Pay attention: Industrie 4.0 and ICS cyber security
As connectivity and information flow increase in manufacturing and process plants, industrial control system (ICS) cyber security requires greater attention. The Internet of Things (IoT), perhaps the most popular buzzword to hit the tech mainstream since "tweeting," refers to the billions of smart connected devices, ranging from simple sensors to complex machines, that affect personal behavior as well as business on a local, regional, and global scale. So many devices are connecting that International Data Corp. (IDC) predicts the worldwide IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020.
While most people currently associate the IoT with connected consumer devices such as fitness trackers, smart thermostats, and feature-rich light bulbs, much of the same communications capabilities in these products are being used in more specialized devices that run critical infrastructure systems such as those in the energy, water, transportation, and chemical sectors that serve the needs of citizens and countries alike. In fact, 35% of manufacturers already use devices categorized as smart sensors in their process and manufacturing operations, and an estimated 5.4 million IoT devices will be used on oil and gas extraction sites around the world by 2020. Likewise, energy companies will be installing 1 billion smart meters on homes, businesses, and factories by 2020.
Enter Industrie 4.0, the name given to what’s being called the fourth industrial revolution. Industrie 4.0 is propelling organizations and their production and service delivery capabilities far beyond steam power and the electrification of the factory. Industrie 4.0 goes beyond the digital modernization that brought networking, computing power, and automation into the production environment and onto the plant floor.
According to PricewaterhouseCoopers (PWC), the Industrie 4.0 movement is characterized by the increasing digitization and interconnection of products, value chains, and business models. It is the industrial sector’s version of IoT, aptly named the Industrial Internet of Things (IIoT). This modern technology that is blanketing industry enables even greater amounts of automation and remote management of system assets. It also is providing visibility into operations designed to help system owners and operators improve productivity and facilitate healthier returns on investment for the products and services their systems provide.
The switchover in industry to smarter devices with greater local computing power and network communications helps organizations enjoy measurable benefits including improvements to process safety, reliability, and visibility into the production process. Such benefits rely on innovation, and they are altogether missed when old systems installed years (if not decades) ago remain locked in time, not changing in a way to take advantage of more modern, progressive technologies. These systems are at greater risk for malicious attacks. So what is the solution when such vulnerabilities are matched with real-world threats?
Connectivity risks, rewards
Most manufacturing and process systems, such as an oil pipeline, power plant, water treatment facility, transportation network, and even building automation systems (BAS), are undergoing the same transformation where old, simple assets are replaced with smarter, more connected devices. With these new devices come new network infrastructures designed to create even greater connectivity and data interactions between the devices and previously disparate systems.
Usually, it’s not until an incident occurs, such as a loss of communication, failed device, product misconfiguration, or a security breach, that an industrial network is brought into focus. Events like these quickly lead to safety impacts, expensive downtime, lost production, and potentially far-reaching financial impacts. While such consequences are no secret to asset owners and operators, investments made to counteract them are often limited and often overlook a key opportunity to further reduce latent risks. One glaring omission often seen in many of the most progressive industrial control systems is the absence of a clear view and understanding of what critical network communications actually look like inside these mission-critical systems.
Many popular control system configuration and monitoring tools only provide a window to program and configure parameters and logic control, to monitor status, or provide operators with status of the process control system itself. The network and its infrastructure are largely ignored by much of this software; yet, incidentally, the network often has a great effect on overall system performance and stability. If disrupted or overwhelmed, the network’s availability, or lack thereof, can immediately impact the safety and productivity of the system.
That said, the opportunity to get out in front of many of these safety and security risks is already available by way of proactive planning and the use of continuous network monitoring that can detect abnormal events and alert engineers so responsible action can be taken.
ICS future is here
ICSs have evolved to become connected with business information systems and often include remote management capabilities. They are no longer isolated independent systems, which were previously thought of as islands of automation. Owners and operators now access many of today’s systems from afar and can reach into individual devices that control and monitor critical operations.
This level of connectivity and accessibility goes to show that the IIoT is not a future state for industry. If anything, the IIoT is in many ways already here, and if all of the new device and system connectivity isn’t properly built and maintained, nearly every cyber-physical system will be vulnerable to threats that could have grave consequences.
In response, those responsible for automation and control systems are increasingly seeking ways to reduce risks. Some are evaluating and force-fitting information technology (IT) practices and technologies into the operational technology (OT) space in hopes that doing so will improve visibility and situational awareness. Yet, many IT tools are square pegs in round holes since they don’t have context or understanding about the unique nature of industrial networks and systems. Office-grade products also do not understand the particular protocols, commands, and data flows that operate the engineered systems that produce tangible products and services.
The IIoT revolution
The IIoT and Industrie 4.0 platforms are comprised of cyber-physical systems with connected devices that collectively make up the smart factory—a facility or operation with the technical advantages of self-prediction and self-awareness in the processes used to make and move products and services.
A key aspect of Industrie 4.0 is that it’s not just about pure industrial products and specialized technologies. It includes outside influences, such as business and consumer-grade technologies, that are becoming comingled and tightly interlaced with other industrial-grade devices inside a production environment.
In today’s systems, it’s to be expected that ICS will also carry IT-oriented traffic, such as web services, remote access, virtualization services, and encryption technologies, alongside the control services needed to run a process. In fact, a cadre of well-established technologies originally created for business-to-business activities, commercial communications, consumer services, and entertainment are now readily found inside most contemporary industrial systems; however, without a view of the network, these technologies are often unknown to engineers, technicians, operators, and even to control system manufacturers.
More connections = more risk
New vulnerabilities have surfaced as a result of greater connectivity, and control systems have become an attractive opportunity for adversaries. Risks and access points into ICS networks will continue to increase significantly, and the skills shortage in managing ICS cyber security exacerbates this problem.
Some facility owners and operators continue to unknowingly disregard the importance of their network infrastructure. Attackers, on the other hand, are increasingly focused on accessing these systems and devices and affecting operations for a variety of reasons, such as to extract valuable proprietary information or gain control of the systems and assets that citizens rely on daily; or, in the worst-case scenario, to cause physical harm.
When the network is recognized as a means to deliver value and as a conduit to bring new risk to a control system, the importance of industrial network monitoring and anomaly detection becomes readily apparent.
For the electricity sector, for instance, the North American Electric Reliability Corp. (NERC) developed critical infrastructure protection (CIP) standards to assure the reliability of the bulk power system and mitigate risks associated with ever-expanding network connectivity. The standards even call out the importance of network monitoring for protecting electronic security perimeters and for aiding system security management, incident response, vulnerability, and change management.
Despite the power that comes with negative reinforcement of regulatory fines for noncompliance, NERC CIP’s positive effects can only come from industry participants that adopt a security culture that extends beyond a "check-the-box" mentality that regulations can often drive. IIoT brings benefits and risks that will take a toll on those who don’t make proactive investments and establish a comprehensive security program and culture.
A recent cyber security assessment published by the Snohomish Public Utility District (SnoPUD) is a prime example of how convergence has killed the air gap. As the largest public utility in the state of Washington, the facility had robust security in place on the corporate network to presumably prevent adversaries from gaining access to its ICS network. Although the facility had corporate security and was NERC CIP compliant, assessors gained access to the ICS network within 22 minutes, and once that task was accomplished, they found absolutely zero security tools in place.
It’s an example of how complexity results in risk as well as how regulatory compliance doesn’t necessarily equate to security. It also reinforces the importance of effective network anomaly detection for ICS systems that can identify unusual events as early as possible and notify responders and trigger other security controls to protect critical systems.
Monitoring the ICS network
Despite the industry’s best efforts, there likely will never be standards or federal regulations advanced enough to fully keep up with the proliferation of IIoT and the risks associated with a connected infrastructure. Instead, the burden falls largely on each organization to maintain the integrity of its own assets. One surefire way to do so, akin to how corporations have secured their IT infrastructure, is to monitor the industrial network at all times.
With the evolution of a connected enterprise, there’s now an interdependence of IT and OT functions in organizations because their respective systems are often integrated.
There is such an array of activity on control system networks today that organizations need visibility into communications to determine what is approved, malicious, or even accidental. Monitoring control system network infrastructures can aid with identifying a newly connected or failed device, misconfiguration of a system, unauthorized activities and changes to the networks’ health, and even highlight the first indicators of potential cyber attacks.
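The comparison this kind of monitoring rests on can be sketched in a few lines. The following is an added example, not part of the original article or of any vendor's product: it checks an observation window of network flows against a baseline of approved conversations and reports a newly connected device, a device that has gone silent, and an unapproved service between known hosts. The addresses, ports, and the names Flow, BASELINE, OBSERVED, and assess are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Constructed baseline: conversations engineering has approved for one cell.
BASELINE = {
    Flow("10.0.1.10", "10.0.1.20", "tcp", 502),    # HMI -> PLC-1, Modbus/TCP
    Flow("10.0.1.10", "10.0.1.21", "tcp", 502),    # HMI -> PLC-2, Modbus/TCP
    Flow("10.0.1.30", "10.0.1.20", "tcp", 44818),  # eng. station -> PLC-1, EtherNet/IP
}

# Constructed observation window, e.g. flows summarized from a mirror port.
OBSERVED = [
    Flow("10.0.1.10", "10.0.1.20", "tcp", 502),
    Flow("10.0.1.30", "10.0.1.20", "tcp", 44818),
    Flow("10.0.1.77", "10.0.1.20", "tcp", 502),    # host not in the baseline
    Flow("10.0.1.30", "10.0.1.20", "tcp", 3389),   # known hosts, RDP not approved
]

def hosts(flows):
    """Every address that appears as a source or destination."""
    return {h for f in flows for h in (f.src, f.dst)}

def assess(baseline, observed):
    """Return (kind, detail) alerts for deviations from the baseline."""
    seen = set(observed)
    known, active = hosts(baseline), hosts(seen)
    alerts = []
    # A host the baseline has never seen: newly connected device.
    for host in sorted(active - known):
        alerts.append(("new_device", host))
    # A baselined host with no traffic in the window: failed or disconnected.
    for host in sorted(known - active):
        alerts.append(("silent_device", host))
    # Known hosts talking in a way nobody approved: misconfiguration or misuse.
    for flow in sorted(seen - baseline):
        if flow.src in known and flow.dst in known:
            alerts.append(("unapproved_flow", flow))
    return alerts

if __name__ == "__main__":
    for kind, detail in assess(BASELINE, OBSERVED):
        print(kind, detail)
```

A window that matches the baseline exactly produces no alerts, which is what makes the approved set worth maintaining as the system changes.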
Industrial Internet of Everything
Industrie 4.0 is proving to be much more than a fleeting trend—it’s a force likely to continue to expand and accelerate. Its effects on industry are already starting to display great value and returns, but they bring new risks. Industrie 4.0 has the potential to impact almost every aspect of our lives and the critical systems that we rely on for reliable power, safe water, transportation, communications, and goods and services necessary to keep us safe. There’s no better time than now to begin paying attention to what’s happening on the networks to which all of these industrial things connect.
Doug Wylie, CISSP, vice president of product marketing and strategy, NexDefense. Edited by Chris Vavra, production editor, Control Engineering, email@example.com.
Industrie 4.0 is the next revolution in manufacturing, but it brings several risks from a cyber security standpoint.
Proactive planning and the use of continuous network monitoring can help alert engineers of abnormal events and other breaches.
People need to pay attention and be aware of the potential risks of Industrie 4.0 as it becomes more integrated in everyday society.
What other risks could Industrie 4.0 bring to the plant floor and what can you do to offset or minimize those risks?