Protecting industrial control systems

Operational technology relies on outdated security models based on invalid assumptions.

By Siv Hilde Houmb, PhD August 21, 2015

Operational technology (OT), such as industrial control systems (ICSs), relies on outdated security models based on invalid assumptions. At the same time, the frequency and sophistication of cyber attacks against ICSs are increasing and have become a prime target for criminal and terrorist interests. These sophisticated attacks are difficult to detect because they operate covertly, are hidden, and typically start with seemingly benign activities that don’t trigger a warning. These attacks are also executed over a long period of time, which makes it hard for antivirus and other traditional IT security technologies to detect them.

Cyber attacks have evolved in sophistication and aggression over the past 25 years. Since "Morris," the first known Internet worm in 1988, there has been an increase in the number of reported attacks and a gradual escalation of the impact of cyber attacks. The trend is that the attackers continue to accelerate their knowledge and have access to more resources compared to the first attacks. However, what is even more important to notice is that the goals of cyber attacks have changed toward deliberate and disastrous results for the attacked targets. The era of attackers testing out and playing with cyber attacks for the sake of demonstrating what is possible and then bragging about it is definitively over. 

When it comes to OT and ICS, note the following:

  • It has only recently been disclosed that hackers blew up a section of a Turkish oil pipeline in 2008. In the control room, the operator’s console showed that everything was nominal before a phone call from the field triggered the alarm. What’s interesting about this attack was that the attackers also manipulated the CCTV feed to the control room, covering up what was actually happening at the site.
  • This is similar to what was done during the Stuxnet attack in 2010, where operator consoles showed normal operations when the centrifuges of the Iranian Natanz nuclear facility were running at such high speeds that they were destroyed. Furthermore, Stuxnet was resident in the attacked control system for a number of years before the attack took effect. The attack set the Iranian nuclear facility back several years. 
  • In 2014, there was a successful malicious attack on a steel plant in Germany affecting its production.

 Advanced persistent threats

Why was Stuxnet successful? Why was it not detected? Stuxnet is what has recently been referred to as advanced persistent threats (APT). These attacks have a specific target in mind and are advanced as they have a high level of coordinated human involvement to monitor and control the attack using one or more control centers. The persistent part of the attack refers to the capability of the attack to remain invisible to the target for as long as possible with priority to complete its mission and get out of the attacked system undetected. APTs use deep system and attack knowledge to ensure a covert operation. APTs have three things that the system owner does not have: people, money, and time. Actually, the attack program could be removed if it is discovered or it might also be programmed to destroy itself. This means that the attack leaves very few traces on the attacked system.

However, although we have had some catastrophic cyber attacks on ICSs, a bigger and perhaps even more prominent challenge for owners and operators of control systems, are viruses, spyware, and malware that migrates from IT systems to control systems. Viruses are accidentally introduced to control systems every day through engineers’ laptops, websites, emails, thumb drives, and external computers that for some reason need or gets access to the control system. These cyber attacks are more annoying than a real danger to the system, but cause delays, shutdowns, and other problems every day. In reality, the general scare stems from catastrophic attacks that may or may not happen. However, the daily struggle are the viruses and malware, as these often look like something else-software errors-and dealing with this is costly and causes unneeded downtime. It is hard for an engineer to see the difference between a virus and a software error when the equipment is malfunctioning. Cyber attacks lead to increased processor and memory usage on the attacked host and may cause heat generation, which also can lead to software errors. Often it is hard to diagnose what’s actually the real problem.

Protective measures

If viruses are daily recurring problems, why can’t we just remove the viruses? That’s what we do in IT systems (our laptops and office network). Control systems operate in real time and are critical systems that rely on deterministic behavior to execute their strictly time-critical operations. Scanning and removing viruses breaks the determinism. In addition, there are even cases where antivirus software causes more harm to the control system than the virus. What complicates the matter, is that IT security solutions, such as antivirus, require continuous updates to work efficiently. This is the case for antivirus solutions, intrusion detection/prevention systems, and similar systems. This technology must be updated with details on new attacks to be able to detect them. If not, they simply will not recognize the attack, as these solutions are only able to detect the viruses and malware that was known at the time of the last update.

Furthermore, having a secure firewall with the best filtering and access protection possible is not going to be enough either. Firewalls can only protect the system from attacks initiated from the outside of the control system and are helpless against attacks initiating from the inside, such as malware coming from USB sticks or computers inside the control network. A control system needs nonintrusive network- and host-based protection operating on the inside of the control system, as well as perimeter protection such as firewalls. Furthermore, protection must be layered and must go deep into the control system to be effective. What is needed is defense in depth. What is interesting to notice is that 2010 represented a paradigm shift for security attacks. This year marked the shift where attackers moved from targeting IT systems and started devoting resources and time to attacking ICSs. The new security attacks target specific systems and are carried out by organized groups with access to specialized equipment. Some of these attacks may also never be discovered or they may operate hidden for years before they are detected. This was the case with the Flame and Stuxnet attacks. ICSs are the prey of new security attacks, possibly leading to disruption or interruption of operations and production and manipulation of data. The challenge is that the industry has only really been focusing on developing cyber security solutions for industrial control systems the past five years and is still developing strategies to build cyber protection into control systems. OT security is an infant and has yet to mature into viable and sustainable OT cyber-defense technology.

The biggest dilemma of securing a control system against cyber attacks is that one cannot automatically remove viruses and malware because of the way that the malware protection systems are designed. Furthermore, currently there is no sustainable and trustworthy manner to detect APTs. Also, there will not likely be a one-technology-fits-all situation.

The National Institute of Standards and Technology (NIST) Cyber Security Framework for the U.S. and the international cyber security framework standard ISO/IEC: 21827 IT-ST – Systems Security Engineering-Capability Maturity Model define core principles for securing ICSs: These five cyber security principles are also the basis for a defence in depth strategy. 

  1. Identify: continuous identifying, evaluating and managing of cyber risks using best practice risk assessment and management methods.
  2. Protect: structured and robust built-in security architecture, network perimeter protection, host protection, network protection, interface protection, and secure remote connection.
  3. Detect: capabilities to detect viruses and other cyber annoyances, as well as sophisticated cyber attacks such as APTs, both on the network and inside of the system and each host.
  4. Respond: well-established and efficient processes to handle cyber attacks. 
  5. Recover: ability to quickly return to normal or degraded operation after an attack – the after-the-fact part of defence in depth. There are some cyber-attacks that are not possible to prevent or respond to. Most often, such cyber attacks are APTs and other catastrophic attacks that have a very low probability of happening and a high impact should they occur.

– Dr. Siv Hilde Houmb is the CTO of Secure-NOK AS, and works as an associated professor at the Norwegian National Cybersecurity Laboratory, part of the Norwegian Center for Cyber and Information Security (CCIS) at Gjøvik University College, Norway. She has a Ph.D. in Computer Science focusing on cyber security and decision theory. She founded Secure-NOK AS, a cyber security specialist company focusing on Oil and Gas, in 2010 and has an extensive background in controls security and cyber security in general, including penetration testing, risk assessment, security protocol development and ethical hacking. She has published more than 50 scientific papers and articles on cyber security and risk assessment. Before creating Secure-NOK AS, Dr. Houmb worked as a security specialist and risk analyst for Telenor from 1999-2011, was a guest researcher at Colorado State University (US) from 2004-2006, and held a post-doctoral at the University of Twente (the Netherlands) from 2007 to 2008. She has served as a security specialist for the European Telecommunication Standards Institute (ETSI) and the European Commission (EC) on topics such as RFID, car-to-car communications, privacy impact assessments, risk assessment and security evaluations of new and emerging ICT technologies. Dr. Houmb leads the cyber security work group under the Drilling Control Systems (DCS) subcommittee at the International Association of Drilling Contractors (IADC). Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering,

Original content can be found at Oil and Gas Engineering.