By Mike Hannah, MESA Smart Manufacturing Working Group Member
Over the last year or so there has been much written about the Internet of Things (IoT) and Smart Manufacturing initiatives like Industry 4.0, that promise huge potential benefits for manufactures. In particular, we hear about how organizations are recognizing that information created by connecting intelligent things (IoT) and industrial control systems (ICS) to the enterprise business systems is achieving greater visibility into their operations, all helping to make significant operational improvements. To achieve this however requires seamless and secure flow of information from the machines and equipment, to the lines, to the people, to the plants, and to the enterprise levels.
This network convergence, or connected enterprise, comes with some challenges. User’s face an unclear demarcation of network ownership, and cultural difference exist between OT and IT professional who are deploying both enterprise and industrial assets. And probably the most important aspect is that it exposes the connected industrial assets to additional security threats that they typically didn’t have to think about before.
MAINSTREAM NEWS
In fact, I’ve often heard from some OT people that “no hacker
cares about our control systems” so out of curiosity I did a quick Google
search on ‘ICS Security breaches’ and the top resulting headlines included;
“Attackers Alter Water Treatment System in Utility Hack”, DHS Confirms US
Public Utilities Control System Was Hacked” and “Breaches on the Rise in
Control Systems”, the later was a link to a survey done by SANS Institute that
highlighted a 22% increase in ICS security breaches from 2013 to 2014. These breaches aren’t making the national
news, but I think serve as evidence that we cannot ignore security in
industrial operations anymore. For many industrial
control systems (ICS), it’s not a matter of
if a breach will take place, but when.
Does all this send shivers up your spine? Are you asking yourself, so what can I do
about it? Simply put, security should
not be implemented as an afterthought or bolt-on component, but rather as a
comprehensive strategy and framework designed and implemented as a natural
extension to deployment of industrial control systems and to any Smart
Manufacturing initiative your organization may be driving towards. It is also not the responsibility of any one
person or group, but rather has to be thought of as a holistic approach, supported
by all key stakeholders.
STAKEHOLDER ENGAGEMENT
Here are six important aspects of a security strategy:
- Educate employees and build their security competency
- Define a strong set of rules the system will adhere too based on a risk analysis
- Design systems against the defined rules
- Verify designs and test to industry standards
- Maintain systems by regular assessments and update
- Respond to incidents and provide awareness to the key stakeholders.
A security framework should incorporate a comprehensive strategy
covering physical, network, application, user, data, end point and device
hardening and procedures and policies. The platform should handle user and
device authentication, broker communication between devices, systems, people,
and things, and handle data transfer, data storage, and business logic, as
necessary, for the end user application.
The framework should address Authentication, Authorization and Accounting
of who is interacting and what they are doing.
The framework should be capable of delegating the authentication of the
credentials to a directory service system, like Microsoft Active Directory,
allowing the system to manage password policies such as password expiration,
account lockout, password history, and password strength.
The framework should have a Role-Based Access Control model that
allows administration of authorization to a very granular level, providing
access that is relative to the user’s role and nothing more, no carte blanche access.
In addition, many comprehensive Smart Manufacturing solutions will
include applications accessed by users of various roles from multiple companies
and organizations within those companies.
The security framework therefore needs to be comprehensive, multi-tenant,
matrixed and adhere to the guidelines established by industry standards, like
IEC 62443.
WHERE TO START
This all sounds very daunting: how and where do I start? Fear not, there is information and guidance
out there to help you to build your strategy.
The Department of Homeland
Security (DHS) has presented their “Seven Strategies to Defend ICSs”, and NIST has published a general framework
for ICS Cybersecurity. These can serve as
reference guides as you begin to analyze and develop your strategy and
execution plans.
The paper presents seven
strategies that can be implemented today to counter common exploitable
weaknesses in “as-built” control systems.
1. Implement Application Whitelisting: AWL can detect and prevent attempted execution of malware
uploaded by threat actors. Databases and
HMI computers make ideal candidates to AWL.
2. Ensure Proper Configuration/Patch Management: Threat actors target unpatched systems, and a program centered on
trusted patches can help control.
3. Reduce Your Attack Surface Area: ICS networks should be isolated from untrusted networks, like the
internet, lock down unused ports, and turn off unused services.
4. Build A Defendable Environment: limit or isolate damage from network breaches by segmenting
networks into logical zones (VLANs). If
a breach occurs in one segment it is contained in that segment and does not
penetrate into other areas.
5. Manage Authentication: Implement multi-factor authentication if possible, and limit
privileges to only those needed by the user.
6. Implement Secure Remote Access: Limit access, where applicable implement monitoring only access
(data diode) and don’t allow double standards, use the same remote access paths
for vendors as you do for employee connections, and use two-factor
authentication when possible.
7. Monitor and Respond: actively monitor for breaches and threats by watching IP traffic
and have a plan for when any questionable activity is detected.
Created through collaboration between industry and government, the
NIST Framework consists of standards, guidelines, and practices to promote the
protection of critical infrastructure.
It consists of 5 core functions:
• Identify – Develop
the organizational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities.
Includes, risk assessment, risk management strategy and asset
management. By understanding the
business context and the resources required to support the efforts will allow
organizations to focus and prioritize its efforts.
• Protect – Develop and
implement the appropriate safeguards to ensure delivery of critical
infrastructure services. Includes
functions like: Assess Control, Awareness and Training, Data Security,
Information Protection, Process & Procedures and Protective
Technology. Supporting the ability to
limit or contain any potential security event.
• Detect – Develop and
implement the appropriate activities to identify the occurrence of a
cybersecurity event. This function is to
ensure timely discovery of security events and include: Anomalies and Events,
Security Continuous Monitoring, and Detection Processes.
• Respond – Develop and
implement the appropriate activities to take action regarding a detected
cybersecurity event. Once you’ve
detected the event you need to contain the impact to your organization, these
functions provide Response Planning, Communications, Analysis, Mitigation and
Improvements.
• Recover – Develop and
implement the appropriate activities to maintain plans for resilience and to
restore any capabilities or services that were impaired due to a cybersecurity
event. The final functions are for the
timely recover to get back to normal operations and to reduce the impact the
security event has had on operations and include; Recovery Planning,
Improvements, and Communications.
VENDOR HELP
Industry and device vendors are also helping to prioritize and provide
guidance to manufactures to successfully design and deploy a scalable,
robust, secure and future-ready plant-wide/site-wide network infrastructure
utilizing standard networking and security technology.
ODVA has recently released a white paper on “Cyber
Security Model for Manufacturing”. The paper presents an Industrial Control System Cybersecurity
framework and further describes its mapping to Manufacturing. In particular, it
puts focus on how ODVA’s effort fits into the larger framework and how it can
continue to influence and strengthen on the ICS Cybersecurity framework.
Rockwell Automation and Cisco have been collaborating for many
years and have developed Converged
Plantwide Ethernet (CPwE) reference architectures. These CPwE reference architectures are
tested and validated solutions and provide design considerations, guidance,
recommendations, best practices and solutions.
MESA launched
a Smart Manufacturing Working Group to help provide consistent messaging in Smart
Manufacturing-related topics internally and externally, interacting with other
industry organizations to drive common understanding for all. The group recently released an overarching
white paper explaining the different
initiatives, terms and integration standards in industry and tying them to
Smart Manufacturing.
The Industrial
IP Advantage has developed virtual training courses designed to help IT and
OT engineers make the most of their network connectivity. The courses are developed based upon
validated reference architectures and will help drive design decisions from the
equipment-level to the enterprise network.
So in wrapping this up it’s clear that manufacturing and
industrial operations cannot afford to ignore the paradigm shifts brought about
by new technologies, like the IIoT. Securing
ICS against the modern threats will require a well-planned and well-implemented
strategy to defend your operations, a plan that needs to have multiple
stakeholders and be supported at the highest levels of your organization. Simply having a network with a hardened
perimeter is no longer enough. Without a
sound security strategy and execution plan, devices, machines, equipment and
networks can be exploited by threat actors, both internal and external.
There are no guarantees in life or in security but by proper
planning, deployment and maintenance of your strategy you can minimize the
impact any breach or event has on your operations and organization.
ABOUT THE AUTHOR
Mike Hannah
Global Market Development – The Connected Enterprise
Rockwell Automation
Mike Hannah is the Market Development lead for the company’s Connected
Enterprise and Smart Manufacturing initiative and responsible for leading the
development and implementation of programs to maximize customer demand and
sales growth of Rockwell Automation’s global business.
No comments:
Post a Comment