADA systems have certain digital assets that can be targeted by an attacker.
These include, but are not limited to: programmable logic controllers (PLCs), which act as actuators for field devices; remote terminal units (RTUs), which interface the sensors to SCADA by transmitting telemetry data; the human machine interface (HMI), a console responsible for presenting data to a human operator; the supervisory system, which acquires data and controls the process activities; and the communication infrastructure that connects to the RTUs [19].

Section 2: ICS/SCADA Standards and Protocols

Protocols are developed for vendors' applications, are specific to each product, and can depend on the requirements of the business or system. Often there are competing priorities between management (needs and prices) and the reliability a system needs [11]. Some of these protocols are created for a particular product and can actually only be used by a couple of vendors.
