Remote Monitoring Learning Center logo
Phone headset
Expert Helpline

Top 6 ICS Security Weaknesses And How To Avoid Them

Morgana Siggins
Morgana Siggins
Monitoring Specialist

Industrial Control Systems security, or simply "ICS security", aims to safeguard industrial control systems.

The security of Industrial Control Systems was something much simpler before the web. The only main concern companies had was about physical facilities. With the advent of the internet, however, cyber-attacks threats came along as well.

Nowadays, mission-critical data flows through your network. The threat of cyber-attacks is greater than it ever was. Every network element has to have protection to keep people out of where they shouldn't be. With increased automation of your systems, the impacts of these attacks on your elements could impact core system operations.

As a result, you need to make sure that your data is confidential and that unauthorized people won't have access.

People and technology must work together to develop processes that can fight intentional - or accidental - security threats. So, let's take a look at some facts about ICS security, its top six weaknesses, and what you can do to avoid them at your company.


ICS Security and SCADA Security

SCADA (Supervisory Control and Data Acquisition) is one of the most common types of ICS. SCADA networks are responsible for providing automated control and remote human management of essential services, such as water, natural gas, electricity, and transportation to millions of people.

SCADA is one of the types of ICS. In order to protect your SCADA implementation, it's important for you to adopt strong ICS security measures.

SCADA security involves the protection used for SCADA networks. SCADA systems need to be protected because, just like any other network, they are under threat from cyber-attacks that could bring them down quickly.

As a result, it's critical that you implement robust ICS security measures to protect your SCADA system and safeguard your infrastructure.


ICS Security Threats

Every organization that works with industrial control systems is vulnerable to ICS security risks.

These threats can include:


Some Quick Stats about ICS Security

In 2016, the US Cybersecurity and Infrastructure Security Agency (CISA), conduct 130 assessments in FY 2016. The following image shows us their results.

You can read all of the details in the full CISA PDF report


The 6 Most Common ICS Security Issues

According to ICS-CERT Annual Assessment Report FY 2016, "For the third consecutive year, ICS-CERT assessment teams found weaknesses related to boundary protection to be the most prevalent."

The table below shows us the most recurring weaknesses in terms of ICS security.


Now that we know what the six most commons breaches in ICS security are, it's important to learn how you can handle them in order to protect your system. So, let's dive in.


1. Boundary Protection: As Internet Risks Increase, You Need a Remote Access Security Solution

Almost every day you hear about a new computer virus or web browser security hole.

Now these dangers aren't just for ordinary PCs, but also for any ICS network equipment that supports a web interface.

Network experts - and regulatory bodies - are growing concerned that fundamental network equipment might be vulnerable to Internet-based attacks. New best-practice standards recommend that network equipment should be secured from open Internet access.

The good news is, if you have a T/Mon master station in your SCADA system, you are already significantly protected. T/Mon features secure Web access over HTTPS, multiple NICs with zero routing between them, and other security features.

If you usually connect to your T/Mon from the public Internet, or if you need to meet corporate security procedures, it's recommended to use the HTTPS Software Module.

Power-utility telecom departments in particular should consider emerging security standards, because it may bring them in advance compliance with future security standards from the North American Electric Reliability Council (NERC).

NERC is developing a new reliability standard called Cyber Security Standard CIP-002-1. This new standard recommends a number of security procedures for computer-controlled systems, including restriction of unnecessary network services, securing dial-up modem connections, anti-virus software, and formal policies for administering user access and passwords.

According to NERC representatives, Cyber Security Standard CIP-002-01 applies only to systems that control electrical generation and transmission, but in the future, similar standards will likely apply to telecom equipment as well.

How Does T/Mon HTTPS Work?

The HTTPS Software Module supports Hypertext Transfer Protocol over TLS.

Enter "https" to log in using a secure HTTPS connection. The lock icon indicates that this is a secure, encrypted connection.

When a Remote Access user connects to the T/Mon using HTTPS, the T/Mon Web Server establishes a secure connection to the user's Web Browser. Data passing through the secure connection is encrypted, protecting the data from eavesdropping and "man in the middle" attacks.

To connect to T/Mon over HTTPS, the user simply types https://, followed by the IP address of the T/Mon system, into the address bar of their web browser..

When connected, the web browser window will display a lock icon to indicate a secure encrypted connection. The user may then log on and use the T/Mon system normally, with high security.


2. Least Functionality: Secure your Network by Avoiding Building More Capability than What You Need

SCADA systems are capable of providing you with a wide variety of functions. Some of these functions, normally provided by default, may not be necessary for your monitoring needs. Extraneous features, such as 3rd-party modules or "bells & whistles" potentially compromise your network without any added value.

When you have unused or unnecessary features, it increases the danger of unauthorized connection on your devices, unauthorized transfer of information, and unauthorized tunneling.

For this reason, it's important to restrict your SCADA system functionalities to a bare minimum of must-have features you can't function without.

Review the functions and features provided by your SCADA system to determine which capabilities are candidates for elimination.


3. Identification and Authentication: Don't Leave your Network Vulnerable

Securing your SCADA & ICS systems from unauthorized users can be difficult. Even so, you can't afford to leave your network vulnerable.

You need an RTU platform that has a lot of power to provide you with advanced security measures. Although there are many different remotes and build options in the market, you need one that includes SNMPv3 encryption as a standard feature.

Individual remote devices like the NetGuardian 832A G5 are used to convert data to encrypted SNMPv3 at each individual site. This decentralizes your points of failure and allows for conversion before unencrypted data leaves each building.

The SNMPv3 protocol features several enhancements over earlier versions, but security is the most significant in the majority of SNMP applications.

SNMPv3 messages may be protected in 2 ways, including encryption to protect the contents of any intercepted traps. SNMPv3 encrypts messages using CBC-DES encryption, a part of the Universal Security Model (USM).

The EngineID in SNMPv3 uniquely identifies each SNMP entity. Conflicts can occur if two SNMP entities have duplicate EngineIDs. The EngineID is used to generate the key for authenticated messages.

Here are the 2 types of security available in SNMPv3:

  1. Authentication

    Authentication is used to ensure that traps are read by only the intended recipient. As messages are created, they are given a special key that is based on the EngineID of the entity. The key is shared with the intended recipient and used to receive the message.

  2. Privacy

    The other of the two SNMPv3 security types, Privacy encrypts the payload of the SNMP message to ensure that it can't be read by unauthorized users. Any intercepted traps will be filled with garbled characters and will be unreadable. Privacy is especially useful in applications where SNMP messages must be routed over the internet.

The NetGuardian G5 is a good example of RTU that can report alarms in SNMP v1, v2c, or v3. This allows you to report alarms, no matter what SNMP version you are using (of course, in this context, we highly value the security of SNMPv3).

The NetGuardian G5's ability to provide security is enhanced by its support of up to four v3 user profiles. Each user is assigned a unique set of security parameters, including authentication and/or privileged access.

Authentication can be based on the MD5 or SHA algorithm. With either option, messages may be encrypted using DES 56-bit encryption based on the CBS-DES standard, allowing for maximum security and flexibility.

This is key for companies that require high levels of security, authorization, and access control.

You also have the ability to choose which SNMP versions are permitted to talk with your NetGuardian. By allowing v3 access only, you require all users and SNMP managers to use v3's enhanced security. In cases where security is less of a concern, you might choose to allow all SNMP versions.


4. Physical Access Control: You Need to Monitor the Whole Facility, Not Just Your Equipment

Is your expensive equipment kept in nondescript equipment huts or at remote unmanned sites? These sites are at great risk for vandalism and theft, simply because of their remote location, lack of visible human presence, and minimal security deterrents.

That's exactly why you need to monitor your facilities closely. Monitoring the factors that you can't control will keep you a step ahead of potential threats to your network, safeguarding your system and protecting your investment.

Site security is an especially important consideration. Regulating and controlling personnel access is vital to protecting and maintaining expensive gear. Increased site security acts as an obstacle to vandalism and theft due to your ability to monitor facility access.

This added security can give you peace of mind that only authorized personnel access your facilities.

To get the best security of remote entries, you need a keyless access control, such as the Building Access System (BAS).

The BAS consists of an Entry Control Unit device, keypads, and card readers.

BAS is a comprehensive building management system that integrates into an existing alarm management platform. With this system in place, a log of all site access, including the time of day and location that access was granted, is maintained. Also, alarms such as intrusions and excessive access attempts are reported to T/Mon on a per-door basis.

The Building Access System gives network alarm managers the ability to control and regulate door entry access. With a built in fault tolerance system this security management system can efficiently control your sites.

You'll have complete visibility of all your sites simultaneously, as well as have some record of who was in your building. This provides valuable security to your sites and deters theft, break-ins and vandalism. These are unfortunate realities especially for remote sites and you can't afford to leave your facilities vulnerable.


5. Audit Review, Analysis and Reporting: Trending Lets You See Things Hiding in Plain Sight

Sometimes it's impossible to find security breaches without gluing yourself to your screen 24x7. Unless, of course, your RTU supports analog trending and graphing.

Trending is a massive help for multiple reasons - it ultimately makes the invisible become painfully obvious.

The NetGuardian 480 G4 web interface features analog graphing. It takes the data points from its internal log to do trending and analysis. You can also output the raw data to a CSV file.

Some monitoring devices have analog trending capabilities built into their web interface. If you have this feature, then you're ahead of the game. The next step is utilizing it to understand your analogs and overall network health.

Looking at raw analog trend data is a good first step, but it's still easy to miss something.

Using graphs to visually represent analog data can make trends and potential problems stand out like a sore thumb.

Once you have a graph, some devices also allow you to export history as CSV. You can use Excel to create reports, or import the data into SQL server for further analysis or raw queries with the tool of your choice.

URL-based CSV retrieval allows you to write a recurring cron job to extract a CSV on a regular basis, daily for example, so you're always collecting and logging events as well as storing them in your company's central server (SQL for instance).

GET parameters can be used with the history.csv or the eventlog.csv request to filter the returned data. When no GET parameters are supplied, all data will be returned in CSV format.


6. Authenticator Management: NetGuardian RADIUS Make It Easy to Integrate Your Remotes into Your Overall Enterprise Management

The communication between the NOC and remote access points are a vital piece of the puzzle in a SCADA system.

Without the ability for a technician to access the database of alarms and activities, or for the administrator to edit permissions and usage restrictions, you may as well be attempting to fly blind. While allowing wide open access from across the network is out of question, many people have tried to implement various security measures to verify the user attempting to gain access.

One of these methods is through the utilization of RADIUS.

Having an RTU with RADIUS compatibility provides an easy way to control and monitor extensive access to your critical network equipment.

RADIUS - Remote Authentication Dial In User Service - is an industry-standard way to manage logins to many different types of equipment in one central location. Using the client/server format, RADIUS passes user information to designated servers and acts on the response that is returned.

The basic architecture is very simple: many RADIUS devices connect to a central RADIUS server. The tasks of the server include receiving client requests to connect, authentication of the user, and the return of configuration information necessary for the client to deliver services to the user.

Every time a device receives a login attempt (usually a username and password), it requests an authentication from the central RADIUS server. If the username and password combination is found in the server's database, an affirmative "access granted" reply is sent back to the device, allowing the user to connect.

Also included in the reply are the user's individual access rights, so different users can be granted different privilege levels.

If the user's login attempt is not found, a rejection is returned instead.

A user login consists of several steps:

  1. Query (Access-Request)

  2. Response (Access-Accept/Reject/Challenge and corresponding parameters)

  3. Reply (Client acts upon information received by server)

Another built-in feature of RADIUS authentication methods is the ability to account for all attempts at access, authorization, and user activities while utilizing one of the many client devices.

NetGuardian remotes have a long history of protecting access to your alarms. For many years, they've required a username and password for remote access. And now, with the ability to pass login attempts to your RADIUS server, you gain several additional advantages, such as:

  1. Virtually Unlimited Users

    With RADIUS, the number of user logins you can support is huge. It's almost impossible that you would ever run out.

  2. Centralized Management

    You'll also be able to manage your logins from your central RADIUS server. You'll never have to worry about updating any single remote. If an employee leaves your company, you can revoke their access rights very easily.

  3. Integration with Enterprise Management

    When your alarm remotes use the same RADIUS authentication method as your other important gear, you significantly reduce the complexity of managing your equipment. It's always easier to manage a single umbrella than it is to keep track of multiple unrelated systems.


It's Time to Re-Evaluate Your General ICS Security Practices

It's vital that you take some time to re-evaluate your general security practices surrounding the remote monitoring of your automation system.

We offer several technologies that are favored by security-focused companies and government agencies, including:

If you're a looking for a secure RTU, consider the NetGuardian 832A with hardware acceleration support SNMPv3 to send encrypted traps to your master so unintended recipients can't simply look at the messages. This series also features other security functionalities, such as HTTPS for secure web viewing of the alarm data. All NetGuardian 832/864 G2-G5 series support "IP table" whitelists to only allow specific IP connectivity.

If you're looking for a secure master station, our T/Mon also has the option to support HTTPs web viewing, and - like the NetGuardian line - it has passwords that control the level of access individual users have to the system.

So, give us a call and talk to our experts - we can help you start enhancing your ICS security today.

Get a Custom Application Diagram of Your Perfect-Fit Monitoring System

There is no other network on the planet that is exactly like yours. For that reason, you need to build a monitoring system that's the right fit for you.

"Buying more than you need" and "buying less than you need" are real risks. You also have to think about training, tech support, and upgrade availability.

Send me a quick online message about what you're trying to accomplish. I'll work with you to build custom PDF application diagram that a perfect fit for your network.

Don't make a bad decision

Your network isn't off-the-shelf.

Your monitoring system shouldn't be, either.

Customized monitoring application drawing

We'll walk you through this with a customized monitoring diagram.

Just tell us what you're trying to accomplish with remote monitoring.

Get Your Custom Diagram Now
Return to DPS Telecom

DPS logo