Protect your Industrial Control Systems' Safety Instrumented Systems

Published on 25 Mar 2022

Updated on 25 Mar 2022

SingCERT has received information of an ongoing campaign by threat actors targeting Industrial Control Systems (ICS). This is the same campaign as reported by the United States Federal Bureau of Investigation (FBI). The threat actors would typically target the Safety Instrumented Systems (SIS) of an industrial process, which are used to initiate safe shutdown procedures in the event of an emergency. If the SIS fails to initiate its shutdown procedures, potential consequences include damage to a facility, system downtime or even loss of life.

 

This advisory provides some background information about ICS and SIS, as well as recommended measures that operators and owners of ICS systems can take to secure their SIS.

 

What are Industrial Control Systems (ICS)

ICS is a collective term used to describe several types of control systems and associated instrumentation used to control industrial processes such as manufacturing, product handling, production, and distribution. It may also include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, distributed control systems (DCS), and smaller control systems using programmable logic controllers (PLC) to control localised processes. Such systems are extensively used in industries such as chemical processing, power generation and distribution, oil and gas processing, and telecommunications. 

 

What are Safety Instrumented Systems (SIS) and their Importance

SIS are composed of sensors, logic solvers, and final control elements (e.g. valves, relays, actuators) typically present in critical process systems within industrial processes. The purpose of SIS is to ensure that critical/dangerous industrial processes are operating within safe limits and to isolate or shut down any process(es) which breach the aforementioned limits. Examples of SIS include Emergency Shutdown Systems, Emergency Venting systems, Safety Shutdown Systems and High-integrity Pressure Protection systems.

 

Threats to SIS

In recent years, there has been an observable increase in attacks involving ICS systems globally. Such attacks may take the form of malicious software specifically designed to target systems/components of ICS. Examples of such malware include TRITON, Industroyer and Havex. As SIS are essentially fail-safe systems, threat actors will typically need to disable them to attain total control of any process system. 

 

A notable example of an attack on an ICS system is the 2017 TRITON malware attack in Saudi Arabia, where a critical infrastructure’s Schneider Electric Triconex SIS was compromised by the malware, causing the safety controllers to enter ‘fail safe’ mode and shut down the industrial process. As a result, operations in nuclear, oil and gas plants were disrupted. Schneider Electric addressed the vulnerability (in the Tricon model 3008 v10.0-10.4) when version 11.3 of the Tricon controller was released in June 2018. However, older versions of the controller remain in use and are vulnerable to a similar attack. Operators and owners of the affected product are reminded to upgrade to the latest patched version as soon as possible to secure their SIS if a vulnerable version is still being used.

 

An ICS may be vulnerable due to the following factors:

  • Lack of network segmentation (between corporate network and ICS network)
  • Inadequate security policies for the ICS
  • Unsecured remote access to ICS systems/components
  • Use of legacy systems/devices running outdated hardware and software
  • Lack of ICS specific configuration change management (i.e. leading to misconfigured ICS systems)
  • Lack of security awareness amongst employees with access to ICS systems

 

As such, it is important for operators and owners of ICS systems to take proactive steps to strengthen their systems, maintain business continuity plans to minimise essential service interruptions (or safety breaches) and pre-emptively evaluate potential continuity and capability gaps. Operators and owners of ICS systems should maintain the integrity of their SIS to ensure that their industrial processes are operating within safe (or defined) limits.

 

Recommendations to Secure SIS

Owners and operators of ICS systems are advised to consider the following measures to secure their SIS:

  • Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised. Perimeter security between network segments should also be implemented using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches
  • Ensure cybersecurity features in the software/products are enabled based on the manufacturers' security recommendations
  • Upgrade and patch all systems to the latest versions as soon as possible. Any end-of-life software and hardware devices should also be replaced
  • Deploy SIS on isolated networks to make it more difficult for an attacker to infiltrate the network through lateral movement
  • Implement access control and application whitelisting on server or workstation endpoints that can reach the SIS
  • Ensure SIS devices are not left in "program mode" and configure an alarm to sound whenever a device is in that mode
  • Regularly monitor network traffic and logs to detect any anomalous activity
  • Disable unused network and physical ports to prevent unauthorised connection to any network nodes, PLCs or other devices
  • Scan removable devices such as USB drives and CDs before use in SIS workstations
  • Leverage hardware features that provide physical controls of the ability to program safety controllers, which usually take the form of switches controlled by a physical key
  • Ensure robust physical security is in place to prevent unauthorised personnel from accessing controlled spaces that house ICS equipment, including SIS
  • Audit physical keys and implement change management procedures for changes to key position
  • Use a unidirectional gateway (i.e. data diode) instead of bidirectional network connections for applications that require data provided by the SIS
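
The recommendations on "program mode" alarms and on auditing key position changes can be checked automatically against controller event data. The following is an added example, not part of the SingCERT advisory or any vendor tooling: it audits a constructed key-switch event log, and the log format, controller names, ticket identifiers and 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp, controller, key position, change ticket.
# Hypothetical format; real controllers and historians expose this differently.
SAMPLE_EVENTS = """\
2022-03-25T08:00:00 sis-01 RUN -
2022-03-25T09:00:00 sis-01 PROGRAM CHG-1001
2022-03-25T09:20:00 sis-01 RUN -
2022-03-25T22:15:00 sis-02 PROGRAM -
2022-03-25T23:50:00 sis-02 RUN -
2022-03-26T01:00:00 sis-01 PROGRAM CHG-1002
"""

MAX_PROGRAM_WINDOW = timedelta(minutes=30)  # assumed site policy


def audit_key_switch(log_text, now, max_window=MAX_PROGRAM_WINDOW):
    """Return (controller, reason) findings for a key-switch event log."""
    findings = []
    program_since = {}  # controller -> time it entered PROGRAM
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            # Never silently skip a record in a safety audit trail.
            findings.append(("?", "unparseable line"))
            continue
        ts, controller, position, ticket = parts
        when = datetime.fromisoformat(ts)
        if position == "PROGRAM":
            # Every move into PROGRAM must map to a change-management record.
            if ticket == "-":
                findings.append((controller, "PROGRAM without change ticket"))
            program_since.setdefault(controller, when)
        elif controller in program_since:
            entered = program_since.pop(controller)
            if when - entered > max_window:
                findings.append((controller, "PROGRAM window exceeded"))
    # Controllers still in PROGRAM at audit time raise the alarm condition.
    for controller, entered in program_since.items():
        if now - entered > max_window:
            findings.append((controller, "left in PROGRAM"))
    return findings


if __name__ == "__main__":
    for finding in audit_key_switch(SAMPLE_EVENTS, datetime(2022, 3, 26, 2, 0)):
        print(finding)
```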

 

Report any Cybersecurity Incident to SingCERT

If your organisation is a victim of any cybersecurity incident (involving ICS systems or otherwise), report the incident at https://go.gov.sg/singcert-incident-reporting-form

 

References:

https://www.mandiant.com/resources/attackers-deploy-new-ics-attack-framework-triton

https://www.csa.gov.sg/news/publications/ot-cybersecurity-masterplan

https://www.cisa.gov/uscert/ncas/alerts/aa22-083a

https://www.cisa.gov/uscert/ics/advisories/ICSA-18-107-02