Industrial cybersecurity: people, processes and technologies
Industrial cybersecurity is not a technological problem to be solved, but a process of continuous awareness and adaptation.
The increasing digitalisation of industrial control and automation systems is resulting in greater than ever integration (especially with IT systems) and volumes of data. The adoption of open standards has been necessary to provide the integration to make these changes possible.
Of course the dark side of this trend is increasing vulnerability to cyber attack. Greater integration and open standards make it much easier for attackers to access systems and cause havoc. Much has been published already about the increase in cyber attacks in recent years, so I will not labour that point here, but the reality today is that industrial systems face professionally implemented attacks. The changed threat situation this presents demands a fundamental rethink of information security, access protection and the whole process of establishing industrial security.
As those in the IT industry have well known for years, attackers are always upgrading their arsenal, and constant change in the threat landscape is the normal state of affairs — system security (whether it is IT or OT) is an ongoing process, and never an end goal.
It is however possible — with the right methodologies — to establish an effective defence. The first concept that must be understood is that “100% secure” is an unrealistic concept and is therefore out of the question: the art of effective cybersecurity is in understanding the possible threats and mitigating the risks they pose. Bringing risk under control in this way requires a comprehensive security plan that promotes strong cooperation between the various parties involved — whether they be internal IT and OT staff, or system integrators, machine builders or other equipment and automation vendors.
The solution to the issue of cybersecurity risk mitigation is first and foremost a ‘people and procedures problem’ before it is a technical one. Any partner or vendor that offers to help your organisation with only a technical solution should be treated with suspicion: while their solution may be good for some (or even all) technical aspects of security protection at the time it is offered, any idea that this can be the total solution over time is false. No matter how good a technical solution may be, it will not remain so over time as the threat landscape evolves, and if the people and procedures aspect is not in place, it can actually become more of a burden and a threat in itself. Why? Because it can result in complacency.
This point cannot be stressed enough: cybersecurity is not a problem that needs a solution — it is a process.
Organisational and technical measures must be coordinated holistically in a way that relies on people, processes and technologies working together.
The defence-in-depth concept
Much has been said in the literature about the concept of ‘defence in depth’ in accordance with the recommendations set out in IEC 62443, the leading standard for security in industrial automation.
The plant security, network security and system integrity elements are all key factors that need to be considered, including physical access protection and organisational measures such as procedures and processes in addition to the technology-specific technical measures.
It doesn’t matter how effective the computing, networking and device or plant level technical security is if it can be circumvented by physical intrusion. Plant physical security, while it has always been important for the safety and physical protection of the plant, should also be seen as an important aspect of cybersecurity.
Plant security measures include physical access protection, such as barriers, turnstiles, cameras and card readers. Organisational measures take the form of a physical security management process.
Physical access protection
Physical access protection involves:
- preventing unauthorised persons from entering the plant,
- the physical separation of different production areas with different access authorisations,
- physical access protection for critical automation components.
In some cases, physical access protection measures may reduce the level of complexity of technical security measures required, but only if the physically protected equipment is not also networked into the larger operational or IT system. In this case, the physical security is acting to prevent technical measures from being circumvented.
Organisational security measures must be tightly coordinated with technical measures, as the effectiveness of each depends on the effectiveness of the other.
Organisational measures include the establishment of a security management process. The first step in determining which measures are likely to be required in a given situation is to analyse the specific risks that exist and identify which cannot be tolerated — this is known as a threat-risk assessment (TRA). The significance of an identified risk in this connection depends on the damage associated with such an event occurring (depending on the specifics of the plant) as well as its probability of occurrence. Failure to conduct a proper TRA and ascertain security objectives is tantamount to ‘flying blind’ — not correctly identifying the real risks and their probabilities specific to the plant and organisation can result in the spending of money and resources on ineffective measures, not identifying the appropriate cybersecurity measures, or wasting money and resources on risks that don’t need mitigating.
The TRA helps the organisation decide where best to utilise its resources and with what priority. As the situation will inevitably change over time, the TRA must be repeated from time to time or after material changes just in case the threat situation or underlying factors have altered.
The TRA brings transparency to the security status of a plant and identifies weaknesses, thus providing a basis on which a comprehensive cybersecurity plan can be developed along with a roadmap to how the security status of a plant can be raised to a higher level.
Engaging external services
Steps such as undertaking a TRA (while similar in methodology to a plant safety assessment) are often tasks that the organisation may not have the resources to perform, at least initially. There is still a lack of skilled industrial cybersecurity staff in industry, and the organisation may not have the staff or resources to dedicate to the necessary training in the initial stages.
Many process and factory automation vendor organisations are now offering such services on a consulting basis, and there are also organisations specialising in this field. If your organisation has a good relationship with a trusted vendor, then taking advantage of their services to assist in establishing a cybersecurity plan may be the most effective way to get started.
Implementation and training
The next step is to implement the measures proposed to close the gaps identified. Resources encompassing both hardware and software solutions are available for this purpose. And in the end it must not be forgotten that security solutions can only work properly if employees have been educated and trained accordingly. Employee awareness and understanding should be promoted continuously through effective and ongoing training, much in the way that safety training is achieved.
Network security is a core element of achieving industrial cybersecurity, and involves the protection of automation networks against unauthorised access and the control of all interfaces to other networks (such as the business network and, in particular, the internet). It also involves protecting communications against interception and manipulation.
Securing interfaces to other networks
Interfaces to other networks can be monitored and protected using firewalls and, where appropriate, by setting up a demilitarised zone (DMZ). A DMZ is a network in which technical security mechanisms protect access to all data, devices, servers and services. The systems installed within the DMZ are shielded from other networks by firewalls that control access. This separation makes it possible to provide data from internal networks (for example, the automation network) on external networks without having to admit direct access to the automation network. A DMZ is typically designed so that it also does not permit access or connections to the automation network, which means that the automation network remains protected even if a hacker gains control of a computer inside the DMZ.
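The DMZ property described above can be checked mechanically. The following is an added example, not part of the original article: it evaluates a first-match, default-deny rule table and reports any path by which a connection into the automation zone would be accepted. The zone names, ports and both rule sets are constructed for illustration.

```python
from dataclasses import dataclass

ZONES = ("internet", "business", "dmz", "automation")  # assumed zone names
PORTS = (443, 502, 4840)  # HTTPS, Modbus/TCP, OPC UA

@dataclass(frozen=True)
class Rule:
    src: str     # source zone, or "*" for any
    dst: str     # destination zone, or "*" for any
    port: int    # destination TCP port, or 0 for any
    allow: bool

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src in (src, "*") and r.dst in (dst, "*") and r.port in (port, 0):
            return r.allow
    return False

def inbound_to_automation(rules, ports=PORTS):
    """List every (source zone, port) from which a connection into the
    automation zone is accepted under the effective policy."""
    return [(src, p)
            for src in ZONES if src != "automation"
            for p in ports
            if decide(rules, src, "automation", p)]

# Constructed policy: data leaves the plant only by being pushed to the DMZ.
GOOD = [
    Rule("automation", "dmz", 443, True),  # plant pushes data to a DMZ server
    Rule("business", "dmz", 443, True),    # office systems read from the DMZ
    Rule("*", "*", 0, False),              # explicit default deny
]

# Constructed policy with a wildcard destination that was meant for the
# business network but also opens a path from the DMZ into the plant.
WEAK = [
    Rule("automation", "dmz", 443, True),
    Rule("business", "dmz", 443, True),
    Rule("dmz", "*", 4840, True),
    Rule("*", "*", 0, False),
]

if __name__ == "__main__":
    print("GOOD:", inbound_to_automation(GOOD))
    print("WEAK:", inbound_to_automation(WEAK))
```

Auditing the effective decision for every zone pair, rather than reading the rules one by one, is what exposes the wildcard rule.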
Network segmentation and cell protection
The segmentation of the plant network to create discrete automation cells protected by technical security mechanisms helps to minimise risk further and increase security.
Network segmentation involves protecting elements of a network, such as an IP subnet, with a security device that separates them from the rest of the network. The devices within a segmented cell are protected against unauthorised access from outside without need of any compromise in terms of real-time capability, performance or other functions.
Of course data must also move in and out of the work cells. Data transmission to and from the cells can be controlled via the firewall device protecting the cell, permitting only allowed data communication to and from nodes external to the cell, and encryption can be employed to protect against unauthorised data monitoring/collection and manipulation.
Secure remote access
It is becoming increasingly common to connect plants directly to the internet and to link up remote sites via mobile networks. This is normally done to enable remote maintenance, to use remote applications and to facilitate monitoring of machines installed at sites external to the main plant, or at multiple plants.
The problem with such remote access via public networks is that hackers can find unsecured access points easily and inexpensively using search engines, port scanners or automated scripts. It is therefore very important to ensure that communication nodes are authenticated, data transmission is encrypted and data integrity is protected, especially in the case of critical infrastructure plants.
VPNs (virtual private networks) provide the security functions required, such as authentication, encryption and integrity protection and have proven to be particularly effective in securing communications provided they are correctly set up and monitored.
Remote access management platforms
Because industrial plants are often widely distributed, sometimes even spread across different countries, public infrastructure may be the only cost-effective way to access plants and machines. Where a large number of VPN systems are required to be managed, one option is to use a secure remote management platform to manage these connections and secure, authenticate and authorise all communications.
Such platforms are commonly offered by automation vendors and also give the vendor a way to provide secure remote support and maintenance of the plant technology, which better supports predictive maintenance services. They also enable OEMs, for example, to definitively identify a large number of similar machines in use with different customers and address them for remote maintenance.
Authorisation versus authentication
The concept of defence-in-depth also involves setting up multiple obstacles for would-be attackers to overcome. The principal concept here is the difference between authentication and authorisation: any actor that needs to act on an end object in a secure system must first be authenticated (identified) and then authorised to act on an end object in a particular way. Specifically:
- Authentication is the process of determining that the actor (person, device or process) is known to the system and permitted to access it. The actor must be uniquely identified, and there may be multiple methods of doing so. We are all familiar with this from our banking transactions: passwords, PINs and tokens for example.
- Authorisation is the process whereby the authenticated user or process is associated with what objects (devices and functions) it can access and in what way. For example, being only able to access particular devices, particular tags, and only read or read and modify (write).
Managing many authorisations can be complex, and complex security management is prone to human error and security holes going undetected. It is therefore best practice to establish a system of graded access rights or categories of rights, and to define roles that each encompass a particular category of authorisations. Users or groups of users are then assigned these roles and thereby receive the corresponding access rights. This reduces complexity by not needing to assign rights to users specifically, and allows for easy and secure changes when staff change, for example.
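The two steps and the role indirection described above, as an added example that is not part of the original article. The class, role names, device, tag and passwords are all constructed for illustration; rights are (device, tag, mode) triples attached to roles, never to users directly.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControl:
    def __init__(self, role_rights):
        self.role_rights = role_rights  # role -> set of (device, tag, mode)
        self.credentials = {}           # user -> (salt, password hash)
        self.user_roles = {}            # user -> set of role names

    def add_user(self, user, password, roles):
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash(password, salt))
        self.user_roles[user] = set(roles)

    def authenticate(self, user, password):
        """Step 1: is this actor known to the system?"""
        salt, stored = self.credentials.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def authorise(self, user, device, tag, mode):
        """Step 2: does any role held by the actor grant this access?"""
        return any((device, tag, mode) in self.role_rights.get(role, ())
                   for role in self.user_roles.get(user, ()))

    def request(self, user, password, device, tag, mode):
        if not self.authenticate(user, password):
            return "denied: not authenticated"
        if not self.authorise(user, device, tag, mode):
            return "denied: not authorised"
        return "granted"

def build_demo():
    """Constructed plant: operators may read a setpoint, engineers may also write it."""
    ac = AccessControl({
        "operator": {("plc-mixer", "speed", "read")},
        "engineer": {("plc-mixer", "speed", "read"),
                     ("plc-mixer", "speed", "write")},
    })
    ac.add_user("alice", "constructed-pw-1", ["engineer"])
    ac.add_user("bob", "constructed-pw-2", ["operator"])
    return ac
```

A staff change is a single edit to `user_roles`; the rights table itself is untouched.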
The features and facilities for managing authentication, authorisation and roles should be an important consideration when evaluating control systems and security software or devices. Needless complexity (or a lack of role-based management features) can in itself raise security risk.
The third pillar of a balanced security concept is system integrity. The systems whose integrity is to be protected in this context comprise control components and automation, SCADA and HMI systems. These require protection against unauthorised access and malware or have to meet special requirements in areas such as the protection of expertise.
Protection of PC-based systems in the plant network
PC systems used in the office setting are typically protected against malicious software and have any weaknesses detected in their operating system or application software rectified by the installation of updates or patches.
Equivalent protective measures are also required for industrial PCs and PC-based control systems. Protective mechanisms familiar from the office environment, such as antivirus software, can also be used in industrial settings in principle, although it is essential to ensure that they have no adverse impact on the automation task. The problem with patching and updating these systems, however, is that such procedures are often intrusive and may require reboots. Each patch should also be tested to make sure it will not affect the automation processes that run the device.
The extra work and potential downtime that may result from patching PC-based automation equipment means that many organisations cannot keep them up to date in the same way that they can for the IT systems (which are inherently more tolerant of downtime).
One option for mitigating the risk from unpatched PC systems is whitelisting solutions. Whitelisting involves the creation of approved lists in which the user explicitly specifies those processes and programs that are permitted to run on the computer. Any attempt by a user or malware package to install a new program is then denied, preventing the associated damage.
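A minimal sketch of the approved-list idea, as an added example that is not part of the original article and does not represent any particular whitelisting product. It keys the list on the SHA-256 digest of file content rather than on the file name, so a program that keeps an approved name but has been altered is still refused; file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Digest of the file content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(approved_paths):
    """Record the digest of each approved program, e.g. at commissioning."""
    return {sha256_of(p) for p in approved_paths}

def may_run(path, allowlist):
    """Default deny: only content whose digest is on the list may run."""
    return sha256_of(path) in allowlist

def demo():
    """Run three constructed cases against a one-entry approved list."""
    with tempfile.TemporaryDirectory() as d:
        hmi = Path(d, "hmi_runtime.exe")
        hmi.write_bytes(b"constructed approved binary")
        allowlist = build_allowlist([hmi])

        results = {"approved": may_run(hmi, allowlist)}

        # A program nobody approved is refused.
        new = Path(d, "installer.exe")
        new.write_bytes(b"constructed unknown program")
        results["unknown"] = may_run(new, allowlist)

        # Same name and location, different content: also refused.
        hmi.write_bytes(b"constructed approved binary, altered")
        results["same_name_modified"] = may_run(hmi, allowlist)
        return results

if __name__ == "__main__":
    print(demo())
```

A legitimate update changes the digest too, so the approved list has to be refreshed as part of the tested patch procedure.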
There are also a number of integrated security mechanisms provided in the Windows operating system, such as a software firewall, which can also be configured as required.
Technology secure by design
The IEC 62443 standard states that security aspects should be considered as part of product development and production. In other words, the automation devices used in a plant should be part of a holistic security-by-design concept from creation to production to use. Assets in this context can include source code, IT processes and production machines.
It is important to be sure that your automation vendor is implementing security in their product design and support, and this is particularly important for devices that have security functions.
The digital factory is only possible with new technologies and plant design, encompassing increasing interconnection, greater volumes of data and the use of open standards. Shying away from these developments on security grounds alone is no solution, as this course would result in your organisation falling behind competitively. Defending against threats and attacks is consequently a fundamental prerequisite for the digital transformation. Companies would be well advised to conduct a careful review of their data security situation, bearing in mind that engineering and technology alone can never suffice: organisational and technical measures must be coordinated holistically in a way that relies on people, processes and technologies working together.