Today’s industry depends on automated control systems to maximize efficiency and enable flexible production. However, modern cyber attackers understand this dependence and have evolved many techniques to compromise and damage Industrial Control Systems (ICS).

This blog will explore how ICS fits into the cybersecurity landscape. We will learn about the threats ICS systems face, discuss best practices to mitigate cyber threats, and ensure smooth industrial operations.

ICS and OT: Definition

Industrial Control Systems (ICS) and Operational Technology (OT) are critical concepts in modern industry. However, the two approaches are slightly different, and understanding these variations is important when protecting ICS deployments.

Operational technology is a subset of industrial technology that monitors machinery and networks across enterprises. OT checks that production or logistics facilities are running smoothly and safely, including physical efficiency, environmental conditions, and cybersecurity factors.

Industrial Control Systems are a subset of OT that manage processes within industrial settings (including cybersecurity). Components of ICS include:

• Supervisory Control and Data Acquisition (SCADA): Collects data from industrial sensors and delivers this information to centralized security centers.
• Distributed Control Systems (DCS): DCS handles complex industrial settings. For example, companies may integrate monitoring across chemical processing plants or oil refineries. Systems employ distributed sensors to improve efficiency and resiliency.
• Programmable Logic Controllers (PLCs): PLCs govern automated industrial processes. They allow technicians to automate production and monitoring functions, including threat data collection, alerts, and incident responses.

Why is cybersecurity important for ICS?

Industrial control systems are fundamental to modern industry. They control production lines that manufacture essential consumer goods, manage power plants and refineries, and help maintain and extend critical infrastructure.

However, the expansion of ICS systems has brought new cybersecurity risks. Cybercriminals now seek to damage vital industries via targeted cyber-attacks, often focusing on ICS technology to achieve maximum impact. As a result, Industrial Control Systems cybersecurity is becoming critically important.

Think about the risks of not securing the ICS network infrastructure. Cyber threats could damage machinery and compromise the physical safety of employees. For instance, in the 2010s, a malware agent called TRITON hit industrial safety systems across the Middle East.

Even worse, attackers could harm entire populations. One attack documented by Verizon targeted water company logic controllers, aiming to contaminate water supplies with harmful chemicals. The attack failed but remains possible.

In most cases, attackers harm companies financially, not physically. ICS attacks often damage productivity by taking plants and equipment offline. For instance, a 2019 attack against Norsk Hydro facilities eventually cost the company over $50 million.

Given these numbers and the consequences of attacks, securing ICS systems should be a cybersecurity priority for all industrial organizations.

Understanding ICS security risks

Industrial cybersecurity starts with awareness of the risks faced by Industrial Control Systems. As ICS/OT becomes more aligned with IT, manufacturers face many critical risks, many of which are evolving and becoming more severe.

Common ICS vulnerabilities include:

• Use of legacy systems: Industrial organizations are often slow to update software, which lags behind other technology. Unpatched operating systems and firmware invite bad actors to exploit weak spots. This problem is doubled if vendors no longer support legacy systems. In that situation, companies have no one to advise them or supply updates.
• Default settings: Companies often install industrial equipment or IoT devices without changing the default settings. Attackers can quickly access ICS systems via default passwords, compromising an entire industrial environment.
• Lack of encryption: ICS systems rely on commands to operate switches and manage processes. However, cyber attackers accessing this traffic can hijack industrial systems and control production equipment. Encryption solves this problem by making commands unintelligible to outsiders.
• Risks related to remote access: Vendors and IT staff may access critical systems remotely to manage settings and monitor performance. This represents a vulnerability if companies fail to verify connections via robust access control measures.

Who exploits ICS vulnerabilities? Understanding the threat landscape

Many threat actors exploit these common ICS vulnerabilities. For example, companies without robust access controls, segmentation, and authentication are easy targets for insider threats. Insiders can obtain credentials and mount attacks or supply information to malicious outsiders.

However, many attacks originate overseas. So-called nation-state attacks involve state-backed cybercriminals. The US-created Stuxnet worm, which targeted Iranian nuclear facilities, is a great example, but nation-state attacks also emerged from Russia, China, North Korea, and Israel.

Then there are shady criminal collectives. In 2024, ransomware groups hitting ICS targets surged by 60%, and attacks rose by 87%. Industrial targets are attractive because companies can’t afford to lose production time. For instance, Colonial Pipeline paid ransomware attackers $4.4 million in 2021, and smaller payments happen daily.

Finally, third-party accounts can expose companies to supply chain risks without proper vetting and security assessments. If a vendor suffers a cyber-attack, the effects can cascade to factories that use their products.

What happens when ICS attacks occur?

Whatever threat actor is involved, ICS attacks can be devastating. The most obvious consequences are financial. As noted above, attackers may demand huge ransomware payments to unlock systems. However, ICS attack risks extend beyond ransom payments.

On a practical level, ICS attacks disrupt industrial production as SCADA manipulation causes production lines to behave erratically and halt. DDoS attacks overload and damage machinery, potentially raising fire risks.

Critical infrastructure networks become unreliable and require detailed assessment, which can be a headache for utilities like electricity or water providers. These problems are more severe if attackers disrupt monitoring technology by delivering false readings.

Safety systems may break down or produce false alarms. Physical failure can harm employees, customers, and the environment. When that happens, regulatory compliance violations are almost guaranteed, and reputational harm is never far behind.

ICS security best practices

Cyber threats against critical systems are becoming more sophisticated and damaging. Attackers tailor their methods to specific companies and locations. They research legacy systems, industrial architecture, and security measures to detect seemingly minor vulnerabilities.

In this context, all industrial organizations should strengthen their ICS cybersecurity posture. Let’s explore some best practices to achieve this goal.

Network segmentation

Segmenting ICS environments is an essential part of cybersecurity for Industrial Control Systems. This is because network segmentation divides industrial networks into areas with access permissions assigned to specific teams and employees. Security teams can monitor ICS devices and spot suspicious activity, ensuring only authorized users can access configurations or data flows.

Network segmentation can also help restrict the blast radius of successful attacks. It can, for example, prevent malicious malware from spreading in the network. This is especially helpful in mitigating denial-of-service attacks that flood industrial networks with traffic.

Ideally, companies should use cloud firewalls to implement network segmentation. Cloud firewalls enforce access controls to your ICS devices. You can facilitate smooth access for employees with a legitimate reason to change ICS settings and exclude everyone else.

Training employees

Cutting-edge security tools are useless if employees fail to follow security policies. For instance, companies must educate employees about the importance of MFA and password security. Enforce device security policies, allowing only approved work devices to connect to the ICS network.

Additionally, connect phishing risks with ICS attacks. Employees should know how to identify phishing emails and avoid malicious software infections.

Regularly patch and update software

As we discussed earlier, legacy systems are common failure points in cybersecurity for Industrial Control Systems. Companies let control software become obsolete. Businesses must provide regular patches to mitigate exploits and stay ahead of malicious actors.

Multi-factor authentication (MFA)

Robust access controls prevent unauthorized access, even if attackers obtain user names and passwords. Multi-factor authentication (MFA) requires unique one-time credentials in addition to passwords. This helps block untrusted users at the network edge.

MFA is even more effective with strengthened password security. ICS users should regularly change their passwords and use strong, unique passwords (with no reference to personal information).

Password managers can help by providing a simple interface for credentials management. Integrate tools like NordPass with your ICS security measures to enforce password policies consistently and minimize credential theft risks.

Secure Remote Access

ICS is usually a remote technology. Engineers rarely control equipment on-site and depend on connections between external networks and ICS devices. This opens the door to hijacking and credential theft attacks. Virtual Private Networks (VPNs)help solve this problem.

VPNs help secure company data by creating an encrypted connection for employees to access the network remotely. Business VPN ensures that remote access to critical systems is protected, reducing the risk of cyber-attacks.

Harness the latest threat intelligence

Many ICS attacks originate from organized criminal collectives and nation-states. This level of organization makes attacks more powerful, but has a positive side: targets can research active threats and apply proactive security measures.

Leverage threat detection and intelligence to outpace ICS attackers. Solutions like NordStellar actively monitor current threats and detect leaked credentials on the Dark Web. With this knowledge, security teams can detect critical threats and remedy exploits before attacks occur.

What are the differences between ICS and SCADA systems?

Before we finish, it’s important to clarify how ICS and SCADA systems differ. As mentioned earlier, Supervisory Control and Data Acquisition is a monitoring system that collects data from industrial sensors.

SCADA is most commonly associated with distributed industrial settings. For example, oil pipelines need thousands of SCADA sensors to monitor structural integrity, check employee safety, and spot potential leaks.

ICS is an umbrella term referring to systems that monitor and control industrial environments. SCADA is an element of most ICS deployments, but there is more to ICS than data gathering. ICS is a control model. ICS devices analyze and use data to manage industrial processes.

How can NordLayer help secure ICS systems?

ICS cybersecurity is critically important in the modern economy. Power suppliers, manufacturers, logistics companies, and all industrial organizations face severe and growing cybersecurity risks. Expert assistance is often essential, which is where NordLayer can help.

NordLayer’s cybersecurity for manufacturing solutions help mitigate ICS risks and prevent damaging cyber-attacks.

Our access control solutions regulate access to ICS assets, blocking unauthorized actors and allowing seamless employee access. The cloud firewall allows granular network segmentation, shrinking the attack surface. Threat detection tools monitor your network, while our VPN enables safe remote access to all ICS devices.

Advanced security tools make it possible to secure all types of industrial environments. To learn more, contact the NordLayer team today.