Industrial Cybersecurity Pulse - Six answers on industrial cybersecurity effectiveness

While industrial cybersecurity is brought up more frequently, it doesn’t very often refer to infrastructure or industrial automation control systems security. Is the trend changing? Where and how should cybersecurity be addressed for operational technology (OT) applications?

1. How is cybersecurity for industrial automation?

The interest in a subject like industrial cybersecurity, or OT cybersecurity, is growing among manufacturing companies globally. The reference to information technology (IT) cybersecurity is evident – think about crypto-currencies and big players such as Google and Facebook. However, it is interesting to see increasing references to the OT field (for example, see the European NIS Directive or the Russian FSTEC legislation). In the IT environment, problems are mainly related to data confidentiality. For automation, a lack of cybersecurity seriously impacts the availability of production plants.

2. Who should address OT cybersecurity risk and protection?

There is a lot of confusion. Everyone talks about cybersecurity, but only a few solutions address automation systems. It is often erroneously thought the OT problem should be handled by the IT department, but actually, the two environments differ in approaches. Consider the example of the plant operator who must activate an emergency procedure, while the PC screen is locked, waiting for a multi-factor authentication (MFA) code. In that simple example, cybersecurity impacts safety. It is therefore necessary to ask first who can access the area and how to deal with it. OT cybersecurity cannot bypass the deep knowledge required for automation. This is why many companies are internalizing a dedicated OT security division.

3. What are the most effective OT security solutions available?

The world reference standard is ISA/IEC 62443, which defines the approach to the problem. This standard was created by a research group at ISA (International Society of Automation), later developed by IEC (International Electrotechnical Commission). The regulatory framework is still under review, but defense-in-depth approach of IEC 62443 series of automation and control systems cybersecurity standards is the most well-known and globally recognized cybersecurity standards in the OT field. And so, starting from a risk assessment, IEC 62443 aims at developing a cybersecurity management system (CSMS), which is a system of cybersecurity procedures, that includes the security policies and responsibilities related to OT security, such as access or patch management.

4. How can a manufacturing company take over an OT cyber issue?

IEC 62443 approach is systematic: clear processes lead to concrete results. It would not make sense to assess a system without having an upstream strategy. The starting point is defined by IEC as business rationale. Use the rationale as a tool to determine the potential critical issues on the OT systems that impact the company such as a stop to production or product contamination. Through business rationale one can quantify the seriousness of cyber-attack consequences.

It is also useful to conduct a high-level risk assessment (HLRA), which is necessary to segment the network infrastructure and estimate what would happen if a cyber attack were successful. In relation to the seriousness parameters defined in the previous phase, the HLRA helps companies save resources by isolating single areas and performing an in-depth analysis on potential vulnerabilities. HLRA is followed by the low-level risk assessment (LLRA), also called detailed analysis, where, with the help of software for the detection of network information (architecture, software, protocols and existing vulnerabilities), one can perform a network scan and a vulnerability analysis.

5. On a technical side, what are the most concrete OT security best practices for automation?

Start with segmentation, which means only traffic that is strictly necessary must circulate at layer 6 and 5 (the lowest level segment containing components and PLCs). If it’s not segmented with the help of a firewall or OPC UA (OPC Foundation Unified Architecture) protocols, network traffic may reach the most remote corners of a production plant. For this reason, network mapping must be always updated and always clear. Finally, many devices on the market can help with cybersecurity, including managed switches, next-generation Wi-Fi access points, anomaly detection software, VPN servers and the cloud.

6. When is it possible “to be safe” from an industrial cybersecurity point of view?

Never. No installation is ever safe from cybersecurity risk. Put in these terms it may sound shocking, but the point is a good dose of maintenance activities need to be carried out continuously to maintain a secure infrastructure over time. Only through periodical audits, through the repetition of further vulnerability analyzes, and thanks to the constant personnel training, is it possible to ensure OT protection will last over time.

Massimiliano Latini, research and special projects director and ICS cybersecurity manager at H-ON Consulting. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.