Back to Home

“Do not fit, it will kill!” Or the whole truth about the safety of automated process control systems / Rostelecom Solar Blog

asu tp · asutp · industry · soc · solar jsoc · monitoring center · cybersecurity · cyber attacks

"Do not fit, kill!" Or the whole truth about the safety of ICS

    Most of our customers are industrial and manufacturing companies. No matter how large and significant the front office and corporate network of such companies may be, their main business is production itself, as well as the tasks and processes associated with it. And often, when solving problems of monitoring and responding to cyber attacks with customers, we start with the corporate network and perimeter, and as a result we come to closed networks and segments of production and technological networks.

    We decided to collect our experience in protecting industrial control systems and talk about the most common problems and popular security myths in this area.


    ACS TP is a complex of hardware and software designed to automate the management of technological equipment in industrial enterprises.

    ASU TP, as a rule, has a multi-level structure:

    • Operator / dispatch control level (upper level).
    • Automatic control level (medium level).
    • Actuator input / output level (lower / field level).

    The number of ACS TP levels, as well as its composition at each level, certainly depends on its purpose and the target functions performed. Moreover, at each level of the automated control system according to functional, territorial or other characteristics, other additional segments can be distinguished. Nevertheless, at the current stage, we restrict ourselves to the general representation below.



    Problem 1: the myth of the "air gap"


    Many industrial control systems were built for a long time. At that time, it was believed that technological networks and systems were completely isolated from the outside world, and therefore, ensuring information security in this area was not recognized as relevant or, at best, was not a priority. However, now the line between technological and corporate networks is increasingly blurred, and, in addition, Ethernet / IP and, in general, corporate network technologies are increasingly being used in technological networks.

    These processes are determined by the needs of the business and, as a consequence of the need for network connectivity, we usually observe one of the following scenarios at the Customer:

    1. The customer has implemented a project for pairing and segmenting corporate and technological networks, which provides an integrated approach to providing information security with connected segments. At the moment, the rarest option, but we have met it with several customers.
    2. The customer’s corporate and technological networks are connected according to one of the schemes that are accessible and seemingly fairly secure to IT, IS and ICS services. It can be like connectivity using a firewall, using a router with ACL (Access Control List), and other options up to AWP / access servers with multiple network cards (by the way, one of the very common cases). These schemes are often overlaid with a large number of accesses, including accesses from outside the corporate network - for ATMs installed on the territory of production, remote work of vendors of industrial control systems and other contracting organizations involved. As a result, in fact, these schemes over time begin to transform into the following option:
    3. Just ICS in a common network. It seems unbelievable, but unfortunately this option is also widespread.

    In addition, the effect of the development and mass availability of modern technologies (mobile devices and mobile Internet, USB modems, etc.), which employees actively use for their own purposes, also affects. Starting from operators who want to have Internet access at the workplace, and ending with IT administrators who want to save time traveling to the final facility, located, for example, 20 km from the office.

    The results of the A&C Pententest of company A (excerpt from the report)
    During the work, the auditor gained access to the remote workstation of the user's workstation with the IP address 172.28.XX.YY, on which the following were discovered:

    • The saved settings of VPN connections to segments of the technological infrastructure considered to be isolated (see. Fig.).

    • A file that contained the details of access to the nodes of the technological infrastructure, including the details of access and control of the SCADA systems used by various manufacturers. The file was accessible in the shared network directory to all users of the corporate network without authentication (see. Fig.).


    The use of VPN connections with the saved details allowed the auditor to directly access the network equipment of the technological infrastructure, as well as the equipment at the end sites, using the management interfaces of the corresponding SCADA systems, from the identified workstation.

    We supplement the picture with the above-mentioned problems of using local USB modems. Phones like USB modems. Home routers, home storage servers and other “features” of modern life. And even if the corporate and technological networks are connected in the best way - the first of the scenarios, unfortunately, in fact this does not mean that the situation is really what it should be, and in specific places there is no, for example, own Internet connection or uncontrolled access to corporate network and back.

    As a result, we get a bleak picture of the possibility of an easy penetration of an attacker or malware with communication with C&C inside the ICS. In general terms , it can be formulated as follows: everything that threatens the corporate network actually threatens the technology segments. This in no way means that the technology of protecting the corporate network needs to be transferred to the technological infrastructure and industrial control systems, but you must be aware that the information security risks in the technology segments are no less than those in the corporate ones.

    Problem 2: IS in ICS and IS hygiene


    Technological networks and segments at the same time are significantly different from corporate networks and systems. So, unlike a typical IT system, a typical process control system:

    • It is a real-time system in which response time is critical, and delays and data loss are unacceptable.
    • Along with widespread OS and protocols, specialized and specially developed (proprietary) ones are widely used in it.
    • The life cycle is 10-15-20 years, and for some objects - up to 30 years.
    • Components can be isolated, geographically remote, and physically difficult to access.
    • Rebooting into an automatic process control system may be unacceptable, including it is often impossible to install any updates, etc.

    As a result, at the customer’s final facilities we often observe a situation when some kind of our own development is used (neither the manufacturer nor the support is already left), with a general shift account, the password from which cannot be changed and which coincides with the login (similar to famous admin / admin). If a password can be set at all, after all, we recall that many industrial control systems are more than 10-15 years old.

    The results of the PentA process control system company B (excerpt from the report)
    A study of the technological network diagrams identified by the auditor and methods for pairing them with user segments showed that nodes with IP addresses 10.65.XX.YY, 10.65.XX.ZZ serve as a router between the user and technological networks. Access to these devices is possible via the SSH protocol using the details of the root user account with an easily selected root password. Hosts with the above IP addresses after gaining access to them were identified and turned out to be PSI system controllers (see. Fig.).



    Work on these SSH service devices with the ability to transfer graphic sessions and support for SSH tunnels allowed the auditor to organize traffic tunneling and conduct selective scanning of technological network nodes through the PSI system controllers, a subsequent attack on the password protection subsystem of the technological network and gain access to devices isolated from the user segment.

    In particular, the auditor obtained access to a technological network based on MIKRONIKA equipment, for which Telnet protocol access was used using the details of the root account that does not have a password for remote privileged access to devices (see figure).



    Also, while technological systems for the most part circulate information on technological processes and on control actions, the emphasis is usually on its accessibility and integrity, while the issue of ensuring confidentiality, as a rule, is paid less attention. And this is one of the additional reasons that explain the “delay” in the movement towards ensuring information security in the field of industrial control systems.

    So, we have a virtually insecure system running on outdated and unsupported software with a whole fan of vulnerabilities. Installing updates on such a system is, in most cases, impossible - due to their absence, inability to install, inability to reboot, and other numerous reasons). The conclusion follows:problems and vulnerabilities in technological networks and systems are even higher than in an average corporate network.

    In this case, even in the case of using systems and software supported by the manufacturer, from the production side there is usually a steady resistance to any updates aimed at eliminating security problems. And almost always this rejection extends to any security measures imposed (by the way, it may well be justified if blocking mechanisms are somehow declared and implemented in such means, even if they are not supposed to be used during implementation and future operation).

    It is important to note that customers are aware of most of these problems, including possible actions by local employees. IS risks associated with them are covered by very strict organizational measures and physical security measures: prohibition of carrying into the territory and use of various devices and external media, physical limitation of the possibility of using equipment ports, etc. measures). However, these measures are not able to fully provide reliable protection for process control systems.

    Summarizing the situations and problems described above, the following main points can be noted: regarding the current situation with information security in automated process control systems:

    1. It’s possible to “break everything” in industrial control systems even without complex attacks on systems, protocols and controllers.
    2. The initial risks of information security in a technological network are not only no less, but also significantly higher than in a corporate one.
    3. These risks require their own set of actions and measures, at least taking into account:
      • tremendous criticality and continuity of business processes;
      • the impossibility of updating;
      • the practical inapplicability or inapplicability of traditional information security systems and, in particular, blocking mechanisms.

    But no matter how many limiting factors, it is still necessary to protect ACS TP. In the second part of the article, we will talk about how, given these problems, to carry out full-fledged monitoring and response to cyber attacks. Again, with live examples and cases from customers. Do not miss!

    Read Next