Digitisation is embracing every area of the economy and society. Sooner or later, almost every company will have to deal with topics like OT (Operational Technology), IIoT and Industry 4.0. But as well as offering immense potential, they also involve major risks. Unfortunately, vulnerabilities in devices are omnipresent and the numbers of malware and exploits are constantly on the increase. But despite this, ICS infrastructures are still among the most neglected areas of cyber security. What are needed are holistic approaches such as the IEC 62443 standard to establish cyber security in the networked ICS and IACS world.
Manufacturing and process automation systems ‒ referred to as "Industrial Control Systems" (ICS) or "Industrial Automation & Control Systems" (IACS) ‒ are used in almost every infrastructure that handles physical processes. This ranges from power generation and distribution, gas and water supply to factory automation, traffic control technology, vehicle control technology, modern building management, etc. However, with ICS, now business areas that were previously independent of each other are also networked together. In the past, production environments (Operational Technology; OT) were usually planned and built as offline, stand-alone solutions. Many of these isolated solutions are now being "modernised" and geared towards digital communication. It is rare that the issue of security is taken sufficiently into consideration. This is not only down to the benefits of digital integration, but also to concerns about competitiveness and existing investment in production facilities. This is understandable, but may have catastrophic consequences...
We are all aware that no digital system is absolutely secure ‒ especially machines and controls that have not been developed to communicate with systems outside the actual operational area. As a result, ICS are increasingly exposed to the same cyberattacks as conventional IT. Companies with ICS infrastructures need to urgently address this issue, as incidents are becoming more and more frequent and vulnerabilities have been uncovered. The risk and potential for damage ‒ both from non-targeted malware and from targeted, professional, complex and expensive attacks against ICS infrastructures ‒need to be understood. This applies equally to infrastructures that are directly connected to the internet and to those that may be subject to indirect cyber-attacks. In spite of this, basic security principles, which have been considered to be best practice in traditional IT for years, often do not find their way into OT systems.
Threats to ICS infrastructures
Risks arise from threats that can cause damage due to vulnerabilities ‒ both to your ICS infrastructure and (consequently) to your business. At the beginning of the year (version 1.3, January 2019), the BSI published a list of the most critical and most common threats to ICS:
- Introduction of malware via removable data storage media and external hardware
- Infection with malware via internet and Intranet
- Human error and sabotage
- Compromising of extranet and cloud components
- Social engineering and phishing
- (D)DoS attacks
- Control components connected to the internet
- Break-in via remote maintenance access
- Technical misconduct and force majeure
- Compromising smartphones within the production environment
Based on most of these cyberattacks, attackers can gradually proliferate throughout the company with successive attacks. These include reading access data to extend rights, unauthorised access to other internal systems (not just in the OT), intervention and manipulation of fieldbus communication or manipulation of network components ‒ be it between network zones or at the periphery. What makes it more difficult is that organisational shortcomings, ignorance and human error often make attacks easier, as well increasing the risk of subsequent attacks. These factors also make it difficult to detect attacks, and to rectify and recover systems following a successful attack. The possible consequences of such damage are varied and should be considered as extremely critical. Among other things:
- Loss of ICS availability / loss of production
- Data outflow / loss of expertise (intellectual property)
- Causing physical damage to equipment
- Triggering of safety procedures or degradation of safety systems
- Reduction in product quality
Trust is crucial in the OT world
Nevertheless, security and safety are often still regarded as being separate worlds, which leads to them being given unequal weight. Clear guidelines apply to safety and complex assessments have to be carried out, whereas the issue of security is neglected. But with ICS or IIoT (Industrial internet of Things), production environments are evolving into an open "OT world" (Operational Technology), one where critical systems are no longer. Thus, the success of Industry 4.0 is highly dependent on security. Another important aspect here is the confidence of your customers and partners, who, unlike the way things were in the past, have become closer in this respect. It is not possible to have long-term business relationships without trust, which is why security and data protection issues need to be resolved.
IEC 62443 ‒ as an ICS infrastructure operator, you should be familiar with this standard
IEC 62443 covers the cyber security of IACS (Industrial Automation & Control Systems). This term stands for all components, such as systems, components and processes, which are required for an automated production plant to operate safely. In addition to the components already mentioned, it also includes software components, applications and organisational parts. Thus, the ISA/IEC 62443 standard is a holistic approach to industrial security in production and automation. All ISA-62443 standards and technical reports are divided into four categories:
- General: The basic terms, concepts and models are described here.
- Policies and procedures: Describes technical specifications for control system IT security as well as a system for managing industrial cyber security. There is a close correlation here with the ISO 27000 series. If you are using an information security management system (ISMS) in accordance with ISO 27001, there are many synergies with IEC 62443-2. Again, the basic objective is to constantly improve security by assessing the risks and specifications for processes and organisation.
- Systems: Various specifications for security-related functions of control and automation systems are described here. The focus is primarily on manufacturing and process automation. It also includes issues such as the control and monitoring of continuous or discreet manufacturing processes.
- Components: This section describes the product development process requirements for automation solution components.
IEC 62443 is based on the “defence-in-depth" approach. This principle, which is widespread in the armed forces, is intended to ensure that an attacker ‒ or in our case an incident that has been triggered in a different way ‒ is not able to spread freely and cause damage by leveraging a single action. Implementing a well thought-out security concept requires improvements being made to the security functions of all systems, products and solutions involved, but also it also needs guidelines and processes; finally the operations staff have to be borne in mind appropriately, so that different layers of protection can be put in place. If one layer is bypassed, the next can still provide protection. This is particularly useful for industrial networks, for example, because as a result of missing updates, the systems and components involved are often the latest version.
IACS security ‒ interplay between three parties
In addition, the standard identifies three entities that have an impact on industrial operating processes. These are equipment and machine manufacturers, systems integrators and plant operators. These entities take on different roles. But the standard also deals with cooperation between the entities themselves. Thus the IEC 62443 provides a holistic approach for greater security, at the same time as taking the different actors into consideration. Based on IEC 62443, companies can check for potential weaknesses in their control and instrumentation systems and develop suitable preventive measures.
IEC 62443 differentiates between levels of security and maturity
However, IEC 62443 explicitly addresses the fact that the IACS security is more than just a technical precaution. We are all too well aware that technical precautions can be circumvented by employees or in operating processes and hence become invalidated. This is why the standard distinguishes between the functional/technical "security levels" and the "maturity level" of the organisational processes and employees. Using the security levels, systems, networks and components can be evaluated in terms of their IT security. By contrast, maturity levels deal with procedural compliance with organisational guidelines. The combination of the two approaches results in a comprehensive security concept that offers far more potential for protection than the purely technical approach.
Security with system, responsibility and expertise
As you can see, this is one more reason why cyber security should be at the top of everyone's agenda. Anyone who deals with ICS infrastructures or industry 4.0 must also deal with the issue of security. International standards provide recognised templates for establishing, implementing, reviewing and continuously improving on the basis of an information security management system (ISMS). These include, for example, the previously mentioned IEC 62443 standard, the ISO/IEC 270xx series family or NIST's Cyber Security Framework ‒ also known as the minimum ICT standard. If an ISMS is to be established in connection with Industry 4.0, a holistic approach is needed that encompasses the traditional IT landscape, development and production IT (OT).
Inter-company understanding of security
For security and sustainable risk management, it is essential for a company to know what are its critical assets that are worth protecting. This includes, for example, plant and machines, production processes and procedures and data relating to production parameters, formulations and process knowledge. These critical, sensitive assets need to be documented appropriately and updated at regular intervals, the aim being to identify the possible threats and interconnections for the individual assets. The need for protection and the measures to be taken are determined on the basis of the probability of them occurring and the extent of the potential damage caused. With IIoT and Industry 4.0, this demands an understanding of a cross-company approach and a unified way of classifying data. This is the only way to guarantee security and eliminate misunderstandings well beyond the confines of the company.
Segment, identify and authenticate
Technologically speaking, one of the keys to effective cyber security lies in appropriate authentication, architecture and zoning for industry 4.0 networks. The segmentation in production IT often describes a vertical separation. System subnets, on the other hand, can also be separated horizontally. Zones with a similar need for protection must be identified and separated from each other using technical means. The aim is to establish different lines of defence (or defence-in-depth). Data and equipment can be protected thanks to segmentation of environments, data streams and operating processes, and zone transitions can be monitored at the same time.
Secure identities are at the starting point of the chain of trust in automated communication. Every communication partner involved in the value creation network needs an individual (secure) identity that provides unique identification and, where appropriate, authentication. In IT today, identity management is already common practice. This identity management needs to be extended to production and must be guaranteed beyond company boundaries. This is the only way to ensure security in the highly networked ICS system landscape. In both segmentation and identity management, it is important to be oriented towards and adapt to proven best-practice methods.
Suppliers and partners in the value chain
As with traditional IT landscapes, all supplier and partner systems in the value chain also need to be inventoried and documented for ICS infrastructures. On this basis, rules can then be put in place for the introduction of software updates or new software and hardware components. The manufacturer is then responsible for developing, selling and maintaining the components. The integrator is responsible for the design and commissioning of the automation solution. The operator is responsible for the operation and maintenance of the automation solution as well as the dismantling of the plant at the end of its life cycle. The fact that industrial facilities frequently have a long service life and due to the problem with patch situations, a higher degree of security is required when planning and implementing an ICS infrastructure. This is because existing plants may only be retrofitted when modifications or extensions are being made.
To this end, we recommend setting clear security standards for all suppliers and partners in the value chain and putting in place targeted supplier risk management. This is because security gaps in the value chain can quickly become a security risk for all the parties concerned. At the same time, unused hardware and software services and functions should be deactivated, thus strengthening the system. As part of this process, suppliers should provide the appropriate documentation for the components supplied and the security mechanisms implemented. Components and infrastructures should be tested and, for example, checked by penetration tests, both prior to the commissioning of new systems and during their operation.
ICS & IACS Security is an optimisation process
ICS security is not a one-off activity, because the risk situation is subject to constant change. Companies need to continuously monitor the current threat situation and optimise and improve their security measures by taking new threats and vulnerabilities into account ‒ exactly as the IEC 62443 standard stipulates. This means that risk assessments, organisational audits, system security testing, penetration tests and vulnerability scans are important aspects of security governance. In parallel, ICS infrastructure operators should always be able to detect security incidents, react to them in a targeted way and keep their impact to a minimum (the keyword here is cyber resilience). Maintaining uptime is the top priority in the production environment.
So maybe you think OT security isn't an issue you'll be dealing with at some point in the future ‒ not until an incident occurs. Anyone who deals with industry 4.0 also inevitably has to deal with cyber security. This is the only way to build trust with all parties involved across company boundaries.