Auto-Adapting to the Needs of Industrial Cybersecurity 4.0
Cybersecurity touches every aspect of our lives, our work, and even our cities. Cyber-attacks are growing in both scale and complexity. On scale, a recent report found that Distributed Denial of Service (DDoS) attacks have been increasing, on average, by 500%. On cost, damages from cybercrime are predicted to reach $6 trillion by 2021.
As our critical and industrial infrastructures enter a new era driven by technological innovation, cybercriminals are turning their attention to industry. Energy, transportation, telecommunications, and defense deliver the vital functions of a nation, and as such they should be afforded the best possible protection.
However, industrial cybersecurity has not yet reached the level of maturity found elsewhere in IT cybersecurity. In this article, we explore why, and look at how we can ensure that our industrial systems get the best available security while meeting compliance requirements.
Why is Industrial Cybersecurity a Laggard?
Industry 4.0 is part of the long-term evolution of our industrial systems and processes. As with its forebears, starting with the industrial revolution of the 18th century, the changes have come swiftly. Industry 4.0 is built upon new technologies, including the Internet of Things (IoT), Big Data, smart data analytics, robotics, and other artificial-intelligence-based solutions. These technologies are transforming our industrial systems, bringing us quickly into a new era of technology-driven industry.
Operational Technology (OT), which covers Industrial Control Systems (ICS), the ICS management framework, and Supervisory Control and Data Acquisition (SCADA) systems, was until recently cut off from the outside world. Earlier generations of OT were siloed: individual units were isolated, with little connectivity to other networks. With the advent of the technologies driving Industry 4.0, and the convergence of OT with IT, this is no longer the case. Our industries, and the critical infrastructures they serve, are now hyperconnected.
However, OT was late to adopt connected technologies, and the uptake of cybersecurity solutions that fit this new connected brief lags further still.
Our industrial systems have not only connected industry to its partners across the supply chain; they have also connected industry to cybercriminals. Industry 4.0, and the technologies that allow it to blossom, are exposing industry to an onslaught of cyber-threats.
“The Road to Resilience” a report by the World Energy Council, looked at the impact of cyber-attacks on utility critical infrastructures. The report found that cyber-threats were amongst the top concerns of energy leaders, particularly in Europe.
The impact a cyber-attack can have on critical infrastructure was demonstrated recently when the Ukrainian electricity grid was hit by malware known as CrashOverride (also called Industroyer). The attack caused mass outages. Attacks like this led US-CERT to issue an alert warning U.S. utility providers about targeting by Russian state-sponsored actors.
Large critical-infrastructure cyberattacks like these, coupled with global incidents such as the WannaCry ransomware outbreak of 2017, are forcing industry to take note of the threat level.
This is where regulations enter the equation. Robust regulatory frameworks are fundamental to supporting and accelerating the change needed to secure industry. However, these regulations need to be adapted to the special environment of OT.
Are Regulations for Critical Activities Relevant for Industry?
Twenty common rules apply to critical activities in industry. These twenty rules can be sub-divided into three types:
- No-brainers: these rules are based on common sense and need to be applied across the board.
- Worthy challenges: meeting these rules should be a goal; however, structural issues may make them difficult to achieve.
- Questionable requirements: these rules are not always applicable to the specific needs of the industrial world.
No-brainer requirements are baseline, MUST-have rules.
One example is defining, in an Information Systems Security Policy, the organizational and technical security measures needed to protect industrial assets.
Another must-have rule is certification of the Critical Industrial Information System through an audit based on a risk assessment.
The next two rule types, however, are more challenging for industry to implement. These legal obligations matter, but they often represent serious compliance challenges.
An example is the comprehensive cartography of industrial assets, covering hardware, software, and all related information. This rule is a must-have for Critical Industrial Operators. However, our experience shows that it is not always achievable, for reasons including:
- OT Assets are often delivered as “black boxes” and operated by third-party suppliers;
- OT maintenance teams often lack the technical skills to administer these assets; and/or,
- Proprietary communication protocols and unusual network configurations make automatic asset discovery difficult to implement.
Fortunately, specialized solutions now exist that can detect industrial assets, typically by passively listening to the industrial protocols on the network rather than actively scanning devices that may not tolerate it, and can consequently consolidate and maintain an up-to-date cartography of the Industrial Information System, including specific devices.
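To make the passive approach concrete, here is an added example (written for this article, not code from any vendor's discovery product) that derives an asset inventory from captured Modbus/TCP traffic without sending a single packet to the devices. It parses the 7-byte MBAP header and the function code of each segment, attributes requests and responses to a server (IP address plus unit identifier), and records which clients read from it, which clients write to it, and whether it returned protocol exceptions. The captured segments, IP addresses and ports are constructed for the example; the function-code meanings and the header layout are those of the Modbus specification.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Standard Modbus function codes that change process state (writes); the rest are reads.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed sample of captured Modbus/TCP segments: (src_ip, dst_ip, dst_port, payload).
# Each payload is the 7-byte MBAP header followed by the PDU (function code + data).
SAMPLE_SEGMENTS = [
    # HMI asks PLC unit 1 for 2 holding registers (FC 3) and gets 4 data bytes back
    ("10.0.1.10", "10.0.1.20", 502, bytes.fromhex("000100000006010300000002")),
    ("10.0.1.20", "10.0.1.10", 49152, bytes.fromhex("00010000000701030400641388")),
    # engineering workstation writes register 0x0010 on the same PLC (FC 6)
    ("10.0.1.11", "10.0.1.20", 502, bytes.fromhex("000200000006010600100001")),
    # HMI reads coils (FC 1) on a second PLC, unit 3, which answers with exception code 0x02
    ("10.0.1.10", "10.0.1.21", 502, bytes.fromhex("000300000006030100000008")),
    ("10.0.1.21", "10.0.1.10", 49153, bytes.fromhex("000300000003038102")),
    # something else on port 502: protocol identifier is not 0, so it is not Modbus and is skipped
    ("10.0.1.99", "10.0.1.20", 502, bytes.fromhex("0004123400020103")),
]


def parse_modbus_tcp(payload):
    """Parse one Modbus/TCP ADU. Returns a dict, or None if the bytes are not a valid ADU."""
    if len(payload) < 8:                      # MBAP (7 bytes) + at least the function code
        return None
    transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0:                         # protocol identifier 0 means Modbus
        return None
    if length != len(payload) - 6:            # length counts unit id + PDU bytes
        return None
    function = payload[7]
    return {
        "transaction": transaction,
        "unit": unit,
        "function": function & 0x7F,          # exception responses set the high bit
        "exception": bool(function & 0x80),
        "data": payload[8:],
    }


def build_inventory(segments):
    """Passively derive a per-server inventory from captured segments."""
    inventory = defaultdict(lambda: {"functions": set(), "clients": set(),
                                     "writers": set(), "exceptions": 0})
    for src, dst, dst_port, payload in segments:
        adu = parse_modbus_tcp(payload)
        if adu is None:
            continue
        is_request = dst_port == MODBUS_PORT
        server = (dst, adu["unit"]) if is_request else (src, adu["unit"])
        entry = inventory[server]
        entry["functions"].add(adu["function"])
        if is_request:
            entry["clients"].add(src)
            if adu["function"] in WRITE_FUNCTIONS:
                entry["writers"].add(src)
        elif adu["exception"]:
            entry["exceptions"] += 1
    # freeze the sets into sorted lists so the result is stable and serialisable
    return {server: {"functions": sorted(e["functions"]), "clients": sorted(e["clients"]),
                     "writers": sorted(e["writers"]), "exceptions": e["exceptions"]}
            for server, e in inventory.items()}


if __name__ == "__main__":
    for (ip, unit), e in sorted(build_inventory(SAMPLE_SEGMENTS).items()):
        names = [FUNCTION_NAMES.get(f, f"FC{f}") for f in e["functions"]]
        print(f"{ip} unit {unit}: {', '.join(names)}; clients={e['clients']} "
              f"writers={e['writers']} exceptions={e['exceptions']}")
```

On the constructed capture this yields two servers: PLC 10.0.1.20 unit 1, read by the HMI and written by the engineering workstation, and PLC 10.0.1.21 unit 3, which is only read and has returned one exception. The writers set is the most valuable field for the cartography: a new source of write commands is exactly the kind of change an operator needs to see.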
Some rules are specific to a particular sector and are not easily adapted to the wider industrial landscape.
For instance, applying systematic security updates is simply not realistic in an industrial setting, as the OT lifecycle differs significantly from the IT one. Applying an update can jeopardize the stability of an industrial machine, so each one would have to be assessed through a technical impact analysis. This is complex and time-consuming, and requires competences that are often not available on the shop floor. The result is that critical industries have to operate a legacy estate in which 30% to 50% of industrial assets are technologically obsolete, and which therefore needs compensating controls around the assets rather than patches on them.
Essential Security Options for Industrial Information Systems
Industrial cybersecurity is best addressed using a three-point approach:
- Implement Cybersecurity Awareness Training across the entire organization
- Use portfolio solutions that utilize innovative technologies applicable to the industrial environment
- Apply integration strategies that are fit for purpose in an industrial setting
Cybersecurity Awareness Training
One of the most important measures in industry is Cybersecurity Awareness Training. It should be used across the entire organization, covering both white- and blue-collar workers.
White-collars: White-collar workers often focus their efforts on staff safety and productivity. With the increase in cyber-threats, digital threats now have to be managed alongside physical ones. Cyber-threats have entered the SQCDP (Safety, Quality, Cost, Delivery, People) arena and affect performance scorecards.
Blue-collars: Blue-collar workers may not make security decisions directly; Cybersecurity Awareness Training nevertheless needs to extend to all workers. A report by LastPass found that, on average, an employee shares a password with six other co-workers. Good training packages cover the whole remit of security preparedness, including day-to-day issues such as password hygiene.
Security awareness training also includes simulation exercises, such as simulated phishing campaigns, that train users to spot phishing emails.
Beyond a company-wide Cybersecurity Awareness Training package, certain rules need to be stringently applied. For example, connecting mobile devices over USB MUST be banned from any critical industrial environment. Certain legacy critical assets cannot run security agents, so the rule cannot be enforced technically on them, and on the other hand it is unrealistic to rely exclusively on dedicated, vetted USB sticks.
Specific Solutions – For the Specific Needs of Industry
The special nature of industrial systems demands a specialized portfolio of Industrial Cybersecurity Solutions, followed by certification focused on the specific nature of these environments. This is especially true for network monitoring and automatic asset discovery tools, which need to cover specific industrial protocols and devices.
Because many legacy assets run outdated operating systems, a number of standard protection solutions cannot be used; anti-malware products, for example, may no longer support them. And because it is unrealistic to halt production as soon as suspicious behavior is detected, specific non-blocking application control solutions, integrated into an Industrial SOC, are needed: they alert on unexpected executables instead of killing them. These can be used alongside specific protection integration strategies based on peripheral protection.
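The following is an added example of that non-blocking application control logic, written for this article rather than taken from any product. It runs an allowlist of expected executables (path plus SHA-256) over constructed process-creation log lines in a Sysmon-style JSON format and produces alerts for the SOC; it deliberately contains no kill or block action. It distinguishes three cases a practitioner cares about: an allowlisted path whose hash no longer matches (a modified or replaced binary), an executable launched from a removable or non-system volume (the USB rule from the previous section, enforced by detection where an agent can run), and an unknown executable elsewhere. Paths, hostnames, hashes and the log lines are all constructed.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: the executables expected on an HMI workstation and their hashes.
# Hashes are computed from placeholder contents so the sample is self-consistent; paths are hypothetical.
KNOWN_BINARIES = {
    r"C:\Program Files\ScadaVendor\hmi.exe": sha256_hex(b"hmi.exe build 4.2 (constructed)"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"svchost.exe (constructed)"),
}
SYSTEM_VOLUME = "C:\\"   # anything started from another volume is treated as removable media


def event_line(**fields):
    """Build one constructed process-creation log line (JSON, Sysmon-style field names)."""
    return json.dumps(fields)


# Constructed sample log: five process-creation events on one HMI host.
SAMPLE_LOG = "\n".join([
    event_line(host="HMI-01", image=r"C:\Program Files\ScadaVendor\hmi.exe",
               sha256=KNOWN_BINARIES[r"C:\Program Files\ScadaVendor\hmi.exe"], user=r"OT\operator"),
    event_line(host="HMI-01", image=r"C:\Windows\System32\svchost.exe",
               sha256=KNOWN_BINARIES[r"C:\Windows\System32\svchost.exe"], user=r"NT AUTHORITY\SYSTEM"),
    # same path as the allowed HMI binary, but different content: replaced or patched on disk
    event_line(host="HMI-01", image=r"C:\Program Files\ScadaVendor\hmi.exe",
               sha256=sha256_hex(b"hmi.exe tampered (constructed)"), user=r"OT\operator"),
    # executable started from a removable volume
    event_line(host="HMI-01", image=r"E:\update\patch.exe",
               sha256=sha256_hex(b"patch.exe (constructed)"), user=r"OT\maintenance"),
    # unknown binary from a user profile directory
    event_line(host="HMI-01", image=r"C:\Users\operator\Downloads\tool.exe",
               sha256=sha256_hex(b"tool.exe (constructed)"), user=r"OT\operator"),
])


def classify(event, allowlist=KNOWN_BINARIES):
    """Return (severity, reason) for one process-creation event, or None when it matches the allowlist.
    This only classifies: nothing here kills, suspends or blocks the process."""
    image, digest = event["image"], event["sha256"].lower()
    expected = allowlist.get(image)
    if expected is not None:
        if digest == expected:
            return None
        return ("high", "allowlisted path with unexpected hash: binary modified or replaced")
    if not image.upper().startswith(SYSTEM_VOLUME):
        return ("high", "executable launched from a removable or non-system volume")
    return ("medium", "executable not in allowlist")


def evaluate_log(log_text, allowlist=KNOWN_BINARIES):
    """Run the allowlist over JSON log lines and return alerts for the SOC, never a block decision."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event, allowlist)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"host": event["host"], "user": event["user"], "image": event["image"],
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in evaluate_log(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['host']} {a['user']} {a['image']}: {a['reason']}")
```

The two allowlisted starts produce nothing; the tampered HMI binary and the executable from the E: volume are rated high, and the unknown download medium. Feeding these alerts to the Industrial SOC, where an analyst decides with the operator whether to intervene, is what keeps the control non-blocking on a machine that cannot afford an unplanned stop.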
Towards More Advanced Protection Models?
Providing resilience in an environment that is unsafe and uncontrolled by default is a challenge. Our once-trusted holistic and deterministic approaches are limited, and not fit for purpose when protecting critical environments in an industrial context.
We need new approaches to securing critical Industrial Information Systems, approaches that optimize security while maintaining robust operations. Industrial systems must allow real-time collaboration in a performance-sensitive environment. Dynamic and adaptive solutions that reconfigure themselves automatically when a change in the environment is detected form the basis for the flexible needs of modern industrial cybersecurity.
To achieve this, we must leverage the latest protection technologies, such as machine learning, homomorphic encryption, and blockchain.
Auto-adapting the level of protection to the level of threat, based on appropriate sensor measurements, is the key to combining the three pillars of industrial cybersecurity:
- The need for robust, industrial system applicable, protection;
- Compliance with regulations; and,
- Maintenance of specific operational needs within an industrial environment.
These three pillars of industrial cybersecurity, applied when creating a secure industrial environment, build the auto-adaptive model needed for industrial cybersecurity 4.0. Such auto-adaptive models have the capacity to tackle the complexity of the industrial landscape from a functional, technical, and organizational perspective. They give you the ability to meet regulatory compliance, within the confines of industrial standards, while protecting your most critical industrial assets.
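As an added illustration of the auto-adapting principle (example code written for this article, not a description of any product or standard), the controller below turns three sensor readings per time window, the counts of unknown devices seen by passive discovery, of non-blocking application-control alerts and of industrial IDS alerts, into a protection level, and maps each level to a response policy. Two design choices carry the operational pillar: the policy changes the security response (remote maintenance, unknown-device handling, treatment of PLC write commands) rather than stopping the process, and the controller escalates immediately but de-escalates one level at a time only after several quiet windows, so that it does not flap. Weights, thresholds, the policy table and the timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NORMAL = 0
    ELEVATED = 1
    LOCKDOWN = 2


# Hypothetical response policy per level. Only the security response changes; production keeps running.
POLICY = {
    Level.NORMAL:   {"remote_maintenance": "allowed",           "unknown_device": "alert",
                     "plc_write_commands": "log"},
    Level.ELEVATED: {"remote_maintenance": "requires_approval", "unknown_device": "alert_and_isolate_port",
                     "plc_write_commands": "alert"},
    Level.LOCKDOWN: {"remote_maintenance": "denied",            "unknown_device": "isolate_port",
                     "plc_write_commands": "alert_and_operator_confirmation"},
}


@dataclass(frozen=True)
class Sample:
    """Sensor readings for one time window (counts; all values in this example are constructed)."""
    new_assets: int          # devices seen by passive discovery that are not in the inventory
    app_control_alerts: int  # non-blocking application-control alerts from endpoints
    ids_alerts: int          # industrial IDS alerts (for example unexpected write commands)


# Weights and thresholds are assumptions made for the example, not values from any standard.
WEIGHTS = {"new_assets": 2, "app_control_alerts": 3, "ids_alerts": 5}
THRESHOLDS = [(10, Level.LOCKDOWN), (4, Level.ELEVATED)]   # checked from highest to lowest


def threat_score(sample):
    return sum(getattr(sample, name) * weight for name, weight in WEIGHTS.items())


def target_level(score):
    for minimum, level in THRESHOLDS:
        if score >= minimum:
            return level
    return Level.NORMAL


class AdaptiveController:
    """Escalates immediately; de-escalates one level at a time after `cooldown` consecutive quiet windows.
    The asymmetry is deliberate: flapping between levels would disturb operations more than a
    slightly prolonged elevated state does."""

    def __init__(self, cooldown=3):
        self.level = Level.NORMAL
        self.cooldown = cooldown
        self.quiet_windows = 0

    def step(self, sample):
        target = target_level(threat_score(sample))
        if target > self.level:
            self.level, self.quiet_windows = target, 0
        elif target < self.level:
            self.quiet_windows += 1
            if self.quiet_windows >= self.cooldown:
                self.level, self.quiet_windows = Level(self.level - 1), 0
        else:
            self.quiet_windows = 0
        return self.level

    def policy(self):
        return POLICY[self.level]


def run(samples, cooldown=3):
    """Feed a sequence of windows through one controller and return the level chosen for each."""
    controller = AdaptiveController(cooldown)
    return [controller.step(s) for s in samples]


# Constructed timeline: a quiet plant, a new device plus an app-control alert, an IDS burst, then silence.
SAMPLE_TIMELINE = [
    Sample(0, 0, 0), Sample(1, 1, 0), Sample(0, 0, 2),
    Sample(0, 0, 0), Sample(0, 0, 0), Sample(0, 0, 0),
    Sample(0, 1, 0), Sample(0, 0, 0), Sample(0, 0, 0),
]

if __name__ == "__main__":
    controller = AdaptiveController()
    for i, s in enumerate(SAMPLE_TIMELINE, 1):
        level = controller.step(s)
        print(f"window {i}: score={threat_score(s):2d} level={level.name:8s} "
              f"remote_maintenance={controller.policy()['remote_maintenance']}")
```

On the constructed timeline the plant goes NORMAL, ELEVATED, LOCKDOWN, stays in LOCKDOWN for three quiet windows, steps down to ELEVATED, and only returns to NORMAL after three further quiet windows; the lone application-control alert in window seven is not enough to raise the level but does restart the cooldown. In a real deployment the sensor inputs would come from the asset-discovery and application-control tooling discussed earlier, and the policy actions would be enforced by the network equipment and remote-access gateway.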