1660317421875 Howtoassessandaddressnetworkvulnerabilitieshero2

How to assess and address network vulnerabilities

Feb. 3, 2022
When is immediate ICS-OT patching mandatory?

We all know that information-technology (IT) cybersecurity experts are frequently updating and patching the organization’s network, computers, laptops and all devices that are exposed to the Internet. Obviously, this activity is incredibly important for compliance with the confidentiality-integrity-availability (CIA) triad, as applicable for IT operations. However, industrial-control-system (ICS) or operational-technology (OT) experts know well that every modification—hardware, software, application program—represents a risk to the operation safety. Consequently, they are not seeking to comply with the CIA triad or any of its rotated versions, such as IAC or AIC, but they must take a proactive action to comply with the safety-reliability-productivity (SRP) triad.

Also read: Postured to forge the digital future

After reviewing and understanding the principal differences between protecting the IT network and protecting the ICS-OT network, it’s important to conduct a detailed assessment of the ICS-OT architecture. During this process, we shall answer these questions:

  • Is the ICS-OT zone directly or indirectly exposed to external networks?
  • Does the industrial operation represent a safety risk?
  • Does the ICS-OT include unresolved cybersecurity vulnerabilities?
  • Are built-in measures capable of reducing the known impact?
  • Can exploitation of known vulnerabilities risk lives, cause damage to machinery, cause an operation outage or reduce the productivity?

Understanding these topics may lead to a critical management decision related to urgency of deploying a corrective action and patching a known vulnerability.

Identify the level of risk

Prior to deciding about the patching, it’s important to assess the risk of the ICS-OT operation. If the ICS-OT system is managing the operation of a chemical plant, water-treatment plant, refinery or combined-cycle power plant (CCPP), the risk to lives of people is high. On the other hand, if the system is monitoring the pressure along water pipes or performing a collection of data from utility meters, the risk is extremely low. The extended formula for calculating the risk level (R) takes into consideration four factors:

  • P—factor for probability of occurrence
  • I—factor for the level/severity of the impact
  • V—factor for unsolved vulnerabilities
  • D—factor for exiting defense measures, which assures the operating resiliency.

The calculated risk will obviously dictate the level of urgency for corrective actions.

R=I*P*V/D

ICS-OT network exposure

If the industrial zone is directly exposed to the Internet, the ICS-OT network can be seen on the Shodan website. If the ICS-OT is connected to an IT zone, which is exposed to the Internet, the IT attack might also compromise the ICS-OT operation by exploiting an unpatched vulnerability.

On the other hand, if the industrial zone is strongly isolated from the IT zone, using a unidirectional data diode or other strongly protecting appliance, attackers might perform only an internally generated attack, which requires physical access to the facility where the ICS-OT system resides. Lighter physical security—lack of guards, simple cameras or simple door locks —might encourage the attacker to initiate an internally generated attack. On the other hand, if the IT operation is not strongly protected and people are not trained to deal with social media risks, attackers might start with penetrating to the IT zone and in a next step compromise the barrier between the IT and ICS zones.

Known vulnerabilities

Vendors of industrial hardware and software often publish identified, reported and detected vulnerabilities and ask users to perform the recommended correction. However, can the responsible ICS-OT expert install them right away, similarly to what their IT peers are doing? The answer is “no” because modifications in the ICS-OT zone might risk lives, cause malfunction of industrial machinery or lengthy operation outages. Consequently, prior to deploying any modification, the team responsible for the ICS-OT Operation must ask:

  • Might an attacker access the critical component or zone and exploit the vulnerability?
  • Might exploitation of the vulnerability risk lives or cause severe damage to the plant?
  • Which attack vectors might be activated to access the critical ICS component or zone?
  • In case of indirect exposure via the IT zone, how strong is the segregating appliance?
  • What is the probability factor that an adversary might initiate an attack against the plant?
  • Is there an adequate safety instrumented system (SIS) installed to eliminate a severe impact?

Receiving answers to all of the above questions is not easy and requires involvement of an expert who understands the specific industrial process and cybersecurity solutions. The team may decide conducting a typical risk-management process may help reach the decision:

  • The plant may suffer just a minor impact and the organization may accept the risk.
  • The plant owns cybersecurity insurance, which covers the expected damage caused by an attack.
  • The organization may decide to take a risk-reduction action by degrading the productivity.
  • The plant manager may instantly stop the operation and implement the patching process.

Schedule the patching

Taking the above considerations, the plant management may decide to delay the patching process or schedule it during a weekend or a holiday without interrupting the operation. However, if the risk is high and alternative options are not possible, management may decide to stop the plant operation and immediately conduct the patching process. The decision must be taken during a collaborative discussion with ICS and IT cybersecurity experts, industrial process management experts, finance and legal teams and senior management.

Safety first

It’s important to remember that operation safety must always be the top-priority goal for industrial facilities, and none is allowed to delay a corrective action if a vulnerability might risk lives or cause severe damage, which might lead to a lengthy shutdown. According to ISO 27001-2013 Section 5 Paragraph 1, the CEO and the senior management are responsible for cybersecurity, which includes cyber defense compliance according to CIA and SRP triads as applicable.

About the author

Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts (SCCE). He presents at industry conferences in Israel and abroad; Ehrenreich has more than 45 years of engineering experience and more than 30 years of experience with ICS/OT for electric, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security. He was reselected as the chairperson for the 7th ICS Cybersec 2021 conference, planned in Israel for November 2022. Contact him at [email protected].

Sponsored Recommendations

2024 State of Technology Report: PLCs and PACs

Programmable logic controllers (PLCs) and programmable automation controllers (PACs) are the brains of the machine in many regards. They have evolved over the years.This new State...

2024 State of Technology Report: Packaging Equipment

Special considerations and requirements make packaging equipment an interesting vertical market unto itself. This new State of Technology Report from the editors of ...

High Sensitivity Accelerometers to Monitor Traffic and Railroad Vibration for Semiconductor Manufacturing

This paper examines highly sensitive piezoelectric sensors for precise vibration measurement which is critical in semiconductor production to prevent quality and yield issues....

Simulation for Automation Guide

How digital twin solutions are expanding the capabilities of plant engineers.