Effective industrial cybersecurity protection improves the resilience of industries, defends investments in automation and control systems and becomes an asset to manage industrial systems, risks and business continuity, a range of industrial cybersecurity specialists explain.
The increased connectedness of industrial systems and equipment is helping to improve efficiency, utilisation and maintenance, but also increases their vulnerability to cyberattacks, as the growing attacks on industrial systems highlight, says Check Point South Africa security engineer Justin Berman.
Effectively defending industrial systems requires detailed knowledge of the systems, their functions and patterns of communication within the broader industrial network. Many different industrial communication protocols and generations of equipment and equipment firmware add to the complexity of defending industrial networks, he explains.
Older industrial systems are often more difficult to defend: they were historically isolated from outside connections and so typically have less cybersecurity built into the equipment, often run older and/or unpatched software, and frequently do not have the protection measures they do have activated. Vulnerable software is the most significant vulnerability of industrial networks, says Berman.
Most modern industrial automation systems, such as human-machine interfaces (HMIs), supervisory control and data acquisition (Scada) servers, open platform communications (OPC) servers, historians, and operator or engineer workstations, are built using off-the-shelf, multipurpose hardware and operating systems, such as Windows and Linux, says global cybersecurity company Kaspersky Lab Critical Infrastructure Defence Department head Evgeny Goncharov.
Even the devices used for control over processes, such as programmable logic controllers (PLCs) and remote terminal units (RTUs), are mostly built on operating systems that, albeit not commonly used, remain multipurpose, which increases their susceptibility to vulnerabilities present in other widely used or commercial hardware and systems.
“Restricting these devices to increase their security is achieved by limiting software capabilities. However, the software remains capable of extra or unnecessary functionality, is not always properly configured and retains multiple vulnerabilities. Malicious actors might not even need to hack the actual device because the architecture of the system and the implementation of the network communication protocols are such that they can use legitimate features of the software to disrupt or stop industrial processes,” he explains.
Targets of Infection
The manufacturing and energy sectors are the industrial sectors most targeted by cyberattacks. However, water, sewage, transportation, oil and gas and other critical industries are also common targets and the rate of industrial cyberattacks grows by about 20% a year, explains Berman.
The impact of attacks against and disruptions to these critical systems is typically significant and severe, and, therefore, defending these systems is often a matter of national security.
Spear phishing (targeting key personnel within industrial organisations), email phishing, software vulnerabilities, removable media and attacks on remote technician machines are some of the most common vectors of attack.
There are two main targets for industrial malware: files and processes used by personnel in industrial control systems (ICSs) and Scada systems, and software used to provide remote access to an industrial facility, says Goncharov.
The main purpose of these attacks is to gain access to legitimate Scada machines (operator workstations or HMIs and engineering workstations) and use legitimate Scada software to illegally control physical devices, either by sending legitimate but disruptive control commands to PLCs/RTUs or by preventing operators and engineers from restoring control over the facility's PLCs/RTUs, thereby increasing the impact of a breach.
“An example is when BlackEnergy 2 hit the Ukrainian power grid in December 2015,” says Goncharov.
“Probably even worse is the fact that ICS, which is built with the same components used in common information technology (IT) systems, can be susceptible to malware that targets popular IT systems. Multiple attacks and malware outbreaks like the latest WannaCry and ExPetr cases have proven this.”
“Recording the precise patterns of communications, the protocols used, the values communicated and the command interactions for all industrial equipment and systems provides a detailed baseline with which to design the architecture and microsegmentation of a secure industrial network,” says Berman.
Microsegmentation involves creating separate security layers for equipment controls and PLCs, for the HMI layer and then for the Scada historian servers. Data encryption, read/write permissions, industrial network gateways and other cybersecurity elements are commonly used to manage and protect the data and systems. The network should be broken up based on industrial functions, and the traffic and controls for the different functions should be managed and secured separately, he says.
Once the baseline architecture is completed, managing additional uses, such as remote access and control, and additional risks, such as remote technicians, becomes simpler and more effective.
However, identifying key risks – including the potential health and safety risks from hacked hazardous or dangerous equipment or processes and business disruption risks – remains the most effective way to identify the most important systems to protect, says multinational enterprise risk management firm Cura South Africa sales and operations regional director Alex Roberts.
A risk-based business continuity plan provides the necessary detail of risk severity and threat to inform strategic business decisions and cyberdefence measures and priorities, and highlights additional vulnerabilities or risks, such as the risks posed by or to suppliers, service providers or clients.
Further, a business continuity plan becomes an asset because industrial companies can use it to determine how best to prepare for and react to an attack or disruption (including triggering physical alarms if dangerous processes are at risk or have been hacked), how quickly the most critical systems must be restored, how best to secure against or recover from disruption and how resilient the organisation is to disruptions, he explains.
Operational technology (OT) and IT cybersecurity best practices are merging and require the input of IT security specialists and the engineers working with the industrial equipment and systems, says digital security and encryption multinational Gemalto Africa regional sales manager Neil Cosser.
Combined input from IT and OT specialists provides a fine-grained view of the communications and the context needed to define ICS permissions and authorisations, so that effective access control can be established and enforced. This helps to improve security, limit the scope of impact of a breach and manage internal and external vulnerabilities, whether to malware or malicious actors.
Encrypted industrial data, effective data management and industrial cybersecurity enable companies to leverage industrial Internet of Things systems for real-time reporting, analytics, monitoring and control, improving operational efficiency and the management of equipment, service level agreements, software versions and vulnerabilities, he says.
Further, encrypted industrial data is not exposed even if lost and effective data management becomes an asset for companies, as they can effectively determine business risks and subsequently take strategic risks to seize business opportunities and disrupt markets, says Roberts.
Encryption presents a key way in which industrial companies should defend their operations, not only from disruption, but also from exposure of data that serves as a competitive advantage, for example the geological survey data of mines, which is an example of high-value industrial data, says Cosser.
Recovery and Continuity
Disaster recovery and availability systems can help to mitigate an emerging threat and ensure rapid recovery of operational capabilities. This can reduce the associated downtime, but also indicates that an organisation is confident and has tested its disaster recovery processes and can ensure the safety, security and continuity of the business, highlights IT availability multinational Veeam technical product marketing director Rick Vanover.
“Many industries are dependent on technology and industrial technology has to be resilient and available before even taking into account ransomware and cyberthreats. Another practical tip for industries is to use some form of offline storage, and this air gap is a good defence in the current threat landscape,” he says.
Further, while newer industrial systems have fewer known vulnerabilities and exploits, they can still have zero-day vulnerabilities, that is, newly discovered vulnerabilities that are not yet publicly known and for which no patch is available.
Behavioural analysis components of industrial endpoint protection solutions should be used, if available. This would help to protect against widespread malware outbreaks and ransomware attacks, says Goncharov.
“To protect against more sophisticated attacks, such as advanced persistent threats and internal fraud that target technological processes, equipment and physical assets, industries should be able to perform behavioural analysis of malware or malicious actors. Industries will need to monitor network connections, communications and commands being sent to PLCs and RTUs to detect all the attempts to harm or manipulate the technological processes,” he advises.
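The baseline-and-microsegmentation approach Berman describes and the monitoring of commands sent to PLCs and RTUs that Goncharov calls for can be combined in a single check: learn which hosts talk to which controllers, with which protocol and which operations, during a trusted window, then flag any flow that crosses a zone boundary the segmentation policy forbids or that uses an operation never seen before from that host. The following is an added example written for this page, not code from the article, Check Point or Kaspersky Lab. The zones, addresses, hostnames, the allow-list policy and the flow records are all constructed assumptions, and the record format (timestamp, source, destination, protocol, operation) is a simplification of what a real ICS monitoring tool would export:

```python
"""Added example (not from the article or any vendor): a segmentation policy
check plus a learned communication baseline, run over constructed flow records.

Zones follow the layering in the text: control (PLC/RTU), hmi (operator and
engineering workstations), historian. All addresses, hostnames and log lines
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard Modbus function codes that change process state (coil/register writes).
MODBUS_WRITE = {5, 6, 15, 16}

# Constructed asset inventory: address -> (hostname, zone).
ASSETS = {
    "10.10.1.11": ("plc-boiler-1", "control"),
    "10.10.1.12": ("rtu-pump-2", "control"),
    "10.10.2.21": ("hmi-op-1", "hmi"),
    "10.10.2.22": ("eng-ws-1", "hmi"),
    "10.10.3.31": ("historian-1", "historian"),
}

# Segmentation policy: (src_zone, dst_zone, protocol) triples that may talk at all.
# Everything else, including traffic from unknown hosts, is denied by default.
POLICY = {
    ("hmi", "control", "modbus"),
    ("historian", "hmi", "opcua"),
}

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    op: str  # Modbus function code, or an OPC UA operation name

def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<ts> <src> <dst> <proto> <op>'."""
    ts, src, dst, proto, op = line.split()
    return Flow(ts, src, dst, proto, op)

def name_of(ip: str) -> str:
    return ASSETS.get(ip, (ip, "unknown"))[0]

def zone_of(ip: str) -> str:
    return ASSETS.get(ip, (ip, "unknown"))[1]

def policy_allows(flow: Flow) -> bool:
    return (zone_of(flow.src), zone_of(flow.dst), flow.proto) in POLICY

def is_write(flow: Flow) -> bool:
    return flow.proto == "modbus" and flow.op.isdigit() and int(flow.op) in MODBUS_WRITE

def learn_baseline(lines):
    """Record which operations each (src, dst, proto) pair used during a
    trusted learning window. Policy violations are never learned as normal."""
    baseline = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if policy_allows(f):
            baseline[(f.src, f.dst, f.proto)].add(f.op)
    return baseline

def check_flows(lines, baseline):
    """Flag flows that cross a zone boundary the policy forbids, or that use an
    operation the pair never used before. A never-seen write to a PLC/RTU is the
    'legitimate command, disruptive effect' case and is rated high."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if not policy_allows(f):
            findings.append({"flow": f, "severity": "high",
                             "reason": f"segmentation violation: {zone_of(f.src)} -> "
                                       f"{zone_of(f.dst)} over {f.proto}"})
        elif f.op not in baseline.get((f.src, f.dst, f.proto), set()):
            kind = "write" if is_write(f) else "operation"
            findings.append({"flow": f, "severity": "high" if is_write(f) else "medium",
                             "reason": f"unseen {kind} {f.op} from {name_of(f.src)} "
                                       f"to {name_of(f.dst)}"})
    return findings

# Constructed learning-window records: HMI reads, engineering workstation reads
# and writes, historian pulls from the HMI over OPC UA.
BASELINE_LOG = """\
2017-06-01T08:00:00 10.10.2.21 10.10.1.11 modbus 3
2017-06-01T08:00:01 10.10.2.21 10.10.1.12 modbus 3
2017-06-01T08:00:02 10.10.2.22 10.10.1.11 modbus 3
2017-06-01T08:00:03 10.10.2.22 10.10.1.11 modbus 16
2017-06-01T08:00:04 10.10.3.31 10.10.2.21 opcua read
""".splitlines()

# Constructed monitoring records; the second line is an HMI that has only ever
# read now writing registers to the boiler PLC.
MONITOR_LOG = """\
2017-06-02T09:00:00 10.10.2.21 10.10.1.11 modbus 3
2017-06-02T09:00:01 10.10.2.21 10.10.1.11 modbus 16
2017-06-02T09:00:02 10.10.3.31 10.10.1.11 modbus 3
2017-06-02T09:00:03 10.10.9.9 10.10.1.11 modbus 3
2017-06-02T09:00:04 10.10.2.22 10.10.1.11 modbus 16
2017-06-02T09:00:05 10.10.2.22 10.10.1.12 modbus 3
""".splitlines()

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for finding in check_flows(MONITOR_LOG, baseline):
        f = finding["flow"]
        print(f"{f.ts} [{finding['severity']}] {finding['reason']}")
```

Run against the constructed records, the check raises four findings: the HMI's first-ever register write to the boiler PLC (high), the historian and an unknown host reaching a controller directly (both segmentation violations, high), and the engineering workstation's first read of the pump RTU (medium). The engineering workstation's write is not flagged because it was part of the learning window, which is also the weak point of any baseline: a learning window captured while an attacker is already present teaches the monitor to accept their traffic, so the window must be reviewed by the engineers who know which hosts are supposed to write to which controllers.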
The number of attacks is growing, which means that industrial systems will be more exposed to attacks and that cybercriminals (as well as other malicious actors) are switching their efforts to attack industrial companies, notes Goncharov.
“We see this trend continuing. Many industrial companies will need to make significant investments in ICS cybersecurity measures and cybersecurity companies will pay more attention to the ICS security market. However, this should drive the growth of the relatively new discipline and expertise of cyber-physical security,” he concludes.