Why industrial control systems need cyber security
You might not know it, but due to a lack of technical security testing, some industrial systems are at risk of severe cyber attacks.
Industrial Control Systems, commonly known as ICS, can cover everything from transport and water to nuclear reactors. It’s no surprise, then, that potential vulnerabilities are cause for serious concern.
According to a Crest report, the issues surrounding Industrial Control Systems could cause breaches that leave critical national infrastructure in jeopardy.
This report identified six major weaknesses that currently pose the greatest threat. These include outdated hardware, weak file integrity checks, vulnerable Windows operating systems, undocumented third-party relationships, weak user identification and unauthenticated protocols.
These issues are currently considered to be the biggest threats to UK cyber security. Organisations are therefore being encouraged to reduce these risks by making improvements to their systems in these six key areas.
By highlighting these vulnerabilities, it is hoped that the situation will improve, as many organisations running Industrial Control Systems have little to no idea of the extent to which they are at risk, or even whether their system has already been compromised.
One of the reasons for this lack of understanding is a lax approach to technical security testing. In this sense, the industry is severely lacking compared to others that face similar issues.
Ironically, the sheer importance of these systems is part of the reason they are perhaps not given the security attention that they so desperately need.
Things like power stations, for example, are required to be available and operating at all times. Therefore, the effect of any kind of downtime is far greater than it would be in other industries.
This might go some way to explaining why we find that security is often better in areas where it is not nearly as vital.
For example, an automatic security update would not be possible for Industrial Control Systems for which a system restart or temporary shutdown is not an option. Many ICS are allowed a maximum of five minutes of downtime per year.
Disobeying these rules can be costly in a literal sense too, with nuclear reactors facing fines of £33,000 per hour from industry regulators for any downtime.
This also explains why many may not know if they have suffered from security issues such as malware infections and, in some cases, why many organisations knowingly continue to run with detected problems.
Furthermore, the out-of-date computing abilities of many systems mean that even simple antivirus software can’t be run.
There’s also little doubt that cost is a major factor.
Take the issue of out-of-date software from the six major weaknesses identified for Industrial Control Systems. While there are certainly logistical issues related to the necessity of these systems being available 24/7, there’s also a financial disincentive to update them.
Major economies, including the UK, the USA and those across Europe, are in many cases still using technology from decades past.
Older operating systems, commonly known as legacy systems, are much easier targets, having been built without the possibility of online threats in mind.
A major issue is that many of these systems have so far worked just fine, which, alongside the financial and logistical issues surrounding an upgrade, can make that possibility a hard sell.
However, the risk becomes greater as these systems become more and more outdated. An example of how older operating systems can be exploited can be seen with the recent NHS cyber attack, with the organisation suffering badly due to a failure to upgrade.
Once again, this often comes down to cost cutting. That particular attack came as the NHS systems were running Windows XP.
Unfortunately, this is far from unusual.
One of the easiest ways for organisations to save money is by using systems such as Windows and Linux, and particularly older versions of them.
Put simply, this is a problem that is not going to go away anytime soon. At least not as long as these organisations refuse to directly address the problems at hand. Improved cyber security across Industrial Control Systems cannot be put off indefinitely.
It may be a question of whether these organisations wish to make these improvements as best they can now, or be forced into taking that action after a severe breach of their security.
There are many challenges when it comes to cyber security in Industrial Control Systems. However, this is not a task that is impossible to manage.
What cannot be denied here is the importance of having robust, up-to-date measures in order to maintain the security of industries that are vital to our everyday lives.