Fundamental security features and risk analysis for industrial assets
Industrial control systems (ICSs) are used across a wide range of industries, from manufacturing and fabrication, electricity generation and transmission, to oil refining and water treatment. Recently, many of these traditionally proprietary control systems—distributed control systems, programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) applications—are adding new and more open technologies such as Ethernet and transmission control protocol/Internet protocol (TCP/IP). With the growing interest in the Industrial Internet of Things (IIoT) and the business advantages of obtaining system data, industrial control systems increasingly are being connected to information technology (IT) networks.
To realize the potential of the IIoT, the IT and industrial control (also called operational technology (OT)) groups within organizations are moving toward a common set of communication languages, protocols, and programming standards. These standards are based on the open architecture of the Internet.
A huge question in the minds of most industrial control engineers, however, is the security danger of open architectures. As existing and future OT assets are connected to the IIoT, it is imperative that security threats are considered while connecting industrial assets to the Internet.
Industrial asset risk analysis
A basic equation for determining risk is:
A threat is any potential occurrence that could cause an undesirable or unwanted outcome—such as destruction, damage, or loss—for an organization or an industrial asset. Threats may originate from people, other organizations, hardware, networks, or even nature.
A vulnerability is a weakness in an asset or the absence of a countermeasure to prevent an attempt to exploit data. Vulnerabilities can include a bug in software or firmware code, a loophole in procedure, a failure of human oversight, or hardware design flaws. A threat event occurs when a vulnerability is exploited by a threat origin.
To analyze the risk of industrial assets being exploited, understanding industrial asset valuation is important. The value of an industrial asset is its monetary and non-monetary cost, including public confidence and knowledge equity (the value of the knowledge the asset contains). Bottom line, it’s the level of damage that can be caused if the industrial asset is exploited.
Most industrial systems are designed for minimal human interaction. In theory, the static design of modern industrial equipment implies that these systems are fairly resistant to threat events.
But if a basic risk assessment is performed on industrial assets that includes the threat level and an asset valuation, any vulnerabilities dramatically increase risk if security is compromised. For example, it may be nearly impossible to hack into a nuclear power plant (low threat) but the consequences (asset valuation) of a nuclear power plant being hacked could be disastrous on multiple levels (high risk).
Risk mitigation for industrial assets
Risk to industrial assets can be mitigated through safeguards or countermeasures. For example, a simple physical safeguard or countermeasure would be protecting industrial assets behind locked doors to which only authenticated, verified, and auditable operators have access.
Industrial asset safeguards and countermeasures come in many forms, including updating controller firmware, fixing software bugs, changing system configuration, and modifying network infrastructure design and layouts, for example, by segmenting, firewalling, implementing virtual local area networks (VLANs), and so on.
Most existing industrial assets were not designed to be connected to the Internet. However, as they are connected to IT networks to build the IIoT, these assets become increasingly vulnerable to the same threats and exploits that the IT sector has been dealing with for decades. Unfortunately, most industrial assets shipping today were not designed with cybersecurity in mind.
Because the IT sector has dealt with cybersecurity for so long, it’s imperative that manufacturers learn from them and apply information security technologies and methodologies to industrial assets as part of their development cycle. Given the long expected lifecycle of industrial assets—20 or 30 years in some cases—it’s vital that cybersecurity be designed into industrial assets from the ground up to be protected against any current and future threats.
When new automation and process control technology is acquired, whether it is hardware or software, it is vital to mitigate risk by making risk assessment and cybersecurity high priorities. If industrial asset safeguards and countermeasures are not evaluated during vendor evaluation and qualification, there will be consequences in the form of addressing potential threats and exploits throughout the life of the asset.
Securing industrial assets’ data
In the early days of the Internet, communication sent across the Web was often transmitted in human-readable plain text. This made it easy for malicious hackers to intercept network traffic and extract sensitive information such as bank account numbers, passwords, and so on. Eventually, system developers and operators in the IT sector transitioned to data transmission using cryptography.
The terms "cryptography" and "encryption" are often used interchangeably, but they are different. Cryptography is the science of secret communication or data transmission. Encryption is a component of that science. For data to be securely transmitted between industrial assets, that data must be transmitted using encryption with a cipher that is difficult to crack.
Encryption uses a process or algorithm (a cipher) to make information hidden or secret. To make that process useful, a code or key is needed to decrypt the information and make it accessible again. Essentially, encryption ciphers convert human-readable data (plaintext) into unintelligible data (ciphertext) that can only be converted back using the correct key or code.
The most prevalent encryption protocols in the information technology sector today are secure sockets layer (SSL) and transport layer security (TLS). TLS is essentially a newer version of SSL. TLS is used to encapsulate traffic for hypertext transfer protocol (HTTP) and simple mail transfer protocol (SMTP), the protocols used for Web browsing and sending e-mail, respectively.
When you consider industrial asset acquisitions, make sure data security has been accounted for and that the asset supports the latest form of SSL or TLS encryption for data transfer and communication.
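One way to turn that acquisition check into something repeatable, as an added example that is not part of the original article: a small Python probe that negotiates TLS with a candidate asset and reports the protocol version and cipher suite it actually offers. The host, port and findings thresholds are assumptions for the example; certificate validation is deliberately skipped because many industrial devices ship self-signed certificates, so this context must not be reused for real traffic.

```python
import socket
import ssl

# Protocol versions that should fail a vendor evaluation (SSL and early TLS).
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "anon")


def assess(version, cipher_name, key_bits):
    """Return a list of findings for a negotiated session; an empty list means acceptable."""
    findings = []
    if version is None:
        return ["no TLS negotiated"]
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {version}")
    if key_bits is not None and key_bits < 128:
        findings.append(f"cipher strength {key_bits} bits is below 128")
    if any(marker in (cipher_name or "") for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher_name}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to the asset, complete a TLS handshake and return (version, cipher, bits)."""
    ctx = ssl.create_default_context()
    # Assessment only: skip certificate validation so the handshake result is
    # observable even with a self-signed device certificate. Not for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def evaluate(host, port=443):
    """Findings for one asset. A default context refuses anything below TLS 1.2 on
    current Python releases, so a legacy-only device shows up as a failed handshake."""
    try:
        version, cipher_name, bits = probe(host, port)
    except (ssl.SSLError, OSError) as exc:
        return [f"TLS handshake failed: {exc}"]
    return assess(version, cipher_name, bits)
```

Run `evaluate("plc.example.internal")` (hypothetical host) against each candidate during vendor qualification and keep the findings in the evaluation matrix.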
Port and service configuration capabilities for industrial assets
As Internet communication capabilities are added to industrial assets, it’s important to limit Internet communication services to only those the application requires. For example, if the industrial asset has the simple network management protocol (SNMP) enabled, but operators don’t need that protocol, disable it and shut down the TCP or user datagram protocol (UDP) port the protocol uses.
You can take security a step further by disabling protocols like Internet control message protocol (ICMP), the protocol used to ping or identify nodes on a network. If an attacker is unable to ping a system to discover it, the attack is slowed down, and it is less likely that a vulnerability will be exploited. The same holds true for services running on the industrial asset. If the application does not require the protocol or service, lock the industrial asset down by disabling unnecessary network services. During vendor evaluation and qualification, make sure all available ports, services, and protocols can be enabled or disabled depending on what your application requires.
Controlling network access
When communicating on a network, modern information technology systems can be configured to allow access only from specific or ranges of IP addresses. Some systems take this a step further by allowing connections only from specific IP addresses on specific ports or using specific protocols.
When evaluating new industrial assets, verify that the system has some method of locking down connectivity to it based on source IP address and/or TCP or UDP port number.
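The two checks described above (disable services the application does not need, and accept connections only from specific source addresses on specific ports) can be expressed as one allowlist policy. This is an added example, not code from the article or from any vendor; the device, its listening services and the rules are constructed for a hypothetical PLC.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network   # hosts permitted to connect
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port on the asset


# Constructed allowlist: the engineering workstation may reach the device web
# interface over HTTPS, and only the SCADA server subnet may poll Modbus/TCP.
# Anything not listed is denied (default deny).
ALLOW_RULES = [
    Rule(ipaddress.ip_network("10.10.1.5/32"), "tcp", 443),
    Rule(ipaddress.ip_network("10.10.2.0/24"), "tcp", 502),
]

# Services the hypothetical device ships with enabled (constructed inventory).
LISTENING_SERVICES = {
    ("tcp", 443): "https", ("tcp", 502): "modbus-tcp", ("tcp", 80): "http",
    ("udp", 161): "snmp", ("tcp", 23): "telnet", ("icmp", None): "icmp-echo",
}


def is_allowed(src_ip, proto, port):
    """First-match allow against the rules; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in r.source and r.proto == proto and r.port == port
               for r in ALLOW_RULES)


def services_to_disable():
    """Everything listening that no allow rule needs should be switched off."""
    needed = {(r.proto, r.port) for r in ALLOW_RULES}
    return sorted(name for key, name in LISTENING_SERVICES.items() if key not in needed)


def audit(attempts):
    """Decide a batch of (src_ip, proto, port) attempts, e.g. replayed from a log."""
    return [(src, proto, port, "allow" if is_allowed(src, proto, port) else "deny")
            for src, proto, port in attempts]
```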
In network security, there needs to be a careful balance between security and availability. The objective in employing cybersecurity practices is not to make information completely inaccessible but instead to mitigate risk, reduce threats, and decrease the opportunity attackers have to execute exploits on industrial assets. Two other methods that can be used to mitigate risk are authentication and keeping a log of users who access the asset.
Industrial assets must include some form of user and access authentication. Not only should a user attempting to access the asset be prompted for a password or passphrase that is authenticated by the industrial asset itself, but that authentication should also be run against a central authentication server. Two of the most common authentication servers available today are Microsoft Active Directory, which uses a form of the lightweight directory access protocol (LDAP), a protocol also commonly used in Unix environments, and SecurID/RADIUS servers.
In cases where a very high level of user authentication is required, usernames and passwords are not enough. Instead, implement a three-factor authentication mechanism. Three-factor authentication is based on:
- Something the user has, such as a SecurID token that automatically generates an access code to be authenticated against, for example, a RADIUS server.
- Something the user knows, such as a password or passphrase.
- Something the user is, such as a fingerprint or retinal scan.
In addition to authentication, a log of user activity is valuable. Logging mitigates risk because users know their actions are tracked, and it helps determine the extent of damage if a security breach does occur. If a breach takes place, forensic information security professionals will use the log data to help determine the exposure level and what risk the asset or organization is facing as a result of the breach. During vendor evaluation and qualification, make sure the industrial asset being evaluated has authentication built in, preferably with some type of user logging.
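To show how the knowledge and possession factors and the access log fit together, here is an added example in Python (not code from the article or from any vendor). It assumes local verification on the asset rather than a central RADIUS server, uses a TOTP code (RFC 6238) as a stand-in for the token-generated access code, omits the biometric factor, and stores a constructed operator account whose token secret is the RFC 6238 test vector.

```python
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 100_000
# Constructed credential store for one operator (not data from any real asset).
# "Something the user knows": a salted PBKDF2 hash of the passphrase.
# "Something the user has": the shared secret of a TOTP token (RFC 6238 test vector).
USERS = {
    "operator": {
        "salt": b"demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"demo-salt", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}
AUDIT_LOG = []  # one record per attempt; passwords and submitted codes are never logged


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def totp_valid(secret, code, at, window=1):
    """Accept the current 30 s step plus or minus `window` steps to tolerate clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def authenticate(user, password, code, at=None):
    """Knowledge + possession check; every attempt, pass or fail, is appended to AUDIT_LOG."""
    at = int(time.time()) if at is None else at
    rec = USERS.get(user)
    if rec is None:
        ok, reason = False, "unknown user"
    else:
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw, rec["pw_hash"]):
            ok, reason = False, "bad password"
        elif not totp_valid(rec["totp_secret"], code, at):
            ok, reason = False, "bad token code"
        else:
            ok, reason = True, "ok"
    AUDIT_LOG.append({"time": at, "user": user, "result": ok, "reason": reason})
    return ok
```

The log records who tried, when, and why an attempt failed, which is the material a forensic review needs after a breach; the secrets themselves never reach the log.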
There are many other best practices to use industrial assets securely, in addition to more features to include in product design, but it’s important to have a solid foundation to determine a vendor’s level of due diligence related to cybersecurity. It’s also a good starting point for developing an evaluation matrix for future industrial asset investments.
Matt Newton is the director of technical marketing at Opto 22. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media.
- How to mitigate risk
- How to secure industrial assets
- Determining risk for cyber threats.
What is the most efficient way to protect industrial assets against cyber threats?