ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets.  For anything other than very small systems, the obvious choice is to implement systems to automate these procedures.  So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc.  These servers are being installed “in the name of” improving cybersecurity but are they really?  These are generally IT-driven projects, so, in most cases these servers are being installed on the business network in the plant or in a corporate data center and “pin-holes” are opened in the firewall to allow these servers to communicate directly to control system servers and devices.  Sometimes, they are installed in the de-militarized zone (DMZ) between the plant business network and the process control network (PCN), which is much better, but still requires additional openings in the firewall between the DMZ and the PCN. 

You may be asking, “Why is this a problem?”  In the process of performing cybersecurity risk assessments or Cyber PHA’s on our clients’ systems, we have discovered that these servers present a very high risk to the organization.  The reason is that they often provide centralized services to hundreds or thousands of control system devices so if they were to be compromised the effects could be far reaching.  In some architectures we have seen, compromise of these servers could instantaneously shutdown every single control system in a corporation, worldwide!  The reason is that these servers, by design, are trusted by the control system devices, which means they have access to them through the firewall and service accounts or other credentials that authorize them to read and write data to these devices.  The irony is that by installing these servers we have made it easier for hackers or malware authors to attack our control systems.  It isn’t hard to imagine the damage that could be caused if one of these servers were to be compromised by a hacker or by specially crafted malware that took advantage of the server’s authorization to write data to control system devices.

So does this mean we have to go back to “sneaker net” to manually install anti-virus signatures, patches, make backups, etc. on our control systems which not only is labor intensive but carries its own risks in terms of human error and potential spread of viruses on the portable media?  No.  What it does mean is that companies need to recognize the risk and apply proper the appropriate cybersecurity countermeasures to protect these servers and the conduits that allow them to communicate with control system devices.  All too often people think that the physical and environmental protection of being in a data center or the cyber protection of being behind a firewall is sufficient.  Based on the cyber risk assessments we have performed I can assure you it is not. 

Please contact us if you’d like our help in performing a Cyber PHA on your system or help in properly protecting your critical servers that provide services to your control systems.