They keep the lights on in cities and towns across the country. They control dams, chemical plants and an array of manufacturing processes.
And increasingly, these industrial control systems, or ICS, that power the nation’s critical infrastructure are accessible by hackers using the public Internet.
That was the warning issued Tuesday by a panel of current and former government cybersecurity officials who spoke at the Security Through Innovation Summit sponsored by Intel Corp. Industrial control systems — also known supervisory control and data acquisition systems, or SCADA systems — are supposed to be among the most secure computing systems in the country because of the importance of their processes to the nation’s economy and security.
“I’ve conducted over 500 assessments of critical infrastructure systems globally and in every instance I was told that there was no connectivity between the IT and the [Internet]. And in no instance did I ever find that to be accurate,” said Seán McGurk, senior vice president at Centripetal Networks Inc., and a former director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.
“On average there was about 11 direct connections between the industrial control environment and the enterprise architecture” at the company that owned and operated the infrastructure, McGurk said. “Some of them as innocuous as a shared printer resource connecting the enterprise architecture to the industrial control architecture because they wanted to save time and money. So there’s a lot of vectors and that’s really what the big challenge is.”
A two-year study of ICS systems connected to the Internet, code-named Project SHINE, found more than 2 million ICS-related devices exposed to the public Internet. That study was published in 2014. In addition, this reporter documented multiple occurrences of SCADA systems with direct links to corporate business networks as far back as 2002.
“The increased connectivity of control systems to the Internet and especially vulnerable control systems is something that we think is very worrisome,” said Michael Darling, director of enterprise performance management at DHS.
Darling said the department works through the ICS Cyber Emergency Response Team to push out anonymous data on intrusions and breaches to other ICS operators. “One of the things that we really believe is that one person’s breach should be everybody else’s protection,” he said.
According to Darling, a “sophisticated actor” recently targeted a small water plant in the Midwest, leading executives at the company wondering why they were targeted. “Sometimes it’s hard to divine the meaning behind the campaigns, but one of the answers was ‘because you’re an easy target,'” Darling said. “Security through obscurity in ICS on the Internet doesn’t work.”
Rod Turk, associate chief information officer for cybersecurity and chief information security officer at the Department of Energy, said a lot of work is underway to improve information sharing for ICS environments. “We’re working with our labs to develop a machine-to-machine-type of information sharing so that even at the speed of the machine we’re able to provide notifications out to our various entities and they can respond to a potentially evolving threat,” Turk said.
Real-time security detection has proven to be a significant challenge for the ICS environment, primarily because of the precision timing — often measured in milliseconds — involved in many of the processes these systems support.
But ICS network environments are known to be dated, McGurk said. “We always talk about on the IT side focusing on zero-day vulnerabilities. We still worry about zero-decade vulnerabilities on the industrial control side,” he said. “There are things that are out there that are unpatched and will remain unpatched because we just can’t do Patch Tuesday,” McGurk said, referring to Microsoft’s monthly security patch release schedule.