Battening down the hatches

Protecting industrial control systems and communication networks

Since the discovery of Stuxnet[1] in 2010, cyber security has been high on the agenda of operators of industrial facilities around the world. In the following article, Beat Kreuter of DEKRA explains some of the risks associated with cyber-attacks as well as the recent development of standards aimed at protecting against them.

For years, industrial controls were not designed with security in mind, since industrial communication networks were largely closed systems. Increasingly, though, industrial networks are connected to networks with Internet access to facilitate remote control and real-time monitoring (e.g. the smart grid). This trend is only set to increase with the emergence of the Internet of Things and cyber-physical systems in process and factory automation (smart factories). The SHINE project,[2] which ran from April 2012 until January 2014, found over two million industrial control system (ICS) devices accessible via the Internet. Sixty-three per cent of these were found in the top industrial nations: the United States (US), Germany, China, Korea and the United Kingdom.

Cyber security and protection against cyber-attacks is not a new topic. Securing confidential and sensitive information is routine for Internet-based services such as banking and online shopping, for the general office environment and for personal computing. The priorities for these systems are keeping information confidential, maintaining the integrity of information and systems, and ensuring the availability of resources. Computers and servers can be, and regularly are, updated with antivirus signatures and operating system patches to close newly discovered vulnerabilities.

Industrial control systems cannot be updated as easily as regular information technology (IT) systems, because of their high availability requirements and because the operating software or firmware is embedded. In addition, the life cycles of ICSs span 20 years or more. For such systems availability is the highest priority: a targeted denial-of-service (DoS) attack, for example, must not cause an ICS to crash because its resources are overloaded and it can no longer respond to process events. The potential consequences of such an event include damage to equipment and financial losses, and lives could be endangered. These kinds of cyber-attacks typically arrive via the Ethernet port (TCP/IP), wireless interfaces, USB ports and other accessible external ports.

Cyber security regulations

Governments around the world are aware of the increasing need to protect critical infrastructure, such as the food supply chain, the energy sector and the health sector, all of which depend on ICSs, against cyber threats.

In the US, Presidential Executive Order 13636 of February 2013 called for the development of a risk-based set of industry standards and best practices to help organisations manage cyber security risks. The European Union (EU) is in the process of adopting a Network and Information Security (NIS) Directive requiring market operators to detect and manage risks to the security of the networks and information systems essential for the continuity of their core services. Various countries in the Middle East have already published national ICS cyber security standards to protect their critical infrastructure.

International standards for cyber security

As early as 2002, the International Society of Automation (ISA) started work on security standards for industrial automation and control systems. The work of its Industrial Automation and Control Systems Security Committee (ISA99) has been adopted by, and is aligned with, the International Electrotechnical Commission's (IEC's) 62443 series of standards. This series is to date the most comprehensive set of security standards for the manufacturing, process and automation industries. It covers general policies and procedures, system engineering and component/device requirements, addressed to asset owners/operators, integrators and manufacturers of industrial control devices and systems, with the aim of minimising exposure to cyber risk. The IEC 62443 series builds on proven and available general-purpose IT security standards, such as the ISO/IEC 27000 series, while identifying and addressing the differences present in ICSs.

Foundational security requirements

The standards set requirements, graded by target security level, for seven foundational requirements: 1) identification and authentication control; 2) use control; 3) system integrity; 4) data confidentiality; 5) restricted data flow; 6) timely response to events; and 7) resource availability. Security levels are numbered from zero to four. Level four is the highest and provides protection against attackers using sophisticated means and extended resources (e.g. state-sponsored attacks); level zero indicates that no specific protection requirements are defined. The standard distinguishes the target security level (SL-T) that a zone of the plant is required to reach from the capability security level (SL-C) that a device or system can provide. Industrial control devices with a capability security level of four employ sophisticated means to prevent intrusion and are capable of withstanding sophisticated DoS attacks.
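IEC 62443-3-3 writes the seven levels as a vector, one per foundational requirement, e.g. {2 2 3 1 2 2 3}. The following script is an added illustration, not part of the original article or of the standard: it parses such vectors, compares a zone's target vector (SL-T) against the capability vectors (SL-C) of the components placed in it, and lists every foundational requirement where a component falls short. The gap rule used here (a component must reach SL-C at or above SL-T on every requirement) is a simplification; the standard also allows compensating countermeasures at zone level, which this example omits. The device names and vectors are constructed sample data.

```python
"""Security-level vector gap check in the style of IEC 62443-3-3.

Added illustration. The foundational-requirement abbreviations and the
SL vector notation follow IEC 62443-3-3; the "SL-C >= SL-T per FR" rule
is a simplification of the standard's assessment and ignores
compensating countermeasures.
"""

FRS = (
    "IAC",  # FR1 identification and authentication control
    "UC",   # FR2 use control
    "SI",   # FR3 system integrity
    "DC",   # FR4 data confidentiality
    "RDF",  # FR5 restricted data flow
    "TRE",  # FR6 timely response to events
    "RA",   # FR7 resource availability
)

# Attacker profile each level is meant to resist (paraphrased from 62443-3-3).
SL_MEANING = {
    0: "no specific requirements",
    1: "casual or coincidental violation",
    2: "intentional violation, simple means, low resources",
    3: "intentional violation, sophisticated means, moderate resources",
    4: "intentional violation, sophisticated means, extended resources",
}


def parse_sl_vector(text):
    """Parse the brace notation "{2 2 3 1 2 2 3}" into a dict FR -> level."""
    values = [int(v) for v in text.strip().strip("{}").replace(",", " ").split()]
    if len(values) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(values)}")
    for v in values:
        if not 0 <= v <= 4:
            raise ValueError(f"security level {v} out of range 0..4")
    return dict(zip(FRS, values))


def shortfalls(target, capability):
    """FRs on which the component's SL-C is below the zone's SL-T."""
    return {fr: (target[fr], capability[fr]) for fr in FRS
            if capability[fr] < target[fr]}


def assess_zone(target_text, components):
    """components: mapping name -> SL-C vector text.

    Returns (ok, report) where report maps each component to its shortfall
    dict; ok is True only when no component has a shortfall.
    """
    target = parse_sl_vector(target_text)
    report = {name: shortfalls(target, parse_sl_vector(sl_c))
              for name, sl_c in components.items()}
    ok = all(not gaps for gaps in report.values())
    return ok, report


if __name__ == "__main__":
    # Constructed sample: a process-control zone that must resist a moderately
    # resourced attacker on integrity (SI) and availability (RA).
    ZONE_SL_T = "{2 2 3 1 2 2 3}"
    COMPONENTS = {
        "plc-01": "{2 2 3 1 2 2 4}",   # RA=4: built to withstand sophisticated DoS
        "hmi-01": "{2 2 2 1 2 2 1}",   # legacy panel PC, weak on SI and RA
        "fw-01": "{3 3 3 2 3 3 3}",
    }
    ok, report = assess_zone(ZONE_SL_T, COMPONENTS)
    for name, gaps in report.items():
        if not gaps:
            print(f"{name}: meets target")
            continue
        for fr, (t, c) in gaps.items():
            print(f"{name}: {fr} SL-T {t} > SL-C {c} "
                  f"(zone must resist: {SL_MEANING[t]})")
    print("zone OK" if ok else
          "zone does not reach SL-T without compensating countermeasures")
```

Running it reports that the sample HMI is the weak point on system integrity and resource availability, which is exactly the situation in which an asset owner either replaces the device, isolates it in a lower-target zone, or documents compensating countermeasures.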

Testing and certification for cyber security

The IEC Conformity Assessment Board (IEC CAB) formed Working Group 17 on cyber security in August 2014 to evaluate the need for a global conformity assessment programme based on the IEC 62443 standards. As a result, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE), which operates the Certification Body (CB) Scheme, is developing a globally accepted testing and certification scheme for the cyber security of industrial control systems and devices based on IEC 62443. At present 60 countries participate in the IECEE scheme, which covers over 16 product categories, including industrial automation and control systems. The cyber security assessment scheme is expected to be operational by the end of 2015. It will cover devices such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), network routers, firewalls and other devices connected to industrial networks.

In addition it will be possible to assess and certify entire industrial control systems against IEC 62443. In this way asset owners can demonstrate to regulators compliance with, for example, the upcoming EU NIS Directive or US Executive Order 13636.

Insurers may accept an IECEE certificate as proof that operators have taken precautions against cyber risks based on IEC 62443. The IECEE scheme will also allow certification of system integrators against IEC 62443, confirming that they possess the capabilities to engineer industrial control systems with appropriate levels of protection against identified cyber threats.

DEKRA is one of the world’s leading expert organisations and currently runs activities in more than 50 countries on all five continents. About 35,000 employees are committed to ensuring long-term safety, quality and environmental protection. The DEKRA Business Units Automotive, Industrial and Personnel provide professional and innovative services in the fields of vehicle inspection, expertise, claims services, system certification, product testing and certification, industrial and construction inspection, consulting, qualification and temporary work.

[1] A computer worm designed to attack industrial programmable logic controllers (PLCs).

[2] SHINE (SHodan INtelligence Extraction) by Bob Radvanovsky and Jake Brodsky