|Home>||IIot & Smart Technology||>Cyber Security||>Cyber security vulnerabilities & how to mitigate against them|
Cyber security vulnerabilities & how to mitigate against them
21 April 2020
Industry 4.0 and the Internet of Things (IoT) presents powerful opportunities for manufacturers to develop new competitive advantages. However, as systems and processes become digitised and interconnected, so cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities, as Paul Taylor contends
Across a variety of industries, from manufacturing and processing plants, to energy suppliers and rail, cyber-physical systems are being implemented to enable higher efficiencies, unmatched flexibility and innovative business models. However, as systems and processes become digitised and interconnected, so cybercriminals are increasingly hacking into the critical infrastructure of connected production facilities. Therefore, in order to harness the opportunities, industry must fully understand these the challenges of cyber security and take steps to minimise the potential risks.
Open to attack
Many installations for industrial automation and control systems are built from standardised hardware and software components. These open systems facilitate the integration of individual components and enable the interconnection of control systems, installations and office IT, even over long distances. But of course, by their very nature these open systems are also vulnerable to attack and manipulation.
There are a wide variety of possible cyber security vulnerabilities in the manufacturing environment. This includes a lack of knowledge in the different industry sectors, about how to apply IT security protection to systems (machinery) that have traditionally not required it. These systems can operate very differently from office-based IT and may also still be running legacy communication networks, with which more modern cyber security software is incompatible. Also, merging traditional ways of working with the needs of the smart factory can cause problems. For example, using USB drives for machine maintenance, monitoring or programming can infect one machine, which is then passed on through connected network.
Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security. Likewise, any existing machines on the factory floor, which lack digital identification and authentication functionality, do not have the capability for end-users to be sure that operating instructions received by the network are from an authorised person (source). There is also the risk that the smart tags on components or the final product being produced may be manipulated by an attacker.
As cyberattacks become more prevalent, for manufacturers deploying such machines, this new connectivity translates into a shift in the risk landscape. A security breach involving a connected industrial application can put an entire facility at risk and the consequences for operations, people and equipment can be devastating. Against this backdrop, suppliers and system integrators must optimise the cyber resilience of their components and systems by improving their development, integration and support processes.
As cyber security vulnerabilities can appear throughout the component or system lifecycle, it is necessary to plan ahead and implement security from the onset. From specification, to design, production and support, component suppliers must therefore consider how the cyber resilience of a connected device can be optimised for its entire lifespan. Further down the line, the system integrator must take the possible threats of the automated solution into account. Suppliers and integrators are also required to mitigate risk, even when the prospective configuration and the potential threats are still largely unknown. Furthermore, full transparency from them is necessary for machinery end-users to place trust in the security capabilities of the products and solutions that they offer.
Analyses, assessments and tests play a key role in implementing appropriate security controls against these threats. The challenge is to harmonise the requirements of IT security with the specific demands of automation and control systems (including real time, safety).
The international standard IEC-62443 “Security for Industrial Automation and Control Systems (IACS)” holds the answer here, as it aims to mitigate risk for industrial communication networks by providing a structured approach to cybersecurity. Originally developed for the IACS supply chain, it is a collection of multi-industry standards focused on cybersecurity protection methods and techniques. Consequently, the standard has become the leading industrial cybersecurity standard for all types of plants, facilities and systems across industries. The standard applies to component suppliers, system integrators and asset owners.
Through a set of defined process requirements, IEC-62443 ensures that all applicable security aspects are addressed in a structured manner. This includes a systematic approach to cybersecurity throughout the stages of specification, integration, operation, maintenance and decommissioning. Also, the standard foresees that processes are established to facilitate all necessary technical security functions. When adapted to the relevant project scope, IEC-62443 lays the foundations for cybersecurity robustness throughout the product and system lifetime.
As a third-party certification demonstrates to asset owners and operators that the purchased component or system is based on a methodised and coherent approach to cybersecurity, in line with industry best practice, the implementation of IEC-62443 can also deliver some competitive advantage to suppliers and system integrators.
The IEC-62443 standard addresses security processes along the complete supply chain. For example, product suppliers’ certification should be based on IEC-62443-4-1 “Product security development life-cycle requirements”. This part of the standard applies to the supplier’s overall security programmes, and also to the security processes connected to the development of the relevant component and control system.
Corresponding certifications are available to system integrators based on IEC-62443-2-4 “Security program requirements for IACS service providers”. In this case, the compliance of generic processes, as well as the compliance of security processes for a reference architecture or blueprint, can be verified. During the certification process, the auditor executes a conformity assessment based on document reviews, interviews and on-site audits. When compliance with standard requirements has been confirmed, the certification concludes with the issuance of a report and a certification mark. An annual surveillance audit is required to maintain the validity of this certification.
Beside the generic process aspects during product development and system integration, the IEC-62443 standard also specifies technical security requirements for components and systems. These technical requirements are described in IEC-62443-4-2 and IEC-62443-3-3. The assessment of both process and technical requirements are the basis for the certification of both components and systems.
As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. It is clear that by combining the strengths of the physical and virtual worlds, cyber-physical systems have the potential to significantly enhance industry performance, facilitate new products and spark innovative business models. While smart factories will see reduced risk in several areas, such as fewer worker injuries as machines take over hazardous tasks, the increasing number of physical and digital interfaces also introduces new risks and serious vulnerabilities can be exploited by new forms of cybercrime.
Both industrial IT security and the security of wireless products which manufacturers produce will therefore become increasingly important. Ongoing investment in cyber security is therefore crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat hacker attacks. IEC-62443 provides a holistic approach to help mitigate these risks and provides increased assurance to the entire machinery supply chain.
Whilst having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and which are better equipped to help manage new and evolving cyber threats. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring - from design through to obsolescence.
Paul Taylor is Head of Industrial Products (UK) at TÜV SÜD