The X-Force Threat Intelligence Index published by IBM Security 2021 found that the manufacturing industry was the world’s most vulnerable sector in terms of ransomware attacks and cyber breaches. The number of security vulnerabilities in industrial control systems (ICS) increased by 50% compared to the previous year. At the same time, exploitation of these vulnerabilities is becoming an increasingly popular form of attack. For example, the number of cyber breaches that exploited vulnerable software increased by 33%, according to the X-Force report.
This shows why industrial control systems today need just as much protection from hacker attacks as PCs or smartphones– if not more so, considering that an attack against an ICS can bring entire factories to a standstill and cause significant economic damage.
The rapid advancement of digitalisation in many sectors, including the industrial sector, means that control systems are now connected to more extensive company networks or even to external networks. This is known as IT/OT convergence: systems that are used for conventional data and information processing (IT) are being increasingly integrated with operational technology (OT) systems. In modern industrial facilities, industrial control systems are mostly connected to each other, to critical IT systems and even directly to external networks. These systems are therefore exposed to risks similar to those typically found in IT-oriented systems. In view of this new model, ICS cybersecurity solutions are required to protect the security and functionality of automation systems that are connected to the internet (see diagram, top right).
ICS cybersecurity is the framework and concept for protecting industrial control systems against cyber attacks. This includes various measures to protect the integrated hardware and software used for monitoring and controlling machines and facilities in industrial environments. The measures encompass organisational as well as process and technical protection measures.
Contrary to conventional IT, industrial control systems have different protection goal requirements, meaning that ICS security differs from traditional IT security in several respects. First is protection goals. The focus of IT network protection is usually on ensuring the confidentiality and integrity of data, such as through strict access control and data encryption. By contrast, ICS security focuses on asset availability, process integrity and the safety of employees and property. Second is long service life: the components of an industrial control system are designed to have a significantly longer service life (10-30 years) than IT equipment (on average 3-5 years).
Third is proprietary componentry. Today’s industrial control systems use a variety of proprietary protocols and operating systems, which were often developed decades ago and have a long service life. As a result, these protocols and related system functions often do not support security features (such as encryption and access control) and in many cases they cannot be updated. Fourth is their diversity. Industrial control systems combine a variety of different device types. In order to mitigate risks, the technologies required need to be just as diverse.
HOW CAN INDUSTRIAL CYBERSECURITY BE ACHIEVED?
Various basic measures have proven to be effective in increasing the cybersecurity of industrial control systems. Some suggestions are below.
Analyse the ICS assets: Knowing which ICS assets are installed where, as well as whether and how they are networked, is essential for cybersecurity. Isolate the system: The ICS should be separated as much as possible from regular company functions. This allows it to be disconnected from external networks when necessary without disturbing other company activities. Manage rights and access: Each ICS may only be operated by authorised users and must only be used for its intended purpose. Remote access to the system should be carefully considered based on the potential risks involved. Train employees: ICS operators must be made aware of the dangers of cyber attacks and trained accordingly. Users should understand why certain security measures are required so that they do not override them. Make records: All accesses and events should be recorded and monitored. This ensures that, in the event of a cyber attack, it is possible to determine who had access, which actions were performed and what changes were made. Use security software and hardware: Antivirus software and firewalls protect against malicious attacks and malware infections. Back up regularly: Systems and data should be backed up preferably offline. Backups ensure that systems can be quickly restored in the event of an unplanned outage. Keep updating: Updating and patching systems addresses security vulnerabilities and maintains functionality. Unsupported systems and legacy components should be replaced where possible. Don’t forget physical protection: Physical access to ICS assets can compromise their availability and allow protective measures to be circumvented. Industrial control systems should be protected by both cybersecurity measures and physical security measures.
Today, cyber criminals use a variety of different attack vectors to gain access to workstations, servers or control systems on a company network. A multi-layer concept was developed in response to these cyber attacks: ‘defence in depth’ forces attackers to overcome not just one, but multiple layers of security measures to reach their target. In this case, users, system integrators and equipment manufacturers are all responsible for creating a secure environment.
The international standard series IEC 62443 also provides procedures, technical reports and additional information which define processes for secure ICS implementation. The standard takes a holistic approach for operators, integrators and manufacturers. Similarly, the UL 2900 standard series provides companies with the criteria they need to measure and assess the security features of products, the technologies used, and the risk of cyber breaches.
Incidentally, Eaton is the first company worldwide to have its development processes evaluated and certified to both UL 2900 and IEC 62443.
CONCLUSION
To protect industrial control systems from the growing number of cyber attacks, defence in depth is required. In the whitepaper ‘Cybersecurity considerations for industrial control systems’ (see box) Eaton describes cybersecurity protection measures for industrial control systems and automation components.
BOX: WHITE PAPER
To protect industrial control systems from the increasing number of cyber attacks, a multi-layered ‘defence-in-depth’ approach is required. The last line of defence here is automation components and devices. Eaton describes the steps users must take to protect industrial controls and automation components from cyberattacks and how Eaton develops ‘secure’ products.
Learn more about how to properly implement strong cybersecurity in industrial control systems and applications with the support of Eaton via www.is.gd/zewagu