Why IT security controls aren’t entirely suitable for securing Industrial Control Systems
We all know that the industrial world is changing and production facilities are continuing to embrace new digital manufacturing technologies that are being developed and deployed at an increasingly rapid rate.
As a result, these new technologies such as; IoT and Industrial Edge devices, Smart Sensors, Machine Controllers with built-in AI functionalities, and the use of 5G within industrial environments, are all transforming Industrial control systems (ICS) and operational technology (OT).
The global manufacturing industry has always been highly competitive and industrial businesses are always seeking new methods to benefit from increased productivity, plant safety and operational efficiency.
In simple terms, if you can make more products in a shorter time-frame whilst improving your quality standards, decreasing your defect rates, and driving down your operational costs – then investing in these new connected devices and digital technologies is a really simple choice for industrial business leaders.
The adoption of networked production systems and the implementation of these connected devices also introduce a number of cybersecurity risks, including an upsurge in the potential attack surface across a production network and a plethora of new attack points for cyber criminals to exploit.
As we have often seen elsewhere, there is currently a lack of skilled cybersecurity professionals within the industrial sphere which is leading many industrial businesses to assign the responsibility of securing their plant infrastructure to their IT departments on the assumption that network security procedures used in IT systems can be applied to their industrial networks.
However, many IT teams don’t usually understand operational processes and not all IT security solutions are suitable for securing Industrial Control Systems (ICSs) as there are fundamental differences between ICSs and IT security.
The primary security objectives for IT systems differs to ICS Security
The most significant difference between ICS and IT security is that the primary objectives for IT security is data protection, securing proprietary company information and maintaining confidentiality above all else.
Uninterrupted 24/7 uptime for IT networks isn’t a mandatory requirement, as service interruptions of a few minutes in most applications can be tolerated.
Yet, this simply isn’t case when it comes to implementing industrial security controls for ICSs as plant infrastructure is expected to run perfectly at all times with as few delays or unplanned downtime as possible.
Although protection of information is still important, the main cybersecurity objective of an ICS should be to maintain integrity and control over production process and maximise the availability of its components. For example, a loss of the network for a few seconds, let alone minutes, simply won’t be tolerated by operational leaders or production managers.
The loss of control over plant systems could force automated machinery to run in an unsafe manner, compromising the safety of personnel who come into contact with this equipment which must be avoided at all costs. A cyberattack on an ICS could also result in the loss of production which could have a significant impact upon the company’s profitability.
Regular Patch Management within the industrial environment isn’t always achievable
Patch management is an almost weekly practice within the IT world. This requires IT professionals to implement security patches, usually in the form of automatic software updates, to be regularly installed to fix any potential vulnerabilities that attackers may seek to exploit.
Usually, vulnerabilities are typically only discovered after an attacker has attempted to exploit them. Fortunately, in the IT world, once a vulnerability has been identified a security patch is made available within a matter of days to mitigate any potential damage.
But patch management isn’t as straightforward when it comes to updating / fortifying Industrial control systems. Many industrial facilities use legacy systems and aging equipment which have been in use for many years, possibly even a few decades.
Unlike IT systems, any software or firmware updates to the plant equipment will likely take place at scheduled downtime periods if the update will disrupt production. Therefore, any update must be carefully tested before it is implemented as a seemingly innocent change to a single automation component, such as updating the Windows operating systems on a IPC or HMI could affect its Ethernet communication with a PLC. For this reason, automatic updates on the plant floor are unlikely to be enforced.
Another problem is that many vendors do not support legacy equipment, if these products have ended their phase-out period. Meaning that patches will not be available if an automation component is no longer manufactured. As a result, many HMI which are currently in use operate on outdated or unpatched software and these devices are likely to have limited security controls, leaving them more susceptible to potential attacks.
Access Control and Permissions Management is a little easier on the plant floor
Most IT systems must have numerous connections to the outside world. For example, sales people in the field need to have access to customer information and remote access to the office network is pretty much standard in almost any organisation etc.
Whereas, industrial automation networks and specific automation components should be limited to only authorised personnel who require frequent access. Furthermore, the level of access can also be restricted based upon each person’s requirements. For example, maintenance and engineering personnel might have full access, but production managers might have read-only access rights. This means that certain security measures can be implemented which aren’t practical for an office network.
Furthermore, it is recommended that a connection between the automation network and the enterprise IT network should be restricted wherever possible. However, sometimes this isn’t always practical as many HMIs/ Industrial Computers are typically connected to various corporate systems governed by the IT network. Without effective security controls in place, these devices are a prime target for cyber criminals looking to gain access to a plants industrial control systems as well as the overall automation network.
Therefore, if a connection between these two networks has to be established, specific security controls (such as firewalls, network segmentation etc) as well as device hardening measures (such as Know-how protection, disabling unused device features etc) should be implemented. This is to avoid the automation network being compromised in the event that an attacker gains access through the company’s IT network, as well as limiting the spread of malicious malware between the IT network and the factory floor.
So how can industrial businesses overcome the security differences between IT systems and those found on the factory floor?
Maintaining cybersecurity, regardless of whether it involves securing IT or OT systems, is a relentless process as it requires continuous monitoring for new potential threats, finding solutions to these threats, and implementing them before a network or system is accessed maliciously.
Although OT and IT have diverse missions, business pressure will force a new emphasis on convergence or at the very least alignment between these two domains. These two disciplines can no longer be managed separately when it comes to cybersecurity.
The implementation of digital manufacturing technologies and connected IIoT devices relies heavily on IT infrastructure, so naturally there will be some synergies that can be made between the two disciplines.
Collaboration between the IT departments and plant floor personnel will be crucial to the successful implementation of an effective and robust industrial security program.
Simply put, securing ICSs should be a priority for industrial businesses, especially those who operate critical parts of core infrastructure including power plants and water treatment facilities, as the repercussions of a security breach could have potentially catastrophic consequences.