"Do not fit, kill!" Or the whole truth about the safety of ICS
We decided to collect our experience in protecting industrial control systems and talk about the most common problems and popular security myths in this area.

ACS TP is a complex of hardware and software designed to automate the management of technological equipment in industrial enterprises.
ASU TP, as a rule, has a multi-level structure:
- Operator / dispatch control level (upper level).
- Automatic control level (medium level).
- Actuator input / output level (lower / field level).
The number of ACS TP levels, as well as its composition at each level, certainly depends on its purpose and the target functions performed. Moreover, at each level of the automated control system according to functional, territorial or other characteristics, other additional segments can be distinguished. Nevertheless, at the current stage, we restrict ourselves to the general representation below.

Problem 1: the myth of the "air gap"
Many industrial control systems were built for a long time. At that time, it was believed that technological networks and systems were completely isolated from the outside world, and therefore, ensuring information security in this area was not recognized as relevant or, at best, was not a priority. However, now the line between technological and corporate networks is increasingly blurred, and, in addition, Ethernet / IP and, in general, corporate network technologies are increasingly being used in technological networks.
These processes are determined by the needs of the business and, as a consequence of the need for network connectivity, we usually observe one of the following scenarios at the Customer:
- The customer has implemented a project for pairing and segmenting corporate and technological networks, which provides an integrated approach to providing information security with connected segments. At the moment, the rarest option, but we have met it with several customers.
- The customer’s corporate and technological networks are connected according to one of the schemes that are accessible and seemingly fairly secure to IT, IS and ICS services. It can be like connectivity using a firewall, using a router with ACL (Access Control List), and other options up to AWP / access servers with multiple network cards (by the way, one of the very common cases). These schemes are often overlaid with a large number of accesses, including accesses from outside the corporate network - for ATMs installed on the territory of production, remote work of vendors of industrial control systems and other contracting organizations involved. As a result, in fact, these schemes over time begin to transform into the following option:
- Just ICS in a common network. It seems unbelievable, but unfortunately this option is also widespread.
In addition, the effect of the development and mass availability of modern technologies (mobile devices and mobile Internet, USB modems, etc.), which employees actively use for their own purposes, also affects. Starting from operators who want to have Internet access at the workplace, and ending with IT administrators who want to save time traveling to the final facility, located, for example, 20 km from the office.
- The saved settings of VPN connections to segments of the technological infrastructure considered to be isolated (see. Fig.).

- A file that contained the details of access to the nodes of the technological infrastructure, including the details of access and control of the SCADA systems used by various manufacturers. The file was accessible in the shared network directory to all users of the corporate network without authentication (see. Fig.).

The use of VPN connections with the saved details allowed the auditor to directly access the network equipment of the technological infrastructure, as well as the equipment at the end sites, using the management interfaces of the corresponding SCADA systems, from the identified workstation.
We supplement the picture with the above-mentioned problems of using local USB modems. Phones like USB modems. Home routers, home storage servers and other “features” of modern life. And even if the corporate and technological networks are connected in the best way - the first of the scenarios, unfortunately, in fact this does not mean that the situation is really what it should be, and in specific places there is no, for example, own Internet connection or uncontrolled access to corporate network and back.
As a result, we get a bleak picture of the possibility of an easy penetration of an attacker or malware with communication with C&C inside the ICS. In general terms , it can be formulated as follows: everything that threatens the corporate network actually threatens the technology segments. This in no way means that the technology of protecting the corporate network needs to be transferred to the technological infrastructure and industrial control systems, but you must be aware that the information security risks in the technology segments are no less than those in the corporate ones.
Problem 2: IS in ICS and IS hygiene
Technological networks and segments at the same time are significantly different from corporate networks and systems. So, unlike a typical IT system, a typical process control system:
- It is a real-time system in which response time is critical, and delays and data loss are unacceptable.
- Along with widespread OS and protocols, specialized and specially developed (proprietary) ones are widely used in it.
- The life cycle is 10-15-20 years, and for some objects - up to 30 years.
- Components can be isolated, geographically remote, and physically difficult to access.
- Rebooting into an automatic process control system may be unacceptable, including it is often impossible to install any updates, etc.
As a result, at the customer’s final facilities we often observe a situation when some kind of our own development is used (neither the manufacturer nor the support is already left), with a general shift account, the password from which cannot be changed and which coincides with the login (similar to famous admin / admin). If a password can be set at all, after all, we recall that many industrial control systems are more than 10-15 years old.

Work on these SSH service devices with the ability to transfer graphic sessions and support for SSH tunnels allowed the auditor to organize traffic tunneling and conduct selective scanning of technological network nodes through the PSI system controllers, a subsequent attack on the password protection subsystem of the technological network and gain access to devices isolated from the user segment.
In particular, the auditor obtained access to a technological network based on MIKRONIKA equipment, for which Telnet protocol access was used using the details of the root account that does not have a password for remote privileged access to devices (see figure).

Also, while technological systems for the most part circulate information on technological processes and on control actions, the emphasis is usually on its accessibility and integrity, while the issue of ensuring confidentiality, as a rule, is paid less attention. And this is one of the additional reasons that explain the “delay” in the movement towards ensuring information security in the field of industrial control systems.
So, we have a virtually insecure system running on outdated and unsupported software with a whole fan of vulnerabilities. Installing updates on such a system is, in most cases, impossible - due to their absence, inability to install, inability to reboot, and other numerous reasons). The conclusion follows:problems and vulnerabilities in technological networks and systems are even higher than in an average corporate network.
In this case, even in the case of using systems and software supported by the manufacturer, from the production side there is usually a steady resistance to any updates aimed at eliminating security problems. And almost always this rejection extends to any security measures imposed (by the way, it may well be justified if blocking mechanisms are somehow declared and implemented in such means, even if they are not supposed to be used during implementation and future operation).
It is important to note that customers are aware of most of these problems, including possible actions by local employees. IS risks associated with them are covered by very strict organizational measures and physical security measures: prohibition of carrying into the territory and use of various devices and external media, physical limitation of the possibility of using equipment ports, etc. measures). However, these measures are not able to fully provide reliable protection for process control systems.
Summarizing the situations and problems described above, the following main points can be noted: regarding the current situation with information security in automated process control systems:
- It’s possible to “break everything” in industrial control systems even without complex attacks on systems, protocols and controllers.
- The initial risks of information security in a technological network are not only no less, but also significantly higher than in a corporate one.
- These risks require their own set of actions and measures, at least taking into account:
- tremendous criticality and continuity of business processes;
- the impossibility of updating;
- the practical inapplicability or inapplicability of traditional information security systems and, in particular, blocking mechanisms.
But no matter how many limiting factors, it is still necessary to protect ACS TP. In the second part of the article, we will talk about how, given these problems, to carry out full-fledged monitoring and response to cyber attacks. Again, with live examples and cases from customers. Do not miss!