It is a very common situation in industrial enterprises that the factory and even some of its production systems have existed long before their information security has even been discussed.
For the majority of the parties responsible for the profitability of the factory, updating old systems to highly secure models – when the old systems have not yet reached the end of their life span – seems to be an unreasonably expensive investment. Another fact that does not make the transition any easier is that suppliers of automation systems are often reluctant to improve the information security of the existing systems. The reason for this is obvious: due to various interdependencies in the system, the need for change may be so immense that it would be easier to build an entirely new system.
Ensuring information security of production systems is a sum of several factors. In this joint effort, the owner of the production plant, the suppliers of the control systems and the third parties – who produce services for the production plant – each have their own important role.
Unfortunately, cybersecurity experts often find companies in a situation where information security of the production systems is nearly paralyzed, thus preventing companies from taking the necessary actions. They are naturally concerned about information security and they discuss it with their system suppliers, but when they do not get the response they expect or the price seems too high, the matter is simply ignored.
Stuxnet and the media attention it received are partly to blame. When it was found out that a national government agency had created the malware, many felt desperate and were left wondering: how can we protect ourselves from something like this? Things should, however, be put in the correct perspective. I claim that common cryptomalware has caused much more significant financial losses in production systems globally than targeted attacks such as Stuxnet.
Although the situation may seem challenging as cyber attacks are becoming more common and they are constantly evolving, there are measures that all companies can take either by themselves or with some support from their system provider to improve their information security. Below is a list of practical matters to get you started.
- Charting the current situation
This means documenting the system structure and device data. In the IT field, we call this a CMDB (Configuration Management Database) or simply a device listing. Although charting the current situation is the basis for everything else, most companies do not have a thorough equipment and software listing. Sometimes, the data is scattered across various documents that may, or may not, be up to date. For information security, however, it is very important that all of this information is stored in one place and maintained properly. It is also important that all relevant personnel in the organization know where this list is stored.
The list must include information on all equipment and software (incl. applications, operating systems and possible firmware) in an easy-to-search format (e.g., in a database). There are several tools – including open source software – designed specifically for this purpose. Depending on the scope of the environment and the number of devices, it may also be sensible to use commercial products, since they support the automatic identification of devices and software.
In addition to listing devices and software, the interdependencies between devices, systems or functions should be identified, at least on the network level. This provides you with a good idea of which services or functions affect each other. This is crucial when you are drawing up continuity plans or assessing the importance of a specific vulnerability to the production environment. This is also useful when planning network segmentation.
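As an added example (not code from the article or from Nixu), the following Python script builds the kind of searchable inventory described above in an in-memory SQLite database: one table for devices, one for the software on them and one for network-level dependencies. All asset names, versions and links are constructed for illustration. The two queries show the questions an inventory must be able to answer quickly: which assets run a given product and version, and which assets stop working if a given device is taken down or compromised.

```python
import sqlite3

# Constructed sample data for a small plant; every name, version and link below is invented.
ASSETS = [
    # (name, zone, type, operating_system, firmware, criticality)
    ("plc-line1", "cell-line1", "PLC", None, "2.4.1", "high"),
    ("hmi-line1", "cell-line1", "HMI", "Windows 7 SP1", None, "medium"),
    ("eng-ws-01", "supervisory", "engineering workstation", "Windows 10", None, "medium"),
    ("historian-01", "supervisory", "historian", "Windows Server 2016", None, "high"),
    ("report-server", "ot-dmz", "report server", "Windows Server 2019", None, "low"),
    ("fw-ot-dmz", "boundary", "firewall", "vendor firewall OS 6.1", None, "high"),
]
SOFTWARE = [
    # (asset, product, version): applications beyond the OS and firmware
    ("hmi-line1", "ScadaView", "4.2"),
    ("eng-ws-01", "ScadaView", "4.2"),
    ("eng-ws-01", "PLC Studio", "11.0"),
    ("historian-01", "ScadaView", "4.3"),
]
DEPENDENCIES = [
    # (client, server, service): the client needs the server over the network
    ("hmi-line1", "plc-line1", "modbus/tcp 502"),
    ("historian-01", "plc-line1", "modbus/tcp 502"),
    ("eng-ws-01", "plc-line1", "engineering protocol 44818"),
    ("report-server", "historian-01", "sql 1433"),
]


def build_inventory():
    """Create an in-memory SQLite inventory (a minimal CMDB) and load the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE asset(name TEXT PRIMARY KEY, zone TEXT, type TEXT,
                           os TEXT, firmware TEXT, criticality TEXT);
        CREATE TABLE software(asset TEXT REFERENCES asset(name), product TEXT, version TEXT);
        CREATE TABLE dependency(client TEXT REFERENCES asset(name),
                                server TEXT REFERENCES asset(name), service TEXT);
        """
    )
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?, ?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO software VALUES (?, ?, ?)", SOFTWARE)
    conn.executemany("INSERT INTO dependency VALUES (?, ?, ?)", DEPENDENCIES)
    return conn


def assets_running(conn, product, version=None):
    """Which assets run a given product (optionally a specific version)?
    This is the question a supplier's vulnerability bulletin turns into."""
    sql = "SELECT asset FROM software WHERE product = ?"
    params = [product]
    if version is not None:
        sql += " AND version = ?"
        params.append(version)
    return sorted(row[0] for row in conn.execute(sql, params))


def dependents_of(conn, asset):
    """All assets that directly or transitively need `asset` over the network,
    i.e. what stops working if `asset` is taken down for patching or fails."""
    seen, frontier = set(), [asset]
    while frontier:
        current = frontier.pop()
        rows = conn.execute("SELECT client FROM dependency WHERE server = ?", (current,))
        for (client,) in rows:
            if client not in seen:
                seen.add(client)
                frontier.append(client)
    return sorted(seen)


def boundary_assets(conn):
    """Assets in the boundary zone: the natural starting point when a full review is too much."""
    return sorted(r[0] for r in conn.execute("SELECT name FROM asset WHERE zone = 'boundary'"))


if __name__ == "__main__":
    db = build_inventory()
    print("ScadaView 4.2 installed on:", assets_running(db, "ScadaView", "4.2"))
    print("Depends on plc-line1:", dependents_of(db, "plc-line1"))
    print("Boundary devices:", boundary_assets(db))
```

The dependency walk is transitive on purpose: the report server never talks to the PLC, but it still appears in the list of assets affected by a PLC outage because it reads from the historian, which does. That is the information a continuity plan or a segmentation design needs.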
- Segmentation of the production network
Segmentation means dividing the network into smaller sections and limiting data traffic between network segments. Segmentation aims at limiting, for example, the spread of malware in the network. At the same time, it clarifies the maintenance tasks by excluding unnecessary data traffic from the network. Guidelines for segmentation of a production network are available, for example, in the ISA/IEC 62443 standard, the ISF Framework or the SANS publications.
Direct remote connections to the production networks should be removed, or at least monitored. It is recommended that all connections to the production systems are routed via the production plant owner’s network, since the owner can monitor and maintain the information security of this network.
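Added example, not part of the article: a small Python check that expresses the segmentation rules from the two paragraphs above as data and tests a list of observed or planned flows against them. The zone names, the approved zone-to-zone paths and the sample flows are all constructed assumptions. The check flags two things the text asks for: any cross-zone traffic that does not follow an approved path, and any connection from outside the plant that lands directly in a production zone instead of terminating in the owner's remote-access zone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    description: str = ""


# Constructed zone model. Traffic may only cross a zone boundary along one of these
# (source, destination) paths; everything else is denied by default.
ALLOWED_ZONE_PATHS = {
    ("enterprise-it", "ot-dmz"),
    ("ot-dmz", "supervisory"),
    ("vendor", "remote-access"),      # vendors terminate at the plant owner's gateway
    ("remote-access", "ot-dmz"),      # ... and continue into the plant via the DMZ
    ("supervisory", "cell-line1"),
    ("supervisory", "cell-line2"),
}
PRODUCTION_ZONES = {"supervisory", "cell-line1", "cell-line2"}
EXTERNAL_ZONES = {"internet", "vendor"}


def check_flows(flows):
    """Return (flow, finding) pairs for every cross-zone flow that violates the model."""
    findings = []
    for flow in flows:
        if flow.src_zone == flow.dst_zone:
            continue  # traffic inside a segment is not the concern of segmentation
        if flow.src_zone in EXTERNAL_ZONES and flow.dst_zone in PRODUCTION_ZONES:
            findings.append((flow, "direct remote connection into production; "
                                   "route it via the owner's remote-access zone"))
        elif (flow.src_zone, flow.dst_zone) not in ALLOWED_ZONE_PATHS:
            findings.append((flow, "crosses a zone boundary with no approved path"))
    return findings


# Constructed sample flows; the third and fourth are the kind of thing a survey turns up.
SAMPLE_FLOWS = [
    Flow("supervisory", "cell-line1", "modbus/tcp 502", "HMI polls the line PLC"),
    Flow("vendor", "remote-access", "tls 443", "vendor VPN ends at the owner gateway"),
    Flow("vendor", "cell-line1", "tcp 44818", "vendor modem straight into the cell"),
    Flow("enterprise-it", "cell-line1", "tcp 502", "office workstation polls the PLC"),
    Flow("cell-line1", "cell-line1", "tcp 502", "traffic inside the cell"),
]

if __name__ == "__main__":
    for flow, finding in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src_zone} -> {flow.dst_zone} ({flow.service}): {finding}")
```

The same path table can later be turned into the firewall's allow rules; keeping it as a short list of approved zone pairs, rather than as hundreds of host rules, is what keeps the maintenance burden small.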
- Vulnerability management
First, let’s make one thing clear. Vulnerability management is not the same as installing information security updates! The primary purpose of vulnerability management is to assess the effect of vulnerabilities and to define a suitable method for controlling them. There are several methods for vulnerability management:
- Installing a software update (if available, requires cooperation with the supplier)
- Removing vulnerable software (if it is not required in operations)
- Protecting vulnerable services on the network level (if it utilizes the network)
- Improving monitoring (if nothing can be done with the vulnerability at the moment)
The production system can be expected to contain software components that have not been updated. The reason for this is often that the application software does not support the installation of updates or that the installation must wait until the next maintenance break, since it requires restarting the system or functional testing. The fact that there are software components that have not been updated does not mean, however, that the system is not secure as long as suitable alternative methods have been implemented.
Vulnerability management requires a profound understanding of the devices and software in the environment and their interdependencies. Knowing and understanding the vulnerabilities also makes the topic easier to discuss with suppliers. If the system-wide vulnerability management is seen as an excessively demanding task, I recommend starting from the system’s critical components and boundary devices (such as firewalls and other devices that are contacted from outside the production system network).
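The four options listed above form a decision order, and the last paragraph says where to start. As an added example (not the author's code), the Python below applies that order to each installed component matched by a bulletin and sorts the resulting work list so that boundary devices and critical assets come first. All product names, versions and the "VULN-EXAMPLE" identifiers are placeholders, and the attributes on each installed component (update available, required for operation, reachable over the network) are assumed inputs that the inventory has to supply.

```python
from dataclasses import dataclass

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Vulnerability:
    identifier: str          # placeholder label; no real advisory is referenced
    product: str
    affected_versions: frozenset
    needs_network: bool      # True if the weakness is only reachable over the network


@dataclass(frozen=True)
class Installed:
    asset: str
    product: str
    version: str
    required_for_operation: bool
    update_available: bool
    network_reachable: bool  # the vulnerable service can be reached across a zone boundary
    boundary_device: bool    # firewall or other device contacted from outside the production network
    criticality: str


def choose_control(vuln, sw):
    """Pick the control for one installed component, in the article's order of preference.
    Returns None when the component is not affected at all."""
    if sw.product != vuln.product or sw.version not in vuln.affected_versions:
        return None
    if sw.update_available:
        return "install update (agree timing with the supplier; plan for a maintenance break)"
    if not sw.required_for_operation:
        return "remove the vulnerable software"
    if vuln.needs_network and sw.network_reachable:
        return "restrict the vulnerable service at the network level"
    return "increase monitoring of the asset until a fix is possible"


def triage(vulns, inventory):
    """Match every bulletin against every installed component and order the work:
    boundary devices first, then by criticality, then by name for a stable order."""
    work = []
    for vuln in vulns:
        for sw in inventory:
            control = choose_control(vuln, sw)
            if control is not None:
                work.append((sw, vuln.identifier, control))
    work.sort(key=lambda item: (not item[0].boundary_device,
                                CRITICALITY_RANK[item[0].criticality],
                                item[0].asset))
    return [(sw.asset, vid, control) for sw, vid, control in work]


# Constructed sample data; all names, versions and identifiers are invented.
VULNS = [
    Vulnerability("VULN-EXAMPLE-1", "ScadaView", frozenset({"4.1", "4.2"}), needs_network=True),
    Vulnerability("VULN-EXAMPLE-2", "plc-firmware", frozenset({"2.4.1"}), needs_network=False),
    Vulnerability("VULN-EXAMPLE-3", "fw-os", frozenset({"6.1"}), needs_network=True),
]
INVENTORY = [
    Installed("fw-ot-dmz", "fw-os", "6.1", True, True, True, True, "high"),
    Installed("plc-line1", "plc-firmware", "2.4.1", True, False, True, False, "high"),
    Installed("hmi-line1", "ScadaView", "4.2", True, False, True, False, "medium"),
    Installed("eng-ws-01", "ScadaView", "4.2", False, False, True, False, "low"),
    Installed("historian-01", "ScadaView", "4.3", True, False, True, False, "high"),
]

if __name__ == "__main__":
    for asset, vuln_id, control in triage(VULNS, INVENTORY):
        print(f"{asset:14} {vuln_id:16} {control}")
```

Note that the PLC firmware case ends in "increase monitoring" rather than in a network rule: the weakness does not need the network, so a firewall does nothing for it, and the component cannot be removed or patched before the next maintenance break. That is exactly the situation the previous paragraph describes, and the asset stays on the list so that the decision is revisited later.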
- Monitoring information security
The benefit of production networks, compared to the standard office IT network, is their highly static traffic and structure. The devices must function as expected, and they cannot be continuously added to and removed from production networks. For this reason, production networks are, in a way, easier to monitor, but on the other hand, the tools designed for IT environments may not be well suited to monitoring these networks. At the moment, there is an increasing number of sophisticated tools for production network monitoring.
Monitoring information security always requires financial investment. Organizations can either invest in their own tools and in developing and maintaining the expertise of their own personnel, or purchase services from an external service provider. The information security environment is constantly changing, and information security monitoring must keep up with this development. Organizations can detect information security incidents with their own technologies, but verifying and analyzing these incidents requires an expert.
Monitoring the information security of a production environment could – and should – be implemented in phases. In the first phase, you should concentrate on monitoring the interfaces of the production and IT network and their possible central points. It is good to remember that the security of the production network can be utilized in IT network monitoring – provided that no direct connections to the production system exist.
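Added example (not from the article or from Nixu) for the two paragraphs above: because production traffic is static, the first monitoring phase can be a simple allowlist at the production/IT interface. The Python below learns a baseline of hosts and conversations seen crossing that interface during a known-good period and then reports anything new. The address plan, the flow-record line format and all sample records are constructed for the example; a real deployment would read flow records from the firewall or a network sensor at the interface.

```python
import ipaddress
import re

# Constructed address plan: two production subnets and the office IT range.
PRODUCTION_NETS = [ipaddress.ip_network("10.1.10.0/24"), ipaddress.ip_network("10.1.20.0/24")]
IT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed flow-record format, one conversation per line (not a real exporter's output).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Known-good period used to learn the baseline (constructed records).
BASELINE_LINES = [
    "2024-05-01T08:00:00 src=10.1.20.7 dst=10.50.3.10 proto=tcp dport=1433",  # historian -> IT database
    "2024-05-01T08:00:05 src=10.50.4.20 dst=10.1.20.7 proto=tcp dport=443",   # IT management host -> historian
    "2024-05-01T08:00:09 src=10.1.10.5 dst=10.1.20.7 proto=tcp dport=502",    # inside production, not at the interface
]
# Later traffic to be checked against the baseline (constructed records).
LIVE_LINES = [
    "2024-05-03T10:00:01 src=10.1.20.7 dst=10.50.3.10 proto=tcp dport=1433",
    "2024-05-03T10:00:02 src=10.50.4.20 dst=10.1.20.7 proto=tcp dport=3389",  # known hosts, new service
    "2024-05-03T10:00:03 src=10.50.9.99 dst=10.1.20.7 proto=tcp dport=445",   # host never seen at the interface
    "2024-05-03T10:00:04 src=10.1.10.5 dst=10.1.20.7 proto=tcp dport=502",
]


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def in_any(addr, nets):
    return any(addr in net for net in nets)


def crosses_interface(flow):
    """True if the flow passes between the production network and the IT network."""
    s, d = flow["src"], flow["dst"]
    return (in_any(s, PRODUCTION_NETS) and in_any(d, IT_NETS)) or \
           (in_any(s, IT_NETS) and in_any(d, PRODUCTION_NETS))


def learn_baseline(lines):
    """Record every host and (src, dst, proto, dport) conversation seen at the interface."""
    hosts, conversations = set(), set()
    for flow in map(parse_flow, lines):
        if not crosses_interface(flow):
            continue
        hosts.update((flow["src"], flow["dst"]))
        conversations.add((flow["src"], flow["dst"], flow["proto"], flow["dport"]))
    return {"hosts": hosts, "conversations": conversations}


def detect(baseline, lines):
    """Return (timestamp, conversation, reason) for every interface flow not in the baseline."""
    alerts = []
    for flow in map(parse_flow, lines):
        if not crosses_interface(flow):
            continue
        key = (flow["src"], flow["dst"], flow["proto"], flow["dport"])
        if key in baseline["conversations"]:
            continue
        unknown = sorted(h for h in (flow["src"], flow["dst"]) if h not in baseline["hosts"])
        if unknown:
            reason = "host never seen at the interface: " + ", ".join(map(str, unknown))
        elif in_any(flow["src"], IT_NETS):
            reason = "new inbound conversation from IT into production"
        else:
            reason = "new outbound conversation from production to IT"
        alerts.append((flow["ts"], key, reason))
    return alerts


if __name__ == "__main__":
    for ts, key, reason in detect(learn_baseline(BASELINE_LINES), LIVE_LINES):
        print(ts, key, reason)
```

Two things this deliberately does not do: it ignores traffic that stays inside the production network, which is a later phase, and it does not decide whether an alert is an incident. As the text says, that verification is the part that needs an expert; the allowlist only makes sure the expert is looking at a short list.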
From the cybersecurity expert’s perspective, the primary concern in the information security of production systems is not always the opponent that seems the worst. Common malware and almost trivial, everyday matters pose a more significant threat.
It is good to realize that there are some events in nearly all production processes that must never take place. These critical factors should be identified and the possibilities for affecting their realization via digital means should be assessed carefully. Protective measures should be selected and implemented in such a way that they are sensible for the whole and they support the company’s business.
by Robert Valkama, Lead Consultant, ICS Security, Risk Management at Nixu Corporation