Industries are becoming increasingly reliant on advancing technology and the benefits it provides. The rapid development of long distance communication technologies has created a global interconnected platform allowing for boundless information sharing that is not limited by proximity.
Remote systems in isolated locations are able to rely on control centres in capital cities where diagnostic and operational data is relayed back and forth through a network, eliminating the need to have a large physical presence on site.
In the manufacturing environment, facilitating operating uptime, efficiency and safety are crucial to productivity. Cyber security is a factor that can impact both these operational goals — remote operation relies on timely data transmission and the efficiency and safety of the manufacturing environment is reliant upon networked system integration.
As Internet connectivity expands to touch industrial control systems, new variables are introduced to automated systems. Left unchecked, these variables can lead to compromise of the integrity of information and control aspects of the system.
Critical infrastructure is defined as assets that are essential for the functioning of a society and the economy. Some examples include power generation and supply, water supply, telecommunication, transportation and health and financial services.
Regardless of industry or application, attacks on networks are becoming increasingly more sophisticated and targeted. They often originate as a 'simple' email scam or virus that is spread like the common cold from computer to computer.
The advanced design of contemporary malware allows it to be skilfully cloaked from detection. Once a computer asset is successfully infected, what was merely a latent security risk can quickly evolve into a real and insidious threat and all-out attack that expands from one asset to an entire system.
Many new cyber threats first manifest their effects as simple information-gathering activities. As the malware continues to evade security countermeasures, espionage activities may be altered to target specific assets such as intellectual property or confidential information.
In the extreme case, elaborate cyber attacks on critical assets may successfully disrupt safe and reliable control system operation. Targeted malware attacks validate previous fears that the frequency and impact of critical infrastructure incidents will increase in the future.
As a result, it is essential that companies assess their risk of both physical and cyber attacks and execute measures to help address, and where possible, eliminate known cyber vulnerabilities.
Unforeseen operating conditions
Industrial network security is multifaceted; it is essential that all variables that introduce risk be proactively identified, tracked and addressed in order to help facilitate a safe and reliable industrial process. For manufacturing customers, primary foci of control system operation have historically included uptime, integrity and safety of operation.
Risks that may affect any one of these foci continue to be carefully evaluated and mitigated. Such risks typically look toward potential mechanical failures, human-errors and oversight and unforeseen operating conditions brought on by the environment.
Security proves another element that requires strong risk consideration. It too is a variable that can affect the safety of the system, integrity of the operation and productivity; however, unlike traditional activities to address risk, security mitigation actions must work to address a creative and, regrettably, sometimes malicious human-element that may specifically seek to circumvent risk controls.
Intellectual property (IP) — patents, trademarks, employee knowledge or trade 'secrets' — are often more valuable to an organisation than its physical assets. For this reason, protecting IP is another very important aspect of network security.
"A holistic view of security, control system and enterprise has been shown to be the most effective way to protect IP assets," said Brad Hegrat, Senior Principal Security Consultant, Rockwell Automation. "It is essential because there is no single element that can fulfil the whole range of security needs. Security needs to encompass both technical and non-technical factors to address risk."
Communication between people in an organisation on an ongoing basis is critical. If employees are informed about information that needs to be protected, they can be more aware of ways to protect it. The technical standpoint is based on using controls that interact within this framework for people.
Software tools can be used to locate confidential documents, and also identify people that are using them and what they are using them for. It is advisable to keep sensitive data in a particular location (physical or virtual) that can be secured to monitor and restrict access to those who need it.
Using strong passwords and changing them regularly is also a simple but effective way of keeping sensitive information secure. Implementing a holistic approach to developing an effective security process involves adopting policies, strategies, guidelines and organisational instructions to create a framework for people to interact with a complex system.
Standing between subnets
Firewalls continue to be used as one of the first lines of defence to segregating company assets and protecting operations against potential security threats external to a particular system or subsystem. The firewall can isolate business, office and industrial networks from one another standing between subnets in various parts of a facility.
Furthermore, these same firewalls can separate systems from open access to the Internet, or other infrastructure-means used to enable remote network access. The use of firewalls is often supplemented with other defence measures, utilising several layers of protection such as access control, anti-viral software and intrusion detection.
Appropriate asset maintenance and management of these defence measures can determine the level of protection offered by security measures such as firewalls. Proper configuration is essential to maintain the efficiency and efficacy of a firewall system. Regular updating is recommended to keep it current with the internal and external environment of the network.
By checking activity logs on a regular basis, attempted and successful intrusions can be monitored and addressed. Technical controls such as intrusion detection/prevention and a host of other software systems can be implemented to help protect the security framework.
More industries are connecting to wireless networks to access the benefits that the increased flexibility offers. For example, on a factory floor, wireless, remote, monitoring systems can lead to reduced installation and maintenance costs and an enabling of mobile workers, no longer tethered to a particular machine.
In remote operations, such as mines and oil refineries, wireless networks remove the need for personnel to be in close proximity to hazardous environments. Although wireless networks provide substantial benefits for organisations, stability and uptime can be a concern for the application engineer and security remains the number one concern — to avoid unauthorised access to the networked environment.
In the absence of appropriate security measures, a wireless connection is easily accessible to potential threats. It is an air-based media, without the pathway limits of copper wires, that extends in many directions; often well beyond the physical envelope needed by the system.
Technological advances continue to evolve allowing advanced methods of restricting wireless network access to only authorised users. Modern encryption techniques can be used to avoid someone accessing data maliciously, while filtering and strong authentication allow only authorised devices on the network. It is advisable that organisations interested in deploying wireless networks consider a multifaceted approach to security that involves both procedural and physical components.
While it is well established that organisations such as government departments, defence contractors and financial institutions are likely targets of highly sophisticated, malicious attacks, industry should not be complacent.
Unintentional security breach
By far the biggest threat to industrial organisations is the non-direct effects of an unintentional security breach — such as an employee making a parameter change online that has far-reaching effects somewhere else in the plant: potentially creating a safety risk, damaging equipment or resulting in information contamination, exposure or loss.
In addition to non-direct threats, critical systems are increasingly prone to the effects of many broadly-focused, ill-targeted malware attacks. Such malware, whether or not intended to affect mission-critical control systems, may still lead to operational disruption with potentially grave consequences to those depending on safe, reliable operation of these systems.
By conducting an asset-based risk and vulnerability assessment, security procedures can be developed that will address potential risks and threats targeting control systems so that people, assets and key information are protected. Specialist consulting services can often help achieve a more thorough and complete evaluation of security posture.
Industrial security affects all business sectors, but it is possible to significantly reduce the risks by adopting some simple and actionable steps. By controlling who has access to critical control systems, unauthorised threats can be mitigated. The employment of firewalls and intrusion detection/protection systems can help protect an organisation's valuable assets.
Keeping up to date with patches and updates, managing passwords and changing them frequently using a variety of upper and lower case letters and numbers are simple but effective ways to reduce security risks. Control systems should always remain in 'run' mode and use measures like controller mode and key switches to help thwart unintended or malicious attempts to make changes to an operational system.
When used concurrently, these measures help address basic security risks to control systems and provide a good foundation on which additional measures can be built.
[Steve Lawlor is Business Manager, Customer Support & Maintenance, Rockwell Automation.]