How to protect industrial systems from malware and targeted attacks

Over the past few decades, the automation of industrial systems has been steadily gaining momentum. In turn, the industrial facilities in which these systems are housed are now connected to the corporate network.

While this provides benefits – for example, it means they can be managed remotely – it has also brought new threats into the world of industrial automation.

The stable operation of today’s industrial networks could be disrupted by a number of factors – not just a headline-grabbing cyber attack but also a technical failure at a production unit, an operator’s error, a simple software error, or an accidental infection of workstations with malware.

Despite warnings from experts, until recently the concept of industrial control system (ICS) security was based on the premise that isolating a network would be sufficient to secure it from all threats.


This concept was conclusively shattered by the notorious Stuxnet: a computer worm of a modest 50KB in stature, which was used to penetrate an isolated network, re-configure programmable logic controllers (PLCs) and sabotage physical industrial processes within the targeted plant.

Not just Stuxnet

Whilst Stuxnet is the best-known example of how malware can negatively affect technology processes, it is not alone. Studies show that many industrial computers are infected with malware, where it can cause far greater damage than when it infects a regular office or home computer. For instance, it may block the operation of critical applications, thus leading to hardware failure.

In fact, the potential consequences may go far beyond anything the original malware author planned. For example, cases have emerged in which the Sality virus infected industrial networks – one recent modification copied the USB exploit that Stuxnet took advantage of (though not for the purpose of re-configuring PLCs).

In one case, the Conficker worm infected an industrial network on which Windows had not been updated. The worm sent millions of network requests, disrupting the operation of the entire industrial network.

Maintaining the stable, continuous and proper running of a technological process is the main task of an ICS. In fact, this is the key task of any industrial enterprise, whether in power generation, water treatment or another sector. If that technological process is disturbed, it may lead to lost profits, loss of business, a technological disaster or even loss of life.

To address this problem comprehensively, ICS need the security procedures that are standard for corporate IT systems: auditing, penetration testing, vulnerability scanning and training courses for personnel.

These procedures are often lacking, however. Unfortunately, many ICS, once commissioned, are formally preserved in the same state for the many years they remain in use.


Strict corporate regulations and standards prohibit any changes or modifications to a once-certified system, even operating system or software security updates. At the same time, these systems may be accessed remotely – for example, to update software or re-configure the system. The uncontrolled use of personal devices and the movement of removable media in and out of the facility introduce a further level of risk.

Ensuring ICS security

It is important to follow a comprehensive, process-oriented approach. Here are five tips for ensuring industrial systems are protected from both regular malware and sophisticated targeted attacks.

1. Deny the default

Industrial enterprises should enact default-deny mode as a standard policy. In this mode, the ICS works in a protected environment which only allows the running of programs specifically required for the technological process to function. All unknown and unwanted applications, including malicious programs, are blocked. Thus, a secure running environment is created with minimum load on system resources.

2. Be proactive

Proactive protection against unknown malicious programs, together with automatic exploit prevention, lets enterprises scan executable programs and assess the security of each application by monitoring its activity while it runs.

3. Audit devices

Device control technology helps to manage removable devices (USB storage, GPRS modems, smartphones, USB network cards) and create limited lists of permitted devices and the people who can access them.

4. Get a bird’s eye view

An all-in-one IT security console helps to monitor and control every security solution deployed. From the single management console, admins can install, configure and manage protection, and access reports.

5. Integrate with other systems

Integration with SIEM (security information and event management) allows administrators, using special connectors, to export information about security incidents at protected nodes of the technological network into the corporate SIEM system.
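Tips 1, 3 and 5 describe three decisions that an endpoint agent on an ICS workstation has to make: may this executable run, may this removable device be used by this user, and how is a block reported to the corporate SIEM. The following Python sketch is an added example, not code from the article or from any Kaspersky Lab product; it shows a default-deny allowlist keyed on path and SHA-256, a device list that also names the authorised users, and CEF-formatted export of every block decision. All paths, binary contents, device IDs, user names and the vendor/product names in the CEF header are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed "golden image": the only executables the process needs. On a
# real host the hashes are taken from the commissioned system, never typed in.
GOLDEN_IMAGE: Dict[str, bytes] = {
    r"C:\ICS\hmi\hmi_runtime.exe": b"HMI-RUNTIME-7.2 (constructed bytes)",
    r"C:\ICS\historian\hist_client.exe": b"HISTORIAN-CLIENT-3.1 (constructed bytes)",
}
ALLOWED_APPS = {p: hashlib.sha256(b).hexdigest() for p, b in GOLDEN_IMAGE.items()}

# Device control: removable-device vendor:product id -> users allowed to use it.
PERMITTED_DEVICES: Dict[str, set] = {
    "0781:5583": {"maintenance"},  # constructed id for the engineering USB stick
}


@dataclass(frozen=True)
class Decision:
    kind: str      # "process" or "device"
    subject: str   # executable path or device id
    user: str
    allowed: bool
    reason: str


def check_process(path: str, image: bytes, user: str) -> Decision:
    """Tip 1, default-deny: run only if the path is allowlisted AND the hash matches."""
    expected = ALLOWED_APPS.get(path)
    if expected is None:
        return Decision("process", path, user, False, "not on allowlist")
    if hashlib.sha256(image).hexdigest() != expected:
        # Same path, different bytes: the commissioned binary has been replaced.
        return Decision("process", path, user, False, "hash mismatch")
    return Decision("process", path, user, True, "allowlisted")


def check_device(device_id: str, user: str) -> Decision:
    """Tip 3, device control: the device and the user must both be on the list."""
    users = PERMITTED_DEVICES.get(device_id)
    if users is None:
        return Decision("device", device_id, user, False, "device not permitted")
    if user not in users:
        return Decision("device", device_id, user, False, "user not authorised for device")
    return Decision("device", device_id, user, True, "permitted")


def _cef_escape(value: str, header: bool = False) -> str:
    # CEF: backslash is escaped everywhere, '|' in the header, '=' in extensions.
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(d: Decision, when: Optional[datetime] = None) -> str:
    """Tip 5, SIEM export: render one decision as an ArcSight CEF line."""
    when = when or datetime.now(timezone.utc)
    action = "allow" if d.allowed else "block"
    header = [
        "HypotheticalVendor", "ICS-Host-Guard", "1.0",   # constructed vendor/product
        f"{d.kind}-{action}", f"{d.kind} {action}ed",
    ]
    ext = {"rt": when.strftime("%b %d %Y %H:%M:%S"), "act": action, "suser": d.user}
    ext["fname" if d.kind == "process" else "deviceExternalId"] = d.subject
    ext["reason"] = d.reason
    severity = 2 if d.allowed else 7
    return "CEF:0|" + "|".join(_cef_escape(h, True) for h in header) \
        + f"|{severity}|" + " ".join(f"{k}={_cef_escape(v)}" for k, v in ext.items())


# Constructed event stream as an endpoint agent might see it during one shift.
SAMPLE_EVENTS: List[dict] = [
    {"type": "process_start", "user": "operator", "path": r"C:\ICS\hmi\hmi_runtime.exe",
     "image": GOLDEN_IMAGE[r"C:\ICS\hmi\hmi_runtime.exe"]},
    {"type": "process_start", "user": "operator", "path": r"C:\ICS\hmi\hmi_runtime.exe",
     "image": b"HMI-RUNTIME-7.2 (constructed bytes) + unexpected patch"},
    {"type": "process_start", "user": "operator",
     "path": r"C:\Users\operator\Downloads\update.exe", "image": b"anything"},
    {"type": "usb_insert", "user": "maintenance", "device_id": "0781:5583"},
    {"type": "usb_insert", "user": "operator", "device_id": "0781:5583"},
    {"type": "usb_insert", "user": "maintenance", "device_id": "1a2b:3c4d"},
]


def evaluate(events: List[dict]) -> List[Decision]:
    """Apply the policy to each event; unknown event types are ignored."""
    out = []
    for ev in events:
        if ev["type"] == "process_start":
            out.append(check_process(ev["path"], ev["image"], ev["user"]))
        elif ev["type"] == "usb_insert":
            out.append(check_device(ev["device_id"], ev["user"]))
    return out


def export_blocks(decisions: List[Decision]) -> List[str]:
    """Only block decisions are shipped to the corporate SIEM."""
    return [to_cef(d) for d in decisions if not d.allowed]


if __name__ == "__main__":
    for line in export_blocks(evaluate(SAMPLE_EVENTS)):
        print(line)
```

Two design points matter more than the code itself. The allowlist is keyed on the hash as well as the path, so a replaced binary at a permitted location is still blocked; and the device list names the users who may use each device, which is what turns a simple USB block into the "permitted devices and the people who can access them" control of tip 3. Running the script prints four CEF lines, one per block decision, in the form a SIEM connector would forward.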


Maintaining the reliability and safety of industrial processes requires reliable protection of the ICS against all hazards, including cyber threats.

It is therefore not only important to adhere to the points above but also to create a multi-layered, highly configurable defence to protect critical infrastructure and the societies that depend on it.


Sourced from David Emm, Kaspersky Lab


Ben Rossi
