Protecting ICS From Attack

Updated: Jun 3

The COVID-19 pandemic has driven a major increase in cyber threats and attacks, and while many attacks have targeted end users, a growing number have gone after entities whose employees must access critical infrastructure, such as industrial control systems (ICS) and operational technology (OT) networks, from their homes.

Unfortunately, this same critical infrastructure, which keeps businesses and society going even during today’s trying times, is well under-protected against attacks.

Critical infrastructure goes beyond the obvious, to include chemical plants, transport networks, commercial facilities, communications, manufacturing, dams, power grids, defence, emergency services, financial, government facilities, healthcare, and technology. Attacks on these sectors aren’t new. A Siemens/Ponemon Institute study at the end of last year, revealed that more than half (56%) of gas, wind, water and solar utilities across the globe experienced at least one attack within the previous year that resulted in either a shutdown or a loss of data.

It is clear that nation state attackers are eyeing all possible aspects of the network perimeter for vulnerabilities, and bad actors in general, are focusing on ICS processes which stresses the need for better security controls in these environments.

In reality, threat actors have a lot to gain when they breach ICS systems, and on the flip side, a successful attack can have catastrophic consequences for the breached organisation. These attacks could result in operational shutdowns, damaged equipment, monetary losses, IP theft, as well as very real risk to human health and life.

As to the motivations behind these attacks, malefactors have a slew of reasons, ranging financial gain or political ideology, to military objectives or the theft of confidential data. Attacks are be state-sponsored or might could also come from competitors, malicious insiders, or even hacktivists.

The initial stage of an ICS attack normally involves attackers reconnoitring the target environment, followed by attempts to gain a foothold on the victim’s network. Bad actors will exploit all possible vulnerabilities as well as specific configurations of these systems. Once they have been successful, attackers will have the ability to change operations and functions or make adjustments to the current controls and configurations.

Some ICS are harder to breach than others, depending on the security of the system in question to the intended impact, be it manipulating a service and hiding the effects from its controllers, or performing a DDoS attack which is far easier to carry out. Moreover, while there are already a range of ways for threat actors to damage ICS environments, as these actors get more sophisticated, determined and well-funded, new tactics are bound to emerge.

Another important attack evolution is about to appear soon – ransomware targeting ICS specific files: backups, project files, firmware etc.. Such attacks might become a bigger problem for asset owners. Like a Shamoon attack caused gigantic loses for Saudi Aramco, ICS targeted ransomware might show the same or similar results.

So how should the industry protect itself from attacks of this nature? In a COVID-19 world, a growing number of remote employees means more remote connections. Keeping these connections secure is critical, so employ VPNs, and actively monitor remote connections to OT networks and ICS devices, use multi-factor authentication, and always employ the principle of least privilege.

Next, educate and train all staff to prevent phishing attacks, as it only takes one successful attack to compromise an ICS system. Teach them to never open mails untrusted sources or click on links in emails, as well as to never share login credentials over email.

Also, ensure that all Internet-facing ICS devices are kept safe. Although connecting ICS devices is sometimes necessary, it is also easy for a sensitive device to end up online by forgetting to close a port or accidentally setting a software setting in the wrong direction. Check, double check and check again, and follow all the top standards and recommendations such as NIST and CERT. Those operating ICS should also protect all internet-facing devices by changing passwords regularly, and assigning permissions on a granular level to enforce the least privilege we spoke about. Finally, make use of ongoing threat monitoring, threat intelligence, and segment OT networks to boost security.


Check out our webinar hosted together with our partner Sababa Security and learn more insights from our trainer Vladimir Dashchenko, VP of Threat Intelligence at DeNexus.