VI Reflections: Industrial Control Systems (ICS) Security

By dgoff

Industrial Control Systems (ICS) generally refer to systems that manage and operate infrastructure like water, power, transportation, manufacturing, and other critical services. As these systems have become increasingly digitized in recent decades, they are often referred to as cyber-physical systems. Cyber-physical systems depend on software, computers, endpoints, and networks which all need to be secured.

For a long time, critical infrastructure was decentralized, proprietary and specialized. Operating Technologies (OT) were separate from the administrative systems, physically isolated or air gapped. Such isolation tended to make the OT relatively safer. But over the years, more commercial-off-the-shelf software has been installed, more links created between the two systems, and more vulnerabilities created In IT systems, the information is the primary focus. In ICS the information is coupled with the physical process, but it’s the physical process that is the primary focus. Attacks are more prevalent that Windows and other COTS systems are being used in ICS. Attacks may deny access or service, get sensitive data, or even put false, malicious commands and code into the ICS. ICS are expected to have lifetimes on the order of twenty years. New technologies are often not compatible with such vintage systems, and interoperability across generations is important.

The ICS infrastructure usually includes a Programmable Logic Controller (PLC) used to control relatively small processes, such as one leg of an assembly line or other process with a few components, from a few up to a few hundred Input/Output (I/O) points each; Supervisory Control And Data Acquisition (SCADA) are multiple PLCs networked together for control of multiple small processes, often including small processes at remote sites; a Distributed Control System (DCS) is used for larger processes, such as a power generation process or other centralized plantwide control, using Distributed Processing Units (DPU) on a dedicated network with each DPU handling thousands of points of I/O. A DCS controls a large and complex process and lives in a hostile environment. SCADA often spreads out over greater distances and across many network types. Other components that round out a complete ICS include Human Machine Interfaces (HMI), Engineering workstations (ENG) and a history or process data archive (HIST).

Software standards generally use the Distributed Network Protocol (DNP3). DNP3 is a comprehensive effort to achieve open, standards-based interoperability between field computers: PLCs, RTUs, IEDs (Intelligent Electronic Devices) and control room computers: HMI, ENG, Servers. It is designed to be more robust, efficient, and self-compatible than older protocols such as Modbus, at the cost of somewhat higher complexity, but it does include security enhancements. The DNP Users Group includes a Cybersecurity Task Force. This protocol is, however, nearly thirty years old.

In recent years, new technologies to provide better management and cybersecurity are beginning to be deployed.  These include several flavors of Artificial Intelligence and Machine Learning. Artificial Intelligence (AI) applies advanced analysis and logic-based techniques, including machine learning, to interpret events, support and automate decisions and take actions.  Causal artificial intelligence (Causal AI) identifies and utilizes cause-and effect relationships to go beyond correlation-based predictive models and toward AI systems that can prescribe actions more effectively and act more autonomously. It includes different techniques, such as causal graphs and simulation, that help uncover causal relationships.  Deep learning is a variant of machine learning algorithms that uses multiple layers to solve problems by extracting knowledge from raw data and transforming it.  These layers incrementally obtain higher-level features from the raw data, allowing the solution of more complex problems with higher accuracy and less manual tuning. Industrial AI* is the application of artificial intelligence in an industrial setting, focused on harnessing real-time data to feed learning processes that can predict, automate and interpret action from large and complex data sets. Generative AI (GenAI) refers to AI techniques that learn a representation of artifacts from data, and use it to generate brand-new, unique artifacts that resemble but don’t repeat the original data. These artifacts can serve benign or nefarious purposes. GenAI can produce such novel content as text, images, video, audio, structures, computer code, synthetic data, workflows, and models of physical objects. Advanced Machine Learning (ML) algorithms such as deep learning, neural networks and natural language processing are used in both unsupervised and supervised learning, that operate guided by lessons from existing information. 

There is hope that these tools can be used to develop advanced methods to prevent, detect, respond to, and mitigate cybersecurity risks in an environment that is already contaminated. FBI Director Christopher Wray on April 18, 2024 warned national security and intelligence experts, as well as students, that risks the government of China poses to U.S. national and economic security are "upon us now"—and that "U.S. critical infrastructure is a prime target." 

Some recent presentations at international conferences on ICS Security and AI include the following:

S. Bhaskar and V. M, "Review on IOMT Security through Distributed Machine Learning," 2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE), Vellore, India, 2024, pp. 1-5, doi: 10.1109/ic-ETITE58242.2024.10493213. 

M. H. Jeridi, T. Azzabi, N. B. Amor and E. Boudabous, "ML Threat Detection with KDD Cup Data," 2023 IEEE International Conference on Advanced Systems and Emergent Technologies (IC_ASET), Hammamet, Tunisia, 2023, pp. 1-5, doi: 10.1109/IC_ASET58101.2023.10151310. 

L. Rivas et al., "Assuring Safe Navigation and Network Operations of Autonomous Ships," 2024 IEEE 14th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2024, pp. 0138-0143, doi: 10.1109/CCWC60891.2024.10427933. 

K. Santhi, M. L. Shri, S. Joshi and G. Sharma, "AI in Defence and Ethical Concerns," 2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE), Vellore, India, 2024, pp. 1-7, doi: 10.1109/ic-ETITE58242.2024.10493592. 

K. Kaviya and R. Bhavani, "Ornamental Portable Battlefield Surveillance using Generative Adversarial Networks," 2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE), Vellore, India, 2024, pp. 1-6, doi: 10.1109/ic-ETITE58242.2024.10493608. 

K. I. Gubbi et al., "Securing AI Hardware: Challenges in Detecting and Mitigating Hardware Trojans in ML Accelerators," 2023 IEEE 66th International Midwest Symposium on Circuits and Systems (MWSCAS), Tempe, AZ, USA, 2023, pp. 821-825, doi: 10.1109/MWSCAS57524.2023.10406065. 

To see previous articles, please visit the VI Reflections Archive.