References to help provide a deeper insight into serial communication vulnerabilities as well as cyber threats associated with legacy Industrial Control Systems.
critical infrastructure utility

Common ICS Cybersecurity Myth #4: Serial Communication

Global Cybersecurity Alliance

Busting ICS Cybersecurity Myth #4: Serial communication (non-routable) between a control center and remote sites (such as onshore oil rigs, electricity substations, or mines) provides immunity from cyberattacks

(paragraph 2)

“To attack from the outside, it is true that attackers need access to externally routable devices and/or protocols. Recent incidents, however, have demonstrated that it is possible to compromise a serially connected remote site through other means. Attackers can find and exploit vulnerabilities via the corporate network (if the firewall is misconfigured), USB, transient systems, social engineering, third-party suppliers, or a physical security breach.”

Cybersecurity Advisory recommending “Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems.” [July 2020]

National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA)

Page 1: Paragraph 2

“Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the Internet (e.g., Shodan1 [2], Kamerka [3]), are creating a “perfect storm.”

Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector

Idaho National Laboratory

Page 13: Section 3.1

“The communication protocols used throughout ICS networks are of additional concern. Common and long-established ICS protocols such as Modbus and DNP3 used throughout the power system have little or no security measures: lacking authentication capabilities, messages may be intercepted, spoofed, or altered, potentially causing a dangerous event in an operations environment.”

Page 13: Section 3.2

“NERC created a set of cyber security reliability standards established around TCP/IP-based (“routable”) connections, which provided a degree of protection in communicating with a utility’s production control system network. However, serial-based connections, often used to communicate with a substation and/or remote devices such as programmable logic controllers (PLCs)or remote terminal units (RTUs), were a less secure regulatory “blind spot” but still common communication protocol.”

Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems

SANS Institute

Page 4: Section 1.1

“Level 1 and lower communication traffic distinguishes control systems from typical IT systems; it bridges the gap between the cyber and physical world”

Page 5: Section 1.3

“These protocols [legacy] tell a more accurate story about what plant equipment is being told to do and what it is actually doing.”

Page 24: Section 6

“If implementing serial-based traffic collectors, be sure to isolate them from the serial bus using data diodes or similar gap technologies, such as Cynalytica’s SerialGuard.”

NIST Situational Awareness for Electric Utilities NIST SP 1800-7 Practice Guide

National Institute of Standards and Technology (NIST)

Page 1: Section 1.1

“To improve overall SA, energy companies need mechanisms to capture, transmit, view, analyze, and store real-time or near-real-time data from ICS.”

Page 2: Section 1.1

“There is a definite need to improve a utility’s ability to detect cyber-related security breaches or anomalous behavior, in real or near real time. The ability to do this will result in earlier detection of cybersecurity incidents and potentially reduce the severity of the impact of these incidents within a utility’s operational infrastructure.”

Recommended Cybersecurity Practices for Industrial Control Systems

Cybersecurity & Infrastructure Security Agency (CISA) and US Department of Energy (DOE)

Page 2: Security Monitoring

  • “Measure the baseline of normal operations and network traffic for ICS.”
  • “Configure Intrusion Detection Systems (IDS) to create alarms for any ICS network traffic outside normal operations.”

Building cyber security into critical infrastructure. Protecting Industrial Control Systems in Asia Pacific

Deloitte

Page 13: Visibility

“Few critical infrastructure operators have full or even partial visibility of their OT assets, seeing them as a “black box”. As a result, they often have little insight into how their OT assets are configured or operate on a daily basis.”

“Many organisations lack effective monitoring solutions and processes. This can result in an incomplete view into the OT assets and reduced situational awareness, both of which can make organisations more vulnerable.”

Page 19: Technology – paragraph 1

“The right technology can help by providing OT teams with more visibility into operations as an enabling first step to implement further controls.”

Page 19: Technology – paragraph 2

“For an organisation to achieve operational resilience, the scope needs to be expanded to the entire internal OT landscape with adequate controls in place to protect the most critical assets and systems. However, it is also essential that new technologies do not disrupt operations, even if it means introducing fully passive, rather than active OT security controls–at least initially.”

 

Industry 4.0 and ICS Sector Report (March 2018)

European Cyber Security Organisation (ECSO) 

Page 28: Presence of legacy ICS that are more prone to cyber threats

“Control systems are considered to have a lifecycle of 20 years. In some instances, it will be many years before the control systems are replaced by more robust ICS and SCADA solutions. Hence, these legacy control systems are wide open to cyber-attacks.”

Page 29: Presence of legacy ICS that are more prone to cyber threats

“The lack of such comprehensive solutions is expected to have a significant impact on the growth patterns of ICS network security. Thus, security flaws resulting from legacy devices and software exist in many ICS environments.”