With more industrial systems seeking to get ahead in the Internet of Things (IoT) space, there are more and more risks from online hazards. We speak to Schneider Electric’s Peter Clissold about how companies can better protect themselves.
The development of the Internet of Things (IoT) has transformed the industrial process and control sector, with digital connectivity increasingly becoming the requisite path to follow for companies and organisations looking to enhance the performance of their systems and achieve advances in productivity and efficiency. The benefits of IoT are well known – the risks that increased connectivity brings to process and control systems, often less so. Once upon a time, operators and managers of these systems had to confront risks from potential physical damages; now, increasingly, with systems connected to mobile phone apps for monitoring and predictive maintenance, there are abundant vulnerabilities and risks from malware, denial of service (DoS) attacks, remote hackers and other cyber threats.
Over the last 20 years, process and control systems have been employing supervisory control and data acquisition (SCADA) connectivity over Ethernet, and now almost every facility has Ethernet as part of its control environment in some way. With a connection to Ethernet and with the appropriate gateways and routers in place, devices can be accessed across the internet from anywhere. And, as we start to see the proliferation of mobile devices and ever more data being consumed by business systems, we are seeing organisations creating connections from their facilities straight into the cloud to provide capabilities like remote monitoring and analytics.
According to Peter Clissold, senior industrial cyber security consultant at Schneider Electric, there are many process and control systems that are not as secure as they could be against the array of threats today. “The simplest is a DoS attack, where unexpected behaviour on the network can disrupt the process control system and lead to a serious increase in downtime,” Clissold said.
“Hackers present a more sinister problem. A remote hack could lead to code changes, such as a change in a process set point that might result in a tank potentially having a spill or running dry, or a situation where material being worked in machinery can end up with defects or damages.”
And, in larger facilities, such as refineries and chemical plants, which rely on robust safety systems, a malicious hack could impact on the performance of safety systems, with serious consequences. “Safety risk assessments need to encompass cyber security threats and determine what would happen in the instance of a denial of service attack or someone making unauthorised changes. It is necessary to determine what sort of implications that will have for the overall safety of the facility,” Clissold said.
There are also challenges for older control systems in operation. “You can take for granted some of the features you see in newer switches, security appliances and devices with the ability for data encryption and other security features,” said Clissold. “These features are not necessarily available in older equipment where plants in days gone by were using either unmanaged switches or hubs that are not designed to provide any level of control for the network environment, or devices that had no default passwords.”
Assessing the risks
For Schneider Electric, these kinds of situations become part of the larger pool of considerations that they examine when determining how to go about securing particular process and control environments. “It does pose a challenge, but when addressing cyber security and developing a strategy, you have to consider people, processes and technology – cyber security is not only a technical solution. With older equipment and processes, we will often need some level of procedural controls where we typically look to ringfence at-risk processes, while ensuring that this ringfence is not only secure but does not affect the overall performance of that process control system. This would be a temporary solution until such time as further upgrades can be carried out to bring the process in line with contemporary techniques.”
When providing consultation and service in the cyber security space, Schneider Electric takes a holistic view when attempting to solve a customer’s cyber security dilemma: assessing their cyber security environment, looking for vulnerabilities, defining solutions, implementing them and monitoring their performance. But, within that, the company works with its customers to help them understand how to build a cyber security management system that helps support that environment, so that the right kind of cyber security threat-awareness framework is provided to identify issues and determine what processes need to be put in place.
“Our services are set up with the entire lifecycle approach to cyber security in mind,” Clissold said. “At the beginning of this process, our clients often have little to no maturity in their cyber security framework. We help put them in a position where they are running an effective cyber security management system tailored to their needs. Likewise, companies that relied on one person handling their security are brought along the maturity curve to a point where they have an established framework within the management organisation. The goal is to help organisations move along the maturity curve to a position where the cyber security management system is maintaining itself rather than relying on the efforts of individuals.”
Clissold said that organisations, at the executive or management level, had to determine which systems are at higher or lower risk. “The challenge is to try and help those responsible for maintaining these facilities to acknowledge that risks and vulnerabilities apply to more than just the equipment they see in front of them and are in fact all-encompassing,” he said.
“When a company wants to take advantage of IoT and connectivity they open themselves up to different risks from those that were there before. Just having a firewall in place is not enough. You need to practise defence in depth, you need to implement better rigour around the people and processes you’re employing to make that environment more secure.”
Defence in depth
Historically, the idea of “defence in depth” comes from military strategy, referring to approaches that delay the advance of the enemy. Moreover, it refers to strategies that incorporate into their design the awareness that there will be a point in time when any single line of defence can be compromised. In other words, there have to be several barriers to keep threats out. Clissold said that companies relying on a single barrier make themselves especially vulnerable to cyber threats. “If that barrier is compromised, your whole environment is compromised. Defence in depth in relation to cyber security means going through each level of defence within your industrial environment, allowing an organisation to assess security requirements at each level,” he said.
For example, if a cyber-attacker breaks through a firewall and gets into the production environment, the system must have measures in place so that the attacker can’t just log on to the nearest SCADA computer they find in that environment. Other layers of defence can include managing and maintaining security and privileged access control within that environment, or segmentation of the network, so that when an attack compromises the SCADA network, it won’t also compromise the PLC network or IO network.
In concert with defence in depth is what Clissold calls “detection in depth”, which refers to the monitoring of assets. “Again, a lot of people set up firewalls, but the last time they looked at the firewall was when they first put it in service. There is a lot of evidence out there suggesting that while a compromise or an attack can happen within minutes or hours, the vulnerabilities could have been sitting there for months or years before they were exploited,” he said. “Constant monitoring is therefore necessary. Both defence and detection in depth address the realisation that no single barrier is going to be enough to protect the system absolutely.”
Clissold explained that people who transition from IT to OT cyber security can look to industry standards such as IEC 62443, a series of standards and guidelines that helps organisations make a start in addressing industrial cyber security. It is an international standard, and a good place for professionals to see what measures need to be put in place to secure industrial systems.
“People are also looking for a quick fix to their cyber security problems; and, ultimately, any quick fix that has not been considered in its entirety tends to still leave gaps in their system security. This can lead to a false sense of security, which means they miss the opportunity to take informed steps to protect their systems from threats.”
Schneider Electric is now expanding its cyber security offering, recently forming a partnership with Nozomi Networks.
“Nozomi has quite an interesting approach to addressing cyber security, in that they look at the network traffic that is flowing inside network segments, and, with control systems being fairly static in nature, they are very quickly able to develop a profile of what is communicating on the network, and what the nature of those communications is,” Clissold said. “So, within that environment, we are able to get a full understanding of the network traffic; we are able to identify any traffic that is not supposed to be there and understand the hygiene of the network.
“Once we get a clearer picture of that environment, we can start to make informed decisions on what to address, how to address it, and prioritise further remediations that might have to take place within that networked environment. So, what that does for Schneider Electric is that it helps us fill a gap that we have in our solutions offering where we can deploy network anomaly detection in industrial areas next to our PLCs and control equipment in the same cabinet.”
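The “detection in depth” idea above, and the profile-then-alert approach Clissold describes for static control networks, can be illustrated with a small baseline-driven anomaly detector. This is an added example written for this article, not Nozomi’s or Schneider Electric’s code; the addresses, ports and flow records are constructed, and the three alert categories are an assumed classification, not a product feature.

```python
"""Baseline-driven anomaly detection for a static control network (added example)."""

# Constructed learning-window flows as (src_ip, dst_ip, proto, dst_port).
# Hypothetical addresses; on a real network this window comes from passive capture.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "tcp", 502),    # HMI -> PLC A, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", "tcp", 502),    # HMI -> PLC B
    ("10.0.1.11", "10.0.1.20", "tcp", 44818),  # engineering station -> PLC A, EtherNet/IP
    ("10.0.1.20", "10.0.1.12", "udp", 123),    # PLC A -> NTP server
    ("10.0.1.21", "10.0.1.12", "udp", 123),    # PLC B -> NTP server
]

# Constructed monitoring-window flows, including traffic that should not be there.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "tcp", 502),    # normal
    ("10.0.1.11", "10.0.1.21", "tcp", 44818),  # known host, never talked to PLC B before
    ("10.0.1.99", "10.0.1.20", "tcp", 502),    # host never seen on this segment
    ("10.0.1.20", "10.0.1.12", "udp", 123),    # normal
    ("10.0.1.10", "10.0.1.20", "tcp", 23),     # known pair, new service (telnet)
]


def learn_profile(flows):
    """Build the allow-list: every host seen and every exact 4-tuple seen."""
    hosts, tuples = set(), set()
    for src, dst, proto, port in flows:
        hosts.update((src, dst))
        tuples.add((src, dst, proto, port))
    return {"hosts": hosts, "tuples": tuples}


def detect_anomalies(profile, flows):
    """Return (flow, reason) for each flow that deviates from the learned profile.
    Reasons are ordered from most to least alarming: unknown host, then a new
    service between hosts that already talk, then a new pair of known hosts."""
    alerts = []
    known_pairs = {(s, d) for s, d, _, _ in profile["tuples"]}
    for flow in flows:
        src, dst, proto, port = flow
        if flow in profile["tuples"]:
            continue  # exactly what the baseline expects
        if src not in profile["hosts"] or dst not in profile["hosts"]:
            alerts.append((flow, "unknown host"))
        elif (src, dst) in known_pairs:
            alerts.append((flow, f"new service {proto}/{port} between known hosts"))
        else:
            alerts.append((flow, "new communication pair between known hosts"))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect_anomalies(learn_profile(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(reason, flow)
```

The learning window must itself be clean, which is why Clissold pairs the profile with an assessment of the environment before trusting it as a baseline.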
Clissold said that organisations needed to assess the vulnerability of their devices and each of their systems, setting a measure of how much effort an organisation needs to put into protecting that environment. This means that, as new threats and vulnerabilities emerge, organisations ought to be reassessing and recalculating.
“I believe where things stand at the moment is that not enough is being done by organisations in assessing the vulnerabilities in the first instance and how these can affect their systems,” he said. “Organisations need to put more focus on how to assess their environment and then measure the risks to their systems that they have installed today – that is a big challenge, but one that can be overcome.”