For decades now, industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, have helped utilities to automate critical infrastructure. In the past, utilities often relied on "security through obscurity." Since these systems were highly customized, proprietary, and isolated, utilities assumed that only someone with specialized inside knowledge could gain access. That comforting assumption is no longer the case.
Utilities are increasingly using standard technologies, including hardware, operating systems, and databases, as well as open industrial protocols such as IEC 60870-5-104, distributed network protocol 3 (DNP3), and MMS/GOOSE (IEC 61850). Global initiatives—for example, operational technology (OT) platform convergence—are fueling this trend and will result in more ICS and SCADA equipment becoming connected to corporate networks.
Critical Services at High Risk for Attack
While technology convergence can improve efficiencies, enrich customer service, and reduce operating costs, it also dramatically increases the risk of critical services falling victim to a cyberattack.
Consider this: while conducting an ICS research study, the experts at Positive Technologies were able to remotely access more than 200,000 solar power stations because of a weak password encryption algorithm in the web server of one smart-grid manufacturer.
Security shortcomings like these are all too common. They leave your utility vulnerable to the full range of IT security risks, including cyberwarfare, and put entire populations at risk of losing basic services.
Common security problems that Positive Technologies has identified based on its experience performing ICS security assessments include:
- Uncontrolled connections—ICS components that should have strictly limited access are made vulnerable by unauthorized or unreported links to corporate networks or portable devices, often resulting from operators bypassing security settings on human machine interface (HMI) stations.
- Threats to system availability—non-ICS-specific malware or viruses are introduced to ICS components, causing system damage or downtime by triggering machine reboots or changing basic configurations.
- Password policy violations—when ICS systems become accessible via the Internet, default or weak passwords leave them exposed to cyberattacks.
Find Your Weaknesses
To keep your control systems both secure and operational, Positive Technologies can help you to proactively identify vulnerabilities and potential attack vectors, assess and prioritize threats, and remediate weaknesses, with a top-to-bottom approach that includes:
- ICS-specific security assessments from researching user activity to penetration testing, audits, and compliance checks; we take into account the very different security assessment goals, threat models, operational procedures, and organizational complexity that set utilities apart from other enterprises.
- Close cooperation with such leading ICS vendors as Honeywell, Schneider Electric, and Siemens. The regular security audits we conduct on these large-scale systems give us a full understanding of how to detect vulnerabilities and how to work with the vendor community to permanently eliminate them.
Get Smarter About Protecting Your ICS Investments
Smart grids and smart homes may be the future, but "smart" means that your services are always available, and therefore outages and interruptions from cyberattacks are unacceptable. When your ICS is exposed to a network, it is open to all of the network’s risks. ICS security cannot be effectively managed in isolation as separate segments or technologies, so you must consider a unified approach across all systems.
Positive Technologies helps many large manufacturing, petrochemical, utility, and transportation companies meet their ICS security challenges head-on. With unrivalled expertise in critical infrastructure protection backed by one of the world’s top research teams, Positive Technologies is the ideal partner to help you secure your ICS networks from bad actors so you can "keep the lights on".