Industrial control systems (ICS) are the backbone of some of the world’s most critical industries like healthcare, chemicals, power, communications, food and agriculture, transportation, and waste and water systems. (Some 16 sectors in the U.S. are designated as critical infrastructure.) Historically, these environments were not designed to be internet-facing. But with rising demand for better connectivity, faster maintenance, and greater insight into utilisation and performance, an organic convergence of information technologies and operations technologies (OT) is happening—giving birth to ICS environments that are internet-enabled, cloud-managed and increasingly vulnerable to cyber attack. Between 2013 and 2020, cyber attacks on critical infrastructure grew by 3,900%. In 2021 alone, 80% of OT/ICS organisations reportedly experienced ransomware attacks.
Why is ICS security needed?
Security incidents in the ICS environment can inflict significant operational, reputational and financial damage. Norwegian aluminum producer Norsk Hydro spent nearly $75 million as a result of a cyber attack. Data breaches can expose sensitive OT information like network and engineering diagrams, images of operator panels, and information on third-party services, employees, processes and ongoing projects. Disruption poses risks to critical public services, opening operators up to significant fines and censure. Prolonged disruptions can lead to a credit risk for the business and even threaten its operational viability. Cyber risk can even transcend to physical risk. A hacker group named Predatory Sparrow claimed responsibility for an attack that caused a fire at an Iranian steel factory. By 2025, Gartner predicts that threat actors will weaponize OT or ICS infrastructure to successfully harm or kill humans.
Why are ICS systems vulnerable to cyber attacks?
Most OT or ICS systems were built decades ago without regard for cyber security. Per Microsoft, 71% of ICS devices have outdated operating systems, 64% have unencrypted passwords and 66% have no automatic updates. Since ICS systems operate round the clock, they cannot risk applying untested patches, which is why most ICS systems are left unpatched even when 65% of vulnerabilities have a patch available. In fact, roughly a third of OT organisations admit to shutting down security systems because current security tools lack compatibility with their automation systems.
How organisations can assess threats to ICS
Assessing threats is a crucial step to building an effective plan for deciding what controls and policies are appropriate to protect an ICS environment. Here are some best practices that can help:
- Know what assets and devices make up the environment
- Catalogue and prioritise threats based on profiles
- Use collective knowledge of both IT and ICS teams
- Articulate threats in language the business understands