Just like cleaning up after toddlers and painting the Golden Gate Bridge, some chores are never done, and cybersecurity is one of them.
Comprehensive and effective cybersecurity begins with basic protections like turning on passwords and segmenting networks with managed Ethernet switches serving as firewalls, but that's just for openers. The bad news is that this is the beginning of a pretty much endless to-do list; the good news is that implementing and updating basic, common-sense cybersecurity measures will prevent all but the most sophisticated intrusions, which are rare in any case.
"In general, the best IT-based security practices such as a plant's own firewall can prevent most if not all attempts at intrusions from the outside," said Sven Burkard, industrial solutions manager at Belden. "So, learn to love your IT staff, find out what rules they put in place, and use a firewall to separate the plant from the corporate IT side."
Burkard presented "Cybersecurity for Automation—the Cost of Procrastination" on the first day of NovaTech User Conference 2015, Aug. 31 in New Orleans.
The true face of security
Burkard reported that, "About 73% of industrial network failures occur on the three lowest layers of the seven-layer Open Systems Interconnection (OSI) model, which include cables on the physical layer, switches on the data-link layer, and routers and firewalls on the network layer. Once these are addressed, problems can be dealt with by performing deep-packet inspections on the four highest layers, which are transport, session, presentation and application."
Along with making technical fixes, Burkard explained it's crucial for users to confront the demographic and cultural issues of cybersecurity, especially those arising between plant-floor and corporate IT departments. "Plant instrumentation and control (I&C) and IT are most concerned with the availability required for plant safety and productivity, while corporate IT is most concerned with the confidentiality needed to protect business information," said Burkard.
"In addition, the general perception that most cybersecurity threats come from external hacks is incorrect because a cybersecurity incident can be any event that impacts or prevents the functional availability of your network and operations," added Burkard. "Actually, research by the Security Incidents Organization found that about 80% of cybersecurity incidents are unintentional, while just over 10% are intentional and internal, typically by disgruntled employees, and just under 10% are intentional and external, due to hacking.
"Of the unintentional incidents, 48% are caused by device flaws, 38% are due to malware infections, and 14% are caused by internal human errors. These can include downloading the wrong program, duplex mismatches that prevent devices from agreeing on processing speed, and plugging a switch cable back into the switch to create a feedback loop," said Burkard. "So, cybersecurity is not just about hackers trying to penetrate the network—it's more about improving and maximizing network reliability and availability. Reduced downtime means improved productivity and safety."
Burkard reported that many unintentional cybersecurity incidents have been documented, including:
- An oil pipeline shut down for six hours after software was accidentally uploaded to a PLC on the plant network, instead of going to its intended test network;
- Thirteen auto assembly plants shut down by a simple Internet worm, which forced 50,000 employees to stop work for one hour while the malware was removed; and
- Operators at a U.S. nuclear power plant had to scram the reactor after cooling drive controllers crashed due to excessive network traffic.
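Two of the unintentional failures Burkard describes, duplex mismatches and the broadcast storm that follows an accidental switch loop, can be caught by plain monitoring before they take down a controller. The script below is an added illustration, not material from the talk or any Belden or NovaTech product; its link table and per-second switch counters are constructed sample data, and the 1,000 broadcast frames per second threshold is an arbitrary assumption that a real plant would tune to its own baseline.

```python
"""Availability checks for two common unintentional network incidents.

Added example with constructed data (not from the article). A duplex
mismatch degrades a link rather than killing it, and a loop shows up as
broadcast frames arriving at storm rates on several ports of the same
switch at the same time, so both checks produce operator alarms rather
than block anything.
"""
from collections import defaultdict

# Constructed link table: (switch, port, peer device, switch-side duplex,
# peer-side duplex) as a monitoring system might collect via SNMP/LLDP.
LINKS = [
    ("sw1", "gi1/0/1", "plc-01", "full", "full"),
    ("sw1", "gi1/0/2", "hmi-02", "full", "half"),  # one end fell back to half duplex
    ("sw1", "gi1/0/3", "eng-ws", "half", "half"),  # slow but consistent: no mismatch
]


def duplex_mismatches(links):
    """Return (switch, port, peer) for every link whose two ends disagree.

    Symptoms of a mismatch are late collisions and CRC errors under load,
    which is why it is often noticed only when a controller starts timing out.
    """
    return [(sw, port, peer) for sw, port, peer, a, b in links if a != b]


# Constructed per-second counters: (second, switch, port, broadcast frames
# received in that second). Second 1 is a loop (every port floods), second 2
# is a single chatty device.
SAMPLES = [
    (0, "sw1", "gi1/0/1", 12), (0, "sw1", "gi1/0/2", 9), (0, "sw1", "gi1/0/3", 15),
    (1, "sw1", "gi1/0/1", 8000), (1, "sw1", "gi1/0/2", 7900), (1, "sw1", "gi1/0/3", 7950),
    (2, "sw1", "gi1/0/1", 20), (2, "sw1", "gi1/0/2", 5000), (2, "sw1", "gi1/0/3", 18),
]


def broadcast_storm_alarms(samples, threshold_pps=1000, min_ports=2):
    """Alarm on any (second, switch) where a port exceeds threshold_pps broadcasts.

    When at least min_ports ports of one switch exceed the threshold in the
    same second, the storm is being re-flooded around a loop rather than
    coming from one noisy host, so the alarm is marked likely_loop.
    """
    over = defaultdict(list)  # (second, switch) -> ports over threshold
    for second, switch, port, bcast in samples:
        if bcast > threshold_pps:
            over[(second, switch)].append(port)
    return [
        {
            "second": second,
            "switch": switch,
            "ports": sorted(ports),
            "likely_loop": len(ports) >= min_ports,
        }
        for (second, switch), ports in sorted(over.items())
    ]


if __name__ == "__main__":
    for sw, port, peer in duplex_mismatches(LINKS):
        print(f"duplex mismatch on {sw} {port} towards {peer}")
    for alarm in broadcast_storm_alarms(SAMPLES):
        kind = "probable loop" if alarm["likely_loop"] else "noisy host"
        print(f"t={alarm['second']}s {alarm['switch']} {alarm['ports']}: {kind}")
```

Run as a script it prints one mismatch and two storm alarms, only the first of which is flagged as a probable loop; in a real deployment the counters would come from the switches' interface statistics and the alarms would go to the same system that watches process alarms, since the consequence is the same kind of downtime.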
Despite the prevalence of unintended incidents, it's still the exotic and virulent attacks that get all the attention, even though they're exceedingly rare. Of course, the most famous is Stuxnet, which attacked Siemens' PCS7, S7 PLC and Win-CC systems on Iranian uranium-refining centrifuges in July 2010; went on to infect 100,000 computers at about 22 industrial sites; and continued to infect systems worldwide, especially because its software can be reused and redeployed to attack new targets.
"Stuxnet brought unwanted attention to the weaknesses of ICS/SCADA systems," said Burkard. "It was a real wake-up call for industrial infrastructure players, consumers and hackers, too. Since then, many suppliers and users are taking a more holistic approach to their network security, and the U.S. Dept. of Homeland Security's Industrial Control Systems-Cyber Emergency Response Team allows them to report incidents, and even complain about vulnerable devices and software, which are listed if their supplier doesn't respond to requests to fix them."
Beyond the basics
Before implementing cybersecurity remedies, it's crucial to take an inventory of an application's and facility's networks, controls and operating equipment to find all available ports, open wireless local area networks (WLANs) and other vulnerabilities; assess the severity, frequency and overall risk if they're breached or compromised; and then keep looking for new vulnerabilities as they arise.
Burkard reported these issues can include:
- Soft targets, such as PCs that run 24/7 without security updates or antivirus software, or controllers optimized for real-time I/O, but not for robust networking connections;
- Multiple network entry points, because most cybersecurity incidents originate from secondary points of entry to the network, such as USB sticks, maintenance connections, laptops, etc.;
- Poor or no network segmentation, such as control networks that are wide open with no isolation between different subsystems, which allows problems to spread rapidly through the network.
To help its users improve security and availability, Belden has transformed over the past decade from a regional cable supplier to a global signal-transmission solutions provider by acquiring a variety of companies, including Hirschmann, Lumberg, GarrettCom, Thomas & Betts, Tofino Security, ProSoft, Tripwire and others. These have been organized into four platforms for delivering connectivity solutions, including broadcast, enterprise connectivity, industrial connectivity and industrial IT.
"We have a broad portfolio of holistic solutions, which we can use to determine exactly what our customers need, particularly in terms of security," said Burkard. "We have switches four miles down in sub-sea applications, and even some IP67 Ethernet switches with M12 connectors on the International Space Station (ISS). We're all about maintaining uptime."
Likewise, NovaTech reported that its upcoming D/3® Process Control Module 5 Series (PCM5) will include an integrated firewall to prevent unauthorized access at the controller with multifactor verification. This will virtually eliminate the need for added security appliances between PCM5, servers, workstations and I/O points. It will also reduce configuration time, failure risks, hardware costs and system complexity.
Finding best-fit plant security
The main reason that cybersecurity has become increasingly critical is that almost all industrial networks have expanded and grown more integrated with each other in recent years, and so reliance on former network isolation and air gaps has become ineffective.
"If you thought an air gap was enough, it isn't, because all it takes is one mobile hotspot to bridge it, so that gap probably doesn't exist," added Burkard. "Users often say, 'We have a firewall, so aren't we secure?' However, a contractor, integrator, OEM or the user can unknowingly connect an infected PC or a defective device or network interface card (NIC), or an accidental network loop can cause a debilitating broadcast storm.
"We can't just install a firewall at the edge of the network and forget about security. Because the bad guys will eventually get in and many problems originate inside the plant network, we must harden the plant floor as well with defense in depth. This means identifying the ISA99 (now IEC 62443) standard's zones and conduits between functional areas in the network, allowing only the minimum required network traffic to pass between zones to prevent denial of service (DoS) attacks, and generating alarms when traffic is blocked."
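The zone-and-conduit model Burkard describes, and the flat "wide open" control network listed earlier as a common weakness, come down to one policy question per flow: which zone is each end in, and is there a conduit that permits exactly this traffic between them? The script below is an added illustration of that policy check, not code from the talk or from any Belden or NovaTech product. Its three zones, three conduits and the observed flows are constructed assumptions; the port numbers used are the conventional ones for HTTPS, Modbus/TCP and NTP.

```python
"""Zone-and-conduit policy check in the ISA99 / IEC 62443 style.

Added example with constructed zones, conduits and flows (not from the
article). Only the traffic listed as a conduit may cross a zone boundary;
every other cross-zone flow, and any flow involving a device that is in no
zone at all, is blocked and raises an alarm so an operator learns that
something tried to cross a boundary.
"""
from ipaddress import ip_address, ip_network

# Constructed zones: the address ranges each functional area lives in.
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "dmz": [ip_network("10.10.0.0/24")],
    "control": [ip_network("192.168.1.0/24")],
}

# Constructed conduits: (from_zone, to_zone, protocol, destination port).
# This is the minimum required traffic; everything else between zones is denied.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),  # historian web front end in the DMZ
    ("dmz", "control", "tcp", 502),     # Modbus/TCP from the DMZ data collector to PLCs
    ("control", "dmz", "udp", 123),     # NTP from controllers to the DMZ time server
}


def zone_of(ip):
    """Return the zone name containing ip, or None for an unknown device."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate_flow(src, dst, proto, dport):
    """Return ("allow"|"block", reason) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        # A contractor laptop or an unregistered NIC shows up here first.
        return "block", "unknown device: %s" % (src if sz is None else dst)
    if sz == dz:
        return "allow", "intra-zone"  # zones are the trust boundary, not hosts
    if (sz, dz, proto, dport) in CONDUITS:
        return "allow", "conduit %s->%s %s/%d" % (sz, dz, proto, dport)
    return "block", "no conduit %s->%s %s/%d" % (sz, dz, proto, dport)


def alarms_for(flows):
    """Run observed flows through the policy; each blocked flow becomes an alarm."""
    alarms = []
    for src, dst, proto, dport in flows:
        decision, reason = evaluate_flow(src, dst, proto, dport)
        if decision == "block":
            alarms.append({"src": src, "dst": dst, "proto": proto,
                           "dport": dport, "reason": reason})
    return alarms


# Constructed flows as a firewall or passive sensor might export them.
FLOWS = [
    ("10.0.5.20", "10.10.0.5", "tcp", 443),        # enterprise -> DMZ web: conduit
    ("10.10.0.5", "192.168.1.10", "tcp", 502),     # DMZ collector -> PLC: conduit
    ("10.0.5.20", "192.168.1.10", "tcp", 502),     # enterprise straight to PLC: blocked
    ("192.168.1.10", "192.168.1.11", "tcp", 502),  # PLC to PLC, same zone: allowed
    ("172.16.9.9", "192.168.1.10", "tcp", 44818),  # device in no zone: blocked
]


if __name__ == "__main__":
    for alarm in alarms_for(FLOWS):
        print("ALARM %(src)s -> %(dst)s %(proto)s/%(dport)d: %(reason)s" % alarm)
```

Two of the five constructed flows raise alarms: an enterprise workstation talking Modbus directly to a PLC, which bypasses the DMZ collector, and a device whose address belongs to no zone at all. The second kind of alarm is the one that catches the "we have a firewall, aren't we secure?" scenario, because the unknown device never passed the edge firewall in the first place.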
While adopting many corporate IT-based security practices and policies can be helpful, Burkard cautions that they must be carefully applied for use on the plant floor.
"Control devices impose severe limitations," said Burkard. "They can't be secured with automated/third-party tools because patching or updating PLCs usually isn't practical. As a result, plant security solutions must be specially adapted to their environment. They need to support SCADA and industrial protocols. They must be able to be configured, tested and maintained without shutting down the network. They have to survive the harsh electrical and environmental conditions in plant settings, and achieve often decades-long lifecycles. Finally, they also need to reduce network complexity to reduce the risk of human error."