Recently, a client reached out to us and asked how long an unsecured industrial control system (ICS) network would take to be attacked if it were connected to the Internet. Aside from prompting some alarmed questions about whether this particular network actually existed, the question gave us pause about how we approach network security with our customers and ourselves.
Year over year, we stand witness to an ever-increasing number of cyber attacks, breaches and vulnerabilities. And we continually face challenging conversations with IT and operations teams on how to implement industrial cybersecurity best practices. But rarely do we talk about the fundamental reasons for implementing these practices. This gave rise to the idea for us to frame this conversation in a perspective we don’t usually see: the inherent risk of connecting to the modern Internet.
Imagine you are traveling down the interstate, moving toward your destination at 70 mph. You might find yourself surrounded by crush zones engineered to absorb energy, airbags designed to reduce impact, and traction control programmed to prevent crashes. All of these systems exist to minimize the inherent risk in traveling at highway speeds. Our technology has advanced to the point where it is routine to put ourselves in inherently risky situations where only inaction is required for a loss.
The modern Internet has become the information interstate of our society, and by extension our productivity. For many of our routine tasks, industrial and commercial workflows are no longer separated by the platforms and methods we use to accomplish them. And as the speed of information has increased, so has the inherent risk associated with utilizing these superhighways. What used to be taken as common practice among industrial sites has now become the equivalent of driving an original 1908 Ford Model T down the interstate. The associated risk is not a question of if there will be an accident, but of when.
The Internet as we know it is an inherently risky place. Systems are automatically scanned for unpatched vulnerabilities, botnets crawl the web poking and prying at every port, and state actors create exploits that opportunistically attack any target. Without implementing modern network security, we put ourselves, our people and our processes at risk. Many automation engineers will be familiar with concepts such as firewalls, network demilitarized zones (DMZs), and security through the Purdue Model. It has become our job to recognize that these safety features are no longer high-end security practices. They have become what should be expected as the standard safety features of the modern ICS network.
Whether you are just kicking off your ICS cybersecurity journey or are already battle-tested, keep a couple of things in mind. The steps that we take to protect ICS networks are no longer reserved for those of us going above and beyond the call of duty. Network security has become the minimum expectation, and very often a requirement, of running a successful industrial company. And as you evaluate your current security stance, remember that we are always guarding against the inherent risk of connected systems.
By the way, if you were wondering how long that unsecured ICS would last on the Internet, estimates vary between 4 minutes and 16 hours.
Thomas Roth is IIoT lead at Hargrove Controls + Automation, a certified member of the Control System Integrators Association (CSIA). For more information about Hargrove Controls + Automation, visit its profile on the Industrial Automation Exchange.