Cybersecurity

Secure-by-design industrial products are increasingly important

Cybersecurity often is the catalyst for control system modernization, and industrial and critical infrastructure sector projects increasingly specify automation products and systems that are designed as cybersecure.

By Larry O’Brien December 2, 2020
Courtesy: ARC Advisory Group

 

Learning Objectives

  • Design cybersecurity into automation and systems, including Industrial Internet of Things upgrades. 
  • Consider cybersecurity as a catalyst for system modernization and use of cybersecurity standards. 
  • Drive cybersecurity into the industrial control system procurement process. 

Those in the industrial and critical infrastructure sectors increasingly seek products and solutions that are inherently cybersecure. In many cases, cybersecurity provides the catalyst for control system modernization projects. This is especially true in cases where users discover they can no longer support an installed base that requires an increasing amount of time and resources to make it cyber-secure.

Much of the cybersecurity focus for industry and infrastructure to date has focused on providing layers of cybersecurity on top of existing infrastructure, rather than procuring products and applications that provide a level of inherent cybersecurity. Inherent cybersecurity is often achieved through some combination of product design features and a secure development lifecycle process. From the supply chain perspective, many end users also are looking to source inherently secure components, microprocessors and embedded systems.

In addition to closer supplier scrutiny during the selection process, the built-in, secure-by-design approach also requires secure implementation, installation and maintenance approaches throughout the system or product’s lifecycle. Two separate but related lifecycles are at play here: One for product development and one for implementation and support. Looking for products certified to a cybersecurity standard, like the ISA/IEC 62443 series of industrial control system cybersecurity standards (formerly ISA-99), also can be a challenge since many users are unfamiliar with the various certification and standards bodies. While even products not certified to a published standard can sometimes provide acceptable cybersecurity, this requires closer scrutiny of vendor offerings and their associated development and sourcing practices. Using certifications to help pre-qualify potential products can save asset owners considerable time and effort.

Industrial products require security by design

Most operational technology (OT)-level products and applications in industry and critical infrastructure worlds aren’t designed from the ground up to incorporate cybersecurity. Until recently, features, functions and open network connectivity have received more attention. The drive toward “openness” in the 1990s and early 2000s resulted in a cybersecurity mindset focused on adding layers of cybersecurity in OT-level systems to address potential vulnerabilities. While this mindset is still required for effective cybersecurity, many end users are finding it is much easier and less expensive investing in products designed from the ground up to incorporate security rather than increase investments to lock down products that are not secure.

Security by design should go beyond the products themselves and how they are designed to incorporate secure development lifecycle practices for applications. The same principles apply to the processes used in control system engineering, installation and startup. End users also are taking a closer look at the security of the supply chain, specifically in how systems are developed and manufactured, and if the systems utilize secure components and embedded systems.

Figure 1: Average lifecycle of process automation system components shows that automation isn’t supported indefinitely and older systems may require replacement due to increased cyber risk. Workstations and consoles may require attention in less than 5 years and controllers in less than 15 years. Courtesy: ARC Advisory Group

Figure 1: Average lifecycle of process automation system components shows that automation isn’t supported indefinitely and older systems may require replacement due to increased cyber risk. Workstations and consoles may require attention in less than 5 years and controllers in less than 15 years. Courtesy: ARC Advisory Group

Industrial IoT increases need for cybersecurity

The new wave of products for Industrial Internet of Things (IIoT), such as edge computing devices; cloud computing platforms; and smart, connected sensors provides an additional level of complexity for end users from a cybersecurity perspective. While many of these “industrial edge” offerings incorporate good cybersecurity, such as “zero trust” architectures, others do not. Since many of these offerings are making their way from the information technology (IT) world into the OT world, they must be more closely scrutinized to evaluate cybersecurity risk.

Cybersecurity as a catalyst for system modernization

Control systems in industrial and critical infrastructure environments typically have extremely long lifecycles. Many distributed control systems (DCSs) and programmable logic controllers (PLCs) have been in service for 20 years or more. Many end users are finding the older installed base is too complex, costly, and risk-prone to continue to support from a cybersecurity perspective. This often provides the impetus for a control system migration or modernization project.

Security by design, cybersecurity standards

The ISA/IEC 62443 series of standards are the key cybersecurity standards for manufacturing and critical infrastructure. The series is recognized internationally and the product of decades of work by end users and suppliers. While the initial focus of the standards was on describing reference architectures and fundamental concepts like defense-in-depth, the IEC 62443 standards today encompass all aspects of industrial cybersecurity, from product and application development through the complete lifecycle.

The IEC 62443-4-1 standard specifies process requirements for the secure development of products used in industrial control systems (ICS). It defines a secure development lifecycle (SDL) for developing and maintaining secure products. This lifecycle includes the following practices:

  • Security management
  • Specification of security requirements
  • Secure by design
  • Secure implementation
  • Security validation and verification testing
  • Management of security-related issues
  • Security update management
  • Security guidelines.

Driving cybersecurity into the ICS procurement process

Selecting secure-by-design products and applications can be challenging for many ICS end users. Many have not developed good selection criteria for systems and applications. Many systems used in industry and infrastructure are obscure and may not consider cybersecurity at all. At the same time, many of these offerings are becoming more IoT-enabled, which compounds the risk.

While most major DCS suppliers offer controllers and other system components that are ISASecure-certified, many suppliers that offer lesser known types of systems, such as terminal automation systems, RTU-based SCADA systems, boiler controls and compressor controls may not incorporate secure-by-design principles.

Having a good selection and procurement process also means different stakeholders within the end user organization must also be involved. The normative requirements described in the IEC 62443 standards provide a solid foundation for such a process.

Security by design means a better return on investment

Many end users have achieved better return on investment (ROI) and lower lifecycle costs by investing in secure-by-design technologies. Many end users have dwindling resources for managing cybersecurity issues. In addition to adding cost to prevent threats during day-to day operations, the cybersecurity dimension of systems design and engineering can add to the cost and time required to complete a project. Incorporating security by design can reduce engineering costs and overall project costs as well as operational and maintenance costs.

Figure 2: Designing cybersecurity into automation helps as part of the security development lifecycle, which also includes cybersecurity for third parties, design, coding, static analysis, vulnerability testing. Courtesy: ARC Advisory Group

Figure 2: Designing cybersecurity into automation helps as part of the security development lifecycle, which also includes cybersecurity for third parties, design, coding, static analysis, vulnerability testing. Courtesy: ARC Advisory Group

Examples of security by design in products and systems

Many products for industrial and critical infrastructure applications provide some security by design that can help end users reduce lifecycle costs and improve cybersecurity. Some products offer security by design in their inherent design or physical properties. These include things like data diodes or unidirectional gateways, which provide secure unidirectional or even bidirectional communications.

Data diodes can incorporate enhanced security into the inherent design of the product or through layers of secure software and network design. One data diode provider, for example, offers a data diode that incorporates physical send-only and receive-only circuits with fiber optic communications. Other data diode suppliers use COTS components to build their data diodes, but incorporate specialized content inspection engines and other software-based methodologies to ensure secure unidirectional communication.

Many other products incorporate secure-by-design principles into automation and control systems or instrumentation. These could include unique backplane designs, port locking features, or other features. A smaller, but innovative automation supplier, for example, may offers inherent secure-by-design principles into several of its systems components, including backplane, power supply, and others. Ask an automation supplier or industrial cybersecurity supplier about secure-by-design features are integrated into products.

The other dimension to look for with security by design is system and network implementation. Some suppliers can offer tested and verified reference architectures for system and network design that incorporate the highest degree of inherent security. This is often the result of partnerships between specialist networking suppliers and automation suppliers.

Other automation suppliers offer design features in process safety systems to prevent unauthorized user access devices. All system suppliers are incorporating these or similar features. New features are being rolled out continuously, which means users should evaluate what existing and potential suppliers have to offer.

Cybersecurity product testing and certification

Other products provide security by design by undergoing a certification or registration process where they are tested against a cybersecurity standard. One example is the ISASecure family of certified products, which are tested against the ISA/IEC 62443 cybersecurity standard. ISASecure offers certifications for both physical products such as controllers, PLCs, gateways and routers. This also goes for systems, which includes process automation systems and process safety systems. It also offers secure software development lifecycle certifications for systems and applications developed by certified suppliers.

Beyond cybersecurity layers of protection

Layers of protection are necessary. But it is perhaps even more important to incorporate secure-by-design principles into products and applications to ensure a certain level of security right “out of the box.” Ensuring devices are secure by design is the goal of many cybersecurity efforts, such as ANSI/CAN/UL 2900 Standard for Software Cybersecurity for Network-Connectable Products and ISASecure. Secure-by-design principles apply to software, devices and networks. Many of today’s commercially-available products and applications were not developed using these principles.

While important, security by design is not a panacea. It does not absolve the end user from following good cybersecurity practice, project implementation or operations work processes. Incorporating security by design is one aspect of a well-rounded and competent cybersecurity organization and strategy.

Other aspects of security in the system design process are also becoming more crucial. These include supply chain cybersecurity, provenance (determining where system computing components like chipsets come from and their inherent levels of security) and other issues.

Larry O’Brien is vice president, ARC Advisory Group; edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, mhoske@cfemedia.com.

MORE ANSWERS 

KEYWORDS: Cybersecurity lifecycle, process automation upgrades

CONSIDER THIS 

Like automation safety, cybersecurity requires more than attention to product design.


Larry O’Brien
Author Bio: Larry O’Brien, ARC Advisory Group