Even though many users still aren't far along the cybersecurity path, and their operations technology (OT) and information technology (IT) staffers remain divided, two instructors and course authors at SANS Institute report that starting a cybersecurity program is still easier than it was in the past.
"Ten years ago, we had to prove there was a cybersecurity problem. Today, people have their heads out of the sand, and it's more about recognizing there's a plethora of tools and methods available, and methodically finding the right hammer, while deciding the endgame of their cybersecurity program," says Jason Dely, who's also founder and principal at Northern Strong Security Inc., an ICS consulting firm in Ontario, Canada. "However, there are still many IT people coming in, who don't know what's happening on their operations side. The remedy for this starts with increasing awareness of the OEM, SI and operations ecosystems for reliability, safety and security, and tailoring them to meet the unique needs of individual facilities, processes and users. Just as controls must be sized for the equipment and applications they'll work with, cybersecurity must implement features that are clearly needed, and not just changing passwords or relying on the IT department to play Whack-a-Mole in response to threats. This means weeding out the attitude that cybersecurity is some kind mystical occupation."
Jeffrey Shearer, chief automation officer at Morris & Associates (morris-associates.com), a process cooling and poultry OEM in Garner, N.C., adds that cybersecurity was initially built on IT principles and expertise, but the missing piece is designing security into the production machines, support equipment and networks from the beginning, and not trying to add security after implementation and runoff. "The mechanical systems are the muscles and the control systems are the brains that perform industrial processes," says Shearer. "This is why cybersecurity must include an understanding of mechanical systems and processes before the system can be secured. If you don’t understand the machines proper sequencing or understand the process the control systems is controlling, then how will you know when anomalous behavior is occurring? Machine sequences of operations are usually defined by mechanical, process and electrical engineers, but the people who program the 'brains' often don't know what the 'muscles' (i.e. the mechanical systems) are supposed to be doing. Unfortunately, there are still many silos with archaic communications with mechanical engineers, and customers are often left out of cybersecurity discussions. There's often no formal way for engineers to ask for the automation they need, and the same goes for cybersecurity."
Mechanical methods
Shearer reports that understanding production requirements, how a machine is supposed to be sequencing, and code reviewing the automation layers can indicate what controls and cybersecurity gaps need to be filled. "If we start by targeting critical mechanical and electrical systems, and ask 'how do we do something malicious?,' the answer will show us what it is and how to protect against it," explains Shearer. "Looking at mechanical system design, process controls, how automation is programmed, and how they work in concert will also indicate what functions to protect with efficient cybersecurity, instead of assuming the solution is to just add a firewall."
For instance, just as Stuxnet malware famously caused Iranian centrifuges to spin until they broke, Dely and Shearer explain that mechanical machines and their control systems can instead be designed with boundaries and limits to critical parameters that reduce the effectiveness of intrusions and cyber-attacks that will cause these systems to run beyond normal performance limits and risk damage. "This is like putting in a pressure-relief valve or using a decision tree to avoid a bad situation, but it requires studying and understanding an operation to learn what mechanism will protect it," says Dely. "We meet many users that want security for their systems, and they only think about protecting their HMIs and network traffic, when they should first design-in protections for their mechanical equipment and controls."
Dely agrees that, even though robots and other devices can be programmed with hard-coded limits to avoid unintended or unsafe actions requested by network avenues, PLCs, PCs and accessories can still be soft targets for abuse, and ultimately deliver an attack to the control system. "The Ukrainian power grid attacks in 2016-17 were an abuse of trust in tools because the attackers took over a workstation's mouse and keyboard with remote desktop functions, and used them to switch off the power," says Dely. "Likewise, in the Triton incident, malware compromised a safety system's memory, but this was only targeted because the attackers intended to manipulate the safety function. This is why it's important to think about what engineered solutions to put in place before problems can happen. This may begin by putting a lock on a cabinet, but it should extend to whatever mechanical, electronic, automation or controls solutions can provide an efficient defense. IT people talk about establishing cyber-protection, but they often don't consider lower-level mechanical fixes."
Coursework and come-together culture
To help users examine and apply all available defenses, Shearer and Dely report their SANS curriculum covers mechanical methods, along with the usual electronic, process, automation, control and networking strategies.
"We're on a mission to include mechanical system operations into our cybersecurity discussions because, if users step back and take a look, they should remember control systems are there to control a physical process or physical mechanical devices in support of manufacturing optimal products. Cybersecurity is all about ensuring mechanical systems, machines and processes operate within designed boundaries and without interruption." says Shearer. "The problem is there are many people who can do IT cybersecurity, but there are still very few who know how to do industrial control system (ICS) cybersecurity. However, even the government advises looking at the mechanical properties of devices to improve their security, and this means examining all the what ifs. These questions include asking why are we using firewalls? And if so, do they need to do deep packet inspection? What are our cybersecurity goals?"
Shearer clarifies that, "We're not saying that traditional IT and OT cybersecurity practices aren't effective, but if system operations aren't understood, then the security program isn't complete. They can both do a lot to reduce opportunities for probes, intrusions and attacks, and those steps should be taken. However, if you're trying to identify code vulnerabilities that need to be secured, then you must start by understanding how the lower levels like PLC, PCs and I/O subsystems operate and communicate. This will lead to an understanding of which areas may use a firewall, or where implementing a monitoring solution may be sufficient. There's a lot that can be done on mechanical system to reduce the effects of a successful cyber-attack, as well as closing network pathways or backdoors that intruders may find if they're left open."
Because answering these questions draws on expertise from many technical areas, Dely explains cybersecurity must be done by a cohesive group of professionals. "Cybersecurity efforts and organizers need to bring in process control, instrumentation, mechanical and other engineers, technicians and operators, and go over everything with them," he says. "These teams must also look beyond basic failure modes, examine the performance of individual devices and their settings, and ask what are their outcomes and security needs? Maybe users need to add more sensors or fail-safes. Cybersecurity needs to become more like proactive maintenance and reliability, instead of waiting for unsafe conditions to develop and responding reactively."
Dely adds that a sufficient understanding of cyber-threats demands a blend of expertise, which can deal with problems from both high- and low-level sources. "It's true that data is only as good as its sensor, but we can also use our understanding how our cyber assets operate to indicate unusual and possible malicious activity is happening," he explains. "For instance, once we establish a baseline of a 5 V signal from a 1,000 psi process, then we know there may be a problem if we start getting unexpected signals indicating a 20 psi process. Once we can see signals like this, then we can add protection as needed.
"Users can run bench tests for expected behaviors by transducers and other devices to establish levels of trust and verify them. This could require adding an extra engineering step or implementation process. You can't monitor an organization's whole landscape or test all the individual components coming in, but other tools that can be used when needed. Everyone has to evaluate their own process applications for themselves, and see what sticks out or is missing based on what their experts determine is critical."
