For edges, Industrial Controls were use in isolated modes, comparable to islands with an ocean between them, where there was a lack of transport media to establish communications between them.
After the boom of the Internet, senior managers wanted to
have production statistics in almost real-time, which pushed the convergence of
devices like: PLCs, DCSs or SCADAs and standard IT infrastructure, in order to
communicate specific data to office buildings in sometimes remote areas, where those
managers where located.
Most of the mayor players at that moment, decided to produce
friendlier systems that could extract specific production information and
located in a Database for the data to be accessible and able to be manipulated
and formatted in specific “interesting” charts. In this young scenario the
number of layers was limited to Sensor networks, control network, control management
and couple of layers to be able to connect to the database.
Forwarding until our time, the above doesn’t look so much of
a challenge anymore, but the different layers introduced above the control
management, which in small terms represents a fully-fledged IT infrastructure,
with all the pros and cons included, creates a much more complex environment in
which the shared space between IT and ICS will become invisible in time.
In the case the IT area is correctly controlled and security
controls are in place, the communication path to the lower ICS could be safe,
but in real life that is not so common.
It is more common to find partially secure IT Networks with
a much unclear level of Security in the ICS levels, giving a skillful attacker
potential number of vulnerabilities to exploit that could lead to the discovery
of the less Secure ICS network.
The damage? As many articles refer to, could be catastrophic
not because of the security case itself, but more alarming, related to the
physical damage that can be triggered if e.g. a power plant is compromised, a
nuclear plant loses its basic control, main generators are damaged, etc. Those real-life
consequences could have a bigger impact in an already defenseless population
that won’t fully understand how to react.
Protecting IT infrastructure is already a challenging task,
adding the ICS Security on top of that, and the tasks become not only more
difficult but it will require different teams, IT Security, IT infrastructure, ICS
Security, etc. to work together, which in some cases that itself is a human
vulnerability.
.jpg)
.jpg)
.jpg)
.jpg)