Industrial Computer Systems (ICS/SCADA) are used in many industries that have automated their production processes, including for example airports, power plants, refineries and factories. Production has become fully dependent on ICS/SCADA systems and a system failure can put an instant halt to production. If someone breaks into the ICS/SCADA system, they can disturb, corrupt or even destroy production.
The consequences for society at large could be grave. Do you remember the latest stories in the news where for instance cyber-criminals unplugged over 200,000 people from the Ukrainian electricity grid, where other cyber-criminals caused hundreds of domestic and international flights to be grounded at multiple airports across Sweden because its air traffic control system was disabled, and where a nuclear power plant in Germany was infected with computer viruses via USB sticks?
The number of reported security vulnerabilities and exploits has grown steadily since 2011 and shows no sign of slowing. Exploits are pieces of software that take advantage of flaws in operating systems and other components of a network, finding weak points and gaining access to the systems.
Figure: Number of exploits according to the Recorded Future Threat Intelligence Report
The attackers are often motivated by political reasons, financial gain or terrorism. Some attackers are traditional criminals, but there is increasing activity from state-sponsored attackers. The attacks tend to be more advanced and persistent, targeting specific organizations with a clearly defined purpose. They are often very difficult to detect and can go unnoticed for months before being discovered.
Furthermore, the Darknet (the hidden part of the internet often used for illegal activities) has become a thriving marketplace for attackers, who trade information and exploits to aid their criminal activities.
Many companies implemented their ICS/SCADA systems a decade ago. They have become vulnerable due to lack of patching and flaws in the system design and architecture. The implemented controls are often insufficient to mitigate today's threats.
Best practices like defense in depth, server hardening, least privilege, separation of duties, privilege account management, network segmentation, intrusion detection systems, security monitoring, log management, vulnerability scanning, anti-malware and application whitelisting are not always considered sufficiently.
Some companies still perceive their ICS/SCADA systems as ordinary factory assets like tanks and pipes, and they are not always aware of the threats and vulnerabilities posing a significant risk to their production capabilities. A security incident will most likely have a prolonged impact on the revenue stream and be costly to recover from.
Be careful not to underestimate the importance of sufficient governance. Many try to apply the corporate policies and processes to their ICS/SCADA systems, but it is often better to have editions of these specifically tailored to align with the ICS/SCADA systems.
There is a tendency to focus on system availability because uptime is so crucial for keeping the production running. It is also important to assess whether there is a need for protecting data integrity and information confidentiality.
The following six steps are recommended to help you secure your production systems:
Ensure that you have a common and documented understanding within your organization about the ICS/SCADA systems' business criticality. It is important to know how the ICS/SCADA systems support the business processes, and the business impact of a confidentiality breach, data integrity issue and prolonged unavailability. Also consider the value of documenting the data classifications. When you have those assessments in place, you will know where best to focus your efforts.
Then ensure that you have a common and documented understanding within your organization about the most critical threats to the ICS/SCADA systems. Threats are potential causes of unwanted impact to the systems or organization. Begin by focusing on the most business critical ICS/SCADA systems. Remember to cover threats related to PPT (People, Processes and Technologies).
Then assess and document the vulnerabilities of your ICS/SCADA systems. Vulnerabilities are weaknesses that could be exploited by one or more threats, causing harm. It is often difficult to identify the technical vulnerabilities, and you might consider using a technical tool that scans for known vulnerabilities. Also remember to consider vulnerabilities related to user behaviour caused by a lack of security awareness and training.
When you know the threats and vulnerabilities of your systems, you are ready to conduct a risk assessment. Identify risks by evaluating the identified threats and vulnerabilities, and by assessing how the vulnerabilities are exposed to the threats. If your organization has a high maturity in conducting risk assessments and knows the value of the ICS/SCADA systems, you can consider calculating the Annualized Loss Expectancy (ALE).
As part of mitigating the identified unacceptable risks, you should review your existing controls and investigate whether there is a need for additional controls. Controls are technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability.
Finally, compare the Annualized Loss Expectancy (ALE) with the cost of the controls. Is it financially beneficial to implement the controls? The level of residual risk also depends on the system criticality and your organization's risk appetite. Ensure that all risks are allocated an owner and that you have a process for regular review of the risks as they might change over time.
It is crucial to maintain traceability between threats, vulnerabilities, risks and controls. This will strengthen your ability to explain the value of controls internally in your organization and to secure budgets. Also ensure that you continuously measure control performance and efficiency, and communicate the good stories when the controls prevent unwanted business impact. Controls are like all other insurances – the business needs to understand their importance and the business benefits.
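The following is an added illustration, not part of the original article, of how steps four to six and the traceability requirement can be carried in a small risk register: each risk ties a threat to a vulnerability, an owner and its controls, and the register computes the ALE before and after controls, the net benefit of the controls and whether the residual risk is within the risk appetite. The figures, control names and ARO-reduction factors are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float     # yearly cost of operating the control
    aro_reduction: float   # assumed fraction by which it lowers the ARO (0..1)


@dataclass
class Risk:
    threat: str            # step 2: the threat
    vulnerability: str     # step 3: the vulnerability it acts on
    owner: Optional[str]   # step 6: every risk needs an owner
    sle: float             # Single Loss Expectancy: cost of one incident
    aro: float             # Annualized Rate of Occurrence: incidents per year
    controls: List[Control] = field(default_factory=list)

    def ale(self, with_controls: bool = False) -> float:
        """Step 4: ALE = SLE x ARO, optionally with the controls' ARO reduction applied."""
        aro = self.aro
        if with_controls:
            for c in self.controls:
                aro *= 1 - c.aro_reduction
        return self.sle * aro

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def net_benefit(self) -> float:
        """Step 6: loss avoided per year minus what the controls cost per year."""
        return self.ale() - self.ale(with_controls=True) - self.control_cost()


def evaluate(register: List[Risk], risk_appetite: float) -> List[dict]:
    """Compare ALE with control cost, and flag residual risk above appetite or missing owners."""
    return [{
        "risk": f"{r.threat} -> {r.vulnerability}",
        "ale": r.ale(), "residual_ale": r.ale(with_controls=True),
        "control_cost": r.control_cost(), "net_benefit": r.net_benefit(),
        "controls_pay_off": r.net_benefit() > 0,
        "within_appetite": r.ale(with_controls=True) <= risk_appetite,
        "has_owner": r.owner is not None,
    } for r in register]


# Constructed sample register (illustrative figures, not from the article)
REGISTER = [
    Risk("malware introduced via USB stick", "engineering workstation runs unwhitelisted binaries",
         "plant-it-manager", sle=500_000, aro=0.2,
         controls=[Control("application whitelisting", 20_000, 0.8), Control("USB port restriction", 5_000, 0.5)]),
    Risk("attacker pivots from office network", "no segmentation between office and control network",
         None, sle=2_000_000, aro=0.05, controls=[Control("network segmentation", 150_000, 0.9)]),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, risk_appetite=20_000):
        print(row)
```

In the sample, the whitelisting and USB controls pay for themselves, while segmentation does not at the assumed cost even though it brings the residual risk within appetite; that second risk also lacks an owner, which the report flags.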
This is an article from NNIT Security Insights, a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.
You are welcome to contact us at firstname.lastname@example.org if you want to know more about how NNIT can help your business increase its information security level.