Targeted attacks against Industrial Control Systems (ICSs) by terrorists pose a threat to most nations around the world.
"Industrial control system" is a collective term for several types of control systems and their associated instrumentation: the devices, systems, networks and controls used to operate and/or automate industrial processes.
As remote telemetry units that once only relayed measurements and setpoint changes become capable of local control, and as the Internet of Things (IoT) and Industrial IoT continue to grow, strategies for protecting ICSs from security threats need to be top of mind.
There are many ideas among cybersecurity professionals on how to better protect ICSs from cybercrime. ICSs have always presented notoriously difficult security challenges because their firmware and control logic are often embedded in proprietary hardware or aging computer platforms that are difficult or impossible to monitor and secure. Attackers who target these systems use sophisticated tactics, techniques and procedures (TTPs) to compromise sensitive systems and then erase the evidence of their activity on the compromised hosts.
An entire industry has sprung up to address this problem with network segmentation and secure overlay networks, approaches chosen precisely because they require no agents or instrumentation on the ICS assets themselves. But they do not address the general lack of visibility into existing systems, or the difficulty of maintaining a real-time view of what is happening in these hard-to-monitor deployments.
The general consensus is that there are several events organizations should watch for in order to detect and investigate ICS breaches.
Perhaps at the top of that list: Any login event by an unusual client to a system containing ICS data can be seen on the network and should raise an alarm. If a new user or client logs in, it’s worth investigating.
Also watch for any traffic from an ICS system to unusual external IP space. This is detectable on the network and warrants immediate investigation; because ICS hosts normally have few or no legitimate external destinations, a short allowlist of expected partner ranges is usually enough to define "unusual".
Additionally, if an unusual client attempts to access a database containing ICS data, that may not be a sign of malicious intent per se. However, the client's immediate behavior can indicate whether it is malicious. For instance, if a suspicious client sends a SELECT statement to the database requesting sensitive data, that would be cause for alarm.
Even more alarming would be a DROP (or DELETE or TRUNCATE) statement against the audit table of that database, removing the record of recent access. The content of these queries would still be visible on the network to the right analytics platform, provided the database session is not encrypted end to end or the platform can decrypt it, but would be invisible to anything relying on logs from the database or associated devices.
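To make the four indicators above concrete (a login from a client never seen before, outbound traffic from an ICS host to unexpected external space, an unknown client reading sensitive tables, and a destructive statement against the audit table), here is an added example that is not from the original article or from any product it mentions. It triages constructed records of the kind a network analytics platform would extract from traffic: logins to ICS hosts, outbound flows, and parsed SQL statements. The addresses, host roles, table names and the allowlisted vendor range are hypothetical, and the external addresses use RFC 5737 documentation ranges.

```python
"""Added example: triage the ICS indicators described above from records that a
network analytics platform might extract from traffic. The records, hosts,
addresses and table names below are constructed for this example; they are
not real captures and not from any particular product."""
import ipaddress
import re

# Hypothetical site configuration.
KNOWN_CLIENTS = {"10.10.1.20", "10.10.1.21"}        # HMI and engineering workstations
ICS_HOSTS = {"10.10.5.5", "10.10.5.6"}              # PLC gateway and historian database
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical vendor support range (TEST-NET-3)
SENSITIVE_TABLES = {"setpoints", "tag_history"}
AUDIT_TABLES = {"audit_log"}

SQL_VERB = re.compile(r"^\s*(\w+)")
# Table names after FROM / INTO / UPDATE / JOIN / TABLE / TRUNCATE, with an optional TABLE keyword.
SQL_TABLES = re.compile(r'\b(?:from|into|update|join|table|truncate)\s+(?:table\s+)?[`"]?(\w+)', re.I)


def classify_sql(stmt):
    """Return (VERB, {table names}) for one SQL statement seen on the wire."""
    m = SQL_VERB.match(stmt)
    verb = m.group(1).upper() if m else ""
    return verb, {t.lower() for t in SQL_TABLES.findall(stmt)}


def is_unexpected_external(dst):
    """True for a destination outside RFC 1918 space that is not an allowlisted partner.
    RFC 1918 is listed explicitly because ipaddress.is_private would also treat the
    documentation ranges used in this example as private."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL_NETS + ALLOWED_EXTERNAL)


def analyze(events):
    """Map each record to an alert, if any. Severity: 4 = audit trail tampering,
    3 = data leaving the ICS zone or an unknown client reading sensitive data,
    2 = a login from a client never seen before. Highest severity first."""
    alerts = []
    for ev in events:
        src, dst, kind = ev["src"], ev["dst"], ev["kind"]
        if kind == "login" and dst in ICS_HOSTS and src not in KNOWN_CLIENTS:
            alerts.append((2, f"new client {src} logged in to ICS host {dst}: investigate"))
        elif kind == "flow" and src in ICS_HOSTS and is_unexpected_external(dst):
            alerts.append((3, f"ICS host {src} sent {ev['bytes']} bytes to unexpected external {dst}"))
        elif kind == "query":
            verb, tables = classify_sql(ev["sql"])
            hit_audit = tables & AUDIT_TABLES
            hit_sensitive = tables & SENSITIVE_TABLES
            if verb in {"DROP", "TRUNCATE", "DELETE"} and hit_audit:
                alerts.append((4, f"{src} ran {verb} against audit table {sorted(hit_audit)} on {dst}"))
            elif verb == "SELECT" and src not in KNOWN_CLIENTS and hit_sensitive:
                alerts.append((3, f"unknown client {src} read sensitive {sorted(hit_sensitive)} on {dst}"))
    return sorted(alerts, key=lambda a: -a[0])


# Constructed records standing in for parsed logins, flows and SQL statements.
SAMPLE_EVENTS = [
    {"kind": "login", "src": "10.10.1.20", "dst": "10.10.5.6"},                    # known HMI: quiet
    {"kind": "login", "src": "10.10.9.77", "dst": "10.10.5.6"},                    # never seen before
    {"kind": "flow", "src": "10.10.5.5", "dst": "203.0.113.10", "bytes": 1200},    # allowlisted vendor
    {"kind": "flow", "src": "10.10.5.5", "dst": "198.51.100.23", "bytes": 40960},  # unexpected external
    {"kind": "query", "src": "10.10.1.20", "dst": "10.10.5.6",
     "sql": "SELECT tag, value FROM tag_history WHERE ts > NOW() - INTERVAL 1 DAY"},  # known client
    {"kind": "query", "src": "10.10.9.77", "dst": "10.10.5.6",
     "sql": "SELECT tag, value FROM tag_history WHERE ts > NOW() - INTERVAL 1 DAY"},  # unknown client
    {"kind": "query", "src": "10.10.9.77", "dst": "10.10.5.6", "sql": "DROP TABLE audit_log"},
    {"kind": "query", "src": "10.10.9.77", "dst": "10.10.5.6",
     "sql": "INSERT INTO audit_log (who, what) VALUES ('svc', 'read')"},         # ordinary write: quiet
]


def demo():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sev, msg in demo():
        print(sev, msg)
```

Run as a script, the DROP against the audit table sorts to the top, ahead of the outbound transfer and the unknown client's read of tag_history; the known HMI's identical SELECT and the ordinary INSERT into the audit table produce nothing. In practice the query records would come from a sensor parsing the database protocol off a network tap or span port, which is what keeps the tampering visible after the audit table is gone. If the database session is TLS-encrypted the sensor needs the session keys or a decrypting proxy; otherwise only connection metadata (the unusual client, the volume, the destination) survives, and the first two checks still apply.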
Want to learn more? Tonex offers ICS Cybersecurity Training, a 4-day course designed to give security professionals and control system engineers the advanced cybersecurity skills and knowledge needed to protect Industrial Control Systems (ICSs) and keep their industrial operating environment secure against cyber threats.
Additionally, Tonex offers nearly three dozen more courses in Cybersecurity Foundation. This includes cutting-edge courses like:
For more information, questions, comments, contact us.