How to Protect Your ICS in 2024
Brief: In this article, we define ICS security, provide a few examples of recent ICS security issues here in Canada, and explain what Canadian businesses can do to strengthen their ICS security posture.
“You can’t stop the change, any more than you can stop the suns from setting.”
— Shmi Skywalker in The Phantom Menace
Industrial Control Systems, pivotal to managing and automating essential services and processes, have traditionally been seen as targets for external threats, especially from nation-states aiming to steal corporate or government secrets.
In response, numerous guidelines and ICS security protocols have been established, especially for businesses aiming to work with government entities like our Canadian government. These protocols are designed to safeguard sensitive information and ensure the integrity of critical infrastructure.
The ICS Security Landscape Is Changing: A Broader and More Nuanced Threat
However, the threat to ICS is changing and becoming broader and far more nuanced.
As we move into a time where the boundaries between physical, digital, and cloud environments blur, the security of ICS faces challenges from within as well. The integration of various technologies and the increased reliance on contractors, both local and offshore, amplify these risks.
One of the key points to consider is how the convergence of IT (information technology) and OT (operational technology) systems, combined with the adoption of cloud services, creates new vulnerabilities. This convergence increases the attack surface, making ICS more accessible to cyber threats.
Additionally, the frequent use of contractors and third-party service providers introduces risks related to data access and management. These entities often have access to critical systems and sensitive information, potentially opening the door for insider threats or breaches stemming from less secure third-party systems.
Let’s consider a few hypothetical scenarios to illustrate these ICS security points:
A Contractor’s Compromised Credentials
Imagine a scenario where a contractor hired to work on the ICS of a utility company has their credentials compromised due to a phishing attack. The attacker gains remote access to the system, manipulating control settings to disrupt service. This scenario highlights the risk of relying on external parties for critical system access.
Misconfiguration in the Cloud
A company moves part of its ICS data monitoring to a cloud service for better analytics and decision-making. However, due to a misconfiguration during setup, sensitive operational data is exposed on the internet without proper security controls. This incident could lead to data theft or manipulation by malicious actors.
A “Too Big” Canadian Company is Breached
A Canadian telecommunication company offering cyber security services experiences a breach where internal data, including source code and employee information, is sold on the dark web. This situation becomes particularly alarming when considering the potential for SIM swapping attacks, which could undermine multi-factor authentication measures, not just for the company’s customers but also for other businesses relying on its cybersecurity solutions. This scenario illustrates how internal vulnerabilities and third-party risks can cascade, affecting broader ecosystems.
These examples underscore the importance of a comprehensive security strategy that addresses both internal and external threats to ICS. It’s about guarding against the stereotypical nation-state hacker, but it’s also about securing the entire supply chain, from contractors to cloud services, ensuring robust access controls, and continuously monitoring and auditing the security posture of all involved parties.
In this article, we’ll define the modern ICS stack, look at what ICS security is all about, provide a few examples of recent ICS security issues here in Canada, and explain what you can do to strengthen your ICS security posture.
So, let’s get started with defining ICS security.
What is Industrial Control Systems (ICS) Security?
Industrial control systems are the backbone of industrial operations, controlling everything from water treatment facilities and electric grids to manufacturing processes. These systems manage the physical operations of these sectors, ensuring efficiency, safety, and reliability.
However, their critical nature makes them attractive targets for cyber attacks.
Historically, ICS were isolated systems that ran proprietary protocols and were not connected to IT networks or the internet. This isolation provided ICS with a form of security through obscurity.
However, with the drive towards digital transformation and the integration of IT (Information Technology) and OT (Operational Technology) environments to gain efficiency and data insights, these systems are now more exposed to cyber threats. This convergence means that vulnerabilities in IT systems can potentially be exploited to access and disrupt critical infrastructure operations.
Considering that the financial, healthcare, and professional services sectors rely heavily on data integrity and availability, a breach in any of these areas could lead to significant financial loss, erosion of customer trust, and regulatory scrutiny. The stakes are even higher for utility operations due to the potential for physical damage and public safety risks.
ICS security focuses on safeguarding these systems from cyber threats while ensuring they can continue to operate even when under attack. ICS security involves a mix of cybersecurity measures tailored to the unique needs of industrial environments, including:
Network Segmentation: Dividing the network into distinct zones to contain any potential breaches and limit access to critical systems.
Access Control: Ensuring only authorized personnel have access to critical systems, often through role-based access controls.
Regular Patching and Updates: Keeping systems up to date with the latest security patches while also recognizing that many ICS components cannot be updated as frequently as IT systems due to the need for constant uptime.
Monitoring and Detection: Implementing tools specifically designed to detect abnormal activities that could indicate a cyberattack on operational systems.
Incident Response Plans: Developing and regularly updating response plans tailored to the unique challenges of ICS environments, ensuring rapid containment and recovery.
Employee Training: Educating staff on the importance of cybersecurity measures and their role in maintaining security, especially as phishing and social engineering attacks become more sophisticated.
Given the complexity and specialized nature of ICS security, it’s crucial to work with ICS security experts who understand the unique challenges of protecting industrial environments. This involves not only implementing technical measures but also understanding the regulatory landscape, which can vary significantly across sectors and geographies.
ICS security is about protecting the systems that keep our physical world running. It requires a blend of cybersecurity knowledge, understanding of industrial operations, and strategic planning to ensure that these critical systems remain resilient in the face of evolving cyber threats.
For your business, this means taking a proactive and informed approach to cybersecurity, recognizing the interconnected nature of IT and OT, and ensuring that your teams are equipped to protect these vital assets.
With that in mind, how much of an issue is this here in Canada?
Let’s take a close look.
Examples of ICS Security Issues in Canada
ICS security is a critical area of focus here in Canada due to our nation’s reliance on these systems across various sectors, including utilities that are vital for everyday life and economic stability.
Recent incidents and assessments highlight the growing threat landscape and the importance of bolstering defenses (both physical and digital) against potential cyber-attacks targeting these systems.
Telus Cybersecurity Event
Telus, a prominent telecommunications company (that also offers cybersecurity services), recently found itself in a compromising situation. In 2023, the company discovered that a database containing sensitive information, including employee contact details, internal data, along with internal source code and their API, was being offered for sale on the dark web. This breach raises significant concerns, especially since Telus is entrusted with safeguarding the digital assets of numerous Canadian businesses.
According to the article, the breach’s specifics are troubling: 76,000 unique employee emails and internal information were compromised via the company’s API. Additionally, the threat actor advertised the sale of Telus’ entire private source code and GitHub repositories for $50,000, highlighting a potential goldmine for malicious actors. Among the most alarming aspects is the inclusion of the SIM swap API in the data for sale, which could enable dangerous SIM-swapping attacks. Such attacks could bypass multi-factor authentication, granting unauthorized access to highly protected accounts.
While Telus has stated that no corporate or retail customer data was compromised, the breach’s nature and the type of data exposed pose significant risks. The sale of Telus’ internal source code, including sensitive APIs, for tens of thousands of dollars on the dark web is particularly concerning, suggesting a breach of considerable depth and severity.
This incident not only undermines confidence in Telus’ own cybersecurity measures but also casts doubt on the advisability of relying on a company for cybersecurity needs when it has experienced such a significant compromise of its systems and data. The occurrence of hacks is a reality in the digital age, yet the scope and implications of this incident inevitably lead to questions about the robustness of Telus’ security practices and their capacity to protect clients’ digital assets effectively.
Northwest Territories Power Corporation
Another notable example of a cyber-attack on Canadian infrastructure occurred in April 2020, when the Northwest Territories Power Corporation’s business systems and website were encrypted by ransomware. Although this incident primarily affected business systems without directly compromising the ICS network or electricity supply, it underscores the vulnerability of interconnected IT and OT environments to cyber threats.
Such incidents serve as a stark reminder of the potential for more sophisticated attacks to target ICS directly, disrupting essential services and posing risks to public safety and national security.
National Cyber Threat Assessment 2023-2024
The evolving cyber threat landscape is further detailed in the National Cyber Threat Assessment 2023-2024 by the Canadian Centre for Cyber Security. This comprehensive report sheds light on the various tactics used by cyber threat actors, including misinformation, disruptive technologies, and the targeting of digital assets. It emphasizes the growing sophistication of cyber threats and the critical need for enhanced security measures to protect both IT and OT environments. The assessment also points out the importance of recognizing and mitigating the risks associated with the increased use of machine learning, the advent of quantum computing, and the expansion of the Internet of Things (IoT), all of which can have significant implications for the security of ICS.
These examples highlight the critical need for a multi-faceted approach to ICS security that includes not only technological solutions but also strategic planning, workforce training, and collaboration between the public and private sectors. Ensuring the resilience of Canada’s critical infrastructure requires ongoing vigilance, investment in cybersecurity capabilities, and a proactive stance towards emerging threats.
As such, a comprehensive security strategy that addresses both IT and OT components, coupled with a clear understanding of the threat landscape, is vital for maintaining the safety, reliability, and efficiency of critical infrastructure operations in Canada.
What Industries Need ICS Security?
ICS security is a necessity across a wide array of industries and sectors, particularly those considered part of our country’s critical infrastructure. These systems play a fundamental role in managing and controlling industrial processes and utilities.
Here’s a look at some key sectors where ICS security is essential:
Utilities and Energy
Electric Power: The generation, transmission, and distribution of electricity rely heavily on ICS for operations, making it a prime target for cyber threats aiming to disrupt power supply.
Water and Wastewater: These systems ensure the delivery of clean water and the safe treatment of wastewater, where a breach could lead to public health crises.
Manufacturing
Advanced manufacturing facilities use ICS to control production lines, manage supply chains, and ensure quality control. Cyberattacks could lead to significant economic losses and supply chain disruptions.
Oil, Gas, and Chemicals
These sectors use ICS to monitor and control refining processes and distribution and ensure safety measures. Attacks could result in environmental disasters and energy supply disruptions.
Transportation
Rail networks, airports, and shipping use ICS for traffic management and safety systems. Security breaches could endanger lives and cause extensive logistical and economic damage.
Healthcare
Although not traditionally associated with ICS, healthcare relies on industrial-type control systems for managing everything from air quality to power and water supply within facilities. With the increasing digitization of healthcare, ensuring these systems are secure is critical to patient safety and care.
Agriculture and Food Production
ICS are used in agriculture for monitoring and controlling environmental conditions and machinery operation. A security breach could impact food production and supply.
Nuclear Facilities
Nuclear power plants use ICS to monitor and control nuclear reactors. Given the potential consequences, the security of these systems is of utmost national security importance.
Public Safety and Government Facilities
Emergency services, defence installations, and other government facilities rely on ICS for various control functions, from building management systems to critical communication networks.
In each of these sectors, the security of ICS is paramount not only to prevent economic loss and maintain competitive advantage but also to protect public safety and national security.
The interconnectedness of today’s digital space means that a breach in one sector can have cascading effects across others, highlighting the need for robust ICS security measures across all industries reliant on these systems.
Let’s look at how ICS security has evolved over the years.
A Brief History of ICS Security
Let’s break down the evolution and integration of ICS with IT environments into a more digestible timeline and overview. This journey from isolation to integration reveals not only technological advancements but also the emerging challenges in cybersecurity.
The Past: Isolation and Obscurity (Pre-2000s)
Isolated Systems: Initially, ICSs were standalone, operating on proprietary protocols without any connection to IT networks or the Internet. This setup offered a kind of security by obscurity; since the systems were not accessible via standard networks, they were less susceptible to widespread cyber threats.
Physical Security Focus: The main concerns were physical security and the reliability of these systems. Cybersecurity, in the modern sense, was not a major focus because the threat landscape was vastly different, with fewer digital threats and attackers.
The ICS Security Shift Begins: Early 2000s
Beginning of Convergence: With the advent of the internet and the proliferation of digital technologies, businesses began to see the value in connecting their ICS with IT networks. This was driven by the desire for efficiency, real-time data access, and remote control capabilities.
Emerging Vulnerabilities: As these systems started to connect to broader networks, the inherent security through obscurity began to diminish. Vulnerabilities in IT systems could potentially be exploited to access and disrupt ICS operations.
ICS Security Acceleration and Integration: 2010s to Present
Rapid Digital Transformation: The 2010s saw a significant push towards digital transformation, with industries seeking to leverage big data, cloud computing, and automation. This period marked a notable acceleration in the integration of IT and OT (Operational Technology, which includes ICS).
Increased Exposure to Cyber Threats: This convergence exposed critical infrastructure to a broader array of cyber threats. As IT systems became more interconnected with OT systems, vulnerabilities in one could be exploited to attack the other. This era highlighted the need for cybersecurity measures that span both IT and OT environments.
Regulatory and Security Focus: Recognition of these vulnerabilities led to increased regulatory scrutiny and a focus on developing cybersecurity frameworks specifically for ICS. Organizations began to implement more rigorous cybersecurity protocols, including network segmentation, access controls, and continuous monitoring.
Looking Ahead: Future Trends in ICS Security
Continued Convergence: The integration of IT and OT is expected to continue, driven by advancements in IoT (Internet of Things), AI (Artificial Intelligence), and machine learning. These technologies offer the potential for even greater efficiency and capabilities.
Growing Cybersecurity Challenges: With continued convergence, the complexity of cybersecurity challenges is expected to grow. Protecting interconnected systems requires a comprehensive approach that includes both technology solutions and organizational strategies.
Adaptive Security Measures: Future security measures will likely be more adaptive and proactive, utilizing advanced analytics, real-time threat intelligence, and automated response mechanisms to protect against sophisticated cyber threats.
This timeline captures the journey from isolated, secure-by-obscurity ICS environments to today’s integrated, digitally-transformed landscape. The evolution highlights the growing importance of cybersecurity in ensuring the safety, reliability, and efficiency of critical infrastructure operations.
As we move forward, the challenge will be to balance the benefits of integration with the need for robust cybersecurity measures to protect against an ever-evolving threat landscape.
With that in mind, it’s crucial to apply security practices tailored to your unique environment and operational needs. ICS security requires a blend of cybersecurity knowledge and an understanding of industrial operations.
Here are some expert-level ICS security best practices:
1. Network Segmentation and Control
Purposeful Segmentation: Divide networks into zones based on their function and risk. Critical control systems should be on separate networks from those used for IT tasks to limit the spread of malware and reduce the attack surface.
Implement Secure Gateways: Use secure gateways for any necessary communication between IT and OT networks. These gateways can inspect and filter traffic to ensure only authorized commands or data pass through.
2. Least Privilege and Access Controls
Role-Based Access Control (RBAC): Ensure users have access only to the resources necessary for their roles. This minimizes the potential impact of compromised accounts.
Multi-Factor Authentication (MFA): For systems that support it, implement MFA to add an additional layer of security for accessing critical systems.
3. Application Whitelisting
Controlled Execution: Unlike traditional anti-virus solutions that block known malware, application whitelisting allows only pre-approved applications to run. This is particularly effective in ICS environments where the software footprint is typically static.
4. Hardware and Software Inventory
Comprehensive Inventory Management: Maintain an up-to-date inventory of all hardware and software components within the ICS environment. This aids in vulnerability management and ensures unauthorized devices are quickly identified.
5. Patch Management for ICS Security
Regular Updates with a Caveat: While regular patching is advised, ICS environments often run legacy systems that cannot be updated frequently. In such cases, employ compensating controls like virtual patching or network segregation, and actively monitor for any exploitation attempts.
6. Incident Response Planning
Tailored Incident Response: Develop and regularly update an incident response plan that accounts for the unique operational requirements of ICS environments. This includes establishing protocols for manual operation of systems should the need arise.
7. Continuous Monitoring and Detection
ICS-Specific Monitoring Tools: Utilize monitoring tools designed for ICS that can detect abnormal activities indicative of a cyber attack, such as unexpected communication between control systems or unauthorized changes to control logic.
8. Physical ICS Security Integration
Holistic Security Approach: Integrate physical security measures with cybersecurity efforts. Unauthorized physical access to control systems can bypass many cybersecurity controls.
9. Vendor Risk Management
Supply Chain Security: Assess the security practices of third-party vendors and contractors who have access to the ICS environment. Implement strict controls on remote access for maintenance or updates.
10. ICS Security Awareness and Training
Specialized Training for Staff: Conduct regular training sessions for all employees involved with ICS operations, focusing on the specific threats to these systems and the importance of security protocols.
Implementing these practices requires a deep understanding of both the technical and operational aspects of ICS security. Given the potential consequences of a breach, it’s imperative that organizations not only adopt these practices but also continually reassess and update their security posture in line with evolving threats and technologies.
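As an added illustration of practices 1, 4 and 7 above (not code from this article or from any vendor), the following Python example checks flow records against an asset inventory, a zone conduit policy and a baseline of expected control-zone peers. All hosts, addresses, zones, ports and verdict names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory (practice 4): IP -> (asset name, zone).
INVENTORY = {
    "10.10.1.5": ("hmi-01", "control"),
    "10.10.1.20": ("plc-01", "control"),
    "10.10.1.21": ("plc-02", "control"),
    "10.20.0.8": ("historian", "dmz"),
    "192.168.5.30": ("erp-app", "it"),
    "192.168.5.77": ("vendor-jump", "it"),
}

# Constructed conduit policy (practice 1): zone pair -> permitted destination ports.
# A zone pair that is not listed has no conduit at all, e.g. IT straight into control.
CONDUITS = {
    ("control", "control"): {502},  # Modbus/TCP between HMI and PLCs
    ("control", "dmz"): {443},      # control zone pushes data to the historian
    ("it", "dmz"): {443},           # IT reads from the historian only
}

# Constructed baseline of expected talkers inside the control zone (practice 7).
CONTROL_PEERS = {("hmi-01", "plc-01"), ("hmi-01", "plc-02")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> str:
    """Return a verdict for one flow record, checking inventory, then zones, then peers."""
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None or dst is None:
        return "UNKNOWN_DEVICE"  # endpoint missing from the inventory
    (src_name, src_zone), (dst_name, dst_zone) = src, dst
    ports = CONDUITS.get((src_zone, dst_zone))
    if ports is None:
        return "NO_CONDUIT"  # zones may not talk to each other directly
    if flow.dport not in ports:
        return "PORT_NOT_ALLOWED"  # conduit exists, but not for this service
    if src_zone == dst_zone == "control" and (src_name, dst_name) not in CONTROL_PEERS:
        return "UNEXPECTED_PEER"  # control systems talking outside the baseline
    return "OK"


def audit(flows):
    """Return (flow, verdict) for every flow that is not OK."""
    return [(f, v) for f in flows if (v := evaluate(f)) != "OK"]


# Constructed flow records, as a passive sensor on the OT network might export them.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.1.20", 502),     # HMI polls PLC
    Flow("10.10.1.20", "10.20.0.8", 443),     # PLC data pushed to historian
    Flow("192.168.5.30", "10.20.0.8", 443),   # ERP reads historian
    Flow("192.168.5.77", "10.10.1.20", 502),  # vendor jump host reaches a PLC directly
    Flow("10.10.1.20", "10.10.1.21", 502),    # PLC-to-PLC traffic not in the baseline
    Flow("10.10.1.99", "10.10.1.21", 502),    # device that is not in the inventory
    Flow("192.168.5.30", "10.20.0.8", 3389),  # remote desktop into the DMZ
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:<17} {flow.src} -> {flow.dst}:{flow.dport}")
```

The order of the checks matters: an endpoint missing from the inventory is reported first, because zone and peer rules cannot be evaluated for a device nobody has classified.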
Next Steps for Strengthening Your ICS Security
If you’re wondering how to bolster your ICS security, here’s how we can begin to alleviate your concerns today:
As a leading Canadian MSSP, we specialize in understanding the unique cybersecurity landscape, including compliance with local regulations and standards. We bring a wealth of knowledge specific to securing ICS against both common and advanced threats.
Our expertise can help you navigate the complexities of safeguarding critical infrastructure, ensuring that your ICS security measures are both effective and compliant with Canadian standards.
We also have access to extensive threat intelligence networks, allowing us to stay ahead of emerging threats. This can be particularly valuable with regard to ICS, where threats may not only be digital but also physical or carried out through social engineering. We can provide insights into potential threats before they reach your systems, enabling proactive defence strategies.
One of the key services we offer is around-the-clock monitoring of your ICS for any signs of intrusion or abnormal activity. This constant vigilance ensures that any potential threats are identified and mitigated quickly, minimizing the impact on your operations.
Additionally, in the event of a security incident, we can deploy rapid response teams to contain the threat and restore systems to normal operation, significantly reducing downtime and associated costs.
By partnering with us, F12.net, a top Canadian MSSP, you gain access to specialized knowledge, advanced tools, and continuous support tailored to the unique requirements of securing ICS. This partnership can significantly enhance your cybersecurity posture, protecting your critical infrastructure from both current and emerging threats.
Get started by contacting us today for an audit of your ICS security.