A clear and present danger

As we've discovered in recent years, industrial control systems are vulnerable to cyber attacks. In the first of two articles on this subject, Mark Daniels discusses the threats, the targets, and industry's initial reactions to the problem.

As industrial organisations strive to achieve greater visibility within their operations, the need to establish a seamless flow of information by connecting control systems to the enterprise has become a requirement of modern industrial networks. In recent years the industrial automation world has had to learn to deal with being a specific target of cyber-attacks, as the use of Ethernet has proliferated throughout control system architectures.

Developing an effective and fully connected enterprise requires a comprehensive approach to industrial cyber security that extends beyond the control system. It is therefore critical to understand the potential risks and start building security into your industrial automation control systems.

Furthermore, to be effective this approach needs to include the people, processes and technology within that enterprise.

The past few years have provided insight and learning into the typical ways in which industrial cyber security attacks manifest themselves. The classic IT based cyber-attacks of denial of service, viruses and malware are well understood and most IT departments have adopted a strong methodology to mitigate the risks of such attacks.

In the event of a successful attack in the IT world, shutting down the email service to address a security breach is a challenging but viable option. In the industrial manufacturing world it is not feasible to shut down a process or continuous production plant in a similar way. Clearly the risk evaluation and mitigation approach needs to be very different in this case.

What threats are out there?
Of course we are now aware of some infamous malware threats that have impacted the industrial world. Recognition of such threats came to a head in 2010 with the discovery of Stuxnet, a 500-kilobyte computer worm that is reported to have infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant.

This worm was a particularly clever piece of code, propagated often by USB memory sticks and replicating itself across Microsoft Windows machines and associated networks. The payload was ultimately modifying code running in a programmable controller, potentially putting people and processes at risk.

According to McAfee and CSIS ‘In the Dark: Crucial Industries Confront Cyberattacks 2011’, 50 percent of electric companies have subsequently found Stuxnet in their organisations, such was the proliferation.

Hot on the heels of Stuxnet was the discovery in 2011 of Duqu, named after the prefix ~DQ given to the names of the files that it created.

Duqu appeared to be designed to seek out information rather than cause malicious damage. It had a focus on tracking keyboard input and system information. Some observers believe that this is likely to be for the purposes of targeting industrial control systems in a future APT (Advanced Persistent Threat).

Quantifying the threat
Although events like Stuxnet and Duqu hit the headlines, the reality is that more security issues emanate through less sinister means. The employees, contractors and supply chain of a typical facility actually pose a far more likely threat to ongoing operations. Usually this takes the form of unintended action, possibly enabled by poor processes or ineffective training.

So what are we trying to protect? The list is wide ranging: from a company’s reputation to the pure cost of lost production. However, we can prioritise the list to three key areas:

Intellectual Property – For many producers the very product that they make and how it is made hold the key value of the business. For example, over the past three years the iconic Ford F-150 pickup truck has been cloned at least twice by Chinese auto manufacturers.

In at least one instance a former Ford employee passed on detailed design information that he was able to load on to a laptop computer. Whilst that level of data is not likely to be readily accessible in the manufacturing environment, other critical data regarding recipe handling or product composition will be.

Production Cost - For others, the cost of production is crucial, so protecting against denial of service attacks and other events that potentially disrupt the manufacturing infrastructure becomes the focus. An hour of lost production can range from £10,000 to £500,000 and beyond, depending on the industry.

Safety - The safety of a process and the people operating it are critical. With malware as targeted as Stuxnet in existence, applying due diligence to prevent proliferation and to minimise the impact of such attacks is a clear priority.

Industrial cyber-attacks: the trends
There are many surveys that analyse the trend in cyber-attacks and each tells its own story. Clearly, industrial security is a hot topic for industrial automation and many companies have addressed, and continue to address, the threats that exist.

Some commentators would point to the number of successful cyber-attacks actually reducing. For example, in the 2014 Department of Business Innovation and Skills, Information Security Breach survey, the number of large organisations reporting an external attack saw a drop from 66 percent to 55 percent.

Is this symptomatic of the industry waking up to the threat or are we just waiting for the next new thing in sophisticated malware? One could argue it’s rather similar to waiting for the next strain of bird flu.

The same study, however, reveals that the cost impact of these attacks is actually going up. In other words, if you do suffer a security breach it’s going to be comparatively more costly to deal with. The report suggests a typical average of £850k per incident in a large organisation.

Which sectors are most at risk?
Whilst all industry sectors are at risk, some areas draw more attention than others. In particular, the national infrastructure is always a focus. Clearly, this arena provides a ready-made shop window for threat actors such as hackers and terrorists. As the DHS/ICS-CERT Mid-Year Report 2012 points out, there were more than 200 reportable security incidents in the USA critical infrastructure sector between October 2012 and May 2013.

The UK's national infrastructure is defined by the government as: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends”.

The national infrastructure in the UK is broadly categorised into nine sectors; however, from an industrial automation perspective, the key areas are energy, food, transportation and water.

The CPNI (Centre for the Protection of National Infrastructure) provides guidelines, support and assistance to promote appropriate risk mitigation in these key areas.

The criticality of national infrastructure has driven CPNI in the UK and the Department of Homeland Security in the USA to be at the forefront of developing recommendations and providing guidelines, support and assistance to promote appropriate risk mitigation in these key areas.

What international standards are relevant?
The emergence of the connected enterprise and the adoption of Ethernet on the factory floor have created nebulous borders between the IT domain and the control system environment. Therefore it has been challenging for the international standards committees to keep pace, certainly with respect to a uniformly adopted standard for the control system world.

Under the umbrella of IEC 62443, the ISA and IEC have produced some security standards for the control systems world. In particular, a relatively newly published standard in the series, ISA-62443-3-3-2013, addresses industrial automation control systems cyber security issues.

Conclusions
The connected enterprise is here to stay. The business benefits, in most cases, outweigh the security risks. Access to actionable information from the plant floor provides efficiency and competitive advantage for those adopting this technology.

Yes, there are risks, but also a rapid rise in the awareness and knowledge of how to combat them.

In the next article in this series we’ll take a more in-depth look at some of these mitigation techniques.

Mark Daniels is with Rockwell Automation in the UK
