Friday, August 5, 2016

A Checklist for Cybersecurity in Industrial Internet of Things

By Mike Hannah, MESA Smart Manufacturing Working Group Member 

Over the last year or so there has been much written about the Internet of Things (IoT) and Smart Manufacturing initiatives like Industry 4.0, that promise huge potential benefits for manufactures.  In particular, we hear about how organizations are recognizing that information created by connecting intelligent things (IoT) and industrial control systems (ICS) to the enterprise business systems is achieving greater visibility into their operations, all helping to make significant operational improvements.  To achieve this however requires seamless and secure flow of information from the machines and equipment, to the lines, to the people, to the plants, and to the enterprise levels.  

This network convergence, or connected enterprise, comes with some challenges. User’s face an unclear demarcation of network ownership, and cultural difference exist between OT and IT professional who are deploying both enterprise and industrial assets.  And probably the most important aspect is that it exposes the connected industrial assets to additional security threats that they typically didn’t  have to think about before.  

In fact, I’ve often heard from some OT people that “no hacker cares about our control systems” so out of curiosity I did a quick Google search on ‘ICS Security breaches’ and the top resulting headlines included; “Attackers Alter Water Treatment System in Utility Hack”, DHS Confirms US Public Utilities Control System Was Hacked” and “Breaches on the Rise in Control Systems”, the later was a link to a survey done by SANS Institute that highlighted a 22% increase in ICS security breaches from 2013 to 2014.  These breaches aren’t making the national news, but I think serve as evidence that we cannot ignore security in industrial operations anymore.  For many industrial control systems (ICS), it’s not a matter of if a breach will take place, but when.
Does all this send shivers up your spine?  Are you asking yourself, so what can I do about it?  Simply put, security should not be implemented as an afterthought or bolt-on component, but rather as a comprehensive strategy and framework designed and implemented as a natural extension to deployment of industrial control systems and to any Smart Manufacturing initiative your organization may be driving towards.  It is also not the responsibility of any one person or group, but rather has to be thought of as a holistic approach, supported by all key stakeholders.
Here are six important aspects of a security strategy:
  • Educate employees and build their security competency
  • Define a strong set of rules the system will adhere too based on a risk analysis
  • Design systems against the defined rules  
  • Verify designs and test to industry standards
  • Maintain systems by regular assessments and update
  • Respond to incidents and provide awareness to the key stakeholders.
A security framework should incorporate a comprehensive strategy covering physical, network, application, user, data, end point and device hardening and procedures and policies. The platform should handle user and device authentication, broker communication between devices, systems, people, and things, and handle data transfer, data storage, and business logic, as necessary, for the end user application. 
The framework should address Authentication, Authorization and Accounting of who is interacting and what they are doing.  The framework should be capable of delegating the authentication of the credentials to a directory service system, like Microsoft Active Directory, allowing the system to manage password policies such as password expiration, account lockout, password history, and password strength.
The framework should have a Role-Based Access Control model that allows administration of authorization to a very granular level, providing access that is relative to the user’s role and nothing more, no carte blanche access.
In addition, many comprehensive Smart Manufacturing solutions will include applications accessed by users of various roles from multiple companies and organizations within those companies.  The security framework therefore needs to be comprehensive, multi-tenant, matrixed and adhere to the guidelines established by industry standards, like IEC 62443.
This all sounds very daunting: how and where do I start?  Fear not, there is information and guidance out there to help you to build your strategy.  The Department of Homeland Security (DHS) has presented their “Seven Strategies to Defend ICSs”, and NIST has published a general framework for ICS Cybersecurity.  These can serve as reference guides as you begin to analyze and develop your strategy and execution plans.
The paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems.
1.    Implement Application Whitelisting: AWL can detect and prevent attempted execution of malware uploaded by threat actors.  Databases and HMI computers make ideal candidates to AWL.
2.    Ensure Proper Configuration/Patch Management: Threat actors target unpatched systems, and a program centered on trusted patches can help control.
3.   Reduce Your Attack Surface Area: ICS networks should be isolated from untrusted networks, like the internet, lock down unused ports, and turn off unused services.
4.    Build A Defendable Environment: limit or isolate damage from network breaches by segmenting networks into logical zones (VLANs).  If a breach occurs in one segment it is contained in that segment and does not penetrate into other areas.
5.   Manage Authentication: Implement multi-factor authentication if possible, and limit privileges to only those needed by the user.
6.    Implement Secure Remote Access: Limit access, where applicable implement monitoring only access (data diode) and don’t allow double standards, use the same remote access paths for vendors as you do for employee connections, and use two-factor authentication when possible.
7.    Monitor and Respond: actively monitor for breaches and threats by watching IP traffic and have a plan for when any questionable activity is detected.
Created through collaboration between industry and government, the NIST Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure.  It consists of 5 core functions:
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.  Includes, risk assessment, risk management strategy and asset management.  By understanding the business context and the resources required to support the efforts will allow organizations to focus and prioritize its efforts.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.  Includes functions like: Assess Control, Awareness and Training, Data Security, Information Protection, Process & Procedures and Protective Technology.  Supporting the ability to limit or contain any potential security event.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.  This function is to ensure timely discovery of security events and include: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.  Once you’ve detected the event you need to contain the impact to your organization, these functions provide Response Planning, Communications, Analysis, Mitigation and Improvements.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.  The final functions are for the timely recover to get back to normal operations and to reduce the impact the security event has had on operations and include; Recovery Planning, Improvements, and Communications.
Industry and device vendors are also helping to prioritize and provide guidance to manufactures to successfully design and deploy a scalable, robust, secure and future-ready plant-wide/site-wide network infrastructure utilizing standard networking and security technology. 
ODVA has recently released a white paper on Cyber Security Model for Manufacturing”. The paper presents an Industrial Control System Cybersecurity framework and further describes its mapping to Manufacturing. In particular, it puts focus on how ODVA’s effort fits into the larger framework and how it can continue to influence and strengthen on the ICS Cybersecurity framework.
 Rockwell Automation and Cisco have been collaborating for many years and have developed Converged Plantwide Ethernet (CPwE) reference architectures. These CPwE reference architectures are tested and validated solutions and provide design considerations, guidance, recommendations, best practices and solutions.
MESA launched a Smart Manufacturing Working Group to help provide consistent messaging in Smart Manufacturing-related topics internally and externally, interacting with other industry organizations to drive common understanding for all.  The group recently released an overarching white paper explaining the different initiatives, terms and integration standards in industry and tying them to Smart Manufacturing.
The Industrial IP Advantage has developed virtual training courses designed to help IT and OT engineers make the most of their network connectivity.  The courses are developed based upon validated reference architectures and will help drive design decisions from the equipment-level to the enterprise network.
So in wrapping this up it’s clear that manufacturing and industrial operations cannot afford to ignore the paradigm shifts brought about by new technologies, like the IIoT.   Securing ICS against the modern threats will require a well-planned and well-implemented strategy to defend your operations, a plan that needs to have multiple stakeholders and be supported at the highest levels of your organization.  Simply having a network with a hardened perimeter is no longer enough.  Without a sound security strategy and execution plan, devices, machines, equipment and networks can be exploited by threat actors, both internal and external.
There are no guarantees in life or in security but by proper planning, deployment and maintenance of your strategy you can minimize the impact any breach or event has on your operations and organization.  

Mike Hannah
Global Market Development – The Connected Enterprise
Rockwell Automation 

Mike Hannah is the Market Development lead for the company’s Connected Enterprise and Smart Manufacturing initiative and responsible for leading the development and implementation of programs to maximize customer demand and sales growth of Rockwell Automation’s global business.

No comments: