Cybersecurity, the 2018 major industrial challenge ?
Industrial systems’ cybersecurity has become a real concern for many companies since the Industry 4.0 and hyper-connection of equipment grew out. Executives are often unprepared and unarmed to face this new phenomenon. Nowadays, industrial systems make extensive use of information technologies even though they have not been designed to cope with the threats they introduce. As a result, the number of ICS vulnerabilities rises inexorably. For a successful digital transformation, which cybersecurity approach should be adopted and what measures need to be implemented to tackle the vulnerabilities frequently encountered? So many questions that Cybelius will try to answer in this article.
Numerous industrial systems
Industrial systems have particularities specific to the contexts in which they are used. They differentiate themselves from information systems by the fact that they manage and control physical installations; some also provide protection of property and people or the environment. Three types of industrial systems can be distinguished: ICS (Industrial Control System), BMS (Building Management System) and SmartSystems.
The ICS are all around our environment: metro station, manufacturing sites, energy grids (electricity, oil…) and even in sewage plants.
BMS, close to ICS, supervise and control the automation of buildings or industrial facilities such as ventilation, access control, fire control devices and air conditioning. This type of systems uses the same ICS technologies. They are often capital to an infrastructure and it is important to make sure they operate properly. Indeed, an attack on a video surveillance system and access control may give to a hacker unrestricted entrance to a critical site, for example.
As for SmartSystems, they have recently emerged and their industrial systems extend to a whole city, region or country. Today, all three are concerned by a common issue: cybersecurity. It has become necessary for the manufacturers to secure their installations in order to avoid any major incident such as the dreaded production shutdown.
While the ICS and BMS have not integrated the cybersecurity aspect since their conception, the SmartSystems are born with it and all must deal with this new concern.
More than ever vulnerable!
Previously fragmented, industrial systems are now highly computerized and interconnected with the various information systems, or even with the Internet. As such, they are now exposed to the same threats, with potentially more serious consequences, depending on the structure’s critical level.
Cyberattacks are caused by a wide range of actors, from isolated individuals to organized groups with multiple motivations. Their financial scope embraces not only the IT equipment renewal or the security systems strengthening but also material risks, where facilities can be physically damaged. The company’s reliability can also be jeopardized by data disclosure, sites disfigurements, information systems takeover or production systems blocking. The attacks usually aim to harm the image of their target, paralyze or ransom her. In addition to financial and material aspects, the risk can also be human: a cyberattack can put the operators/customers/users lives at risk (more info about IT/OT risks).
They are plenty of examples and they regularly come to highlight the weakness of unprotected systems and the high vulnerability of many energy, transport or manufacture actors. In this context, cyber-terrorism can harm not only the production but also the image of the manufacturers. In addition, operational constraints reduce the possibilities of updating industrial systems.
The openness to the digital world and the massive use of Internet technologies are creating unprecedented threats aimed primarily at stopping, disrupting or even destroying the industrial tool.
Wireless networks, for example, seem to be using protocols whose “reliable” level of security is finally low (the recent flaw discovered in WPA2 testifies it). Even if VPNs are a security guarantee, wrong implementation and practices related to remote maintenance also lead to cyber risks (password management, USB keys, operating system that is not updated…). In addition, incidents related to industrial systems connected to the Internet which leave the door wide open to attacks are not negligible. Moreover, the PLC programming and maintenance consoles, used and connected to one installation to another, can be a real risk of spreading a threat. Finally, beware of the danger coming from equipment manufacturers or integrators. The solutions offered to their customers can also be critical “by design” with corrupted software or installations delivered with breaches.
So in this risk context, operational safety and cybersecurity must combine to ward off these new threats! For a long time compartmentalized, these 2 ICS security aspects must be managed together. Thus, for a real IS security, the cybersecurity measures developed for the management systems should be adapted to the requirements of safety and continuity of operation of SCADA.
At Cybelius, as part as the services provided, we have set up a risk analysis that allows to federate in a single method the risk analysis of an industrial information system project: operating safety, cybersecurity, even physical safety or malevolence: the APERO method (Analysis for the Evaluation of Operational Risks).
What strategy to follow and how to protect against cyber attacks?
Ignorance? Fantasies? Myths? Many misconceptions persist among manufacturers, exposing them dangerously. Thinking that one is protected because his industrial networks are isolated or being convinced that his firewall settles all the hacking problems or imagine that his industrial installation is not a potential target, are so many misconceptions that will contribute to a bad management of the systems cyber-security.
To successfully counter attacks, security systems must meet specific requirements. While physical barriers are important first lines of defense, protection must also be implemented within facilities, in vulnerable systems and equipment that can be targeted.
When it comes to security, you have to be organized. Indeed, hackers need only one breach to succeed but defenders must make sure all possible entries are closed. Several paths can then be considered: collaboration, prevention, teaching, skills pooling, sharing information, planning or risk analysis.
However, to each system its strategy and its operating mode. Industrial cybersecurity standards and guides must be appropriate and adapted to the needs of the structure.
Risk analysis is often the first step in a cyber security approach, whereby you can prioritize needs and know where to put your first Euro to ensure continuous improvement in security. We are talking about “smart” cyber security. The goal is to make an inventory, detect vulnerabilities and breaches of industrial systems and choose the most effective solution. The solutions chosen will obviously be related to the importance of the system that has to be protected.
Often perceived as a constraint and a cost center, strategically implemented, cybersecurity can be a factor of industrial performance. Thus, applying good practices and hygiene policies (physical access control, compartmentalization of networks, integrity and authenticity of installed applications, etc.) lead to greater rigor, robustness and productivity of facilities.
Finally, despite all these protective measures, an incident can occur! Total security and 0 risk do not exist. It is therefore necessary to be ready and for that to increase the ICS resilience (return to the initial state). Being resilient is defined as the ability to identify, prevent, detect and respond to technological or process failures and to recover by minimizing negative impacts on customers, reputation damage and financial loss. Cyber risks detection is therefore a fundamental activity. In this sense, Cybelius has implemented a solution capable of mapping equipment and plant flows and detecting cyber-attacks and drifts of the industrial process (more details here).