third Cyber Security Assessment Netherlands - NCSC
third Cyber Security Assessment Netherlands - NCSC
third Cyber Security Assessment Netherlands - NCSC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
9.6 The resilience of ICS<br />
<strong>Security</strong> of ICS has not had the same attention in recent years as<br />
security in standard IT and is therefore still in its infancy. The ICS<br />
world has its own culture with an often conservative technical set up,<br />
where attention on security is not self-evident. [227] This also includes<br />
human and organisational factors such as insufficient awareness, the<br />
lack of ownership and insufficient direction in terms of security<br />
requirements being given to parties that may be brought in.<br />
However the problem of resilience does not just concern existing<br />
systems. <strong>Security</strong> risks as an integrated element of lifecycle<br />
management also need to be considered when developing new<br />
ICSs. When designing, implementing and managing ICSs, no direct<br />
account is taken of security risks because there is a lack of security<br />
by design. For example, the user’s identity (authentication) and<br />
what this user has access to (authorisation) are not always checked,<br />
because these are not standard functions in ICSs. It is therefore easy<br />
to manipulate controls.<br />
Because ICSs have a long lifecycle (approximately 10-30 years),<br />
legacy system components and operating systems are often still in<br />
use. The problem with this is that at a certain point support from<br />
the manufacturer will be withdrawn. While specific ICS elements<br />
have long-term support, this is often not the case for generic IT<br />
tools. Take for example Windows XP, which is still often used in<br />
ICSs. On 8 April 2014, Microsoft will end support for this operating<br />
system, which means new security leaks will no longer be plugged.<br />
Not always harmful<br />
<strong>Cyber</strong> incidents can happen at various places in ICSs. This also<br />
influences the type and scope of the impact. Manipulating one<br />
element will have consequences beyond manipulating the<br />
various functions of a system. In addition, ‘supporting<br />
measures’ are often put in place to discover manipulation (at<br />
an early stage) and limit its effects. If only the control of a<br />
machine is manipulated, this will not necessarily result in harm.<br />
If the alert function works properly, the operator will be<br />
informed in good time and can intervene. However in addition<br />
to the control, the alarm and visualisation functions may be<br />
tampered with. Imagine a chemical factory where tanks with a<br />
capacity of 100 litres are filled with chemical substances. Filling<br />
normally stops when they are three quarters full. The system is<br />
now manipulated in such a way that filling does not stop, no<br />
alarm is triggered and neither can this be seen on the visualisation<br />
screen. Filling of the tank continues but on the monitor in<br />
the control room there is nothing wrong. The tank overflows<br />
and the room becomes filled with chemical vapours. If<br />
unsuspecting personnel now enter the room, there could be<br />
serious consequences for their health.<br />
ICS providers sometimes give no guarantee that the system will<br />
work correctly following migration to a new operating system, asset<br />
owners are reticent to roll our patches under the motto ‘if it ain’t<br />
broke don’t fix it’. In addition, it is not always possible and/or is very<br />
costly to halt processes to patch the control computers. Finally,<br />
providers do not always see the need to bring out patches for older<br />
components which means vulnerabilities are not resolved.<br />
9.7 In conclusion<br />
CSAN-2 has established that the threats for ICSs have become more<br />
real compared with the period before then. Although no high-profile<br />
incidents came to light during the current reporting period, we<br />
cannot claim that the security status of ICSs has improved. Although<br />
there are certainly some organisations and providers that are<br />
heading in the right direction, the overall picture remains gloomy,<br />
particularly among the end-users and providers of smaller applications.<br />
The situation has remained the same or even worsened, this is<br />
just not immediately apparent. Vulnerabilities continue to increase,<br />
actors are becoming more interested but awareness appears not to<br />
growing in line with this. Measures need to be taken because digital<br />
incidents in vital sectors can have a major impact. «<br />
227 The <strong>NCSC</strong> has published the factsheet ‘Check list security of ICS/SCADA systems’ with<br />
15 points for securing ICSs and preventing incidents: https://www.ncsc.nl/dienstverlening/<br />
expertise-advies/kennisdeling/factsheets/checklist-beveiliging-van-ics-scada-systemen.html<br />
98