Insights | April 13, 2023

Cyber Protection of Automated Industrial Control Systems

On April 13, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) posted an alert on its National Cyber Awareness System titled “Advanced Persistent Threat (APT) Cyber Tools Targeting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Devices.”[1] This Cybersecurity Advisory, released jointly by CISA, the Department of Energy, the National Security Agency, and the Federal Bureau of Investigation, warned that certain ICS and SCADA devices are at risk of being taken over by APT actors, which should be concerning to us all. This is not the first alert of its kind and it’s safe to say that it won’t be the last. In the year since this alert was published, are we better postured to prevent, prepare for, respond to, and recover from risks to ICS?

The term SCADA is both common and critical to industrial processing. SCADA control systems provide facilities with the ability to monitor and interact with the computers and equipment used in their business operations but, similar to most online systems, they face many cyber risk challenges. Mitigating cyber risks is not a simple one-step procedure; instead, it’s a constant process that requires continued vigilance and adaptation. Through our transition into the digital age, both the public and private sectors quickly learned that cyber systems are vulnerable to attacks and must be protected. The ever-evolving cyber threat environment has put enormous pressure on various domains, and at the top of this list are our critical infrastructure and manufacturing sectors, the gateways to millions of lives. Such threats require us to monitor more closely, implement stricter practices, and consider APT actors’ intentions toward automated control systems.

Vital to our modern way of living, automated control systems give factories the ability to manufacture goods more quickly to meet customer demands, perform manufacturing processes via safer methods, and take a cost-saving approach. However, automated systems are also one of the key vulnerabilities in our modern way of life. Cyber threats to the automated controls of manufacturing plants and critical infrastructure, such as our national water treatment systems, oil and gas pipelines, and electrical grid, affect not only the facilities at risk but also the millions of citizens who rely on their secure keeping. Treating our water for safe consumption relies on automated control systems to control and process precise levels of chlorine and other cleaning agents. A malicious actor with the ability to launch a successful cyber attack on such systems may have the opportunity to alter chemical levels and cause significant harm to millions of lives.

In February 2021, hackers breached the water-treatment system at a Florida water treatment facility and attempted to raise the level of sodium hydroxide from 100 parts per million to 11,100. Sodium hydroxide is a chemical that is used to control water acidity at safe and regulated levels but becomes poisonous at the high levels the hackers tried to set.[2] A more recent and well-known example is the cyber-attack that was carried out on the Colonial Pipeline by malicious actors in May 2021. Though primarily a ransomware attack, the perpetrators targeted Colonial Pipeline’s control systems that managed gasoline output.[3] The attack against Colonial’s online systems caused massive gasoline shortages across the entire East Coast and demonstrated that our critical infrastructure is prone to hacks. Why is it complicated to prevent such breaches to automated systems?

According to multiple sources such as Cyber Magazine and Trend Micro, a cybersecurity software company,[4] the dated technology behind a majority of automated industrial control systems is one reason preventing breaches to these systems can be difficult.[5] Manufacturing systems are one group of automated systems that present such a challenge. According to the cybersecurity consulting firm Performanta, while these systems successfully carry out the functions they were built to do, updating manufacturing systems would pose a risk.[6] Thus, a large portion are outdated and the cyberattacks against these systems could have devastating and even fatal consequences.[7] The engineers behind these automated systems could not have predicted the threat landscape that we face today. The issues lie within the core of the systems’ design and in programs inherent to system operations that cannot be easily replaced or rewritten.

Attempts to revise legacy programming to better protect against current cyber threats may be incompatible, overly complicated, or even damaging to the entire network of the system. The highly expensive option of replacing existing systems in working condition with more modern alternatives is an unpopular choice and, in some cases, not viable due to the lack of new technologies and processes within the sector. How do we mitigate the cyber risks associated with these systems?

OTH Solutions provides consulting and contract support to federal agencies with the mission to identify and mitigate cyber and infrastructure risks, including one of our largest clients – the Cybersecurity and Infrastructure Security Agency (CISA) at DHS. One of the most important programs led by CISA is the Chemical Facility Anti-Terrorism Standards (CFATS) program, which regulates facilities with chemical holdings that can be diverted or manipulated to be used in such attacks. Using a risk-based performance standard, the CFATS program emphasizes cybersecurity and cyber hygiene across this sector, which relies heavily on SCADA systems. To encourage better cyber hygiene, CISA provides relevant considerations, impacts, and best practices for users, which can be found here.[8]