Building castles for our control systems
By Kade Miller*, National BDM, Networking and Cyber Security, Control Logic
Thursday, 01 April, 2021
Picture yourself as the operator of an industrial control system (ICS). Your job is to keep that system running because when it stops the company fails to produce its product, resulting in lost sales, revenue, market share and competitive edge. Because of the critical nature of the system, you decided to implement 24/7 visibility via remote access through the internet. You admit that you’re not a security expert; however, you have some IT skills, have implemented strong passwords and have locked down the PLC configuration workstation. When you ask your qualified systems integrator, they say your security is basically the same as everyone else’s, which gives you some level of confidence.
Then one morning you receive a call from site: the whole plant has stopped, the PLCs have gone crazy and the integrity of your whole plant, including physical production equipment, has been compromised.
The above is purely a thought exercise, but cyber-attacks affecting the availability of control systems happen every day. Stuxnet and NotPetya are well-known examples of this, which not only shut down control systems, but in some cases caused physical damage within production facilities.
With the introduction of Industry 4.0, businesses are able to benefit from preventative maintenance, analytics, machine learning and IoT, all of which require our ICS networks to share more data and become more interconnected. Adding to this, 2020 saw a huge growth of remote access solutions being implemented due to COVID-19 ‘working from home’ requirements. The sad reality is that by enabling this connectivity we become more exposed and create new entry-points for cyber-attack.
The problem is getting worse, but who is accountable when a problem occurs such as in our scenario above: the control systems vendor, the operational technology (OT) team, the IT team or perhaps a dedicated security team?
The control systems vendor should be responsible for ensuring cybersecurity of their systems, and if a problem is found they should rectify it as soon as possible, right? Reading the news, it seems this is not the case. In February 2021, a critical vulnerability (CVE-2021-22681) was published for a very popular industrial control system range. This vulnerability was given a criticality score of 10/10 because it is relatively easy to exploit and allows hackers to remotely bypass authentication and take full control of PLCs, which could potentially cause physical damage to production lines. One may expect the vulnerability to be patched by the manufacturer; however, in this case the manufacturer decided not to issue a patch and thus it may be unfixable. Worse is the fact that the manufacturer kept this vulnerability a secret since 2019, when it was first reported to them by a reputable security agency. Evidently this manufacturer did not protect its customers nor take accountability; instead, they put the onus onto their customers to adopt a defence-in-depth network design strategy.
But what exactly is a defence-in-depth strategy? Simply put, this means implementing multiple layers of protection to secure network infrastructure. Protection in this case may include firewalls, security appliances, intrusion detection systems, multi-factor authentication, encryption and physical security. Some like to call this the “castle approach” because of the parallels with medieval times when invaders were presented with natural features, drawbridges, outer walls, inner walls, a township and a keep before reaching their target. In short, we want to create zones and manage the security between zones, such that an attacker would need to penetrate several stages to gain access to a critical asset. Gone are the days of implementing a single monolithic firewall to protect the boundary of the ICS: this presents a single point of failure and does not mitigate against the risk of misconfiguration. Above all, the system needs to be designed in a way that is manageable and useable by the appropriate stakeholders.
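The zone idea can be checked mechanically against a network design. The following is an added example, not part of the original article: it finds the route from the internet to a critical zone that crosses the fewest enforcement points. The zone names, control names and the three-layer threshold are assumptions chosen for illustration.

```python
from collections import deque

# Constructed zone models: each conduit is (source zone, destination zone,
# enforcement point the traffic must pass). All names are illustrative
# assumptions, not taken from the article.
FLAT = [("internet", "plant_network", "perimeter_firewall")]
LAYERED = [
    ("internet", "corporate_it", "perimeter_firewall"),
    ("corporate_it", "ot_dmz", "it_ot_firewall"),
    ("ot_dmz", "supervisory", "dmz_jump_host_mfa"),
    ("supervisory", "control", "cell_firewall"),
]
# A remote-access link added for convenience that bypasses the inner layers.
LAYERED_WITH_SHORTCUT = LAYERED + [("internet", "control", "vendor_remote_access")]

def shortest_path(conduits, source, target):
    """Breadth-first search for the route crossing the fewest controls.
    Returns the list of controls crossed, or None if target is unreachable."""
    graph = {}
    for src, dst, control in conduits:
        graph.setdefault(src, []).append((dst, control))
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        zone, crossed = queue.popleft()
        if zone == target:
            return crossed
        for nxt, control in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, crossed + [control]))
    return None

def audit(conduits, source, target, min_layers=3):
    """The weakest route decides the result: it must cross min_layers controls."""
    path = shortest_path(conduits, source, target)
    depth = None if path is None else len(path)
    return {"weakest_path": path, "depth": depth,
            "ok": path is None or depth >= min_layers}

if __name__ == "__main__":
    for name, model, target in [("flat", FLAT, "plant_network"),
                                ("layered", LAYERED, "control"),
                                ("layered+shortcut", LAYERED_WITH_SHORTCUT, "control")]:
        print(name, audit(model, "internet", target))
```

The third model shows why a design has to be re-audited whenever a conduit is added: a single remote-access link reduces a four-layer design to the depth of the flat one.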
This means it comes down to the OT or IT team, but who knows best?
When describing cybersecurity concepts for IT systems, a model called the ‘CIA Triad’ is often used. CIA (not to be confused with the US Central Intelligence Agency) stands for confidentiality, integrity and availability, and the acronym is presented in this order to imply an order of priority when securing IT systems. In a corporate world, stakeholders want to protect the confidentiality of their strategic assets such as their staff, customers, investors and intellectual property, even if this is at the cost of some downtime. In contrast, for an industrial control system engineer the paradigm reverses from CIA to AIC, where availability and (data) integrity take priority over confidentiality. This is because KPIs are based on the output of a system that is heavily reliant on critical timing and thus every second of uptime counts.
Whilst an IT engineer typically knows more about security than an OT engineer, the OT engineer has more experience managing the nuances of control systems to keep them running. It is therefore essential that both parties agree with any implementation of a defence-in-depth strategy, especially for those components that impact their respective environments. Should the company have an overarching cybersecurity team, then it’s up to them to understand both IT and OT requirements and get buy-in from each team; otherwise they are at risk of non-compliance, policy circumvention and strategy failure.
It is positive that companies like Trend Micro are raising awareness of industrial cybersecurity through their Zero Day Initiative (ZDI) and renowned Pwn2Own hacking contests, which focused on industrial control systems and SCADA products for the first time in 2020. The more researchers find and evaluate zero-day vulnerabilities, the more they get reported to the manufacturers so they can be fixed, and the fewer vulnerabilities can float around in the wild. For us in the OT space this means the future is bright as long as we design our systems like castles and vendors keep hackers honest by patching their hardware and software.