Auto-Adapting to the Needs of Industrial Cybersecurity 4.0
Connected technologies touch every aspect of our work environment, our cities and even our personal lives. So does cyber risk. Cyber-attacks are growing in both volume and complexity. In terms of size, a recent report showed that Distributed Denial of Service (DDoS) attacks have been increasing, on average, by 500%. In terms of cost, damages from cybercrime are predicted to reach $6 trillion by 2021.
As our critical and industrial infrastructures enter a new era driven by technological innovation, cybercriminals are turning their focus to industry. Energy, transportation, telecommunications, and defense are areas which serve the vital functions of a nation. As such, they should be afforded the best possible protection.
However, industrial cybersecurity does not benefit from the same level of maturity as other areas of IT cybersecurity. In this article, we will explore this in more depth and look at how we can ensure that our industrial systems get the best available security and meet compliance requirements.
Why is Industrial Cybersecurity a Laggard?
Industry 4.0 is part of the long-term evolution of our industrial systems and processes. As with all previous industrial revolutions, changes have come swiftly. Industry 4.0 is built upon new technologies, including the Internet of Things (IoT), Big Data, smart data analytics, robotics, and other artificial intelligence-based solutions. These technologies are deeply transforming our industrial systems, bringing us quickly into a new era of technology-driven industry.
Operational Technology (OT), which covers physical systems like digital control systems or robots, has, until recently, been disengaged from the cybersecurity world. In other words, earlier versions of OT were siloed; individual units were isolated with little connectivity to other networks. With the advent of the technologies driving Industry 4.0, and the convergence of OT with IT, this is no longer the case – our industries and the associated critical infrastructures they serve, are now hyperconnected.
Our industrial systems have not only connected industry and their partners across the supply chain, but they have also connected industry to cybercriminals. Industry 4.0 and the technologies that allow it to blossom are exposing industry to an onslaught of cyber-threats.
“The Road to Resilience” a report by the World Energy Council, looked at the impact of cyber-attacks on utility critical infrastructures. The report found that cyber-threats were amongst the top concerns of energy leaders, particularly in Europe.
Recently, the level of impact a cyber-attack can have on a critical infrastructure was demonstrated when a Ukrainian electricity grid was infected by malware known as CrashOverride. The attack caused mass outages. Attacks like this have caused US-CERT to put out a notice informing U.S. utility providers about potential attacks by Russian state-sponsored cybercriminals.
Large critical infrastructure cyberattacks, like those above, coupled with global incidents like the WannaCry ransomware infection of 2017, are causing industry to take note of the threat level of cyber-attacks.
This is where regulations enter the equation. Robust regulatory frameworks are fundamental to support and accelerate the change needed to secure industry. However, these regulations need to be adapted to the special environment of OT.
Are Regulations for Critical Activities Relevant for Industry?
There are about twenty common cybersecurity rules that are applicable to critical activities in industry. These twenty rules can then be sub-divided into three types of rules:
- No-brainers: these rules are based on common sense and need to be applied across the board.
- Worthy challenges: meeting these rules should be a goal. However, they may turn out to be difficult to meet due to structural issues.
- Questionable requirements: these rules are not always applicable to the specific needs of the industrial world.
No-brainer requirements are baseline, must-have rules.
For example, defining the organizational and technical security methods needed to protect Industrial Assets in an Information Systems Security Policy.
Other must-have rules include Certification of the Critical Industrial Information System through an audit, based on a Risk Assessment.
Although all legal rules are important, some of these often represent serious compliance challenges for industry.
An example is the comprehensive Cartography of Industrial Assets including hardware, software, and all related information. This rule is a must have for Critical Industrial Operators. However, our experience shows that the rule is not always achievable, for reasons including:
- OT Assets are often delivered as “black boxes” and operated by third-party suppliers;
- OT Maintenance teams often do not have the technical competences to operate these Assets; and/or
- Specific communication protocols and network configurations make it difficult to implement automatic Asset Discovery.
Fortunately, some specialized solutions can now support detecting Industrial Assets, and consequently, consolidate and maintain an up-to-date Cartography of the Industrial Information System, including specific devices.
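The passive approach these specialized solutions take can be illustrated with a small inventory builder. This is an added example, not code from the article or from any product it refers to; it assumes the only input is a list of flow records captured from a network tap or SPAN port, and it tags endpoints using the well-known default ports of common industrial protocols. The flow records below are constructed for illustration.

```python
"""Passive industrial asset discovery from observed network flows (added example).

Assumes flow records of the form (timestamp, src_ip, dst_ip, dst_port, transport)
captured passively; nothing is ever sent to the devices, which matters for legacy
equipment that may misbehave when actively scanned.
"""
from dataclasses import dataclass, field

# Default ports of common OT protocols (IANA / vendor defaults).
OT_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
    47808: "BACnet",
}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)      # "server" (PLC, RTU) / "client" (HMI, master)
    protocols: set = field(default_factory=set)  # OT protocols observed
    peers: set = field(default_factory=set)      # IPs it exchanged OT traffic with
    first_seen: str = ""
    last_seen: str = ""


def classify_port(port):
    """Return the OT protocol name for a default port, or None if not recognised."""
    return OT_PORTS.get(port)


def build_cartography(flows):
    """Build an IP-keyed inventory from passively observed flows."""
    assets = {}
    for ts, src, dst, dport, _transport in flows:
        for ip in (src, dst):
            asset = assets.setdefault(ip, Asset(ip=ip, first_seen=ts))
            asset.last_seen = ts  # every endpoint is recorded, OT protocol or not
        name = classify_port(dport)
        if name is None:
            continue
        assets[dst].roles.add("server")  # the device answering on the OT port
        assets[dst].protocols.add(name)
        assets[src].roles.add("client")  # HMI, SCADA master, engineering workstation
        assets[src].protocols.add(name)
        assets[src].peers.add(dst)
        assets[dst].peers.add(src)
    return assets


def unknown_talkers(assets):
    """Hosts seen on the OT network that spoke no recognised OT protocol.
    These are the ones a manually maintained inventory most often misses."""
    return sorted(ip for ip, a in assets.items() if not a.protocols)


# Constructed sample: an HMI polling two PLCs, an engineering station talking
# S7comm to one PLC, and an unexpected host that only talks HTTPS to the HMI.
SAMPLE_FLOWS = [
    ("2024-01-01T08:00:00Z", "10.10.1.5", "10.10.1.20", 502, "tcp"),
    ("2024-01-01T08:00:01Z", "10.10.1.5", "10.10.1.21", 502, "tcp"),
    ("2024-01-01T08:00:02Z", "10.10.1.7", "10.10.1.20", 102, "tcp"),
    ("2024-01-01T08:00:03Z", "10.10.1.99", "10.10.1.5", 443, "tcp"),
]

if __name__ == "__main__":
    inventory = build_cartography(SAMPLE_FLOWS)
    for ip, a in sorted(inventory.items()):
        print(ip, sorted(a.roles), sorted(a.protocols), sorted(a.peers))
    print("no recognised OT protocol:", unknown_talkers(inventory))
```

The `unknown_talkers` list is the useful output for a Critical Industrial Operator: hosts present on the OT network that the protocol-based tagging cannot explain are exactly the gaps between the cartography and reality, and they can be reviewed without touching the black-box assets themselves.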
Some rules are simply not adapted to the industrial context.
For instance, applying systematic Security Updates is simply not realistic in an industrial setting. The lifecycle of OT differs significantly from that of IT. Applying updates jeopardizes the stability of industrial machines, so each update would have to be assessed systematically through a technical impact analysis. This is both complex and time-consuming, and it requires competences which are often not available on the shop floor. The result is that critical industries have to operate a legacy estate in which 30% to 50% of industrial assets are obsolete from a technological point of view.
Essential Security Options for Industrial Information Systems
Industrial cybersecurity is best addressed using a three-point approach:
- Develop Cybersecurity Awareness across the entire organization
- Use portfolio solutions that utilize innovative technologies applicable to the industrial environment
- Apply integration and deployment strategies that are fit for purpose in an industrial setting
One of the most important measures to use in industry is Cybersecurity Awareness Training and Communication. This should be used across the entire organization – incorporating both white- and blue-collar workers – to foster the needed cultural change.
White-collars: White-collar workers often focus their efforts on staff safety and productivity. It is now important to include digital threats in the picture as a key contributor to safety and productivity.
Blue-collars: Cybersecurity is not only about technologies; it must therefore take the human factor into account. A report by LastPass found that, on average, an employee shares a password with 6 other co-workers. Good training packages cover the entire remit of security preparedness, including day-to-day cybersecurity issues such as password hygiene and security, or the vigilance rules to apply when spotting phishing emails.
As well as implementing a company-wide Cybersecurity Awareness Training package, certain rules need to be stringently applied. As an example, the use of mobile devices connected via USB SHOULD be banned from any critical industrial environment. The fact is, certain legacy Critical Assets cannot be secured using intrusive technical agents such as antivirus.
Specific Solutions – For the Specific Needs of Industry
The special nature of industrial systems demands a specialized portfolio of Industrial Cybersecurity Solutions.
These Solutions should give priority to peripheral protections rather than intrusive protection. In fact, many Industrial Assets are not eligible for intrusive protection, for reasons related to response times or supplier responsibility issues.
Adapted Solutions should also take into consideration the specific Hardware, Software and Protocols encountered in industrial environments. This is especially true for Network Monitoring and Automatic Asset Discovery tools.
Integration and deployment Strategies
Integrating and deploying cybersecurity solutions in an industrial environment cannot be achieved in the same way as it would be in a standard IT environment.
First of all, whereas IT environments are under the responsibility of an IT Department and centrally managed, industrial environments are generally under the responsibility of the Business organization, distributed and locally managed, which drastically influences the deployment and operation method. Multi-functional teams are often a good answer to this challenge.
In addition, deploying and operating such solutions needs to be production-oriented. For instance, blocking a suspicious file or data flow, as would be the case in standard IT, might disrupt Production, which is simply not acceptable. Solutions such as Antimalware, Firewall or Application Control need to be operated accordingly.
Towards More Advanced Protection Models?
Providing resilience in an environment that is unsafe and uncontrolled by default is a challenge. Our once trusted, holistic, and deterministic approaches are limited and not fit for purpose when protecting critical environments in an unpredictable industrial context and against increasingly complex attacks.
We need to find new approaches to securing critical Industrial Information Systems. These approaches optimize security whilst maintaining robust operations. Industrial systems are required to allow collaboration, in real time, within a performance-sensitive environment. Dynamic and adaptive solutions that can reconfigure themselves automatically when a change in environment is detected form the basis for the flexible and dynamic needs of modern industrial-level cybersecurity.
To achieve this, we must both:
- leverage the latest protection technologies, such as machine learning, homomorphic encryption, and blockchain options;
- anticipate attack identification through weak signal detection and correlation, as proposed by the MITRE ATT&CK framework.
Auto-adapting the level of protection to the level of threat, based on appropriate sensor measurements, is the key to combining the three pillars of industrial cybersecurity:
- The need for robust, industrial system applicable, protection;
- Compliance with regulations; and,
- Maintenance of specific operational needs within an industrial environment.
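The auto-adaptive model described here, together with the production-oriented operating rule from the Integration and deployment Strategies section (no in-line blocking on production assets), can be made concrete in a small policy engine. This is an added example, not code from the article or from any product it mentions. It assumes a stream of sensor events of the form (signal name, source IP, timestamp) coming from network monitoring and endpoint sensors; the signal weights, thresholds, window and control profiles are illustrative choices, not a published standard, and the events are constructed.

```python
"""Auto-adapting the protection level from correlated weak signals (added example).

Each signal on its own is low severity; only their correlation (several
distinct signal types from the same source inside the window) should move
the protection level. Escalation for production-critical assets happens at
the zone boundary, never as in-line blocking on the asset itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative weights for individually weak signals.
SIGNAL_WEIGHTS = {
    "new_asset_seen": 1,       # passive discovery found a device not in the cartography
    "failed_logon": 1,         # on an engineering workstation
    "unexpected_write": 3,     # Modbus/S7 write command from a non-HMI source
    "new_external_dest": 2,    # OT host contacting a never-seen external address
}
CORRELATION_BONUS = 3          # per source raising >= 2 distinct signal types
DEFAULT_WINDOW = timedelta(minutes=15)
LONG_WINDOW = timedelta(hours=3)
LEVELS = [(0, "low"), (4, "elevated"), (9, "high")]  # (minimum score, level name)

# Controls per asset class and threat level. Production-critical assets keep
# antimalware in detect-only mode at every level (intrusive blocking could
# disrupt Production); the zone boundary is where protection tightens.
PROFILES = {
    "production_critical": {
        "low":      {"antimalware": "detect_only", "zone_boundary": "allow_and_log"},
        "elevated": {"antimalware": "detect_only", "zone_boundary": "alert_on_new_flows"},
        "high":     {"antimalware": "detect_only", "zone_boundary": "isolate_from_it_network"},
    },
    "it_endpoint": {
        "low":      {"antimalware": "quarantine", "zone_boundary": "allow_and_log"},
        "elevated": {"antimalware": "quarantine", "zone_boundary": "block_new_flows"},
        "high":     {"antimalware": "quarantine", "zone_boundary": "isolate_from_it_network"},
    },
}


def score_signals(events, now, window=DEFAULT_WINDOW):
    """Sum the weights of in-window signals, plus a correlation bonus for every
    source that raised two or more different signal types."""
    kinds_by_source = defaultdict(set)
    score = 0
    for name, source, ts in events:
        if now - ts > window:
            continue  # stale signal, outside the correlation window
        score += SIGNAL_WEIGHTS.get(name, 0)
        kinds_by_source[source].add(name)
    correlated = sum(1 for kinds in kinds_by_source.values() if len(kinds) >= 2)
    return score + CORRELATION_BONUS * correlated


def threat_level(score):
    """Map a score to the highest level whose minimum it reaches."""
    level = LEVELS[0][1]
    for minimum, name in LEVELS:
        if score >= minimum:
            level = name
    return level


def protection_profile(level, asset_class):
    return PROFILES[asset_class][level]


def decide(events, now, asset_class, window=DEFAULT_WINDOW):
    """Return (score, level, controls) for one asset class at time `now`."""
    score = score_signals(events, now, window)
    level = threat_level(score)
    return score, level, protection_profile(level, asset_class)


# Constructed events: an engineering station fails a logon, then a write command
# from it reaches a PLC; elsewhere an unknown device appears. One older event
# from that device falls outside the default window.
NOW = datetime(2024, 1, 1, 8, 30)
SAMPLE_EVENTS = [
    ("failed_logon", "10.10.1.7", NOW - timedelta(minutes=10)),
    ("unexpected_write", "10.10.1.7", NOW - timedelta(minutes=8)),
    ("new_asset_seen", "10.10.1.99", NOW - timedelta(minutes=5)),
    ("new_external_dest", "10.10.1.99", NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for asset_class in PROFILES:
        print(asset_class, decide(SAMPLE_EVENTS, NOW, asset_class))
```

With the default 15-minute window the two signals from the engineering station correlate and lift the level to "elevated": the IT endpoint profile starts blocking new flows, while the production-critical profile only alerts at the zone boundary. Widening the window to three hours pulls in the older external-destination event, a second source becomes correlated, and the level reaches "high", at which point both classes are isolated from the IT network at the boundary rather than touched in-line.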
Taking these concepts into consideration when creating a secure industrial environment (security by design) makes it possible to benefit from the auto-adaptive model that industrial cybersecurity 4.0 needs in order to tackle the complexity of the industrial landscape from a functional, technical, and organizational perspective. It gives you the ability to meet regulatory compliance, within the confines of Industrial Standards, whilst protecting your most critical industrial assets in an industrial context undergoing tremendous change.