Hold on … hasn’t CISA since its birth, and DHS before that, recommended securing ICS? No, not really. The recommendations have been to keep the attackers out, perform cyber hygiene, and detect attacks, but they have rarely recommended that the monitoring and control of the physical process itself be secured.

The best example of this is the recent INCONTROLLER / PIPEDREAM malware and CISA’s related Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. The pull quote:

“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.”

This is because the PLCs, controllers and other Level 1 devices, as well as the ICS protocols, are insecure by design. Access to OT equals compromise; the only limit on what an attacker can do is their engineering and automation skill and their understanding of the I/O and physical process implementation, not their security or hacking skills.

This has been known for 20+ years, and was vividly demonstrated 10 years ago in Project Basecamp. The community and society have been lucky that we haven’t often seen this intentional and continuing design decision exploited by an extensible attack platform.

What has been missing for 20 years is the entity with the biggest megaphone, the US Government now in the form of CISA, saying that we need basic source and data authentication and authorization in Level 1 devices and ICS protocols. The CISA Alert fails to say this. Instead they suggest some useful, and some less useful, cyber hygiene tasks to 1) reduce the likelihood of an attacker getting that initial access into the OT environment, and 2) increase the chances of the attack being detected after compromise.

Again, the Alert never addresses the core weakness: the ICS targets lack the most basic security controls. You don’t need to hack them. Just send them legitimate, documented commands. Reading the manual is PLC and process hacking.
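To make concrete what “legitimate, documented commands” against an unauthenticated protocol looks like from a defender’s chair, here is an added Python example (not from this post, CISA, or any vendor): it parses Modbus/TCP requests and flags state-changing function codes from hosts outside an allowlist of engineering stations. The frames, IP addresses and allowlist are constructed; the point to notice is that the MBAP header has no field a monitor could authenticate, so source IP is the only (spoofable) signal available, which is exactly the gap the post describes.

```python
import struct

# Modbus/TCP function codes that change controller state (standard codes).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request.

    The header carries transaction id, protocol id, length and unit id.
    There is no field saying who sent the request or proving it is genuine.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}


def flag_unauthorized_writes(frames, allowed_writers):
    """Return (src_ip, unit_id, description) for writes from non-allowlisted hosts.

    This is detection only: a valid write frame from an attacker is byte-for-byte
    identical to one from the engineering workstation.
    """
    alerts = []
    for src_ip, frame in frames:
        req = parse_modbus_tcp(frame)
        fc = req["function"]
        if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append((src_ip, req["unit_id"], WRITE_FUNCTION_CODES[fc]))
    return alerts


# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
SAMPLE_FRAMES = [
    # FC 3 Read Holding Registers from the HMI: start 0, count 10
    ("10.0.1.10", bytes.fromhex("0001000000060103" "0000000a")),
    # FC 6 Write Single Register from the engineering workstation: reg 0x10 = 100
    ("10.0.1.20", bytes.fromhex("0002000000060106" "00100064")),
    # FC 5 Write Single Coil from an unknown host: coil 1 = ON
    ("10.0.9.77", bytes.fromhex("0003000000060105" "0001ff00")),
]
ENGINEERING_STATIONS = {"10.0.1.20"}  # constructed allowlist
```

Running `flag_unauthorized_writes(SAMPLE_FRAMES, ENGINEERING_STATIONS)` reports only the coil write from 10.0.9.77; re-sending the very same bytes from an allowlisted address produces no alert, which is why the post argues for authentication in the protocol rather than relying on hygiene and monitoring alone.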

The missing bullet in the CISA Alert’s Mitigations is:

  • Develop and deploy a strategy to upgrade to secure ICS protocols and upgrade insecure legacy PLCs, controllers and other Level 1 devices.

One could be sympathetic to the view that a strategy that may take 1-3 years of focused attention is too long-term to be included in an Alert mitigation, and that Alert recommendations should focus on immediate actions. If this is the case, we should see this fundamental security problem prominently addressed in other CISA and US Government documents. Let’s look.

CISA Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives

Yes, it is mentioned in this document. Given this is the preeminent document according to CISA Director Jen Easterly, this is a positive sign. Specifically, it’s addressed in the System and Data Integrity, Availability, and Confidentiality section with this bulleted text:

Ensure that data in transit is protected against unauthorized access or manipulation.

Sample Evidence of Implementation: Organization requires all control system data transmissions employ end-to-end encryption using transport layer security (TLS) to protect data in transit; legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement.

I put the key part at the end in bold. This is the first time I’ve seen the US Government recommend that asset owners upgrade or replace Level 1 to get past insecure by design. Hooray! Now, it is one of many objectives and is buried a bit deep. And there is serious debate on whether wrap-it-in-TLS is really the best way to meet the integrity, rather than confidentiality, needs in ICS. Whether it is wise or not, Modbus Secure, CIP Secure and other ICS protocol efforts show that the wrap-it-in-TLS approach is carrying the day.

An opportunity was missed with INCONTROLLER / PIPEDREAM to highlight “legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement.” It would have been great to hear on 60 Minutes that every CEO with a control system should be asking their CISO or VP Operations what the plan is to upgrade the ICS components that lack basic security.

This also makes me wish I pushed Director Easterly harder on the metrics question on the S4x22 Main Stage.

Without CISA highlighting and pushing this issue, that we actually have to secure the ICS itself, this will be an easy goal to set aside, as it has been for two decades already, even though leaving it unaddressed makes many of the other security goals inside the OT network of little value. To use CISA’s own words, “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.”

CISA Securing Industrial Control Systems

Maybe … There is a bullet/goal that new OT products be secure by design. Later in the text the SCADA Apologist appears: “traditional ICS can have 30-year lifecycles …” It’s a very broad, vision-type document that could be read any way you like. It does not throw down the gauntlet and say that legacy equipment needs to be upgraded or replaced.

CISA Recommended Cybersecurity Practices for Industrial Control Systems

No … not mentioned in the two-page infographic.

No … Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. They highlight the PLC security deficiency on Page 26, but they don’t recommend that it be addressed.

If you are an optimist, you can feel good about “legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement” in the Performance Goals. Someone with authority finally said it, rather than falling back on how this is hard and will take decades. If this had been said and meant two decades ago we could say we are securing ICS.

If you are a pessimist, it is one goal amongst many and hasn’t been highlighted. Cyber hygiene, especially patching, and monitoring are where the mindshare and communication effort are going. INCONTROLLER/PIPEDREAM provided a powerful opportunity to push the point that we actually need to secure the communications and devices that monitor and control this critical infrastructure. For whatever reason, CISA was silent on how this demonstrates the need to “upgrade or replace” insecure by design systems.

For better or worse, CISA has the biggest megaphone in the US and arguably the world. CISA not pushing that the root cause of the ICS security problem finally be addressed, 20 years late, means that only the enlightened few will pursue securing ICS in the near future.