Cybersecurity advice for the Industrial Internet of Things
There has been much written about the Internet of Things (IoT) and smart manufacturing initiatives like Industrie 4.0, that promise huge potential benefits for manufacturers. In particular organizations are recognizing that information created by connecting intelligent things and industrial control systems (ICS) to the enterprise business systems is achieving greater visibility into their operations, all helping to make significant operational improvements. However, achieving this requires seamless and secure flow of information from the machines and equipment, to the lines, to the people, to the plants, and to the enterprise levels.
This network convergence, or connected enterprise, comes with some challenges. User’s face an unclear demarcation of network ownership, and cultural difference exist between operations technology (OT) and information technology (IT) professionals who are deploying both enterprise and industrial assets. And probably the most important aspect is that it exposes the connected industrial assets to additional security threats that they typically didn’t have to think about before.
While some OT people might say, "No hacker cares about our control systems," they would be mistaken. A survey done by SANS Institute that highlighted a 22% increase in ICS security breaches from 2013 to 2014. These breaches aren’t making the national news, but they nonetheless suggest evidence that we cannot ignore security in industrial operations anymore. For many ICSs, it’s not a matter of if a breach will take place, but when.
What can be done to counteract this potential threat? First, security should not be implemented as an afterthought or bolt-on component, but rather as a comprehensive strategy and framework designed and implemented as a natural extension to deployment of industrial control systems and to any smart manufacturing initiative an organization may be driving towards. It is also not the responsibility of any one person or group, but rather has to be thought of as a holistic approach, supported by all key stakeholders.
There are six important aspects of a security strategy:
- Educate employees and build their security competency
- Define a strong set of rules the system will adhere too based on a risk analysis
- Design systems against the defined rules
- Verify designs and test to industry standards
- Maintain systems by regular assessments and update
- Respond to incidents and provide awareness to the key stakeholders.
A cybersecurity framework should incorporate a comprehensive strategy covering physical, network, application, user, data, end point and device hardening and procedures and policies. The platform should handle user and device authentication, broker communication between devices, systems, people, and things, and handle data transfer, data storage, and business logic, as necessary, for the end user application.
The framework should address authentication, authorization, and accounting of who is interacting and what they are doing. The framework should be capable of delegating the authentication of the credentials to a directory service system, like Microsoft Active Directory, allowing the system to manage password policies such as password expiration, account lockout, password history, and password strength.
The framework should have a role-based access control model that allows administration of authorization to a very granular level, providing access that is relative to the user’s role and nothing more.
In addition, many comprehensive smart manufacturing solutions will include applications accessed by users of various roles from multiple companies and organizations within those companies. The security framework therefore needs to be comprehensive, multi-tenant, matrixed, and adhere to the guidelines established by industry standards.
Strategies for defending ICSs
The DHS paper "Seven Strategies to Defend ICSs" offers tips that can be implemented today to counter common exploitable weaknesses in "as-built" control systems.
- Implement application whitelisting: AWL can detect and prevent attempted execution of malware uploaded by threat actors. Databases and human-machine interface (HMI) computers make ideal candidates to AWL.
- Ensure proper configuration/patch management: Threat actors target unpatched systems, and a program centered on trusted patches can help control.
- Reduce the attack surface area: ICS networks should be isolated from untrusted networks, like the Internet, lock down unused ports, and turn off unused services.
- Build a defendable environment: Limit or isolate damage from network breaches by segmenting networks into logical zones. If a breach occurs in one segment it is contained in that segment and does not penetrate into other areas.
- Manage authentication: Implement multi-factor authentication if possible, and limit privileges to only those needed by the user.
- Implement secure remote access: Limit access, where applicable implement monitoring only access (data diode) and don’t allow double standards, use the same remote access paths for vendors as if they were employee connections, and use two-factor authentication when possible.
- Monitor and respond: Actively monitor for breaches and threats by watching IP traffic and have a plan for when any questionable activity is detected.
Build a cybersecurity framework
Created through collaboration between industry and government, the NIST Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The framework consists of five core functions:
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. This includes, risk assessment, risk management strategy and asset management. By understanding the business context and the resources required to support the efforts will allow organizations to focus and prioritize its efforts.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This includes functions such as: assess control, awareness and training, data security, information protection, process and procedures and protective technology. It also means supporting the ability to limit or contain any potential security event.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. This function is to ensure timely discovery of security events and include: anomalies and events, security continuous monitoring, and detection processes.
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Once the event has been detected, the potential impact needs to be contained. These functions include response planning, communications, analysis, mitigation, and improvements.
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The final functions are for the timely recover to get back to normal operations and to reduce the impact the security event has had on operations.
Taking the initiative
It’s clear that manufacturing and industrial operations cannot afford to ignore the paradigm shifts brought about by new technologies, like the IIoT. Securing ICS against the modern threats will require a well-planned and well-implemented strategy to defend your operations, a plan that needs to have multiple stakeholders and be supported at the highest levels of an organization. Having a network with a hardened perimeter is no longer enough. Without a sound security strategy and execution plan, devices, machines, equipment and networks can be exploited by threat actors, both internal and external.
There are no guarantees, but by proper planning, deployment, and maintenance companies can minimize the impact any breach or event has on operations.
Mike Hannah is the market development lead for Rockwell Automation’s connected enterprise and smart manufacturing initiative. Hannah is also a MESA International smart manufacturing working group member. This article originally appeared on MESA International’s blog. MESA International is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.
See additional stories from MESA International linked below.