ICS security in the cloud age

Critical infrastructures are not operating in a vacuum anymore. The emergence of the cloud, and the increasing necessity to integrate IT and OT systems, to further boost production or improve processes using analytics, for instance, has accelerated both the IT/OT convergence and the use of modern IT cloud infrastructures to support ICS/OT systems. This has obvious security implications. The increasing attack surface due to the remote connectivity of these traditionally air-gapped systems requires a fundamental change in how we design and deploy these systems to make them as secure as possible from the outset.

Introduction

Industrial control systems (ICS) have been traditionally built as stand-alone, air-gapped systems, non-reliant or connected to the external world. This, however, has become impractical in an interconnected world, where services and resources can no longer be centralized. Telemetry and data traveling to and from these systems is justified by a number of business and technical imperatives. Some examples include security integrations and monitoring, application updates, or inventory and configuration management.

There is obviously a flip side to the increasing connectivity. Adversaries can take advantage of the widening attack surface introduced by these communication channels. In many reported incidents, attackers first gain access to the IT networks or exploit third-party suppliers before a subsequent pivot into the ICS/OT networks. The SANS/Nozomi Networks report, 'The State of ICS/OT Cybersecurity in 2022 and Beyond'¹ has concluded that the ‘IT business network remains a common initial intrusion point for adversaries’.

It is then necessary to leverage guidance from the community and leading standards bodies in cybersecurity, such as NIST, or the IEC, to secure increasingly connected networks and systems. IriusRisk implements the IEC 62443, parts 3-3 and 4-2, to help automate the security requirements of ICS environments and their surrounding ecosystems.

Remote connectivity and the XaaS model

Remote connectivity is not intrinsically bad. If done well, it can even contribute to improving the security posture, e.g., remote telemetry monitoring from an outsourced security service provider. What remote connectivity and the XaaS (anything as a service) model do is essentially provide an additional hacking path from the IT network or the cloud to the industrial network. When this is not correctly done, it is indeed potentially devastating.

Weaknesses and vulnerabilities found on the cloud or the corporate information system, coupled with an insufficiently isolated industrial network, can then potentially allow an attacker to pivot and gain a foothold into the critical industrial system. A report from Positive Technologies on attack vectors in industrial systems concluded that ‘ICS security hinges on the effective administration of the network and network equipment’².

The potential benefit, however, is growing more apparent every year and has outweighed the potential risk. Data analytics, optimization algorithms, advanced security processes, and advanced support and maintenance services, have all been good incentives for critical infrastructure operators to allow for and support external connectivity. All of the major cloud providers have already introduced solutions specifically tailored to industrial automation, although they can be sometimes marketed as IoT given the prevalence of the Internet of Things in every aspect of life nowadays, beyond industrial automation. Some examples include AWS for Industrial³, Azure Industrial IoT⁴, or the Google Cloud IoT core⁵.

What security guidelines?

Cloud providers can offer significant advantages in terms of security, where some of the responsibilities can be shifted⁶, and more internal resources are allocated to securing in-house assets, networks, and external connectivity. Based on the findings of the above-mentioned reports, more focus should be put on securing the network integration and the perimeters.

Two standard families are specifically tailored for industrial automation and control systems; the IEC 62443 and the NIST 800-82. The following table presents these standards, their scope, and how they help secure OT environments and networks. The non-ICS parts might each have specific security needs incorporating additional provisions about cloud-based security for instance. Some example standards and frameworks for IT and cloud environments include the ISO 27001/27002 series⁷, the NIST Cybersecurity Framework⁸, and the CSA (Cloud Security Alliance) guidance⁹.

Standard

Scope

How to secure integrations?

IEC 62443¹⁰

This standard series takes a holistic risk-based approach that covers security aspects throughout the entire lifecycle of industrial automation and control systems.

It covers policies and procedures, focusing on methods and processes associated with establishing an IACS security program, as well as system- and component-level security requirements and development lifecycle management.

The 62443 standard series prescribes a clear definition of the so-called 'zones and conduits' (what is referred to as 'network segmentation' in IT) to establish higher control over the access and security of an ICS network.

This would allow the elimination of implicit trust in interactions and continuously validate each communication stage using a 'Zero Trust Architecture'¹¹.

Security requirements and increasing security and maturity levels are also defined to allow continuous improvement and defensive controls’ implementation against different classes of attackers and misuse cases, from unintentional misuse up to nation-state actors. IriusRisk automates the security levels and requirements found in the IEC 62443.

NIST 800-82¹²

NIST 800-82 provides guidance on how to secure ICS systems from typical threats and vulnerabilities while recommending security countermeasures to mitigate these risks.

It presents an ICS-tailored security control coverage based on NIST 800-53¹³ providing customization of controls as they would apply to the unique characteristics of the ICS domain.

NIST 800-82 provides a complete section (section 5) on integrating security into network architectures that are typically

found in ICS, with an emphasis on network segmentation and segregation practices.

This NIST guidance recognizes that network segmentation and segregation is one of the most effective architectural concepts that organizations can implement to protect ICS environments. It presents illustrative security architectures and recommendations on effective policies, configuration, and implementation.

The security control baselines are described in the NIST SP 800-53, which are tailored to ICS. It follows the same control allocation based on the impact (low, moderate, and high), which would be similar to the concept of security levels in the IEC 62443. Additionally, ICS supplemental guidance are added to control enhancement when needed.

Conclusion

While cloud integration and the IT/OT convergence trends have immense potential to improve industrial processes, there are still significant barriers to its secure implementation. We believe there is a need to shift the security left for an effective merging and integration of ICS's traditionally siloed networks and processes.

IriusRisk is uniquely positioned to assess the ICS system security, against the IEC 62443 standard series, as well as the risk and extended attack surface associated with its external connectivity with IT and cloud environments. The platform offers all the necessary guidance for this inevitable path ahead of ICS systems deployments.

References

‍