Industrial control systems are critical to the functioning of essential sectors like power, manufacturing, and utilities — which means security is a top priority. However, the increasing sophistication of cyber threats has exposed these systems to greater risk.
Indeed, the disclosure of high-severity vulnerabilities among popular vendors of industrial control systems and equipment increased by 78% between 2020 and 2022.
This alarming trend highlights the urgent need to strengthen defenses around ICS environments because even a single breach could lead to operational shutdowns, equipment damage, or widespread service disruptions.
In this article, we will look at the most common types of ICS and at strategies for securing them.
Industrial control systems (ICS) are systems used to monitor, control, and automate industrial processes such as manufacturing, power generation, and chemical processing. These systems include technologies such as:
ICS is essential for maintaining the efficiency, safety, and reliability of critical infrastructure. These systems often operate in real-time environments, making cybersecurity a key concern.
Industrial Control Systems (ICS) Security refers to the defense of the systems that govern industrial processes. It differs from traditional IT security because the systems it protects control the functionality and operation of critical infrastructure: a compromise has physical consequences, not just data loss.
The goal of ICS security is to make this complex infrastructure robust, resilient, and dependable in the face of security threats. The key challenge is that ICS environments typically run on legacy technology that (just) works: it was designed for availability and safety rather than for hostile networks, and it is rarely patched.
Securing these systems has become an imperative mission, as more CISOs and CEOs are asking questions like:
(Related reading: business resilience vs. business continuity.)
As mentioned earlier, the most common ICS systems include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). Let’s look briefly at how they work.
A Supervisory Control and Data Acquisition (SCADA) system integrates with digital components such as Programmable Logic Controllers (PLCs) that execute control logic on the device itself.
For example, a robotic arm in the manufacturing line has embedded PLCs that govern its functionality. A SCADA system interfaces with the PLCs to govern the functionality of the entire manufacturing line with distributed PLCs.
The ICS may also include connected sensors, actuators, and embedded computing systems — these communicate with a backend control system for real-time control execution tasks.
(Related reading: real-time analytics.)
A Distributed Control System (DCS) integrates with various local controllers to manage and automate continuous processes within a facility.
For example, in a chemical plant, multiple controllers are embedded across the system to regulate critical parameters like temperature, pressure, and flow. Each controller operates independently and communicates with the central DCS to ensure coordination across the entire process.
The system uses sensors and actuators to provide real-time feedback, ensuring precise control and optimization of complex industrial operations. This real-time data exchange enhances process stability and overall reliability.
(Using Splunk? Learn how to monitor common ICS protocol ports.)
The threat to industrial control systems is often not aimed at the entire system; instead, it homes in on the function of a specific component within that system.
ICS components are often designed to perform simple but high-impact functions: like opening a switch on an electrical transmission line impacted by a fault, fast enough to contain the fault within the affected regions only.
Suppose the switch fails to operate correctly, whether because of a security vulnerability or because a cyberattack targets the digital control system. The fault can then propagate across the whole grid and cause serious, widespread impact, up to a nationwide blackout. Cascading failures of this kind are not hypothetical: the nationwide blackout in Ecuador in June 2024 began with a single transmission fault that spread through the grid, although that event was attributed to an equipment failure rather than a cyberattack.
So, we understand there are threats to these systems. The other thing to know is that the threat landscape is evolving rapidly. Take a look at the following stats:
Industrial Control Systems Security is different from traditional enterprise IT security in many ways. ICS estates are often vast and distributed, as in national critical infrastructure and large manufacturing plants, and they are built and operated through joint ventures and partnerships among vendors that each specialize in a different segment of the plant.
For many of these vendors, cybersecurity is not an in-house discipline; it is outsourced to external partners. This makes routine security functions such as vulnerability management and patching hard for operational teams to carry out, particularly when applying a patch means taking a maintenance window on a process that is not supposed to stop.
The volume of unmanaged control devices is also vast: around 56% of all IoT data is acquired from the manufacturing, infrastructure, and retail industry verticals.
(Related reading: Information vs. Operational Technology: IT vs. OT & how security for IT and OT differs.)
So, we must secure Industrial Control Systems – that is clear. But how?
SCADA systems and sensors communicate in real-time to identify all assets, including:
These parameters change in real time as the usage demand and environmental factors affecting the OT evolve.
Similarly, a large number of connected devices and sensors may be deployed but not incorporated into your data acquisition pipeline. Real-time asset discovery can help address these limitations and enhance your monitoring coverage.
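As an added example (not code from the article or from Splunk), the following Python reconciles passively observed ICS traffic with an asset register. The flow records, the inventory, and the IP addresses are constructed for the illustration; the port-to-protocol mapping uses the IANA-registered ports for Modbus/TCP (502), DNP3 (20000), EtherNet/IP (44818) and S7comm (102) and assumes nothing runs on a non-standard port. It reports devices that speak an ICS protocol but are absent from the register, registered devices whose observed role differs from the expected one (a PLC that starts acting as a Modbus client towards another PLC), and registered devices that were never seen at all, which is the monitoring coverage gap described above.

```python
"""Passive ICS asset discovery: reconcile observed flows with the asset register.

Added example; the inventory, IPs and flow records below are constructed.
"""
from collections import defaultdict

# IANA-registered ports for common ICS protocols (assumption: standard ports only).
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet-ip", 102: "s7comm"}

# Constructed asset register: what the organisation believes is on the network.
# "role" is the side of the ICS protocol the device is expected to play.
INVENTORY = {
    "10.1.0.10": {"name": "hmi-01", "role": "client"},
    "10.1.0.20": {"name": "plc-line1", "role": "server"},
    "10.1.0.21": {"name": "plc-line2", "role": "server"},
    "10.1.0.22": {"name": "plc-line3", "role": "server"},  # registered, never seen
}

# Constructed flow records as an OT network sensor or SPAN-port collector
# would export them (source, destination, destination port).
FLOWS = [
    {"src": "10.1.0.10", "dst": "10.1.0.20", "dport": 502},
    {"src": "10.1.0.10", "dst": "10.1.0.21", "dport": 502},
    {"src": "10.1.0.99", "dst": "10.1.0.20", "dport": 502},    # unregistered client
    {"src": "10.1.0.20", "dst": "10.1.0.21", "dport": 502},    # PLC acting as a client
    {"src": "10.1.0.10", "dst": "10.1.0.30", "dport": 20000},  # unregistered DNP3 outstation
    {"src": "10.1.0.10", "dst": "10.1.0.40", "dport": 443},    # non-ICS traffic, ignored
]


def observe(flows, ics_ports=ICS_PORTS):
    """Build a per-IP view (roles and protocols) from ICS flows only."""
    seen = defaultdict(lambda: {"roles": set(), "protocols": set()})
    for f in flows:
        proto = ics_ports.get(f["dport"])
        if proto is None:
            continue  # not an ICS protocol we recognise
        seen[f["src"]]["roles"].add("client")
        seen[f["src"]]["protocols"].add(proto)
        seen[f["dst"]]["roles"].add("server")
        seen[f["dst"]]["protocols"].add(proto)
    return seen


def reconcile(flows, inventory, ics_ports=ICS_PORTS):
    """Return the three findings an asset-management process needs."""
    seen = observe(flows, ics_ports)
    findings = {"unknown": [], "role_change": [], "unseen": []}
    for ip, info in sorted(seen.items()):
        known = inventory.get(ip)
        if known is None:
            findings["unknown"].append(
                (ip, sorted(info["roles"]), sorted(info["protocols"])))
        elif info["roles"] - {known["role"]}:
            # Registered device behaving outside its expected role.
            findings["role_change"].append(
                (ip, known["name"], known["role"], sorted(info["roles"])))
    findings["unseen"] = sorted(ip for ip in inventory if ip not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(FLOWS, INVENTORY).items():
        for item in items:
            print(kind, item)
```

In a real deployment the flow source would be a continuous feed rather than a list, but the reconciliation logic is the same: the "unknown" and "role_change" findings are detections, while "unseen" tells you which parts of the plant your data acquisition pipeline is not covering at all.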
The goal of an ICS security system is to:
Cyberattacks exploit vulnerabilities in ICS technologies to alter these operations, and they do so in ways designed to stay below the radar of operators while still being capable of catastrophic physical damage.
The Stuxnet worm, discovered in 2010, is the best-known example: it altered the behaviour of centrifuge controllers while presenting operators with recorded normal readings, so the attack stayed hidden until physical damage had been done. Detecting this class of attack calls for an Intrusion Detection and Intrusion Prevention System (IDS/IPS) that continuously monitors remote traffic, operator commands, and process variables, rather than trusting any single reported value.
An industry standard Identity and Access Management (IAM) strategy is to adopt the Principle of Least Privilege access: a system or a user should be granted the bare minimum access controls to perform the required task.
Weak controls, such as default, basic, or shared passwords on accounts with high-level access, let an intruder acquire those privileges and issue SCADA commands they were never authorized to issue.
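The following Python is an added illustration of deny-by-default, least-privilege authorization for SCADA and HMI operations; it is not code from the article, from Splunk, or from any SCADA product, and the roles, operations, cell names and account names are assumptions. Each request is checked on three axes: the operation must be in the role's allow list, the target cell must be inside the identity's assigned scope, and shared or kiosk logins are limited to read access regardless of the role they carry, which is the practical mitigation for the highly privileged, weakly protected profile described above. Every decision, allowed or denied, is written to an audit list so that denied attempts are available to monitoring.

```python
"""Least-privilege authorization for SCADA/HMI operations (added example).

Roles, operations, cells and account names are assumptions for illustration.
"""
from dataclasses import dataclass

# Operations an HMI or engineering workstation can request, in order of impact.
OPERATIONS = {"read", "ack_alarm", "write_setpoint", "download_logic"}

# Role -> allowed operations. Anything not listed here is denied.
ROLE_OPERATIONS = {
    "viewer": {"read"},
    "operator": {"read", "ack_alarm"},
    "control_engineer": {"read", "ack_alarm", "write_setpoint", "download_logic"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    scope: frozenset          # plant cells this identity is assigned to
    shared: bool = False      # shared/kiosk logins may never change process state


@dataclass
class Decision:
    principal: str
    operation: str
    cell: str
    allowed: bool
    reason: str


AUDIT: list = []  # default audit trail; a real system would ship this to the SIEM


def authorize(principal, operation, cell, audit=None):
    """Return (allowed, reason). Every decision is appended to the audit trail."""
    if audit is None:
        audit = AUDIT
    allowed_ops = ROLE_OPERATIONS.get(principal.role)
    if allowed_ops is None:
        verdict = (False, "unknown role")            # deny by default
    elif operation not in OPERATIONS:
        verdict = (False, "unknown operation")
    elif operation not in allowed_ops:
        verdict = (False, f"role {principal.role} may not {operation}")
    elif cell not in principal.scope:
        verdict = (False, f"{cell} outside assigned scope")
    elif principal.shared and operation != "read":
        verdict = (False, "shared account is read-only")
    else:
        verdict = (True, "allowed")
    audit.append(Decision(principal.name, operation, cell, *verdict))
    return verdict


def denied_attempts(audit=None):
    """Denied decisions are the signal a SOC wants from this component."""
    return [d for d in (AUDIT if audit is None else audit) if not d.allowed]


# Constructed identities.
OPERATOR = Principal("j.doe", "operator", frozenset({"line1"}))
ENGINEER = Principal("a.lee", "control_engineer", frozenset({"line1"}))
KIOSK = Principal("hmi-kiosk", "control_engineer", frozenset({"line1", "line2"}), shared=True)
VENDOR = Principal("vendor-remote", "admin", frozenset({"line1"}))  # role never defined

if __name__ == "__main__":
    for p, op, cell in [(OPERATOR, "ack_alarm", "line1"),
                        (OPERATOR, "write_setpoint", "line1"),
                        (ENGINEER, "write_setpoint", "line1"),
                        (ENGINEER, "write_setpoint", "line2"),
                        (KIOSK, "download_logic", "line1"),
                        (VENDOR, "read", "line1")]:
        print(p.name, op, cell, authorize(p, op, cell))
    print(len(denied_attempts()), "denied")
```

The point of the shared-account rule is that the kiosk login still carries the control_engineer role, as it often does in practice, yet cannot write a setpoint or download logic; a stolen or guessed kiosk password therefore yields read access only.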
Since most ICS devices are managed remotely and rely on sensors distributed geographically, physical security is a key challenge. It may not be possible to enhance physical security measures overnight, but anomaly detection tools can complement the physical security efforts needed for your ICS security.
For example, if a sensor reading is off while your SCADA systems continue to function as expected, it may be the case of sensor malfunction or malicious tampering. A strategic approach to physical security driven by software tools such as IDS/IPS can enhance your ICS Security capabilities.
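The plausibility check described in the two paragraphs above, and the kind of hidden manipulation the Stuxnet example refers to, as an added Python example that is not code from the article or from Splunk. The telemetry is constructed: a setpoint that steps from 50 to 70, a redundant sensor that follows it, and a primary sensor whose reported value freezes at 50.0 from just before the step onward, as a replayed or tampered reading would while the HMI still looks healthy. Two independent checks are applied: the primary must agree with the redundant sensor within a tolerance, and a value that repeats exactly across several scans while the setpoint has changed is treated as frozen, because a real analogue sensor carries noise and should track the process. The tolerance and window sizes are assumptions to be tuned per control loop.

```python
"""Sensor plausibility checks for a control loop (added example; data constructed)."""

# Constructed telemetry, one sample per scan. The setpoint steps at t=5, the
# redundant sensor tracks it, the primary sensor freezes at 50.0 from t=3 on.
SAMPLES = [
    {"t": 0,  "setpoint": 50, "primary": 50.1, "redundant": 50.1},
    {"t": 1,  "setpoint": 50, "primary": 49.8, "redundant": 49.8},
    {"t": 2,  "setpoint": 50, "primary": 50.2, "redundant": 50.2},
    {"t": 3,  "setpoint": 50, "primary": 50.0, "redundant": 50.0},
    {"t": 4,  "setpoint": 50, "primary": 50.0, "redundant": 49.9},
    {"t": 5,  "setpoint": 70, "primary": 50.0, "redundant": 55.0},
    {"t": 6,  "setpoint": 70, "primary": 50.0, "redundant": 61.0},
    {"t": 7,  "setpoint": 70, "primary": 50.0, "redundant": 66.0},
    {"t": 8,  "setpoint": 70, "primary": 50.0, "redundant": 69.2},
    {"t": 9,  "setpoint": 70, "primary": 50.0, "redundant": 70.1},
    {"t": 10, "setpoint": 70, "primary": 50.0, "redundant": 69.8},
    {"t": 11, "setpoint": 70, "primary": 50.0, "redundant": 70.0},
]


def check_sensor(samples, tolerance=2.0, max_stale=4):
    """Flag scans at which the primary sensor is implausible.

    disagree: |primary - redundant| exceeds tolerance (assumed engineering units).
    stale:    the primary has reported the identical value for max_stale
              consecutive scans while the setpoint changed inside that run.
    """
    findings = {"disagree": [], "stale": []}
    run_len = 0
    run_setpoints = set()
    prev = None
    for s in samples:
        if abs(s["primary"] - s["redundant"]) > tolerance:
            findings["disagree"].append(s["t"])
        if prev is not None and s["primary"] == prev:
            run_len += 1
        else:
            run_len, run_setpoints = 1, set()
        run_setpoints.add(s["setpoint"])
        if run_len >= max_stale and len(run_setpoints) > 1:
            findings["stale"].append(s["t"])
        prev = s["primary"]
    return findings


def first_alert(findings):
    """Earliest scan at which either check fired, or None if the loop looks healthy."""
    times = findings["disagree"] + findings["stale"]
    return min(times) if times else None


if __name__ == "__main__":
    f = check_sensor(SAMPLES)
    print(f, "first alert at t =", first_alert(f))
```

Neither check can tell a failed transmitter from a tampered one on its own; what they give you is an early, specific trigger for the physical inspection that the paragraph above says you cannot afford to run continuously everywhere.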
As the world grows increasingly aware of what digital attacks can do, we can’t forget that digital events can have serious consequences in the real world.
Monitoring must be built-in to these industrial systems to ensure their success and reliability. Splunk provides the engine that helps in monitoring, searching, analyzing, and visualizing large amounts of energy and utility data at scale. Learn more about Operational Technology (OT) Security Add-on for Splunk.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.