Why is trust becoming such a big issue?
The latest thinking of automation vendors, relating to cybersecurity in the OT environment, indicates trust is an issue.
Zero trust insights
- Trust in automation grows crucial as cybersecurity threats increase in connected operational technologies.
- Zero Trust security models, which verify every connection assuming a network compromise, are becoming standard.
- Experts suggest combining physical security, ongoing training, and advanced technologies to build comprehensive cyber defenses.
There can be no denying that the rise of connectivity from the device level to the cloud, driven by the industrial internet of things (IIoT), has increased the attack surface for automation facilities. While there are compelling business reasons for direct cloud connectivity – including remote maintenance monitoring, key performance indicator (KPI) tracking and process optimization – these benefits have been achieved with the tradeoff of weakened security. “These new, direct connections, which can allow bad actors to gain access to industrial networks, are driving an increased focus on security concepts like zero trust, which always requires verification to connect to a device. The importance of deploying multiple security approaches to cover all parts of the network has increased significantly as well,” explained Steve Fales, Director of Marketing at ODVA.
The concept of zero trust assumes that the network has been breached. This means that every connection must be verified, regardless of its source, and given the minimum amount of access needed for the minimum amount of time. Additionally, all communications must be secured. To move toward zero trust, it is important to be able to encrypt communications, to have role-based access available, to authenticate endpoints and to ensure that communications aren’t being tampered with.
In addition to working toward zero trust, Fales advises employing multiple security approaches as a part of a defense-in-depth security model to secure industrial control networks. “Physical security and employee training are excellent places to start as a part of a holistic process-oriented approach,” he said. “These are two of the simplest and most effective ways to deter bad actors.”
Conducting threat modeling is another important way to understand network vulnerabilities and to create plans to address them. From there, switch-based firewalls, deep packet inspection, approved lists and other network protections are in order.
“It’s important to also protect the device level if the network has been opened up to attack via direct second channel connections,” Fales said. “An example of device level protection is CIP Security for EtherNet/IP, which offers device authentication and identity, data integrity and confidentiality, user authentication and policy enforcement. CIP Security also offers flexible protection via profiles that can be implemented as needed, depending on the use case. Finally, it is important to continually review and revise security policies, trainings and protections on a regular basis since threat actors and approaches continue to evolve.”
With the flattening of networks and the rise in the number of automation devices connected directly to the cloud, it is important to have a well-resourced and planned security strategy. “The new reality is that breaches are a likely occurrence, and this has led to the rise of zero trust security approaches requiring verification for every connection for only the access that is needed. It is also important to remember that physical security, employee training and process-based methods offer a very high return on investment.”
Finally, Fales argued it is imperative to secure devices at the lowest level. “Security is an enabler of automation device to cloud connectivity which is driving substantial increases in productivity, so it is an invaluable investment in the future of industrial operations.”
Moving away from tradition
Traditionally, the Purdue structural model has been the solution used by organizations to enable secure operational technology (OT) environments by segmenting physical processes, sensors, supervisory controls, operations and logistics. However, as we have already heard, today’s more open platforms bring OT network security more keenly into focus.
“Organizations now need to consider cybersecurity during the front-end engineering and design of a control system project – making systems ‘secure by design’,” warned Michael Lester, director of cybersecurity strategy, governance and architecture at Emerson. “Too often cybersecurity defenses are added later. This is more expensive and rarely as effective as building cybersecurity into the project from the outset.”
So, there is now a need for vendors to start to design their OT software applications from the ground up based on zero trust principles to create secure-by-design plants and factories.
Commenting on this at the recent Emerson User Conference in Dusseldorf, Peter Zornio, chief technology officer at Emerson, said: “Inherently secure by design plants will be a multi-year development – it will only be fully realized following the gradual updating of system software to include security constructs into the software. Every time the software communicates with another piece of software it needs to look for authentication and it needs to have the correct access rights to data. Some of our latest offerings already include inherently secure by design software, but realistically we are talking about a five to 10-year journey until all software in a plant is able to support zero trust. When this becomes reality, however, it will be the final solution to the cyber security problem.”
Until then, however, cybersecurity needs to consist of more than just technology. “Cybersecurity requires behavior and culture change. A deep-rooted understanding across the entire organization of the ‘why’ and ‘how’ of cybersecurity is critical to driving meaningful behavioral change. It is therefore important to build a cybersecurity culture that encompasses people, processes and technology,” Lester said.
More robust measures
As OT systems continue to integrate with IT networks, for example through the introduction of internet-based communication protocols such as message queuing telemetry transport (MQTT) alongside existing data transmission protocols such as HTTPS for WebMI, CsCAN and Modbus, the attack surface widens and new attack vectors are introduced. This necessitates a more robust package of cybersecurity measures to mitigate risks.
Séan Mackey, Cybersecurity Engineer at Horner Ireland, suggests that the following steps can help control engineers to better secure their OT environments:
Know the environment: Begin by thoroughly understanding the OT infrastructure which includes industrial control systems, supervisory control and data acquisition systems (SCADA), programmable logic controllers (PLCs) and other interconnected devices. Identify possible vulnerabilities by documenting such components as assets, network architecture, protocols and communication pathways.
Risk assessment and asset inventory: Conduct a thorough risk assessment to identify critical assets and potential vulnerabilities. Develop an asset inventory, categorising systems based on their criticality and assessing associated risks. Prioritize security measures based on this assessment.
Network segmentation: Implement robust network segmentation, such as air gapping, firewalls to filter and track traffic, and critical system isolation, to separate critical OT assets from non-essential systems and external networks. This limits the impact of breaches or attacks by containing them within specific network segments and reduces the attack surface.
Access control and authentication: Enforce strong access controls and authentication mechanisms to restrict unauthorized access to OT systems. Multi-factor authentication, role-based access control and the principle of least privilege should be implemented to ensure that only authorized personnel can access critical systems.
Patch management: Develop and implement a rigorous patch management process to keep OT systems up to date against known vulnerabilities. This includes firmware and software updates related to any vulnerability fixes for PLCs/HMIs. Prioritize patches based on criticality.
Network monitoring and intrusion detection: Deploy robust network monitoring tools and intrusion detection systems (IDS) to detect and respond to anomalous activities in real-time. Monitor network traffic, system logs and behavior patterns to identify potential threats or security breaches promptly.
Endpoint security: Defend your industrial devices against malware and unauthorized access by implementing endpoint protection solutions such as firewalls, antivirus software and intrusion prevention systems on devices within the same networks as the mentioned industrial devices.
Encryption: Data should be encrypted both in transit and at rest to prevent unauthorized interception or tampering. Implement strong encryption protocols such as Transport Layer Security (TLS) for network communication, specifically with X.509 certificates in the case of emerging MQTT usage within the industry, and encrypt sensitive data stored on OT devices.
Incident response plan: Develop a comprehensive incident response plan outlining procedures for detecting, containing and mitigating cybersecurity incidents. Define roles and responsibilities, establish communication protocols and conduct regular drills to ensure preparedness for cyber-attacks.
Employee training and awareness: Train OT personnel on cybersecurity best practices, including identifying phishing attempts, recognizing suspicious activities and responding to security incidents. Foster a culture of cybersecurity awareness to empower employees to actively participate in safeguarding OT systems.
Vendor risk management: Assess and manage the cybersecurity risks associated with third-party vendors and suppliers providing OT components or services. Establish contractual agreements while specifying security requirements and audit vendors regularly.
Compliance and regulatory requirements: Stay on top of industry-specific regulations and compliance standards governing OT cybersecurity, such as NIST SP 800-82 and ISA/IEC 62443. Ensure OT systems adhere to these requirements to avoid legal and regulatory repercussions and minimize chances of OT breaches due to poor cybersecurity implementations.
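The access control and encryption steps above can be checked directly against an MQTT broker's configuration. The following is an added example, not code from the article or from any vendor quoted in it; it assumes the broker is Eclipse Mosquitto, audits a constructed sample of its configuration file, and requires each control to be set explicitly on every listener.

```python
# Constructed sample in Mosquitto configuration syntax (not from the article).
SAMPLE_CONF = """\
per_listener_settings true
listener 1883
allow_anonymous true

listener 8883
cafile /etc/mosquitto/ca/plant-ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
tls_version tlsv1.2
allow_anonymous false
acl_file /etc/mosquitto/plant.acl
"""

def parse_listeners(text):
    """Return {port: {option: value}} for every 'listener' block."""
    listeners, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            current = listeners.setdefault(int(value.split()[0]), {})
        elif current is not None:              # options before the first listener are global
            current[key] = value.strip()
    return listeners

def audit(listeners):
    """Return {port: [findings]}; an empty list means every check passed."""
    report = {}
    for port, opts in sorted(listeners.items()):
        findings = []
        if not opts.keys() >= {"certfile", "keyfile"}:
            findings.append("plaintext listener: no certfile/keyfile")
        elif opts.get("tls_version") not in ("tlsv1.2", "tlsv1.3"):
            findings.append("TLS version not pinned to 1.2 or 1.3")
        if opts.get("require_certificate") != "true" or not (opts.keys() & {"cafile", "capath"}):
            findings.append("clients not authenticated by X.509 certificate")
        if opts.get("allow_anonymous") != "false":
            findings.append("anonymous access not explicitly denied")
        if "acl_file" not in opts:
            findings.append("no ACL file: no per-client topic restrictions")
        report[port] = findings
    return report

if __name__ == "__main__":
    print(audit(parse_listeners(SAMPLE_CONF)))
```

The plaintext listener on port 1883 in the sample fails every check, while the mutual-TLS listener on 8883 passes.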
High stakes
The critical nature of the majority of the systems within the OT environment means that any disruption or compromise could have far-reaching consequences. “Given the stakes, securing OT environments effectively has never been more important. However, it has also never been more difficult to achieve,” said Daniel Sukowski, global business development IIoT at Paessler AG. “In a world that is interconnected and digitalized, the proliferation of connected IIoT devices is on an exponential rise, resulting in systems becoming progressively more complex. Previously isolated OT networks are being opened up to connect with new systems and devices from the outside, often across multiple locations. While this interconnectivity has many advantages, it also poses great risks.”
Sukowski suggested that, to keep OT systems adequately protected, businesses should invest in monitoring technologies. “Having one effective monitoring system in place – with centralized dashboards and alerting capabilities – can provide a more holistic picture. It will bring data from all locations – the OT environment, IIoT sensors, wired and wireless networks and traditional IT devices and systems under one umbrella. It grants full visibility – something that is more vital than ever as cybercriminals continue to evolve and grow in sophistication,” he said.
Alongside this, Sukowski advises that organizations conduct regular security audits and risk assessments on operating systems to help identify vulnerabilities. This should include information security risks and cyber risks, as well as all common OT operational risks.
“Another part of the puzzle is ongoing training for all relevant employees. This should be updated and refreshed regularly in order to ensure that the business is operating in line with the latest guidance and regulations. For example, when the upcoming NIS-2 directive becomes national law in all EU member states in October 2024, employees will need to ensure that they, and the wider business, remain compliant.”
The NIS2 Directive will update current EU cybersecurity law, building on the original NIS Directive (NISD). The goal is to boost OT security, simplify reporting and create consistent rules and penalties across the EU. By expanding its scope, NIS2 will require more businesses and sectors to take cybersecurity measures.
Entities now covered by the scope of NIS2 need to take appropriate and proportionate measures to manage the risks to the security of their network and information systems, and to prevent incidents or mitigate the effects of incidents on the recipients of their services and on other services. These measures are based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents.
At a minimum, these measures include risk analysis and information systems security policies:
- Incident handling
- Business continuity, such as backup management and disaster recovery and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers’ or service providers’ security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Original content can be found at Control Engineering Europe.