Keeping OT environments cybersecure
What can engineers do to protect their processes and plants from cyberattack? Consider these best practices from cybersecurity and manufacturing experts.
The convergence of information technology (IT) and operational technology (OT), the wider connectivity of OT with external networks, and the growing number of Industrial IoT (IIoT) devices, is helping to boost the efficiency of industrial processes. It is widely acknowledged, however, that this convergence trend also comes with cybersecurity dangers.
Kirill Naboyshchikov, business development manager, Kaspersky Industrial CyberSecurity at Kaspersky, pointed out that, according to recent statistics, nearly 57% of UK manufacturers faced a cyberattack in 2020. Last year, Kaspersky ICS CERT identified a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018.
“Incidents on industrial organizations organically attract attention from the cybersecurity community as they are sophisticated and focused on sectors that are of critical value. Official organizations and initiatives such as European Commission’s Cybersecurity Strategy (ENISA) highlight the importance of having a dedicated approach to addressing cybersecurity risks – targeted attacks, espionage campaigns or sabotage,” said Naboyshchikov. “As a result, cybersecurity has become a critical factor for the whole enterprise – right up to board level.
“Enterprises need to keep their industrial processes stable, prevent intrusions and stay compliant to policies and requirements. Relevant cybersecurity practices should allow them to control OT environment, adopt new engineering best practices and digitalisation projects, but must also protect old equipment and systems that may still be in use.”
These practices mean considering security aspects at the very beginning of any project. It is also important to have access to the most relevant threat intelligence, vulnerability assessment and mitigation, updating incident response programs to cover specific ICS actions and using dedicated cybersecurity solutions.
Kaspersky recommends implementing these technical measures:
- Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
- Restrict network traffic on ports and protocols used on edge routers and inside the organization’s OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
- Deploy dedicated endpoint protection solution on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from random cyber attacks; and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.
A changing cybersecurity landscape
“Due to the pandemic, we find ourselves within a cybersecurity landscape where nothing’s changed, yet everything’s changed,” said Robert Putman, global manager for cybersecurity systems at ABB Process Automation. “You could be forgiven for concluding that the increased adoption of remote technologies during the global pandemic would have increased the risk exposure for industry. However, this has not been the case for well architected, well managed operations.”
When it comes to cybersecurity, and the effort needed to operate effectively in the pandemic environment, it is very easy for engineers to push concerns aside to focus on the daily challenges of running and maintaining a plant. It can be viewed as a problem for another day or seen as a low-likelihood risk. Conversely, plant managers may feel paralyzed at the perceived scale, complexity and financial requirements assumed to be needed in order to successfully tackle cyber security concerns.
According to Putman, there is some good news and some bad news for engineers concerned about protecting their processes and plants from cyber attacks. “The bad news is that cyber security needs to make its way higher up the to-do list. There have been a number of high-profile cyber breaches over the past 12 months, and exposure to cyber risk has the potential for far more significant real-world consequences beyond a data or information leak. The good news is that it is possible to effectively and substantially improve cybersecurity by establishing basic security controls, at scale, across a plant’s systems.”
Putman advises the introduction of strategies to reduce the attack surface area for would-be adversaries – essentially closing as many doors as possible on two fronts. “We invest a lot to make systems simpler for colleagues to use – but we must also make them harder for would-be attackers to penetrate. Firstly, engineers need to take steps to make systems unappealing – introducing software and solutions that obfuscate and frustrate the efforts of a potential human attacker; so that they are thwarted to the point of giving up, or are forced to move on to a different target.
“Secondly, it is critical to ensure systems are also inaccessible to the exploits that ransomware/malware depend upon. The application of basic security controls at scale can mitigate the unintended infection of malware and its propensity to move horizontally, causing further damage.” This can be achieved without huge financial outlay, says Putman. He highlights five key steps that plant engineers should take at the earliest opportunity:
- Establish a plant-wide anti-virus (AV) regime – this may include combination of signature-based AV and Application White Listing. Signature based AV is the traditional McAfee and Symantec where security researchers develop criteria used by the anti-virus applications to identify the presence of malicious software.
- Deliver a watertight back-up and recovery to quickly restore a compromised host from a known good image.
- Ensure all software update patches are downloaded, validated, and installed consistently and at appropriate intervals to mitigate disruption of operations.
- System hardening and configuration. From individual hosts to network segmentation, assure your architecture is what it should be to minimize exposure.
- Maintain a reference architecture, audit adherence to the design, and make updates to the design as new best practices and/or threats require.
Stefan Woronka, director industrial security services at Siemens, says that with ISA 99/IEC 62443, the ISA and its members have created a well-accepted and broadly used standard that vendors, operators and integrators can use and adapt to their environment. “For operators that would like to start the endeavor, Siemens recommends conducting an IEC 62443 Assessment to determine the gaps of two important aspects: How well are the processes (the IT Security Management System) established? And what are the gaps between the standard and the industrial automation and control systems as configured and operated that require attention?”
Based on the results of the IEC 62443 assessment operators can determine the necessary measures to improve their cybersecurity. Next to technical measures – such as the application of a defense-in-depth concept with a zones and conduits model – the setup of an IT security management system (ISMS) needs to be considered. “The ISMS will define responsibilities and additional organizational measures – such as policies and procedures. Also, it will help raise awareness among employees, engineers as well as operational staff,” said Woronka. “This measure must be considered as a regular activity in the same way as safety training.”
The technical measures of a defense-in-depth concept range from the implementation of zoning firewalls to the use of endpoint protection solutions such as whitelisting and antivirus. As a prerequisite the operator should seek guidance from the vendor of its industrial automation and control system, in case the measures the operator seeks to implement require approval or might cause any compatibility issues with the automation hardware and software.
“With this, the first steps towards a functioning security architecture are taken,” said Woronka. “But it is not the time to rest, as the attacker never sleeps! Operators need to consider continuous measures for implementation. The most basic one and at the same time a complex one is the setup of a proper management for vulnerabilities.”
This requires four major steps:
- The identification of all relevant assets including firmware and software patch level.
- The identification of existing vulnerabilities of these assets.
- The plan to mitigate these.
- And, finally the patching itself.
“One additional measure to consider, is the implementation of a monitoring solution, that will baseline and monitor the industrial automation and control system for anomalies and changes,” Woronka said.
Be aware of cybersecurity attack consequences
The first step to protect processes and plants is to be aware of the consequences of cyber attacks, according to Massimiliano Latini, ICS cybersecurity & special projects director at H-ON Consulting.
While the IT world is already aware of security issues, OT security has opened up a world that was previously hidden and unknown. “OT networks are much more accessible than traditional IT systems and consequently much more attractive to cybercrimes, where hackers can easily breach those most vulnerable parts of industrial automation control systems,” said Latini. He believes that the most dangerous effects of a cyber attack are related to business continuity, due to the possible shutdown of the plant assaulted, and also to safety and environment issues, in other words, injury or accidents involving people and hazardous environmental emissions.
“Above all other things, engineers can protect their processes by tidying up their data infrastructure,” said Latini. He advises that the first measure that companies should implement – in compliance with the international standard IEC 62443, which is the most important reference for industrial cybersecurity – is organizing the network into zones with a clear separation between IT and OT, and where the segmentation of the OT network is rigorously managed in case of remote access as well.
“I strongly recommend the use of firewalls designed specifically to manage issues related to industrial infrastructures is strongly recommended,” he said. “The selection of high-quality tools is also crucial to counter attack the hackers. This obviously depends on the type of infrastructure and the problems that need to be managed. The most effort must be employed in investigating what are the most adequate firewalls and Layer 3 switches for segmenting the network in accordance with the IEC 62443. And finally, a software for monitoring the network can be also very useful for identifying what vulnerabilities are affecting a system.”
Know your cybersecurity system
Edward Kessler, technical executive at EEMUA, believes that the most important consideration, when looking at securing process and plant cybersecurity, is to know what you have and what it is connected to – in terms of both networking and control – and to educate yourself on industry best-practice.
It is important to have a good idea of the roadmap for developing a cybersecurity strategy, and while there is a huge body of information available – in the form of standards which are still being developed – in many cases there is too much information for a busy engineer to take on.
“There are a number of places that easily digestible best-practice information can be found,” said Kessler. “You could look at EEMUA guidance and in the UK there is also HSE guidance. This will help engineers to better understand their equipment, what each element is dependent on, what the dataflows are and what the basic network map is.”
Kessler points out many organizations will already have a fixed asset register, but this is not likely to contain the information that is most useful from a cybersecurity perspective. “It is important to examine in detail what the connections are. Just saying it is an Ethernet or RS232 connection, for example, may not be what is significant when it comes to cybersecurity. You also need to look at dataflows and what is dependent upon what – for example, you might think that you are just sending control information to a device. But you may have a logging function on it which is dependent on GPS, so you need to know where this comes from too. All of these elements need to be brought into the mix because they may be significant from a cybersecurity point of view.”
Kessler concludes by warning that the cybersecurity risk in the OT environment is growing because the only real interest of many attackers is to make money, so attacks are likely to be be random – but opportunistic – targeted at the most easy to access systems. Those organizations that practice good cyber security hygiene will stand a better chance of deterring attackers. It is important to stay one step ahead of the attackers, so cybersecurity needs to be a continuous process and when it comes to cybersecurity prevention is definitely better than the cure.
Suzanne Gill is editor, Control Engineering Europe. This article originally appeared on Control Engineering Europe’s website. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media, email@example.com