Comment: Cyber security culture in an ICS/SCADA environment

by Indrajit Sen on Sep 8, 2017

Andrey Suvorov is the head of Critical Infrastructure Protection Business Development at Kaspersky Lab.

Unlike traditional IT network security, which has seen many improvements over the past decade, Industrial Control Systems (ICS) and their SCADA components have never been considered a potential cyber security risk.

Many organisations believed that cyber security was a ‘nice to have’ in such environments, but not that important. As such, traditional process safety or industrial system availability were considered to be an independent topic and not in any way connected with cyber security.

If we look at SCADA software, network communication, proprietary network protocols, and hardware device designs and implementation, in all cases security is not a priority. Attacks such as network identity spoofing, exploitation of excessive access rights, use of a single authorization account for accessing various systems, and other traditional hacking methods are still commonplace in the ICS environment. This is despite such problems being solved for corporate IT a long time ago, thanks to the likes of the Microsoft SDL secure lifecycle, which has contributed significantly to the mitigation of cyber security threats in traditional networks. However, this strategy is still not part of the design cycle of most ICS systems, SCADA software and PLC vendors.

When it comes to traditional compliance approaches to mitigate possible cyber security risks, most international and local government standards talk about actions and measures that can prevent critical incidents. However, this can only be considered a minimum bar for cyber security efforts, due to the sophistication of modern cyber security attacks. Cybercriminals are constantly improving their knowledge of ICS system vulnerabilities and attack methods, and are using advanced social engineering to exploit Internet users. As such, we believe that organizations should adopt another approach in addition to ensuring compliance with standards. Having a “self-regulation” policy means that everyone is responsible for the consequences of their actions and clearly understands the boundaries of what is acceptable.

Problem space

According to US ICS CERT reports (1), about 55% of cyber security incidents in ICS involve Advanced Persistent Threats (APTs) and 40% of all incidents in an ICS environment start from improper human actions which are typically the result of a spear-phishing attack. Our own experience of undertaking security audits and penetration tests tells us that the human factor is probably a much bigger problem for insecure-by-design ICS networks. Many attacks are simply down to users not understanding the concept of cyber security, due to a lack of training and general cyber security awareness.

According to US ICS CERT, the number of cyberattacks against ICS environments is continuing to grow. The most affected industries are:

#1 – Oil and gas

#2 – Power generation and distribution

#3 – Critical manufacturing

The number of vulnerabilities reported and confirmed by the US ICS CERT team is growing. That means that malware in an ICS zone may easily take advantage of them and cause irreparable damage.
