Cybersecurity: a precondition for industrial digitalization
While worldwide trends are pointing to industrial digitalization and Industry 4.0 processes, aimed at higher productivity, industrial cybersecurity experts struggle with how to protect the cyber-safe operation of modernized plants. All experts are aware of the consequences caused by insecure design, negligent maintenance, sensor manipulation or cyberattacks on manufacturing plants.
As there is no single method—no silver bullet—that absolutely protects production plants, no matter how advanced or expensive, cybersecurity experts must work harder to minimize the risks, while process experts must increase the productivity and profitability.
The digitalization of production lines and processes requires deployment of Industrial Internet of Things (IIoT) devices and instruments. These devices increase the cyberattack surface and the overall cyberattack risk, which might cause operation outage and damage to machinery. Engineers and decision makers need to deploy stronger cybersecurity in their plants.
Asset and inventory monitoring
Industrial processes are conducted by interconnected programmable logic controllers (PLCs) and automation servers, which are programmed to perform a predefined set of operations through communicating with sensors and actuators. To ensure cyber-safe operation of production lines, experts recommend deploying visibility analysis techniques for advanced monitoring of the installed assets.
The output of this process shows a list of connected devices, their hardware and software versions and an illustration of the data flow within the industrial zone.
While this method is effective, its integration into an existing, often legacy-type, industrial control system (ICS)/operational technology (OT) plant architecture may be a time-consuming, complex and costly effort. If your task is to protect a small-scale plant, you may consider deploying a host-based intrusion detection system (HIDS) on each computer. A larger plant might instead prefer a network-based intrusion detection system (NIDS), which requires adding a host that monitors the traffic across specific zones of the plant, collects pre-defined information and generates a comprehensive output.
Deploying cyber defense
The intrusion detection system (IDS)-based cyber-defense technology and method may protect the plant and block the known attack vectors. It's important to mention that, according to best practices for ICS/OT, you must not consider deploying an intrusion prevention system (IPS), because it might create a new, previously nonexistent risk, caused by the cyber-defense mechanism interfering with the process. Prior to selecting a specific on-premises IDS, it's important to conduct asset scanning with a third-party tool.
The output of this process is expected to display a comprehensive and meaningful dashboard, showing all vital details required for protecting your industrial plant. Among the displayed topics are:
- a list of all control devices, such as PLCs and smart sensors, connected to the control network
- a list of remotely installed IIoT appliances that are directly connected to the network
- details on each manufacturer, model number, installed firmware and IP addresses
- a graphical and tabular display of the baseline communication among these devices
- a display of data exchange between PLCs and external appliances and databases
- a list of published vulnerabilities related to installed PLCs and communication appliances
- detected alerts referencing deviation from normal level—physical value or data exfiltration.
System analysis
Prior to selecting an IDS or other cyber-defense appliance from a specific vendor, the following features and capabilities may help you reach your cybersecurity goals.
- Detecting anomalous communication within the OT network: To avoid causing a malfunction, the visibility analysis must be done with minimum intervention. Upon completion of that process, you will have baseline data obtained through the self-learning process, and this will help you detect deviations and anomalous situations within the system.
- Detecting unexpected data protocols within the OT network: Analyze error messages caused by unfamiliar IP addresses or protocol formats. A cyber-attacker might start with a reconnaissance phase by scanning your system. Since the attacker might not know which protocols are used, detecting such activity may indicate adversary action.
- Detecting anomalous process behavior within the OT network: Attackers may try harming the process by sending high-risk commands—for example, an unusual temperature increase—crafted according to what was learned earlier during the reconnaissance phase. A correctly designed ICS with a security-in-design approach in mind shall block such action.
- Detecting intention to damage machinery: To damage machinery, the attacker must send a harmful command—for example, frequently changing the rotation rate—to a specific PLC. Prior to accepting that command, the IDS operation must verify that the machinery will remain within its safe boundary after receiving such a command.
- Impact of artificial intelligence (AI) and machine learning (ML) on plant performance: The use of AI combined with ML is capable of enhancing productivity, detecting malfunctions in their early stage and improving profitability. However, these operations, combined with IIoT devices, expand the cyber-attack surface and increase the risk.
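An added example in Python (not code from the article or from any vendor's product) sketching how the baseline learning, unknown-device/protocol detection and safe-boundary checks listed above could be expressed; the addresses, protocol names, tag names and limits are constructed, and the checks only raise alerts, in line with the IDS-rather-than-IPS advice above.

```python
# Added example: minimal OT baseline learner and anomaly checker.
# All flow records, tag names and limits below are constructed sample data.

# Flows seen during the self-learning phase: (source, destination, protocol).
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", "modbus/tcp"),   # HMI -> PLC-1
    ("10.1.0.10", "10.1.0.21", "modbus/tcp"),   # HMI -> PLC-2
    ("10.1.0.20", "10.1.0.30", "s7comm"),       # PLC-1 -> historian
]

# Constructed safe boundaries per PLC tag: (min, max, max change per write).
SAFE_LIMITS = {"PLC-1.rotate_rpm": (0, 1500, 100)}


def learn_baseline(flows):
    """Build the asset inventory and the set of allowed (src, dst, proto)."""
    assets, allowed = set(), set()
    for src, dst, proto in flows:
        assets.update((src, dst))
        allowed.add((src, dst, proto))
    return assets, allowed


def check_flow(flow, assets, allowed):
    """Compare one observed flow with the baseline; return alert strings."""
    src, dst, proto = flow
    alerts = []
    if src not in assets or dst not in assets:
        alerts.append("unknown device")          # possible reconnaissance
    if (src, dst, proto) not in allowed:
        alerts.append("unbaselined communication")  # new path or protocol
    return alerts


def check_setpoint(tag, current, requested, recent_writes, max_per_minute=5):
    """Return why a setpoint write should be flagged, or None if it is safe.

    recent_writes is the list of writes to this tag in the last minute;
    the IDS alerts only, it never blocks the command itself.
    """
    lo, hi, max_step = SAFE_LIMITS[tag]
    if not lo <= requested <= hi:
        return "outside safe boundary"
    if abs(requested - current) > max_step:
        return "change too large for one command"
    if len(recent_writes) >= max_per_minute:
        return "too frequent writes"
    return None
```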
Early detection
Organizations are interested in enhancing productivity and profitability and in detecting unusual conditions and malfunctions in their earliest stages. The use of anomaly behavior detection by IDS, deployment of AI/ML and the extended use of IIoT devices are effective methods for achieving these goals.
Software updates at the PLC and HMI levels, and patches intended to modify the application program, must be done carefully. Prior to any system upgrade or patching action, the service person must verify that the modification does not generate safety risks on the plant floor. To prevent lengthy outages in case the update is not successful, service engineers must have a plan to restore the process to its original version.
Finally, the plant operation must meet the cybersecurity goals, and therefore investments in enhanced cyber defense shall be at the top of the priority list.
Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts (SCCE). He presents at industry conferences in Israel and abroad; Ehrenreich has more than 45 years of engineering experience and more than 30 years of experience with ICS/OT for electric, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security. He was reselected as the chairperson for the 7th ICS Cybersec 2021 conference, planned in Israel for November 2022. He has written an article on how to assess and address network vulnerabilities, which can be read at www.controldesign.com/networkvulnerabilities. Contact him at [email protected].