This post was written by Sven Schrecker, chief architect of Intel Security’s IoT Security Solutions Group.
The history of industrial automation fascinates me. Continuous innovation and new technologies have taken manufacturing processes that originated in the Industrial Age and catapulted them straight into the information age. Just as productivity seemed to be topping out, the Internet helped boost productivity and efficiency to previously unimaginable levels.
Unfortunately, as industrial automation roared into today’s data-driven, Internet-connected world, it sped past digital security without taking its foot off the accelerator.
Welcome to the digital age, where an anonymous hacker in some virtual landscape can throw a wrench into industrial automation systems. How do we secure these systems while still meeting the needs of corporate stakeholders? Operational technology (OT) teams still demand high resiliency and availability. Information technology (IT) teams demand interconnectivity, enterprise security, and compliance. And both of these teams must accommodate the new kids on the block: data analysts who require real-time data capture, sharing, and analysis for every decision in the business. This article discusses the current state of industrial automation system security, the technological and organizational challenges of improving it, and a dynamic model for embedding end-to-end trust and security into industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
Physical break-ins and attacks on SCADA and ICS systems are largely a twentieth-century phenomenon. The overwhelming majority of attacks today are carried out by well-resourced, highly motivated attackers who are often accomplished software engineers working for cybercrime syndicates on other continents. Business competitors and nation states are the latest cyberwarfare participants, as the battleground has expanded to include manufacturing facilities, entertainment companies, and critical infrastructure. Here are a few noteworthy examples:
Sadly, these types of security events continue to increase both in terms of damage and frequency.
Data capture and analysis is today’s competitive weapon—generating analytical insights that refine and optimize processes in every area of business. It is not uncommon for manufacturers to invest hundreds of millions of dollars to achieve a 10 to 20 percent efficiency increase. The efficiencies come from data-driven decisions gained through insights from customer use and demand, purchasing, supply-chain optimization, manufacturing production processes, predictive planning, and more. By hacking and subtly manipulating data, attackers can de-optimize a company’s processes without anyone even knowing. Even the most subtle data manipulation in any of these areas can cripple a business that is on razor-thin margins.
A number of myths and misconceptions have hindered the evolution of industrial automation system security. The most common include:
Current client-server industrial automation systems have moved to an edge-to-cloud architecture for cost and flexibility. They have security challenges that result from today’s interconnected world. Regardless of application, ensuring security begins by establishing a chain of trust between devices, data, and systems. Everything within the trusted system must be authenticated and validated to ensure trusted interoperability and integrity at every point. Of course, availability requirements and the legacy nature of industrial automation systems add challenges. Preserving existing investments in ICS infrastructure is paramount. Therefore, a viable security model must work with both existing and new systems. In addition, security is a dynamic process, because security needs, policies, and threat detection methods change over time. Therefore, any viable solution must be adaptable and updatable.
The embedded security deployment model establishes and ensures trusted interoperability that is essential for industrial automation interconnectivity. This model has three core requirements:
Establishing the chain of trust begins with validating the identity of the device. Previous approaches to validate device identities, such as using IP and media access control (MAC) addresses, are untrustworthy: IP addresses change routinely and can be very easily spoofed by hackers, while MAC addresses can be easily reset. Therefore, device authentication must start at the physical level—the processor within the hardware. Device hardening may use trusted execution technology, which leverages an embedded security coprocessor (a dedicated microprocessor designed to store cryptographic keys in a tamper-proof hardware container).
This allows the chip itself to perform cryptographic operations such as measuring the level of trust in the boot process, an operating system, a virtual machine, or an application. A key aspect of this process is precise measurement of code, data structures, configuration, information, or anything that can be loaded into memory. Measurements consist of a cryptographic hash using a secure hashing algorithm, which allows integrity validation and detection should any measured code, configuration, or data be altered or corrupted.
This is applied to software residing on disk to determine whether or not it has been tampered with before the software is loaded into memory and executed. The chain of trust continues to be built up and verified through the complete software stack, including during the boot process, and across the entire system—even as data is encrypted and transported into the cloud. Trust in both devices and data is essential given the prevalence of machine-to-machine communications driving industrial automation. For example, trusted devices can digitally sign data received from trusted industrial control sensors. Should a hacker manipulate the data, its signature will no longer verify and the monitoring system will flag it. In that case, both the untrustworthy piece of data and the machine or sensor it originated from are immediately identifiable.
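The measurement and signing steps described above, as an added illustration that is not code from the original article or from Intel Security: each component is measured with SHA-256 before it is loaded, the measurements are folded into a running chain value (TPM PCR style) that is compared against a provisioned known-good value, and sensor readings are signed so that a manipulated reading fails verification and the originating device is identifiable. The component images, device key and device identifiers are constructed, and HMAC-SHA256 with a device key stands in for the asymmetric signature a real security coprocessor would produce; the detection logic is the same.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed stand-ins for the components a device measures during boot.
# A real device hashes the bytes of its bootloader, kernel and applications;
# here short byte strings keep the example runnable offline.
BOOT_COMPONENTS: List[Tuple[str, bytes]] = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("control-app", b"constructed control application v1"),
]


def measure(data: bytes) -> str:
    """A measurement is the SHA-256 digest of whatever is about to be loaded."""
    return hashlib.sha256(data).hexdigest()


def extend_chain(components: List[Tuple[str, bytes]]) -> str:
    """Fold each measurement into a running value, chain = H(chain || measurement),
    the way a TPM extends a PCR. Any altered component changes the final value."""
    chain = b"\x00" * 32
    for _name, data in components:
        chain = hashlib.sha256(chain + bytes.fromhex(measure(data))).digest()
    return chain.hex()


# Known-good values provisioned by the operator from the trusted images
# (in a deployment these live in the enterprise management console).
KNOWN_GOOD_MEASUREMENTS = {name: measure(data) for name, data in BOOT_COMPONENTS}
KNOWN_GOOD_CHAIN = extend_chain(BOOT_COMPONENTS)


def boot_is_trusted(components: List[Tuple[str, bytes]]) -> bool:
    """True only if every component measures exactly as provisioned."""
    return hmac.compare_digest(extend_chain(components), KNOWN_GOOD_CHAIN)


def first_mismatch(components: List[Tuple[str, bytes]]) -> Optional[str]:
    """Name the first component whose measurement differs from the known-good value."""
    for name, data in components:
        if measure(data) != KNOWN_GOOD_MEASUREMENTS.get(name):
            return name
    return None


# --- data signing by a trusted device ---------------------------------------
# Assumption: an HMAC key held by the device stands in for the private key a
# security coprocessor would keep in tamper-resistant storage.
DEVICE_KEY = b"constructed-device-key-held-in-secure-coprocessor"


def sign_reading(device_id: str, reading: str) -> str:
    """Bind the reading to the device that produced it."""
    msg = f"{device_id}|{reading}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def verify_reading(device_id: str, reading: str, signature: str) -> bool:
    """False if either the reading or the claimed origin was altered in transit."""
    return hmac.compare_digest(sign_reading(device_id, reading), signature)


if __name__ == "__main__":
    print("boot trusted:", boot_is_trusted(BOOT_COMPONENTS))
    tampered = [(n, d + b" backdoor" if n == "kernel" else d) for n, d in BOOT_COMPONENTS]
    print("tampered boot trusted:", boot_is_trusted(tampered), "->", first_mismatch(tampered))
    sig = sign_reading("sensor-17", "temp=71.3")
    print("genuine reading verifies:", verify_reading("sensor-17", "temp=71.3", sig))
    print("altered reading verifies:", verify_reading("sensor-17", "temp=61.3", sig))
```

The chain value alone tells the monitoring system that something in the stack changed; the per-component measurements tell it which component, which is what an operator needs to act on.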
Trusted transaction spaces are logical zones that allow authorized business communications. The devices must ensure the trust and integrity of data within each zone. Two embedded security innovations allow communications between trusted zones built on legacy technology and those built on current and future technology: intelligent security gateways, which enable users to securely aggregate, filter, and share data from the edge to the cloud; and trusted execution environments, which allow secure and trusted execution of application data anywhere.
There is a reason legacy systems are so prevalent in industrial automation: they work. In fact, some have been refined for decades. New classes of intelligent gateways (some as small as two inches by two inches) are critical to extending legacy systems by connecting them to next-generation intelligent infrastructure. These gateways physically separate legacy systems, production zones, and the outside world, limiting the attack surface of an industrial automation system.
The gateway can secure a device, or devices, without modifying the device in any way, making it an attractive initial security solution to create a consistent level of security within the environment. As with any hardened device, security gateways must boot securely, be authenticated on the network, and then perform any number of security and communications tasks on behalf of the devices behind them. They can be provisioned to link trusted transaction spaces by validating integrity calculations, verifying certificates, applying cryptography, and establishing trusted communications links. Gateways can also include protocols to manage the production systems they are attached to, which can extend the life of these systems, allowing repair and updates without a physical field visit.
A trusted execution environment enhances security by preventing any device from executing malicious code. It uses virtualization and encryption technologies to create secure containers for applications and data that are only accessible to approved devices. These environments are secure, trusted zones that ensure tamperproof protection of data, making data and applications invisible to third parties who may transport, store, and process sensitive information.
Even within a virtual machine that is being operated by unknown entities, the trusted execution environment can validate data authenticity and create a digital signature to attest to its integrity later. For example, production data from an industrial automation system that a cloud services provider, such as Amazon Cloud, stores and processes can be maintained securely to ensure that the data has not been secretly altered.
There is an old axiom in IT: you cannot manage what you cannot monitor. Effective oversight of distributed industrial automation systems requires the ability to centrally manage devices through an enterprise management console, as well as the ability to monitor, collect, and analyze event information on all devices for end-to-end situational awareness of the entire system.
An enterprise management console allows IT staff to manage complexity and have global visibility of highly distributed environments. The management console is where IT remotely provisions, manages, and updates software on devices, as well as defines and refines policies and pushes those policies to devices. For example, embedded devices may include whitelisting policies, which define appropriate applications, data, communications, and other functions the device is allowed to perform.
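The whitelisting policy described in the paragraph above, as an added example that is not code from the original article or from any vendor's product: a policy object of the kind a management console would push to a device, and a small enforcement routine that checks application launches (by path and binary hash), outbound connections and requested functions against it, returning decisions that could be forwarded as events. The policy contents, binary images, host names and event records are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DevicePolicy:
    """Constructed whitelisting policy as pushed from the management console."""
    allowed_apps: Dict[str, str]          # path -> SHA-256 of the approved binary
    allowed_peers: Set[Tuple[str, int]]   # (host, port) pairs the device may talk to
    allowed_functions: Set[str]           # operations the device is permitted to perform


# Constructed approved binaries; in practice the console hashes the real images.
APPROVED_BINARIES = {
    "/opt/ics/plc-agent": b"constructed plc-agent binary v2",
    "/opt/ics/historian-client": b"constructed historian client v1",
}

POLICY = DevicePolicy(
    allowed_apps={path: sha256_hex(blob) for path, blob in APPROVED_BINARIES.items()},
    allowed_peers={("historian.plant.example", 4840), ("gateway.plant.example", 8883)},
    allowed_functions={"read_sensors", "report_telemetry"},
)


def check_execution(policy: DevicePolicy, path: str, binary: bytes) -> Tuple[bool, str]:
    """Allow a launch only if the path is whitelisted and the binary still matches."""
    expected = policy.allowed_apps.get(path)
    if expected is None:
        return False, f"deny exec {path}: not on whitelist"
    if sha256_hex(binary) != expected:
        return False, f"deny exec {path}: hash mismatch, binary modified"
    return True, f"allow exec {path}"


def check_connection(policy: DevicePolicy, host: str, port: int) -> Tuple[bool, str]:
    if (host, port) in policy.allowed_peers:
        return True, f"allow connect {host}:{port}"
    return False, f"deny connect {host}:{port}: peer not whitelisted"


def check_function(policy: DevicePolicy, name: str) -> Tuple[bool, str]:
    if name in policy.allowed_functions:
        return True, f"allow function {name}"
    return False, f"deny function {name}: not permitted by policy"


def evaluate_events(policy: DevicePolicy, events: List[dict]) -> List[Tuple[bool, str]]:
    """Apply the policy to a batch of device events (constructed dicts)."""
    decisions = []
    for ev in events:
        if ev["kind"] == "exec":
            decisions.append(check_execution(policy, ev["path"], ev["binary"]))
        elif ev["kind"] == "connect":
            decisions.append(check_connection(policy, ev["host"], ev["port"]))
        elif ev["kind"] == "function":
            decisions.append(check_function(policy, ev["name"]))
        else:
            decisions.append((False, f"deny unknown event kind {ev['kind']!r}"))
    return decisions


if __name__ == "__main__":
    sample = [
        {"kind": "exec", "path": "/opt/ics/plc-agent", "binary": APPROVED_BINARIES["/opt/ics/plc-agent"]},
        {"kind": "exec", "path": "/opt/ics/plc-agent", "binary": b"constructed modified binary"},
        {"kind": "connect", "host": "historian.plant.example", "port": 4840},
        {"kind": "connect", "host": "unknown.example", "port": 80},
        {"kind": "function", "name": "firmware_write"},
    ]
    for allowed, reason in evaluate_events(POLICY, sample):
        print("ALLOW" if allowed else "DENY ", reason)
```

Denied decisions are the interesting output: each one is a candidate event for the SIEM, since a whitelisted path with a mismatched hash or an unexpected peer is exactly the kind of deviation a behavioural baseline will not otherwise see.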
A company’s enterprise management console should be tightly integrated with its security information and event management (SIEM) solution and other security modules. A word of caution here: levels of integration differ considerably between vendors and security management components. A higher level of integration can greatly reduce complexity, accelerate accurate situational awareness, and reduce management time and expense. In addition, scalability becomes a critical capability for SIEMs and enterprise management consoles.
SIEM solutions gather, consolidate, correlate, assess, and prioritize security events from all of the managed devices that touch an industrial automation system. The SIEM combines situational and contextual awareness of all events through a process of baseline trending, anomaly detection, and alerting. Behavioral capabilities help differentiate between normal and abnormal operational patterns and refine policies to minimize false positive alerts and responses. SIEM data is also essential for conducting forensics to gain greater insight into a security incident or device failure.
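The baseline-trending and anomaly-detection step described above, as an added example that is not code from the original article or from any SIEM product: hourly event counts per device and event type are computed from a baseline window, and a later window is flagged wherever a count exceeds the baseline mean by more than a multiple of its standard deviation. The log format, gateway name and every log line are constructed; the floor parameter is a design choice noted in the code, not a standard setting.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed syslog-like format: "<timestamp> <device> <event> [details]".
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (?P<dev>\S+) (?P<event>\w+)(?: .*)?$"
)

# Constructed baseline: three quiet hours on gateway gw01.
BASELINE_LOGS = """\
2016-03-01T00:05:10 gw01 auth_ok user=operator src=10.0.1.10
2016-03-01T00:20:41 gw01 setpoint_write tag=reactor1.temp value=71.0
2016-03-01T00:48:03 gw01 auth_ok user=operator src=10.0.1.10
2016-03-01T01:02:55 gw01 auth_ok user=operator src=10.0.1.10
2016-03-01T01:30:12 gw01 setpoint_write tag=reactor1.temp value=71.5
2016-03-01T01:51:47 gw01 auth_ok user=operator src=10.0.1.11
2016-03-01T02:07:19 gw01 auth_ok user=operator src=10.0.1.10
2016-03-01T02:22:38 gw01 setpoint_write tag=reactor1.temp value=71.2
2016-03-01T02:44:09 gw01 auth_ok user=operator src=10.0.1.10
""".splitlines()

# Constructed later hour: a burst of failed logins followed by many setpoint writes.
WINDOW_LOGS = """\
2016-03-01T04:01:02 gw01 auth_fail user=admin src=198.51.100.7
2016-03-01T04:01:05 gw01 auth_fail user=admin src=198.51.100.7
2016-03-01T04:01:09 gw01 auth_fail user=root src=198.51.100.7
2016-03-01T04:01:12 gw01 auth_fail user=operator src=198.51.100.7
2016-03-01T04:01:16 gw01 auth_fail user=operator src=198.51.100.7
2016-03-01T04:01:20 gw01 auth_fail user=operator src=198.51.100.7
2016-03-01T04:03:00 gw01 auth_ok user=operator src=198.51.100.7
2016-03-01T04:03:30 gw01 setpoint_write tag=reactor1.temp value=74.0
2016-03-01T04:03:35 gw01 setpoint_write tag=reactor1.temp value=77.0
2016-03-01T04:03:40 gw01 setpoint_write tag=reactor1.temp value=80.0
2016-03-01T04:03:45 gw01 setpoint_write tag=reactor1.temp value=83.0
2016-03-01T04:03:50 gw01 setpoint_write tag=reactor1.temp value=86.0
2016-03-01T04:40:00 gw01 auth_ok user=operator src=10.0.1.10
""".splitlines()

Key = Tuple[str, str]  # (device, event)


def parse(line: str) -> Optional[Tuple[str, str, str]]:
    m = LINE_RE.match(line)
    return (m.group("hour"), m.group("dev"), m.group("event")) if m else None


def hourly_counts(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count events per (device, event, hour); unparseable lines are skipped."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed:
            hour, dev, event = parsed
            counts[(dev, event, hour)] += 1
    return counts


def build_baseline(lines: List[str]) -> Dict[Key, Tuple[float, float]]:
    """Mean and population stdev of hourly counts per (device, event) over the
    hours present in the baseline; hours with no such event count as zero."""
    counts = hourly_counts(lines)
    hours = sorted({h for (_d, _e, h) in counts})
    baseline: Dict[Key, Tuple[float, float]] = {}
    for dev, event in {(d, e) for (d, e, _h) in counts}:
        series = [counts.get((dev, event, h), 0) for h in hours]
        baseline[(dev, event)] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def detect_anomalies(baseline, lines: List[str], k: float = 3.0, floor: float = 2.0):
    """Flag (hour, device, event, count, threshold) where count > mean + k*stdev.
    `floor` keeps a perfectly flat baseline (stdev 0) or an event never seen
    before from alerting on a single extra occurrence."""
    alerts = []
    for (dev, event, hour), n in sorted(hourly_counts(lines).items()):
        mean, sd = baseline.get((dev, event), (0.0, 0.0))
        threshold = mean + max(k * sd, floor)
        if n > threshold:
            alerts.append((hour, dev, event, n, round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_LOGS), WINDOW_LOGS):
        print("ALERT", alert)
```

Tuning `k` and `floor` is the "refine policies to minimize false positives" loop the article mentions: a flat baseline with stdev 0 would otherwise alert on any single extra event, which is why the floor exists.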
Given the distributed, interconnected nature of today’s industrial automation systems, achieving end-to-end security must be a multivendor effort. To address this challenge, industry collaboration is underway, as manufacturing and critical infrastructure original equipment manufacturers (OEMs) are actively forming consortia with enterprise security vendors to ensure interoperability, set open standards, and define application programming interfaces. New systems and industrial control devices are being built secure from the ground up and designed with security technologies that ensure backward and forward compatibility.
No two businesses are the same—each has unique security infrastructures, operational technologies, and processes. Some have made considerable progress in creating converged IT/OT security solutions, while others are in the early stages. Regardless of where an organization resides on this continuum, here are some general guidelines to keep in mind.
Moving forward, consider how to use these core concepts to build higher levels of embedded security, secure communications, and manageability into industrial automation systems. After all, these days, no one can be too secure.
A hostile takeover through data manipulation: a hypothetical example
It is a tough world out there. Unscrupulous players will use any means to improve their own prospects by harming competitors—including hacking, industrial espionage, and sabotage. Consider this theoretical example: a major chemical conglomerate wants to take over a competitor who has no desire to be bought out.
By hacking the competitor’s production systems, manipulating inventory orders, or slightly altering material specifications, it could negatively affect product quality. This lowers customer satisfaction, reducing sales and driving down profitability, likely without ever being detected. The resulting shareholder dissatisfaction could create an acquisition opportunity and a favorable purchase price. Industrial automation systems are particularly vulnerable to this attack trend because many of these systems are now Internet-connected without adequate protection.
And, given the prevalence of automated systems, many daily decisions are made by machine-to-machine interactions, making them difficult to trace without proper security considerations. Although cyberwarfare is clearly a morally bankrupt business decision, it is hard to debate its economic value.
About the Author
Sven Schrecker is the chief architect of Intel Security’s IoT Security Solutions Group. He co-chairs the Security Working Group for the Industrial Internet Consortium, where he works on open, standards-based platforms to enable end-to-end security across both existing (brownfield) and new (greenfield) technologies.
A version of this article also was published at InTech magazine.