The Threat to ICS in Context

Industrial control systems (ICS) are the key infrastructure targets for nation-state attackers and fringe bad actors seeking to compromise or destroy public utilities and manufacturing industry operations. In some cases simple tools such as ransomware are deployed against this industrial infrastructure, but most executives will tell you that it is the more sinister threat against the core infrastructure, where the payment of ransom is not even an option, that causes the most concern.

Unlike banks, financial institutions, healthcare, and many other industries the primary target in manufacturing and utilities may not be customer information or intellectual property. In some cases the primary target is the complete or severe compromise of your ICS infrastructure. In these instances this ICS infrastructure may be used to target personnel and property beyond the bounds of the ICS systems and the processes they control.

The best example of a highly targeted ICS attacks was the targeted attack used in the infamous StuxNet attack. In Stuxnet, the intelligence agencies of complicit nations targeted the centrifuges used by the Iranians to refine weapons grade uranium. Malware infected memory sticks, were targeted and socially engineered for distribution to the engineers, service personnel, and maintenance personnel that had access, even indirectly, to the classified Iranian facilities. Once the software was introduced, it sought out specific ICS components by manufacturer and model, and then injected code that modified operations.

The overall damage to the Iranian facility was catastrophic. Can you visualize hundreds of centrifuges spinning out of control, with the resultant rupture or spill from the tubes holding the radioactive material. Imagine the most dangerous plutonium isotopes being flung in all directions from hundreds of devices. How long would such a radioactive clean-up take? A true disaster of biblical proportions for the Iranians, and all cleverly engineered by a single cyber attack.

Stepping back, imagine the horror and loss of life introduced by the chemical leak industrial disaster in Bhopal India years ago. Now imagine a motivated political actor, terrorist, or malevolent nation-state that seeks to create an engineered disaster to harm people, and destroy infrastructure on a broad scale.

The Three Great Myths

Myth #1 – Industrial control systems components and the cybersecurity controls that protect them can be updated and deployed like any other network. The electrical and mechanical engineers that design, deploy, and operate these systems will tell you that industrial control systems are not remotely like other networks. It is a fact that most of the best operated ICS systems in the world have more vulnerabilities and more components in need of update than in other industries. This is done by design and is intentional and necessary.

It takes months and often years for ICS lines to reach maturity such that the quality of production is high, and the frequency of adjustments and downtime failure is low. Most ICS executives know that there is more risk to the business in touching anything that affects the stability of the manufacturing or control processes. Stability and reliability of the physical plant operations is top-of-mind for them. For this reason most ICS system managers are very slow to introduce new product and software updates to embedded systems and processors. ICS system managers are also very concerned about the danger of constant systems update and cybersecurity control software update to the overall stability of ICS operations. Stability is key to reduction of risk and this risk is perceived as greater than that of cybersecurity threats.

Finally, it is to be expected that ICS systems will always have a large number of open vulnerabilities and older unpatched software versions. The strategy to protect this infrastructure must take this into account and not expect change in behavior by ICS management and team personnel.

Myth #2 – Industrial control systems can be protected by the use of an air-gap and isolation. It is almost impossible to isolate systems using an air-gap. Even the most sensitive “completely isolated” nuclear plant process control operations have been documented as compromised by a virus or off-the-shelf malware on occasion.

How? Trusted vendor personnel, maintenance technicians, or senior managers that show up on-site and plug-in laptops are often the source of compromise. Despite operating procedures to the contrary, most executives in the major industrial and manufacturing facilities can link directly to ICS networks and connect to these restricted networks from their laptops.

I personally witnessed the head of a major plant for a global soft drink producer tell us how his network was totally isolated, and then watched him plug in his laptop, which was still on the corporate network, to show us operating statistics. More frightening … don’t forget the example of Stuxnet cited earlier. If a Stuxnet can be engineered, so can attack on your chemical processing facility.

Myth #3 – The standard corporate network cybersecurity software controls will protect my ICS networks. Nothing could be further from the truth. ICS networks are replete with a very high concentration of internet of things (IoT) devices, and specialized boards and modules which contain embedded processors and customized operations systems. Most of this will not be visible to standard cybersecurity security controls. If you cannot see the devices, and have no real visibility, how can you tell if they are compromised? The large number of IoT devices alone render high vulnerability to ICS networks.

ICS networks also often control some number of out-of-date Windows and Linux operating systems, and a bunch of other specialized operating systems and controllers. These out-of-date operating systems, and the hardware components and embedded processors that go with them, are out of synchronization with the latest corporate network cybersecurity controls.

Often the mismatch in revision levels make it impossible to for the security controls to work correctly, and leave many open vulnerabilities open to network intruders.

Deception Technology was Designed for ICS Networks

Deception technology was designed to intercept the movement of cyberattackers and their tools within the widest variability of network components, IoT devices, servers, embedded processors, and specialized operating systems. Deception technology is deployed amongst and between all of these components using a virtual mix of decoys. As attackers utilize command and control, or more likely, in ICS networks their autonomous malware navigates for automated propagation, it is highly certain that they will touch at least one of the decoys. Immediately the attackers are detected and a high confidence alert is issued.

For these reasons deception technology has the highest efficacy and efficiency of operations in networks with the most challenging mix of technologies. Not only in ICS, but large volumes of embedded processors and IoT are often found in healthcare network and medical devices where deception technology brings the same accuracy, speed of detection, and visibility to otherwise hidden attacks.

Deception technology can detect malicious activity very quickly within ICS networks – more quickly than other technologies. Deception technology is decisive and accurate. Deception technology can alert on both known, and unknown ICS attacks to provide confident and rapid detection. Deception provides the missing visibility to all network movement and rapidly identifies both malicious and anomalous behavior.

Not all malicious behavior within ICS networks stands out as anomalous. Not all anomalous behavior within ICS networks is necessarily malicious. Deception technology focuses attention on those instances of behavior that are clearly in violation of process and immediately identifies these threats present within your ICS network, and the IOT devices, embedded processors, and specialized devices they contain at virtually 100% certainty.

Nat Natraj
Co-Founder & President, Acalvio

Deception technology at its very core is highly flexible. This is important to map to the complex and heavily customized deployments found within ICS networks. Deception decoys are easy to configure and distributed. Deception technology will find cyberattacks ongoing even in multiple locations, and then generate the alerts so that they can be promptly shut down.

Acalvio ShadowPlex Deception Technology – Made for ICS Protection

Acalvio ShadowPlex was made for the detection of ICS targeted threats. Acalvio’s ShadowPlex Acalvio ShadowPlex technology is not conditional, nor probabilistic. The detection is absolute and 100% certain. Deception technology provides virtually flawless detection to ensure that threats are rapidly identified, and then rapidly shut down. Speed and accuracy combine to meet and defeat ransomware threats.

Acalvio deception technology is optimized and well architected to protect industrial control system infrastructure against many of the most sophisticated threats. If you want to know more about how Acalvio ShadowPlex can protect your manufacturing and process control infrastructure, please review our resource page here: or contact us for a free trial.

We’d be pleased to introduce you to our latest technology and share confidential information about customers that have used Acalvio ShadowPlex to protect the most sensitive and vulnerable industrial control systems.