Industrial control systems (ICS) such as programmable logic controllers, distributed controls systems, SCADA systems, and operational technology systems extensively rely on a network of manufacturers and suppliers for integration and maintenance of various software and hardware components. This introduces major risks for ICS acquirers of these products and services because malware and vulnerabilities can be leveraged to compromise the ICS environment. Threat actors are increasingly resorting to supply chain attacks to break into critical industrial sectors such as manufacturing, defense, energy, transportation, healthcare, food and agriculture

Five Reasons Why ICS Manufacturers Put Industrial Environments at Risk

One of the primary steps in building a risk mitigation strategy is having complete visibility and understanding of the main sources or root causes of risk. Let’s explore the top risks that are introduced in ICS environments through ICS device manufacturers:

1. Limited Pool of Manufacturers

For specialized ICS devices, there are a limited number of manufacturers; in some cases, only one that produces the required hardware. This lack of choice narrows the decision-making process, and this could mean that an acquirer is forced to select a manufacturer even when they do not conform to the acquirer’s security policies or standards.

2. Chain of Implementation Partners

Some manufacturers outsource to implementation partners, an external party that installs and sets up ICS devices on behalf of the manufacturer. Since these partners are not a direct supplier to the acquirer (and it is highly unlikely that an agreement between the implementation partner and the acquirer exists), it adds another dimension or layer of risk (i.e., fourth party) which the end user or the acquirer does not have control over.

3. Remote Access Widens the Attack Surface

Manufacturers are often requesting remote access (such as on-demand virtual private network or a persistent direct connection) to the ICS devices they have supplied. Remote access has several advantages obviously; suppliers can react, investigate, or address problems swiftly and can monitor devices for potential faults and updates. On the flip side, threat actors can leverage this access to deploy a remote access trojan or a backdoor into operations.  

4. IIoT Becoming a Potent Attack Vector

The convergence of ICS and IT environments has led to the introduction of IIoT (industrial internet of things) devices into ICS environments. Most IIoT devices are exposed to the internet and this opens an additional route for attackers to breach. IIoT hardware is usually cheaper than mainstream ICS devices, which means that the manufacturer can cut corners or spend little money on cybersecurity. Moreover, a sizable number of these devices have weak passwords, which makes them easy targets for persistent attackers.

5. Outdated Contracts and Legacy Hardware

The threat landscape for ICS has changed. Manufacturer contracts that were written prior to the convergence of IT and ICS environments are today unfit for purpose. This puts organizations in an uncomfortable position as existing contracts may not cover the extent of the risks these newly connected devices expose. Further, many of these contracts are not likely to be changed until the ICS device itself is replaced.

How Can Organizations Mitigate Risks Originating From ICS Manufacturers and Suppliers?

Having a safe and secure operating environment is a key priority for most industries and since manufacturers and supply chain partners can affect this goal, it is important that acquirers invest in creating a secure architecture that is supported by robust processes and procedures. Below are some best practices that can get organizations started:

1. Enhance Manufacturer Selection Process

Including security requirements in the criteria for manufacturer selection can result in better and more informed decisions being made when deciding which manufacturer to purchase from. The information security team can work with ICS engineers to understand which requirements can be enhanced with security criteria; this can then be passed onto the supplier management team, with the appropriate training, to include in their standard processes. It is also advisable that organizations request manufacturers to provide a complete list of the software and libraries installed on an ICS device (known as a software bill of materials or SBOM) as well as the list of components supplied by OEMs (original equipment manufacturers). This enables ICS engineers and information security teams to assess the risks associated with each element that makes up the ICS device.

2. Manage The Risks Out

By replacing insecure ICS devices with newer, more secure versions, acquirers can manage the risk out of their ICS environments. While this may not address the overarching issue quickly and can be an expensive approach if devices are not due for imminent replacement, it will still address the problem of insecure devices. By following the correct procurement processes and having ICS engineers and the information security team review the manufacturer and their security stance, the acquirer will invariably obtain and implement devices with improved security controls.

3. Update Legacy Contracts

If replacing legacy ICS devices is not feasible then it could be more practical to update the contract, and any support and maintenance agreements with the manufacturer. Adding security clauses into the contract will create peace of mind that there is support available for legacy devices which could reside in the ICS environment for many years – perhaps decades. A contractual obligation placed on a manufacturer to support the acquirer will provide the necessary clarity for stakeholders, ensuring they have confidence in the organization meeting the security levels they require.

4. Create a Safe Environment

Acquirers need to implement suitable controls and processes to achieve the objectives of safety, reliability, and performance, as well as maintain the confidentiality, integrity, and availability of their systems. It is also vital for them to safeguard their infrastructure against any risks arising from third-party interactions. Recommended controls include implementing granular network segmentation, creating a zero-trust environment, installing unilateral devices (that only allow one-way communication), and bastion hosts, deploying digital twins.

It is estimated that by 2027, cyber-attacks will shut down 15,000 industrial sites. Organizations must therefore challenge their manufacturers to create more secure and safe ICS environments and devices because protecting the environment involves taking the relationship way beyond just agreeing to a contract.

About the Author

Steve Durbin is Chief Executive of the Information Security Forum, an independent, not-for-profit association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at www.securityforum.org.

Email: steve.durbin@securityforum.org

Linkedin: https://www.linkedin.com/in/stevedurbin/

FB: https://www.facebook.com/InformationSecForum

X @securityforum