ICS: Protecting Critical Infrastructure Systems
As the world grows increasingly interconnected, the security of Industrial Control Systems (ICS) has become paramount, particularly in critical infrastructure sectors like manufacturing, energy, and utilities. These systems, once isolated and operated on proprietary networks, now integrate more deeply with advanced IT technologies, bringing significant efficiencies but also new vulnerabilities.

Evolution of ICS and emerging challenges
This article explores the challenges and evolution in ICS security, highlighting the shift from isolated systems to interconnected networks vulnerable to sophisticated cyber threats. It underscores the necessity of robust cybersecurity measures, discusses the impact of major cyber incidents, and introduces strategic frameworks and controls aimed at enhancing the resilience of these essential systems.
Securing and supporting Industrial Control Systems (ICS) has been a long-standing challenge for many organizations. In the early days of ICS technology, components like Programmable Logic Controllers (PLCs), sensors, and field devices were blissfully unaware of IT infrastructure and ran on proprietary networks and “busses” like Profibus, Modbus, Genius Bus, DeviceNet and ControlNet (FactoryTalk) from suppliers such as Siemens, GE, Rockwell and others. Much of the logic lived in the PLC, and early terminal-based factory management systems like Dextralog emerged in the 1970s.
In the 1980s, the explosion of the PC and MicroServer market was a tipping point. It led to a major change in ICS with a move to PC-based Human Machine Interfaces (HMIs), and server-based Supervisory Control and Data Acquisition (SCADA) systems, and subsequently Manufacturing Execution Systems (MES) which became part of the 4th industrial revolution.
The PLC of course gained more CPU, and Ethernet gateways were added to the bus technology; nevertheless the humble PLC still simply executed its basic instruction set without any transaction authentication (not to be confused with local PLC login). We unknowingly walked into a perfect storm, not unlike the epidemics humankind saw as it colonized the world: the physical and logical borders that had naturally separated IT and OT in the early days no longer protected us. Remember also that the OT lifecycle is more than twenty years, while the IT lifecycle is five to seven years at most, so change was inevitable.
Technological shifts and security implications
Operational Technology was being controlled by IT Technology, and upstream ERP systems drove factory planning and recipe information, and financial controllers, markets, operations, and a myriad of others wanted to visualize and consume data from these OT systems. Along came wireless handheld devices like Radio Data Terminals, and even industrial tablets, so the OT environment had become mobile as well.
While all of this was happening, manufacturers of these automation systems were extremely slow to certify their products on newer technologies, as open-source and commercial operating systems advanced rapidly on both full and delta release cycles. Users of the technology found themselves dealing with conflicting objectives: their systems were validated by regulators and licensed, which made any change nearly impossible without re-validation. Manufacturers simply failed to keep up and certify their products on delta or new releases of the platform families they supported. Not surprisingly, IT and OT support staff had to manage this dilemma, which in practice meant that vulnerabilities went unpatched and organizations relied more and more on the fragile control of “air gaps,” i.e., the physical separation between the Enterprise and OT. It was idealistic but, in truth, a fallacy. The challenges were not just product integrity and critical control points, but safety systems as well. The first and most famous state-sponsored attack, Stuxnet, destroyed numerous centrifuges in Iran's Natanz uranium enrichment facility by defeating their maximum RPM thresholds and causing them to burn themselves out.

While turnstiles and swipe cards initially served as effective physical barriers to secure sensitive areas, the rapid evolution of technology has complicated their efficacy. The sophistication of integrated systems, especially with the rise of the Internet of Things (IoT), now generates vast quantities of real-time data. This complexity, paired with the logistical and financial impracticalities of on-site support—where waiting for an engineer to travel internationally for diagnostics and repairs is no longer viable—has pushed many organizations to adopt more agile, cloud-based solutions. Additionally, as Enterprise Resource Planning (ERP) systems migrated to the cloud and mobile devices began delivering personalized, real-time data, traditional physical security measures became inadequate. These developments led to a natural but critical shift in how organizations approach the security of their operational technologies.
As industrial systems became increasingly digitized, the traditional physical separation between Information Technology (IT) and Operational Technology (OT) networks—known as the air gap—transformed into a virtual concept. Advanced network technologies such as Virtual Local Area Networks (VLANs), Virtual Routing and Forwarding (VRF), and firewalls were implemented to create segmented and controlled network access. Additionally, Privileged Access Management tools built on jump box technology, alongside APIs, middleware, and message brokers like MQ, were integrated to enhance security controls. However, these measures also coincided with increased risks from insiders equipped with portable devices like smartphones, tablets, and wearables featuring connectivity options such as Wi-Fi, Bluetooth, and NFC—all requiring USB connections for charging. This blend of convenience and connectivity presented new vulnerabilities, complicating the security landscape significantly.
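Two points above fit together in practice: the PLC executes whatever write it receives with no transaction authentication, so the compensating control is network-level, and the jump box is the one host that should ever be issuing writes. The following is an added example (not from this article or any vendor) of the kind of passive check a defender can run over captured Modbus/TCP traffic: it parses the MBAP header and function code and alerts on any state-changing write that did not originate from the authorized jump host. The source addresses, the allow list and the sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (from the Modbus spec).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code and start address.

    Layout (big-endian): transaction id (2), protocol id (2, always 0),
    length (2, bytes following the length field), unit id (1),
    function code (1), start address (2).
    """
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header + address")
    tid, pid, length, uid, fc, addr = struct.unpack(">HHHBBH", frame[:10])
    if pid != 0:
        raise ValueError(f"unexpected Modbus protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, fc, addr)


def audit_writes(observed, authorized_writers):
    """Return an alert line for every write request not sent by an authorized host.

    observed: iterable of (source_ip, raw_frame) pairs, e.g. from a span port.
    authorized_writers: set of IPs allowed to change PLC state (the jump box).
    """
    alerts = []
    for src_ip, frame in observed:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in authorized_writers:
            alerts.append(
                f"{src_ip} -> unit {req.unit_id}: "
                f"{WRITE_FUNCTION_CODES[req.function_code]} at address {req.address} "
                f"(tid {req.transaction_id})"
            )
    return alerts


# Constructed sample traffic: (source IP, Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    # HMI reading 10 holding registers from address 0: benign.
    ("10.20.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))),
    # Jump box writing one register: authorized change.
    ("10.20.0.5", bytes.fromhex("0002 0000 0006 01 06 0010 1234".replace(" ", ""))),
    # Enterprise workstation writing a coil: should never happen.
    ("10.1.50.77", bytes.fromhex("0003 0000 0006 01 05 0001 FF00".replace(" ", ""))),
    # Same workstation writing two registers: should never happen.
    ("10.1.50.77", bytes.fromhex("0004 0000 000B 01 10 0020 0002 04 0001 0002".replace(" ", ""))),
]

# Constructed allow list: only the jump box may write to the PLC.
AUTHORIZED_WRITERS = {"10.20.0.5"}


def run_audit():
    """Run the audit over the constructed sample and return the alert lines."""
    return audit_writes(SAMPLE_TRAFFIC, AUTHORIZED_WRITERS)


if __name__ == "__main__":
    for line in run_audit():
        print("ALERT:", line)
```

The check is deliberately passive: it reads a copy of the traffic rather than sitting inline, so a bug in the monitor cannot stall the control loop. It also illustrates why the allow list must be enforced at the firewall or VRF boundary as well, since the PLC itself will accept the unauthorized write just as readily as the authorized one.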
