5 Big Risks for Industrial Control Systems (ICS) in 2020


2019 is coming to an end, and with it so is the decade when America started taking cybersecurity seriously. In the past decade, we have seen the rise of cloud-based infrastructure, government legislation like FedRAMP, and – most importantly – a dramatic increase in the number of cyber threats facing both commercial and governmental organizations.

Before 2010 when the Stuxnet attack crippled one-fifth of nuclear enrichment centrifuges in Iran, comprehensive cybersecurity programs for industrial systems and operational technology (OT) were practically non-existent. Since then, the IT/OT convergence has brought about a slew of malware attacks specifically targeting Industrial Control Systems (ICS) and programmable logic controllers (PLCs), from BlackEnergy in 2014 to Industroyer in 2016.

A Chance for Improvement

According to major players in the malware detection industry, over 40% of ICS systems across utilities and manufacturing were targeted or outright attacked during the first quarter of 2018. On the one hand, this is a scary moment in history: for the first time, terrorists can wage war on another country’s critical infrastructure. On the other hand, industry professionals are waking up to the need for robust security in the face of increased risk.

In the best-case scenario, America and other developed countries will emerge from the 2020s with stronger infrastructure and a renewed focus on cybersecurity. Along the way, they will have to take a critical look at the greatest risks for ICS systems today.

In this article, we’ll give you a head start: here’s our list of the top 5 threats that ICS professionals need to worry about during the new year.

Top 5 Risks to ICS in 2020

It’s commonly believed that OT security risks stem from developing technology. However, this is not entirely true: some ICS risks stem from systemic flaws in an organization’s structure, supply chain and talent pool. In this list, we’ll give equal priority to all of them.

1. False Promises

Automation has long been the dream of cybersecurity, and in his talk at the ICS Cybersecurity Conference last month, Mark Carrigan pointed out that unscrupulous vendors have been promising a level of automation they just can’t deliver. Organizations that are looking for off-the-shelf solutions to OT security must beware: targeted attacks are masterminded by humans, and it takes human intelligence to identify and beat them.

More generally – as Steven Booth of FireEye maintains – bad vendors can be a liability to security, even when their products work as advertised: “we have seen a number of situations in the past few years where software components in automatic updates were corrupted or poisoned with malicious code,” said Booth.

This is a trend which security practitioners in every field need to be aware of. Next year, the Department of Defense (DoD) will require vendors to pass a certification program before working with government partners. Until then, organizations must stay vigilant in vetting their supply chain.

2. The Industrial Internet of Things (IIoT)

IIoT has been a mixed basket for organizations: on the one hand, it extends the functionality of networks and helps to generate data that drives operational efficiencies – consequently many operations managers love IIoT devices.

However, these devices can also create points of entry for attackers, especially because IIoT vendors are rushing their products to market, utilizing components from less-than-reputable sources, and skipping basic security controls along the way. Many products lack two-factor authentication (2FA) and secure update mechanisms – or, in some cases, they don’t allow customers to change the default accounts and passwords at all.

The National Institute of Standards and Technology (NIST) is currently working to develop mandatory standards for IIoT, in response to lax security in Distributed Energy Resources (DERs) which threaten the power grid. In the meantime, organizations should adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.

3. Insider Threats

In response to ICS risks, some organizations have rejected the IT/OT convergence altogether, isolating their OT from any contact with networks. While this so-called “air gap” method of defense kept OT on the periphery of cybersecurity for years, it is no defense against the biggest threat to ICS security of all: people.

Only 3% of attacks on critical infrastructure begin and end with technical exploits and vulnerabilities. Ninety-seven percent rely on social engineering techniques which trick an organization’s personnel into divulging passwords and access information. Insiders can also compromise a system through careless Internet activity and negligence of security protocol.

Going forward, organizations should invest more resources in training their personnel. Knowing cyber hygiene techniques, developing security situational awareness, and understanding the tactics of hackers can often prevent a major security breach.

4. Hackers Are Improving

According to Thomas Pope from Dragos, modern hackers have begun to converge on a common set of tactics, techniques and procedures (TTPs). On the one hand, this is good news for security professionals, since it means attacks will be easier to detect. On the other hand, an over-reliance on commodity IT solutions and open design protocols puts organizations at significant risk.

According to CyberX, 82% of industrial sites depended on remote management protocols like RDP and SSH in 2017. Not only are hackers familiar with these access protocols and their vulnerabilities, but they are even familiar with proprietary ICS systems.

Every year, attackers become stronger thanks to the resources available to them: increased digital literacy, the widespread availability of pentesting toolkits and darknet markets where SCADA/ICS protocols and exploits are sold cheap. Organizations should acknowledge this fact by designing industrial infrastructure with greater attention to segmentation and detection of indicators of compromise.

5. Talent Gap

When it comes to talent, the entire security industry is in a rough spot. According to some estimates, there will be 3.5 million unfilled security positions by 2021, thanks to the rise of cybercrime and a lack of educated professionals.

The situation is even worse for OT security: according to Robert M. Lee of Dragos, there are fewer than 1,000 ICS professionals in the entire world. In the coming decade, industrial organizations would do well to make sure their personnel have the education they need for success and promote the cybersecurity career path to inbound university students.

The Need for Expertise

With years of expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – our people are equipped to find and eliminate modern OT threats with methodology including:

  • Vulnerability assessments and penetration tests
  • Red-team and blue-team services
  • Industrial Control System (ICS) assessments
  • Network engineering and security architecture design

Automated solutions just aren’t good enough: in 2020, partner with an organization that can see both the big picture and granular details of OT security today.


The 2020’s are an opportunity for renewed focus on cybersecurity. Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.

Key Takeaways from ICS Cybersecurity Conference

Securicon attended the 2019 ICS Cybersecurity Conference in Atlanta on October 21-24. It was a four-day whirlwind of speakers working at the cutting edge of OT security who provided a crash course on the state of the industry, and areas for improvement in 2020.

If you couldn’t make it to this incredible event, don’t worry, we’ve compiled our top four takeaways from the conference just for you.

1. OT cybersecurity can’t be automated

We all know that malware attacks against ICS systems have been rising for the past decade. According to Mark Carrigan from PAS Global, there’s good news: security officers are taking notice, and 84% of businesses have invested in solutions to address the IT/OT convergence.

Here’s the bad news: the demand for solutions has generated an influx of vendors who lull their clients into a false sense of security by making promises they can’t deliver. When it comes to threat detection, nothing beats human expertise, and over-dependence on automation allows targeted attacks to slip beneath the radar.

2. IoT is the next big threat for ICS

Distributed Energy Resources (DERs) are helping power companies to better manage the grid: unfortunately, they also create points of entry for attackers. In response, Jim McCarthy from the National Institute of Standards and Technology (NIST) spoke about ongoing efforts to regulate the Industrial Internet of Things (IIoT).

Lionel Jacobs from Palo Alto Networks argues that organizations should adopt a zero-trust policy towards IoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers. The dangers of IoT may be unavoidable, but with careful governance policies, they can also be managed.

3. Insider threats: still a problem

Conventional wisdom suggests that isolating control systems from network access is the best way to protect them. But – says Chad Lloyd from Schneider Electric – “air gaps” can produce a false sense of security, because they are still vulnerable to human failure inside organizations.

97% of attacks on critical infrastructure do not depend on clever exploits or vulnerabilities, but on social engineering attacks which trick personnel into divulging passwords and access information. It’s clear that more investment is needed to train personnel in cyber hygiene and prevent insider threats.

4. Threat hunting is the best way to strengthen networks

Thomas Pope from Dragos delivered an insightful presentation, showing that modern hackers increasingly rely on the same tactics, techniques and procedures (TTPs) that pen testers and threat hunters have been using for years.

For this reason, threat hunting remains one of the most powerful ways to prevent attacks before they occur. To prove the point, Illan Barda from Radiflow showed eye-opening results from red-teaming on a water treatment facility.

Adopting a Threat-Based Mindset

All our takeaways from the ICS Cybersecurity Conference emphasize one theme: OT-dependent organizations will have to adopt a threat-based mindset to fight the next generation of attacks on ICS and critical infrastructure.



Securicon’s threat management solutions are based on industry standards for safety and professionalism. With years of experience in ICS cybersecurity, we are here to protect your organization. Contact us for more information.

Threat Prevention with the MITRE ATT&CK Matrix

At Securicon, we take an OT-centered approach to supporting asset owners. With the aid of the MITRE ATT&CK Framework (ATT&CK), we design tailor-made scenarios to test OT defenses and detection. By outlining methods for infiltrating a network, maintaining persistence and exfiltrating data, ATT&CK is a tool that can assist asset owners in building a cybersecurity program for industrial control systems (ICS).

Why Should Asset Owners Care?

Today, asset owners have begun to monitor information technology (IT) and operational technology (OT) events with a single security operation center (SOC). This allows them to receive security alerts from the enterprise level of the Purdue Model down to the process control layer from one location. With so much information, the ATT&CK Matrix helps us to identify what asset owners should be watching for in their environments.

Our Approach

Overview

At Securicon, we approach the ATT&CK framework as a punch list of events that asset owners should monitor carefully. We utilize these methods in our ICS threat simulation (Threat Prevention Team) to test the asset owners’ defensive analysts (Blue Team). Through these methods, we are able to identify the respective strengths and weaknesses of their security program. In the following sections, we will outline the steps of a typical adversarial simulation.

Scoping & Initial Engagement

Securicon and trusted individuals working for the asset owner monitor the Threat Prevention Team’s activities to determine mission success. We start by developing scenarios of initial access for the asset owner to approve; a common arrangement includes a combination of vulnerability exploitation and social engineering used to gain unauthorized network access.

During the scoping process, asset owners are given the opportunity to select events from the ATT&CK framework for Securicon’s Threat Prevention Team to simulate. Otherwise, the Threat Prevention Team acts on its own discretion and expertise to accomplish the simulation’s objective.

During the Engagement

After scoping and initial contact are concluded, the Blue Team receives regular updates allowing them to observe simulation progress. Securicon uses numerous methods to move laterally through the asset owner’s network until we reach the OT layer. Using internal reconnaissance, exploitation and post-exploitation techniques, the Threat Prevention Team will continue until its mission is completed.

Post-Engagement

After the mission is complete, the Threat Prevention Team compiles their findings into a report for the asset owner’s trusted individuals. Additionally, asset owners will often request a presentation for their executive team. Using the ATT&CK Framework for reference, the Threat Prevention Team will explain their progression through the asset owner’s network with maps and other visual aids.

As OT malware like Triton/Trisis, Industroyer, BlackEnergy, and Stuxnet continue to propagate, asset owners need to be prepared for threat events. Asset owners in the process of building an ICS Security Program should utilize adversarial threat simulation services to discover security gaps.

While malware rarely conforms to the MITRE ATT&CK Framework point-by-point, Securicon’s senior consultants are prepared for any eventuality. We combine individual research and experience to assess defenses rigorously, leaving no stone unturned. Real life scenarios like Triton/Trisis can be perfectly simulated using custom-built ICS modules to imitate valid communication within the OT network.


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!

Ingredients for an ICS Lab: How to Build an ICS Lab from Scratch Part 1

Knowing about OT is a big part of my job these days: while my background includes traditional IT experience from consulting audit firms, I built up an ICS skillset while working with an ICS Network Security Monitoring (NSM) vendor.

Now I help asset owners to defend their systems against intruders, and as part of my ongoing practice, I’ve built Capture the Flags (CTFs) for various conferences. But there’s always more to learn; in particular, I want to understand ICS protocols and the uniqueness of the ICS assets to better assist in protecting asset owners.

To that end, I’ve decided to build an ICS Lab that will give me hands-on freedom to experiment and run tests.

Approach

There are two approaches to building this ICS lab which I intend to focus on. The first is the simplest and most economical: using a Raspberry Pi, we can simulate the ICS environment with several virtual machines (VMs). While this would be great for some low-level dabbling, I’m interested in something more substantial.

The second approach is to go full ICS: purchase and assemble real ICS Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Needless to say, this produces the full effect of building a real, working ICS environment.

The second approach offers another big advantage over the first in the form of data. Only so much asset inventory information can be displayed using a simulated ICS environment. This limits user experience, thereby increasing the learning curve once they transition to a realistic ICS environment.

IT & OT Environment

While an ICS environment is good for demonstrating the effect of attacks on the Purdue Level 2 network, we also want to simulate other Purdue Levels. The Purdue Model – for those who don’t know – is a way to visualize how IT and OT networks intertwine; therefore, we must obtain firewalls, switches, and other IT infrastructure to continue building our lab.

For starters, I’m selecting an ESXi server on the network to house the email server, intranet, and other business applications including IT defensive software. There will also be engineering workstations on the ESXi server assigned to the ICS VLAN.
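As an added example (not code from the article or from Securicon), the following Python audits constructed network flow records against a Purdue-level segmentation policy, covering both the lab layout described here and the reliance on remote management protocols such as RDP and SSH noted in the risks list above. The subnet plan, the log format and the policy itself are assumptions for a lab like this one.

```python
import ipaddress
from collections import namedtuple

# Hypothetical lab addressing plan (constructed for this example): one subnet
# per Purdue level, mirroring the ESXi/VLAN layout described in the article.
PURDUE_ZONES = {
    4: ipaddress.ip_network("10.4.0.0/24"),  # Enterprise: email, intranet, business apps
    3: ipaddress.ip_network("10.3.0.0/24"),  # Site operations / DMZ, engineering workstations
    2: ipaddress.ip_network("10.2.0.0/24"),  # Supervisory control: HMIs, SCADA servers
    1: ipaddress.ip_network("10.1.0.0/24"),  # Basic control: PLCs, RTUs, IEDs
}

# Remote management protocols that the CyberX figure in the article refers to.
REMOTE_MGMT_PORTS = {22: "SSH", 3389: "RDP"}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    """Map an IP address to its Purdue level, or None if it is outside the lab."""
    addr = ipaddress.ip_address(ip)
    for level, net in PURDUE_ZONES.items():
        if addr in net:
            return level
    return None

def parse_flow(line):
    # Constructed log format: "<src_ip> <dst_ip> <dst_port>"
    src, dst, port = line.split()
    return Flow(src, dst, int(port))

def check_flow(flow):
    """Return a finding if the flow violates the assumed segmentation policy, else None.

    Policy: traffic into Level 2 or below may only come from the adjacent level
    (no skipping the DMZ), never from outside the lab, and SSH/RDP sessions into
    the control levels must originate from a Level 3 engineering workstation.
    """
    src_level, dst_level = zone_of(flow.src), zone_of(flow.dst)
    proto = REMOTE_MGMT_PORTS.get(flow.dport)
    if dst_level is None or dst_level > 2:
        return None  # only traffic into the control levels is policed here
    if src_level is None:
        return f"external host {flow.src} reached Level {dst_level} host {flow.dst}"
    if src_level - dst_level > 1:
        return f"Level {src_level} host {flow.src} skipped the DMZ to Level {dst_level} host {flow.dst}"
    if proto and src_level != 3:
        return f"{proto} into Level {dst_level} host {flow.dst} from Level {src_level} host {flow.src}"
    return None

def audit(lines):
    """Run every flow record through the policy and collect the findings."""
    return [f for f in (check_flow(parse_flow(line)) for line in lines) if f]

# Constructed sample flows for the lab.
SAMPLE_LOG = [
    "10.3.0.10 10.2.0.5 3389",   # engineering workstation (L3) RDP to HMI (L2): allowed
    "10.4.0.25 10.2.0.5 3389",   # enterprise host (L4) RDP straight into L2: skipped the DMZ
    "10.4.0.25 10.3.0.10 22",    # enterprise (L4) SSH to L3: not policed by this rule set
    "203.0.113.7 10.1.0.3 502",  # external host talking Modbus/TCP to a PLC: flagged
    "10.2.0.5 10.1.0.3 502",     # HMI to PLC over Modbus/TCP: allowed
]
```

Running `audit(SAMPLE_LOG)` yields two findings (the DMZ bypass and the external host), which is the kind of baseline check the documentation step below lets you repeat after every simulation.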

The ultimate purpose of building all of this is to have multiple attack scenarios and simulations so that my team and I can better learn the risks our clients will face, and how to defend them.

Lastly! Documentation

When building these labs and CTFs, I’ve found that I often forget to document my work after it has been completed. I suggest documenting your work as you progress. I’m generally a busy person and there are entire weeks when I cannot work on this lab.

Without documentation about what I’ve been doing and where I left off, it’s hard to understand my progress or resume building. Documentation also allows us to store a baseline for our network. Once the attack and defensive simulations are complete, the lab can be reverted to its last known stable state.



