For ages, industrial control systems were used in isolated modes, comparable to islands with an ocean between them, with no transport media to establish communications between them.
After the boom of the Internet, senior managers wanted production statistics in almost real time, which pushed the convergence of devices such as PLCs, DCSs or SCADAs with standard IT infrastructure, in order to communicate specific data to office buildings, sometimes in remote areas, where those managers were located.
Most of the major players at that moment decided to produce friendlier systems that could extract specific production information and place it in a database, so that the data could be accessed, manipulated and formatted into specific “interesting” charts. In this young scenario the number of layers was limited to sensor networks, the control network, control management and a couple of layers needed to connect to the database.
Fast-forwarding to our time, the above doesn’t look like much of a challenge anymore, but the different layers introduced above control management, which in short represent a fully fledged IT infrastructure with all the pros and cons included, create a much more complex environment in which the shared space between IT and ICS will become invisible in time.
If the IT area is correctly controlled and security controls are in place, the communication path to the lower ICS levels could be safe, but in real life that is not so common.
It is more common to find partially secure IT networks with a much less clear level of security at the ICS levels, giving a skillful attacker a number of potential vulnerabilities to exploit that could lead to the discovery of the less secure ICS network.
The damage? As many articles point out, it could be catastrophic, not because of the security incident itself but, more alarmingly, because of the physical damage that can be triggered if, e.g., a power plant is compromised, a nuclear plant loses its basic control, main generators are damaged, etc. Those real-life consequences could have a bigger impact on an already defenseless population that won’t fully understand how to react.
Protecting IT infrastructure is already a challenging task. Adding ICS security on top of that not only makes the task more difficult, it also requires different teams (IT security, IT infrastructure, ICS security, etc.) to work together, which in some cases is itself a human vulnerability.