Michael Hoyt is Director of Cyber Security at Life Cycle Engineering (LCE), leading cyber solutions for DoD and commercial clients.
As technology spreads deeper into almost every facet of business, the government, our military and our personal lives, we are seeing a transition of systems from analog to digital. Unlike analog, digital systems are integrated into networks, which opens up the target surface of systems and introduces the risk of cyber threats. In particular, this is true for industrial control systems (ICS), which are being converted to digital platforms without a layered-security approach to safeguard the systems. ICSs have a number of security risks that are often overlooked, including:
Hardware-based: The proprietary nature of the hardware and its lack of upgrade support expose systems to increased security risks. Executing hardware upgrades requires total replacement of systems from the same vendor, which is costly and often postponed or not executed at all.
Weak authentication/encryption: Hardware-based systems were not designed to support advanced encryption standards or complex authentication. Many hardware-based systems do not even have an authentication mechanism or, if they do, it consists of just a few numbers typed into a keypad or easily decipherable passcodes. Encryption in hardware systems is rarely strong due to the processing power that is required to support encryption.
Unsupported software/firmware: Because ICSs use closed architectures and software, any modification to the ICS has to go through the vendor, and may be limited if the vendor no longer supports the software/firmware.
Slow response time to patching/updating: Vendors often provide customers with approved/tested patches or updates to address identified vulnerabilities months after the security risk is identified.
Poor physical security: Many ICSs have a small form factor design, meaning that they are physically small in size and have very little computing power. This means that they can be easily stolen and then reconfigured. In addition, with the distributed nature of some ICSs, physical security that prevents theft can prove to be difficult to ensure without extensive costs.
Wireless connectivity: Many ICS products are located in remote locations where network connectivity is only possible through wireless and/or cellular networks. These ICSs come preconfigured with standard settings, such as the encryption key and network/cellular passwords, which introduce a risk to the infrastructure if compromised.
No antivirus or malware protection: The nature of ICS requires a real-time, low-latency operating system/environment. This requirement does not allow for the traditional antivirus or malware protection commonly seen in standard IT systems. The inability to add this protection to an ICS leaves systems prone to virus and/or malware infections, which can lead to loss of information, degradation in service and physical destruction.