Introduction to ICS Security Threats
Industrial control systems (ICS) and operational technology (OT) environments are often perceived as quiet and highly controlled. However, they contain a range of risks, unexpected configurations, and operational complexities that are difficult to uncover through standard penetration testing or conventional risk assessments.
SecurityWeek spoke with several ICS security experts and companies about their most memorable experiences in the field. These stories highlight the gap between written security policies and what actually happens on the plant floor.
Real-World ICS Security Tales
John Simmons, FortiGuard Incident Response, Americas, Fortinet, shared an incident response engagement in the Middle East where an Iranian-linked APT actor attempted to move laterally from the customer's IT environment into its OT systems.
The FortiGuard Incident Response team traced the attacker's persistence to an 'n-day' vulnerability: a flaw that was already known and fixable, but had not been publicly documented as exploited in the wild. Exploiting it gave the threat actor a reliable path back into the network even after the apparent cleanup, which is why removing the implants alone did not end the intrusion.
Brian Proctor, Founder and CEO, Frenos, shared an experience where a member of the cybersecurity compliance team ran a vulnerability scan against the turbine networks at a combined-cycle power generation plant, causing both turbines to trip and come to a complete stop. Active scanning that is routine on IT networks can be enough to crash fragile controllers, so scope and method on OT networks need to be agreed with operations before anything is pointed at them.
Morey Haber, Chief Security Advisor, BeyondTrust, shared a story about working at a secure facility in South Florida, where a contractor loaded unauthorized open-source software on the network, which was later discovered and led to the contractor's termination.
Kevin Paige's Experience
Kevin Paige, Field CISO, C1, was hired to assess a federal engineering agency ahead of an upcoming audit. During network discovery he found a cluster of servers that appeared in no inventory; they turned out to be running the agency's industrial field control systems.
The servers still used default credentials and had not been patched in years. Paige could reach the servers and cameras from an ordinary corporate workstation, and later demonstrated that he could log in with the default credentials, escalate to root, and issue commands directly to the field control systems, all without any segmentation between the corporate and control networks to stop him.
Agnidipta Sarkar's Experience
Agnidipta Sarkar, Chief Evangelist, ColorTokens, shared his experience as a CISO who had to build breach readiness during a digital transformation in OT. He discovered a treasure trove of disconnected networks, old vulnerable systems, open USB ports, and Windows XP consoles.
Sarkar worked with stakeholders to draft a plan that would keep them within Good Manufacturing Practice (GMP) constraints and avoid a full computer system validation (CSV). After 48 hours of continuous effort they reduced exposure to acceptable levels, removed shadow SaaS, and streamlined the shadow IT instances.
Vivek Ponnada's Experience
Vivek Ponnada, SVP Growth and Strategy, Frenos, walked into an oil and gas refinery to discuss a risk assessment. The refinery had workstations running Windows XP and out-of-support Cisco switches, which the operators already knew was risky.
Ponnada explained that a risk assessment would help them move from assuming the worst to documenting and quantifying the risk, then figuring out mitigations that make sense.
Tenable's Stories
Tenable shared two stories about ICS security threats. In the first, a large manufacturing company had invested heavily in firewall technology, yet Tenable's solution discovered thousands of devices the company had not accounted for, including control systems and sensitive OT devices. A firewall only protects the assets you know about and have placed behind it.
In the second, Tenable's solution helped a company identify and mitigate ICS security threats, again turning up disconnected networks and old, vulnerable systems that had fallen outside the organization's view.
Conclusion
These real-world ICS security tales highlight the gap between written security policies and what actually happens on the plant floor. By sharing these experiences, the experts hope to raise awareness of the risks and challenges of ICS security and to encourage organizations to take proactive steps to reduce them.
- ICS security threats are real and can have physical consequences, from tripped turbines to root access on field control systems.
- The gap between written security policies and actual plant floor practice is where most of these problems live, so it has to be measured, not assumed.
- Organizations must take proactive steps, starting with an accurate asset inventory, to mitigate ICS security threats.
Source: SecurityWeek