The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently put out an industrial control systems (ICS) advisory alerting operators to seven security flaws in Dataprobe’s iBoot-PDU power distribution unit product. As described by The Hacker News, iBoot-PDU “provides users with real-time monitoring capabilities and sophisticated alerting mechanisms via a web interface so as to control the power supply to devices and other equipment in an OT environment.” If this product, which is mostly used within industrial settings, were to be compromised, critical services like electrical power to the device could be disrupted. In other circumstances, the management page could be infiltrated, meaning that sensitive data would be at risk.
ICS is at Risk
While the example presented above is just one case, it reflects the growing pressure to shore up ICS cybersecurity, including the devices that increasingly support the functioning of ICS in today’s environment. Further fueling the need for action is the argument that Operational Technology (OT) is more vulnerable to cyberattacks than Information Technology (IT), which is the more traditional avenue considered when discussing cybersecurity. In fact, Vergle Gipson, senior advisor at Idaho National Laboratory, stated this during his testimony this month before the House Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.
Because OT and ICS are connected, it matters that a large portion of industrial control systems have not received a design update within the last 20 years or so. Essentially, many have not been developed with cybersecurity in mind, as Gipson explained. This, in turn, has set them behind IT, which has received countless upgrades and patches. On the other hand, OT is typically addressed only when there is a major incident.
Taking on ICS Risk Management
However, the perspective on managing the risks that threaten ICS is changing. The Biden administration has put an emphasis on protecting critical infrastructure areas such as energy, water and transportation. As a part of this overall mission, CISA recently announced that it will “spend the next three years measuring the success of the government’s effort to protect both publicly and privately controlled critical infrastructure from cyberattacks,” according to Nextgov. Within this undertaking, it will issue performance goals, which are expected to be published around October.
This will not be an easy task, though, as measuring progress has repeatedly shown up as a point of debate. But CISA Director Jen Easterly noted that this is a significant part of the protective strategy that must evolve. She said, “As we know, it’s easy to count measures of performance. It’s much more difficult to measure effectiveness and outcomes. But we think that’s incredibly important given our mission, which is to lead the national effort to understand, manage and reduce risk to the critical infrastructure Americans rely on every hour of every day.”
Amid these efforts to meet the challenge of securing critical infrastructure and ICS, there is one important point that must be made, and we close with it here. We need to make sure that those developing the strategies actually understand the elements of ICS. Joe Weiss puts it best. As he wrote for Control Global, “There is an old saying about not forcing a square peg into a round hole. The square peg is IT and Operational Technology (OT) network security. The round hole is the insecure Industrial Control System (ICS) field device.” While the two are intertwined, protecting OT does not necessarily translate to protecting ICS. In order to really handle ICS insecurities, we should put more emphasis on defining ICS and its unique components.
- “Critical Remote Hack Flaws Found in Dataprobe’s Power Distribution Units” – Ravie Lakshmanan, The Hacker News
- “Industrial control systems face more cyber risks than IT, expert testifies” – David Jones, Cybersecurity Dive
- “CISA Plans to Measure the Effect of Coming Standards on Industry’s Cybersecurity” – Mariam Baksh, Nextgov
- “Many OT cyber security experts don’t understand the systems they are trying to secure – the square peg in the round hole” – Joe Weiss, Control Global