In a previous article we outlined the risks to industrial control systems presented by cyber security breaches. In particular, we focused on some examples of cyber security breaches and an appraisal of the principal targets. We concluded by reviewing the efforts of international standards bodies to assist the industry in combating the risks.
A constant drumbeat is driving the connectivity of everything worth being connected into an ever growing, interwoven fabric. With each new connection, cyber risks expand.
The digital data moved within these complex systems may facilitate transactions that function as the financial life-blood of an organisation, or the data might prove elemental to the operation of critical processes, machinery or infrastructures that serve both the company and those dependent on it. For these reasons, cyber security is not optional, but rather is an essential tenet of every networked system.
Fundamentally there are four ways to manage risk:
Risk Avoidance – Project X is risky, so let’s not do Project X. In our context this means forgoing the benefits of a connected enterprise, which in turn limits the competitiveness of the organisation.
Risk Acceptance – i.e. the risk tautology (it is what it is). Here we accept that cyber security incidents may occur and that we will bear the consequences, financial or otherwise, if they do.
Risk Transference – i.e. insurance. This can reduce the financial impact, but it won’t help if the plant cannot run for a period of time because of a cyber security incident.
Risk Mitigation – address it head on. We know the risk is there and adopt a proactive strategy to minimise it or eliminate it from our enterprise. This approach allows us to gain the maximum benefit from the connected enterprise.
Today, despite heightened awareness, many companies fail to take the necessary steps to minimise their security risks. In an effort to shorten commissioning time, many companies do not even enable the security features built into the automation products they already own. Engineers and IT professionals can protect intellectual property and operational integrity by following these design and product-selection best practices.
Play your part
Collaboration is the first step toward a more secure future. If policies are impractical or too restrictive, operators might override them and the associated technical controls. Involving employees in developing the organisation’s security policy makes them much more likely to abide by it. A number of procedural and technological steps must also be completed to create a secure environment. A good security program is 20 percent technology, 80 percent process and procedure.
By reviewing their security operating protocol, manufacturers can identify and prioritise vulnerabilities and develop a comprehensive strategy to help minimise risks. While the security solutions will vary based on the type, severity and impact of the vulnerabilities, asset owners should apply a ‘defence-in-depth’ strategy.
Protecting industrial assets requires a defence-in-depth security approach that addresses both internal and external security threats. A defence-in-depth security architecture is based on the idea that any one point of protection may, and probably will, be defeated. This approach uses multiple layers of defence (physical, electronic and procedural) at separate points, applying at each the appropriate controls for the different types of risk.
For example, multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. This approach provides the following outcomes:
- System security is designed into the infrastructure and becomes a set of layers within the overall network security.
- Attackers are faced with a difficult task to successfully break through or bypass each security layer without being detected.
- A weakness or flaw in one layer can be covered by the strengths, capabilities or new variables introduced through other security layers.
Defence-in-depth security is a five-layer approach focusing on physical, network, computer, application and device security.
Physical security - This covers guards, gates and other physical security mechanisms. It should also include measures to prevent unauthorised connection or disconnection of Ethernet cabling (RJ45 connectors, for example).
Network Security - This is the infrastructure framework, and it should be equipped with various hardware elements, such as firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as managed switches and routers configured with their security features enabled. Zones establish domains of trust for security access, and smaller local area networks (LANs) shape and manage network traffic.
Vendors such as Rockwell Automation recommend establishing an ‘Industrial Demilitarised Zone’ (IDMZ), which is a barrier between the Industrial and Enterprise Zones that still allows data and services to be shared securely (see Figure 1). All network traffic from either the Enterprise or Industrial Zones terminates in the IDMZ.
Within this layer, asset owners should follow the ‘Principle of Least Route’. Stemming from the IT Principle of Least Privilege, this concept was designed to guide customers in giving access only to the information and resources necessary for each operator’s specific job. This limits the paths into a security system, making it harder to penetrate.
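To make the IDMZ rule and the Principle of Least Route concrete, here is an added example (not from the article or from Rockwell Automation) that audits an ordered zone-to-zone firewall rule set for permitted flows that would bypass the IDMZ and lists every route the rule set actually opens. The zone names, port numbers and rule set are constructed for illustration.

```python
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "Enterprise", "IDMZ", "Industrial"

@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection originates in
    dst: str      # zone it is destined for
    port: int     # destination TCP/UDP port
    action: str   # "permit" or "deny"

def open_routes(rules):
    """Flows (src, dst, port) the ordered rule set permits: the first rule
    matching a flow decides it, later rules for the same flow are shadowed,
    and anything unmatched falls to the implicit deny."""
    decided, opened = set(), set()
    for r in rules:
        key = (r.src, r.dst, r.port)
        if key in decided:
            continue
        decided.add(key)
        if r.action == "permit":
            opened.add(key)
    return opened

def violations(rules):
    """Permitted flows that bypass the IDMZ: the two ends are different
    zones and neither is the IDMZ, so the traffic never terminates there."""
    return sorted(k for k in open_routes(rules)
                  if k[0] != k[1] and IDMZ not in (k[0], k[1]))

# Constructed sample rule set for illustration, not taken from any real plant.
SAMPLE_RULES = [
    Rule(ENTERPRISE, IDMZ, 443, "permit"),          # users reach the IDMZ reverse proxy
    Rule(IDMZ, INDUSTRIAL, 44818, "permit"),        # IDMZ data broker polls controllers
    Rule(INDUSTRIAL, IDMZ, 1433, "permit"),         # historian replicates to IDMZ mirror
    Rule(ENTERPRISE, INDUSTRIAL, 3389, "deny"),     # explicit deny of direct remote desktop
    Rule(ENTERPRISE, INDUSTRIAL, 3389, "permit"),   # shadowed by the deny above, never applies
    Rule(ENTERPRISE, INDUSTRIAL, 44818, "permit"),  # direct path to controllers: violation
]

if __name__ == "__main__":
    for flow in sorted(open_routes(SAMPLE_RULES)):
        print("open:", flow)
    for flow in violations(SAMPLE_RULES):
        print("VIOLATION, bypasses IDMZ:", flow)
```

The list printed by `open_routes` is the set of paths an asset owner should be able to justify one by one under the Principle of Least Route.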
Computer hardening - Well-known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of computer hardening include the use of:
- Antivirus software.
- Application whitelisting.
- Host intrusion-detection systems (HIDSs) and other endpoint security solutions.
- Removal of unused applications, protocols and services.
- Closing unnecessary ports.
- Disabling automatic software-update services on PCs.
Computers on the plant floor, such as human-machine interfaces (HMIs) and industrial computers, are susceptible to malware, including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to further reduce computer risks. Follow these guidelines to help reduce risk:
- Inventory target computers for applications and software versions and revisions.
- Subscribe to and monitor vendor patch qualification services for patch compatibility.
- Obtain product patches and software upgrades directly from the vendor, schedule their application and plan for contingency.
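As an added illustration of the hardening and patching guidelines above (not code from the article or from any vendor), this script compares a constructed plant-floor host inventory against a baseline of permitted listening ports, required software and vendor-qualified versions, and flags hosts that still have automatic updating enabled. Every product name, version and port here is made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    role: str                 # e.g. "HMI" or "Historian"
    listening: frozenset      # TCP/UDP ports the host is listening on
    software: dict            # product name -> installed version string
    auto_update: bool         # automatic update service left enabled?

# Constructed baseline: ports each role may expose, software each role needs, and
# the versions the vendor patch qualification service currently lists as qualified.
ALLOWED_PORTS = {"HMI": {443, 44818}, "Historian": {443, 1433}}
QUALIFIED = {"HMI Runtime": "12.0.1", "Antivirus": "5.2.0", "Historian Server": "3.4.0"}
REQUIRED = {"HMI": {"HMI Runtime", "Antivirus"}, "Historian": {"Historian Server", "Antivirus"}}

def version(v):
    """'12.0.1' -> (12, 0, 1) so versions compare numerically, not as text."""
    return tuple(int(x) for x in v.split("."))

def audit(host):
    """Return hardening findings for one host; an empty list means compliant."""
    findings = []
    for port in sorted(host.listening - ALLOWED_PORTS.get(host.role, set())):
        findings.append(f"unexpected listening port {port}")
    for product in sorted(REQUIRED.get(host.role, set()) - set(host.software)):
        findings.append(f"required software missing: {product}")
    for product, installed in sorted(host.software.items()):
        qualified = QUALIFIED.get(product)
        if qualified is None:
            findings.append(f"{product} not on the qualified list (whitelisting)")
        elif version(installed) < version(qualified):
            findings.append(f"{product} {installed} behind qualified {qualified}")
        elif version(installed) > version(qualified):
            findings.append(f"{product} {installed} ahead of qualified {qualified}, unqualified patch?")
    if host.auto_update:
        findings.append("automatic update service enabled")
    return findings

# Constructed inventory for illustration.
INVENTORY = [
    Host("HMI-01", "HMI", frozenset({443, 44818}), {"HMI Runtime": "12.0.1", "Antivirus": "5.2.0"}, False),
    Host("HMI-02", "HMI", frozenset({443, 44818, 3389}), {"HMI Runtime": "11.9.0", "Antivirus": "5.10.0", "Media Player": "1.0"}, True),
    Host("HIST-01", "Historian", frozenset({1433}), {"Antivirus": "5.2.0"}, False),
]

def audit_all(hosts):
    """Map each host name to its findings, ready to feed a patch schedule."""
    return {h.name: audit(h) for h in hosts}
```

`audit_all(INVENTORY)` returns one findings list per host; the version tuple comparison matters because a plain string comparison would rank 5.10.0 below 5.2.0.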
Application Security - This refers to building security into industrial control system (ICS) applications. It includes following best practices such as using a role-based access control system to apply the Principle of Least Use or Privilege, locking down access to critical process functions and enforcing username/password logins. These more granular controls for ICS applications enhance the overall security posture of an environment by reducing the number of variables in play. The result is a more stable, more secure system.
Device Hardening - This involves changing the default configuration of an embedded device out-of-the-box to make it more secure. These embedded devices include, among others: programmable automation controllers (PACs), routers, managed switches, firewalls and other embedded devices. Their default security will differ based on class and type of device, which subsequently changes the amount of work required to harden a particular device.
Defence-in-depth strategy for hardware
When it comes to selecting the right products and services, some asset owners ask their automation supplier if a product is compliant with a particular standard. While security standards are important, most apply to a system, not products. Products may, or may not, need to comply with individual standards requirements, but rarely with the entire specification.
It’s important to focus on the system and apply the defence-in-depth strategy to the products you select. This starts by enabling anti-tamper capabilities often built into products. This includes setting the controller key switch for physical security, using CPU locks to help prevent unauthorised access, leveraging read/write tags, and making sure the main controller Function Blocks aren’t user accessible. In some controllers, the definition of an Add-On Instruction (AOI) can also be locked down.
It’s also important to validate firmware authenticity through firmware digital signatures. Additional controls can include enabling infrastructure and application security features; leveraging Microsoft Active Directory; limiting computer access to software applications, networks, and the configuration and data in automation devices through proper firewall settings; and intrusion detection and protection. Layer 3 Access Control Lists (ACLs) and software solutions such as FactoryTalk* Security from Rockwell Automation can be used to control user access.
Conclusion
The stark reality in our contemporary digital, connected world is that there can be no absolute security. However, this by no means suggests that a connected enterprise cannot achieve its goals securely. Networks are designed by well-intentioned people with a goal of facilitating communications and protecting what needs to be protected.
Although absolute security is not achievable, companies can use best practices and recommendations to actively manage security risks today and in the future.
Mark Daniels is with Rockwell Automation in the UK
*FactoryTalk is a trademark of Rockwell Automation, Inc.