In the halcyon pre-internet days, industrial control systems (ICSs) were considered air gapped, safe from disruption and essentially impervious to outside attack. The Industrial Internet of Things (IIoT) has changed the game dramatically. ICSs are now connected to networks and devices, which improves workflow, but also opens them up to new vulnerabilities.
According to Kaspersky, the percentage of ICS computers on which malicious objects were blocked increased in the second half of 2020. The percentage of ICS computers attacked in the engineering and ICS integration sector grew by nearly 8 percent and in the building automation and oil and gas sectors by nearly 7 percent and 6.2 percent, respectively.
Just how vulnerable are ICSs in the modern environment? Look no further than the attacks on SolarWinds, the Oldsmar water treatment facility and the Colonial Pipeline. One effective way to measure vulnerabilities is the common vulnerability scoring system, or CVSS, which ascribes severity scores to vulnerabilities, allowing defenders to prioritize their response and better allocate resources.
But there is a problem with the CVSS. It was designed primarily for information technology (IT) responders, and many on the operational technology (OT) side question its effectiveness in measuring ICS vulnerabilities. According to Ron Brash, director of cybersecurity insights at Verve Industrial Protection, the CVSS is a good place to start for OT professionals, but it doesn’t go far enough. A new CVSS that takes ICSs into account might not be enough either.
“It’s an honorary system, which does not oblige vendors, or even people that write code, to actually properly report their vulnerabilities,” Brash said. “Nor does it necessarily require them to provide you patches for updating and so on and so on. The real problem, though, with the old system, and it will still be true to a new system, is related to both the scoring and matching what it affects.”
So many products are interconnected now. Just because your plant floor uses Siemens products doesn’t mean it uses only Siemens products.
“Let’s take, for example, a router, a network piece of equipment,” Brash said. “Now those systems might be running Linux, but they might also be rebadged as a Siemens brand, and it’s actually an Aruba switch. The vulnerability, however, comes out for Linux, and that product is a Siemens and identifies itself as a Siemens product. You can’t match the two. So even if you did know there was a vulnerability … you can’t match it.”
“We’re all supposed to be engineers and be able to solve problems with the tools we have and the tools we can go find. We’re creative … That’s where we need to go, with or without government oversight.”
Even if they do match, you still need an asset inventory to know which products in the field are affected. That’s why the Biden Administration’s executive order pushed to have software bills of materials, but you still need to match the software bill of materials to your asset list.
On the plant floor, there can be thousands of devices, and they’re all running constantly. That can make patching and prioritizing the remediation of problems complex.
“Just because you have a piece of software doesn’t mean you’re vulnerable,” Brash said. “You need to match the asset inventory to your vulnerability management and go full circle again with the remediation parts of it, too. It’s great to know what’s inside something, just like on a box Cheetos, but you need to also know what’s inside of it to know what ingredients inside those Cheetos are bad for you, how much you can consume, or should you be replacing your box of Cheetos with something more healthy. So there’s a bunch of pieces that you still would need to piece out.
“And the scoring system, yes, it will help on the prioritization part, but that’s just assuming you know where things are, and also that you can even match the vulnerabilities to the things inside of it. So there’s a whole world there that’s going to be a challenge, and we’re looking at 40-50 years of old software that the vendors don’t even know what’s inside of it.”
One of the main goals of the CVSS on the OT side is threat prioritization. The higher the score, the bigger the threat. Given the sheer number of devices — and likely vulnerabilities — on the plant floor, that should allow OT workers to build out remediation campaigns so they don’t end up with a case of paralysis.
“That’s what the new CVSS scoring system is trying to do. It’s trying to standardize a bunch of things for industrial,” Brash said. “We don’t work on the CIA triad: the confidentiality, integrity and availability triad. Arguably, we do kind of work on the I and the A, but we work on SRP: safety, reliability and productivity. If your vulnerabilities affect one of those things — especially safety or keeping the plant up and running, which affects productivity — I’m probably going to be making some choice decisions about which vulnerabilities I’m going to look at and remediate.”
As the pace of cyberattacks on U.S. critical infrastructure has quickened, the government has stepped in to help secure American assets and strengthen cybersecurity practice. One of the obvious issues with government mandates is the companies being hit, like global meat processor JBS and Colonial Pipeline, are not part of the government. They are private industry. It’s difficult to compel private industry to get up to the standards the government is recommending.
Brash pointed to the pipeline and energy industries, which are already highly regulated. That oversight did raise the bar to a certain level, which is a good thing. There’s also the question of externalities, however, the outside vendors that feed into something like the Colonial Pipeline. That can be anything from software programs to credit card systems used for payment to storage devices. This all widens your security scope and makes things much more complicated to manage.
“This legislation will probably have a lot of, let’s say, scope creep and go into other areas that previously weren’t having it. I think that’s where we’re going to go,” Brash said. “Will that solve it? No. Will that new vulnerability scoring system solve all the problems? No, but it’s a tool to help you, and, at the end of the day, you have to pull all those pieces together. We’re all supposed to be engineers and be able to solve problems with the tools we have and the tools we can go find. We’re creative, apparently. So that’s where we need to be, and that’s where we need to go, with or without government oversight.”
In Part 1 of our interview with Verve’s Ron Brash, he discussed why ransomware has been so prevalent of late and some of the impediments to securing OT systems. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.