Electricity + Control

Ivan Fernandez, Frost & Sullivan

A proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries have made progress in minimising the risk of cyber-attacks, the barriers to improving cyber security remain high.

Open and collaborative networks have made systems more vulnerable to attack. End user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.

Cyber security for industrial automation and control environments

The uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge.

Against this background, organisations need to partner with a solutions provider who understands the unique characteristics of the industrial environment and is committed to security. Such solutions providers need to assist customers in adopting the multi-layered defence-in-depth approach through a holistic, step-by-step plan to mitigate risk.

The exponential increase in cyber threat levels

The rise in cyber-attacks on critical infrastructure has resulted in cyber security becoming a central concern amongst industrial automation and control system users and vendors. These strategic attacks are aimed at disrupting industrial activity for monetary, competitive, political or social gain, or even as a result of a personal grievance.

Cyber threats are primarily aimed at industrial control systems such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems and human machine interfaces (HMI) through loopholes, which can range from unsecured remote access to inadequate firewalls, to a lack of network segmentation. Although such threats are not new phenomena, a spate of high-profile attacks over the past decade has brought this issue to centre stage.

While motivations for intentional attacks vary, the key attack vectors for any cyber threat are typically as follows:

  • Physical intrusion or a cyber-attack are typically driven by economic, competitive, political or social agendas. These are obviously beyond the control of the enterprise seeking to protect itself.

However, some aspects that are generally well within the control of an organisation are often overlooked, such as people, process and physical vulnerabilities.

In terms of a site’s physical security, unsecured gates and inadequate physical access control are obvious, but common gaps. People could include a number of factors such as designer/installer error in configuring/installing the system, operator error in running processes and systems, inadequacy of maintenance and upgrade plans, inadequate skill levels, etc. But errors and accidents are not the only internal threat sources from a human perspective.

Malicious attacks from internal sources are also a possibility, especially from disgruntled employees or contractors. It must be noted that human factors do not only imply individual-specific risks. An overall process culture that does not understand or appreciate the key risks, that does not manage operations in a secure manner (including basic password management or changeover management) or an environment that does not audit and enforce consistently and effectively, and that underutilises available supervision and detection tools, exposes itself to an unacceptable level of risk.

In such a process culture, the priorities of the IT department and industrial control department are often not aligned. In terms of control system vulnerabilities, network loopholes can range from unsecured remote access to inadequate firewalls to lack of network segmentation, while hardware and software issues could include unsecured remote terminal units (RTUs), PCs, USBs, mobile devices, peripherals and specific HMI, as well as all manner of control software.

A cyber-attack can result in significant monetary loss through production/process downtime or disruption, damage to equipment and infrastructure, as well as potential non-compliance with regulation that can result in penalties. It can also result in brand erosion, loss of confidential/proprietary information and quality compromises. In fact, in the near future, implementation of security strategies in factories and all critical infrastructure sites will become mandatory for regulatory compliance.

Despite the emergence of integrated product-specific safety features, an industrial network strategy will be necessary to address the challenges posed by cyber threats in coming years.

Minimising risk: The industry’s response

Some industries have been more proactive than others in minimising the risk of cyber-attacks. Most end users have taken a few obvious steps to plug certain gaps. For example, according to the Repository for Industrial Security Incidents (RISI) database, more than 60% of facilities had implemented patch and anti-malware management programs in 2017. However, the significant change to identify and eliminate the biggest vulnerabilities involves a higher level of engagement that few organisations have initiated. This is because there are various hurdles to implementing cyber security initiatives.

Barriers to improving cyber security

Increasingly open and collaborative nature of industrial environments

In the past, industrial networks were primarily isolated systems, running proprietary control protocols, using specialised hardware and software.

However, industrial architecture has transformed over time, with collaborative mechanisms that involve internal and external integration. Senior management now requires real-time data access for analysis, decision-making and reporting. Therefore, the degree of isolation of industrial control systems has decreased significantly over the past few decades as the use of IP-based, wireless and mobile devices in industrial environments has increased.

In addition, legacy control systems were not designed to contend with current threat levels.

Although open and collaborative systems have raised productivity and profitability, they have also made systems more vulnerable to attack. According to the RISI database, approximately 35% of industrial control system security incidents in 2011 were initiated through remote access. This is not surprising when another finding from the same report indicates that close to 65% of facilities allow remote access to their control systems.

Inadequate end user awareness and end user inertia

End users in certain industries (notably in critical infrastructure environments such as power, oil & gas, water & wastewater and nuclear facilities) show a high level of awareness and appreciation of the need for a comprehensive security strategy. They tend to have detailed cyber security plans and procedures in place. Their concern is real.

Their investment of time and capital in protecting their assets is considerable.

However, many end users in other industries (including manufacturing) are either unaware of the risk of cyber-attacks or reluctant to implement security strategies in their enterprises, as investments in cyber security do not appear to have a tangible return-on-investment (ROI). This leads to a complacent ‘wait and watch’ approach that only mandatory regulation or the unfortunate instance of a cyber-attack may change.

Given the uncertainty of the regulatory landscape today, this mind-set may persist. Another reason for low uptake of security planning and implementation amongst some industries is the fact that the task appears too daunting and sizable; analysis does not lead to action and the vision of a total system overhaul remains just that ― a vision.

Finally, in the customised control environment of an industrial site, it is difficult to predict how a newly introduced patch will impact the functioning of the control system; especially if the patch is not tested rigorously. This increases the organisation’s reluctance to act on potential threats.

Off-the-shelf IT solutions in industrial environments

While the gradual shift toward IT-based solutions in the industrial space was made for commercial benefits, including ease-of-operability and integration, it has also resulted in control systems having to face increased exposure to malware and security threats that are targeted at commercial systems. This increases the risk to control system availability.

Inadequately skilled manpower

While the industrial sector prides itself on a highly-skilled workforce focused on automation systems, such product-specific expertise does not always translate into adequate expertise in industrial IT networks. This gap weakens an organisation's ability to develop comprehensive protection and prevention strategies.