In March 2016, Iranian hackers conducted a cyberattack against a critical infrastructure target located in New York, successfully taking control of a government computer system. The target wasn’t a nuclear power plant or a major defense contractor. It was the Bowman Avenue Dam in the small town of Rye Brook — a modest dam on a creek that runs beside an interstate near a Chipotle. This 20-foot structure is hardly the type of target anyone would expect to find on a list of Iranian priorities. But the successful attack sent an important signal to government agencies who operate industrial control systems: The threat is real.
Industrial control systems are nothing new — government agencies and private companies have used ICS tech to run critical infrastructure and industrial processes for decades. However, the emergence of the Internet of Things (IoT) has rapidly and dramatically changed the threat environment for these systems.
ICS devices that previously sat underneath desks in the bowels of a government office are now connected to the internet, allowing them to offer real-time analytics and remote management. Unfortunately, that same capability can also expose ICS devices to remote attacks, creating the potential for attackers to cause utility outages and dangerous operating conditions.
The National Institute of Standards and Technology recognizes the importance of securing these systems as well as the burden facing understaffed government agencies that are often responsible for operating them. NIST’s “Guide to Industrial Control Systems (ICS) Security” provides detailed information on securing these systems against modern threats. Here are a few key steps state and local government agencies can take today to reduce the risk of a compromised ICS.
1. Agencies Should Locate and Inventory ICS Components
Before agencies can apply appropriate security controls to their ICS components, they must have an accurate inventory of them. Industrial control systems are often installed and managed by departments responsible for infrastructure operations, sometimes outside of the purview of IT teams, because they are viewed as infrastructure components rather than technology systems.
Cybersecurity teams launching an ICS security effort should begin by soliciting information from other departments on the type and nature of any ICS components operated by agencies under their purview. It may be helpful to provide officials with descriptions of how these systems are commonly used to help identify them.
2. Conduct a Risk Assessment of ICS Components
After developing an accurate inventory of ICS components, cybersecurity teams should turn to a risk assessment designed to determine the likelihood and impact of potential attacks against each system. Conducting automated vulnerability scans provides crucial information to assist in this assessment process, identifying systems with known vulnerabilities as well as those exposed to the public internet. The risk assessment should yield a prioritized list of systems requiring remediation.
3. Segment ICS Networks
Many successful ICS attacks occur when system components are inadvertently connected to the internet and assigned public IP addresses. Other attacks occur when an adversary compromises a normal workstation on a government network and then uses that workstation as a jumping-off point to identify critical infrastructure components running on the same network.
Network segmentation limits an attacker’s ability to conduct these simple scans and is, therefore, one of the most important controls available to boost ICS security. ICS components should be placed on special-purpose networks dedicated to sensitive control systems. Administrators should only access these networks by using a physically connected terminal or connecting to an administrative VPN that requires strong multifactor authentication.
Network segmentation does not necessarily require the use of expensive, dedicated networks. Instead, agencies can use logical security controls in firewalls and network devices to isolate sensitive systems from other devices. NIST’s ICS security guide provides information on using firewall rules to protect ICS devices.
257: the number of new ICS vulnerabilities discovered in 2018, a 30 percent increase over 2017. Source: ptsecurity.com, “ICS vulnerabilities: 2018 in review,” April 11, 2019
4. Monitor ICS Component Security
Cybersecurity teams understand the importance of real-time monitoring of systems and networks. Most government agencies now either operate their own security operations centers or utilize a shared-service SOC that correlates information from multiple agencies. Security logs from ICS devices should be fed into the monitoring tools used by SOCs, and SOC analysts should be trained to identify and prioritize potential threats to critical infrastructure systems.
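The segmentation policy from step 3 and the SOC monitoring from step 4 meet in a check like the following, an added example that is not from the article or the NIST guide: it parses constructed firewall flow records and flags traffic that violates an assumed ICS segmentation policy (a dedicated 10.50.0.0/24 control segment reachable only from an admin VPN pool on the expected ports, and never exposed to or reaching the public internet). The subnets, ports and log format are assumptions for illustration.

```python
import ipaddress
# Constructed network plan for this example (assumed; not from the article or the NIST guide)
ICS_NET = ipaddress.ip_network("10.50.0.0/24")           # dedicated control-system segment
ADMIN_SOURCES = [ipaddress.ip_network("10.99.0.0/24")]   # admin VPN pool (MFA-gated); a physically
                                                         # connected terminal sits inside ICS_NET
ALLOWED_PORTS = {502, 22}                                # Modbus/TCP and SSH only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in RFC1918)  # anything outside RFC 1918 space is treated as public

def parse_flow(line):
    """Parse one constructed 'ts src=.. dst=.. dport=.. action=..' firewall flow record."""
    ts, *tokens = line.split()
    f = dict(tok.split("=", 1) for tok in tokens)
    return {"ts": ts, "src": ipaddress.ip_address(f["src"]),
            "dst": ipaddress.ip_address(f["dst"]), "dport": int(f["dport"])}

def classify(flow):
    """Return an alert label when a flow breaks the segmentation policy, else None."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if dst in ICS_NET:
        if src in ICS_NET:
            return None                                   # intra-segment traffic is expected
        if not is_internal(src):
            return "ICS segment reached from the public internet"
        if not any(src in net for net in ADMIN_SOURCES):
            return "non-admin workstation reaching ICS segment"
        if dport not in ALLOWED_PORTS:
            return f"admin source using unexpected port {dport}"
        return None
    if src in ICS_NET and not is_internal(dst):
        return "ICS device initiating outbound internet connection"
    return None

def analyze(lines):
    """Run each record through the policy; return (ts, src, dst, label) tuples for the SOC."""
    alerts = []
    for flow in map(parse_flow, lines):
        label = classify(flow)
        if label:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), label))
    return alerts

# Constructed flow records; documentation ranges (198.51.100/24, 203.0.113/24) stand in for public IPs
SAMPLE_FLOWS = [
    "2019-05-01T08:00:01Z src=10.99.0.7 dst=10.50.0.10 dport=22 action=allow",       # VPN admin, SSH: fine
    "2019-05-01T08:00:05Z src=10.50.0.250 dst=10.50.0.10 dport=502 action=allow",    # terminal to PLC: fine
    "2019-05-01T08:01:12Z src=10.20.1.15 dst=10.50.0.10 dport=502 action=allow",     # office workstation pivot
    "2019-05-01T08:02:30Z src=198.51.100.23 dst=10.50.0.11 dport=502 action=allow",  # inadvertent public exposure
    "2019-05-01T08:03:44Z src=10.99.0.7 dst=10.50.0.11 dport=3389 action=allow",     # admin, but RDP not allowed
    "2019-05-01T08:04:10Z src=10.50.0.12 dst=203.0.113.5 dport=443 action=allow",    # PLC calling out
]
```

Running `analyze(SAMPLE_FLOWS)` yields four alerts, one for each of the last four records; the same classifier can be pointed at real firewall exports once the subnets and ports reflect the agency's inventory.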
5. Build Security into IoT Deployments
Smart city and smart state initiatives are driving the rapid adoption of IoT technology across all levels of government. Citizens are demanding smart lighting, streets and sewers from agencies that struggle to maintain these technologies. As IoT deployments increase, agencies should develop IoT security requirements that are built into future requests for proposals and become standard operating procedure for agency technologists. Incorporating security requirements at the design phase goes a long way toward improving the efficiency and effectiveness of security operations when the system goes into production.
This is a unique moment in the evolution of government technology. Advances in industrial control systems and IoT promise to bring new levels of insight and control to the delivery of government services. As these advances proliferate, government technology leaders should ensure both legacy and future deployments are protected against the security threats that seek to undermine them.
Illustrations by Michael Morgenstern