Industry information security, the next forefront?
With the gradual improvement of enterprises’ understanding of information security for industrial control systems and a continuous increase in technical investment in the security field, the industrial information security market in China will see accelerated growth in the future. Standards, regulations, and government actions are encouraging greater attention to cyber security.
Recently, a new regulation requiring commercial banks to purchase "safe and controllable" IT equipment raised concerns among many foreign IT enterprises. Foreign media has reported that this "IT Limited Purchasing Order," which was jointly drafted by the Ministry of Industry and Information Technology and the China Banking Regulatory Commission (CBRC), would be implemented in April at the earliest. The new regulation would require banks' IT equipment suppliers to conduct research and development (R&D) work in China and provide CBRC with source code. Although this report was not officially verified, it seemed to signal that information security would be raised to an increasingly important level in industries related to the national economy and people’s livelihoods.
This trend can be observed in the government procurement lists of the past two years. The recently issued Circular on Printing and Issuing 2015 Government Procurement Work Highlights indicates that the quantity of foreign technological products in the central government procurement list has been reduced by one-third compared with the previous two years. Among more than 2,000 commodities whose quantities have increased, most are local brands. Famous technological companies excluded from this list include Cisco, Apple, McAfee (part of Intel), and Citrix. A chain of events triggered by "Prism Gate" has pushed the Chinese government to accelerate its strategic planning in the information security field. Whether the policy adjustment can become a real opportunity for local enterprises depends on product quality.
Advanced Internet capabilities
In this era of "Internet +," which involves cloud computing, the Internet of Things (IoT), Big Data, and Smart Factory, the increasingly huge flow of data and information brings us convenience but also the risk of security breaches. Everything is likely to become a target for hackers, from personal bank accounts to nuclear power plant information and the systems of steel works.
According to the monitoring report from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a total of 245 security events were reported in fiscal year 2014, and the energy industry (32%) and manufacturing industry (27%) were the severely affected sectors. About 55% of attacks involved an advanced persistent threat (APT). Unlike other types of attacks, an APT is characterized by long periods of latency, good organization, and persistence, and it is a tremendous threat to the information security of industrial control systems. APTs have appeared in major malicious network attacks in recent years, for example, the notorious Stuxnet, Havex, and BlackEnergy.
Cyber security attack on German steel
In 2014, a steel and iron enterprise in Germany suffered an APT attack. The virus intruded into the industrial control system of the steel works, resulting in the suspension of operation of the entire production line and major damage to the steel works’ physical facilities, including the steel furnace.
With the quick development of Internet technology and the continuous deepening of integration between industrialization and manufacturing information technology, industrial control systems have increasingly adopted generic software and hardware systems and communication protocols. The application of industrial Ethernet and wireless networks enables each level of an enterprise to share information and communicate in real time, improving efficiency.
Lack of understanding about risk
Nevertheless, "The open system undoubtedly exposes the issue of information security. The biggest hidden danger of industrial control at present is that many industries and enterprises still fail to realize that industrial control security is very vulnerable," said Li Xinshe, deputy director of the No. 1 Electronics Department of the Ministry of Industry and Information Technology, at the China Industrial Informatization and Information Security Development VIP Forum held in August 2014.
Facing the increasingly critical information security issue of industrial control systems, the Chinese government made many moves in 2014. In February 2014, China established a "Central Network Security and Informatization Leading Group" led by President Xi Jinping to raise network security to the national strategic level. In November, the Ministry of Industry and Information Technology released 18 communication industry network and information security standards. Soon after, in December, the Standardization Administration of the People’s Republic of China Technical Committee (SAC/TC124) formally released Industrial Control System Security, which is the first national formal standard in the automation field. This standard comprises two parts, GB/T 30976.1-2014-Industrial Control System Security-Part 1: assessment specification and GB/T 30976.1-2014-Industrial Control System Security-Part 2: acceptance specification. Although this is only a recommended standard at present, its release has given China the basis it previously lacked for the assessment and acceptance of systems and products in the industrial control field, and has laid a firm foundation for an independent industrial control system information security industry and standards system in China.
The goal proposed by China in its "12th Five-Year" Development Planning of Information Security Industry is that the scale of the information security industry in 2015 will exceed $10.81 billion, as of April 20, and maintain an annual growth rate of 30% or greater. Although China’s industrial control security market is just developing and its share of the entire information security market is not very big, it is important that enterprises focusing on industrial control security, such as NSFOCUS, ForceControl-Huacon, and Moses, have emerged along with local leading enterprises such as SUPCON and Hollysys.
– Aileen Jin, editor-in-chief, Control Engineering China. Edited by Joy Chang, digital project manager, Control Engineering.
This was translated and edited for Control Engineering from Control Engineering China.