Industrial control systems (ICS) are high-value targets for cyberattacks. We provide specific best practices for securing industrial systems and for device manufacturers to follow when designing ICS products.
Industrial control systems (ICS) are everywhere: they run factories, control power generation stations, steer ships, and run water treatment plants. When industrial control systems malfunction, consequences can be catastrophic, and purposeful exploits of these high-value systems pose a grave threat. Nation-states with virtually unlimited resources are adding infrastructure disruption to their arsenal of cyberweapons.
Industrial control systems are often insufficiently hardened to prevent virtual or physical tampering. Their long expected lifetimes (often measured in decades) further compound security issues.
In this article, we review current cybersecurity threats facing industrial and infrastructure operators. We look into risks posed by unmanaged Single Board Computers (SBCs), like the Raspberry Pi (RPi). Finally, we list best practices for securing mission-critical systems and discuss the principles device manufacturers need to use when building ICS products.
The growing threat of industrial exploits
Perhaps the most well-known example of industrial sabotage occurred over a decade ago. Stuxnet was an exploit designed by Western intelligence agencies to cause damage to Iran’s nuclear program. The code hijacked an air-gapped SCADA system and caused centrifuges used for uranium enrichment to self-destruct.
Prior to Stuxnet, in 2007, Idaho National Laboratory conducted the Aurora Generator Test showing how a carefully crafted cyberattack can damage physical components on the power grid. Interestingly, while the attack targeted and successfully destroyed a diesel generator, it did so via a programmable digital relay on a circuit breaker, which then caused the generator to go out of phase. Even if a critical system is not vulnerable to direct attacks, ancillary systems can be exploited to cause failure through unplanned behavior.