Critical assets owners – such as power stations, water and gas plants, as well as traffic and transport authorities – are having to protect their ICT infrastructures against cyber-attacks on an unprecedented scale. Particularly at risk are industrial control systems (ICS) and supervisory control and data acquisition (SCADA) components, responsible for collecting and processing the operating data for controlling plants.
Against this backdrop, it is not enough for the supplier of a single machine component or subcomponent to claim it is cyber-secure – the entire machine must be so. It is a stark message that is prompting many component OEMs and their supply chains to make sure this imperative is in place by signing binding agreements between them that will better protect the digital supply chain against attacks.
Siemens is certainly to the fore in this regard. Its suppliers must now comply with minimum cyber security requirements, anchored in a separate, obligatory clause in all new contracts. These requirements apply primarily to suppliers of security-critical components, such as software, processors and electronic components for certain types of control units.
Essentially, Siemens is following the course laid down by the Charter of Trust for cyber security. The requirements stipulate, for example, that suppliers must integrate special standards, processes and methods into their products and services. The overarching aim is to prevent vulnerabilities and malicious code from infiltrating suppliers’ operations – and thus Siemens’ products as well. In the future, suppliers themselves must perform security reviews, conduct tests and take corrective action on a regular basis. Siemens is making these stipulations mandatory for its own activities as well.
“This step will enable us to reduce the risk of security incidents along the entire value chain in a holistic manner and offer our customers greater cybersecurity,” says Roland Busch, member of Siemens’ managing board and the company’s COO and CTO. “If all our partner companies put their global weight behind these measures and implement them together with their suppliers, we can generate tremendous impact and make the digital world more secure.”
TOTAL SECURITY? A MYTH
More secure is good, of course, but there is no such thing as absolute security. “If any manufacturer claims a product is ‘cybersecure’, you should take a long, hard look and make up your own mind,” advises Nigel Stanley, CTO at TÜV Rheinland.
The problem, he says, is that cyber security is non-deterministic. “In other words, you cannot prove that a system is secure. This is in contrast to the world of functional safety, where a product/system is provably safe, often measured against an industry-accepted safety integrity level.”
This is made even more complex in the world of ICS, with multiple components and sub-components. “How can any level of security assurance be provided? How far down the supply chain should cyber security concerns travel? This has been highlighted many times, even down to fake semiconductors appearing in military hardware.” In his experience, the more concerned manufacturers or operators will seek assurance three levels down – for example, three sub-component manufacturers along the chain. “In reality, this is complex and time-consuming for all parties. Will a 147-point questionnaire really provide assurance that a supplier has taken cyber security seriously? This is far more multifaceted when considering software and the need to write secure code that will have to be tested to ensure it contains as few bugs as possible – it can never be guaranteed to be completely bug free.”
Contracts are useful to focus the minds of a supply chain, Stanley agrees. “Obliging software code or a piece of hardware to undergo some form of official testing and certification against an accepted standard prior to final acquisition can be helpful. Standards, such as IEC 62443, provide a good cyber security framework that can be tested and certified against, but remember that still doesn’t guarantee a product is secure – only that, at that moment, it met the requirements of a particular, often subjective, standard.”
Despite a myriad of safety and security standards, liabilities following an incident still remain subject to the courts, adds Stanley. Will an individual software developer be held personally responsible following an incident? Where does the blame fall? Until the cyber security industry can figure out this problem, he concludes, “the only guarantee is that there will be a huge amount of work coming down the line for the legal profession”.
EXPANDED ATTACK VECTOR
As the supply chain grows, increasingly complex machines are connecting to each other both physically and wirelessly. This connectivity has expanded beyond local area networks to larger-scaled virtual networks, and the internet is opening up what was once a contained perimeter to an open supply of new computing services, capabilities and availability. The leveraging of these third-party services and technologies becomes part of the industrial supply chain.
Maximising the capabilities of industrial systems in this way also comes with an expanded attack vector, says John Yeoh, global vice president of research at Cloud Security Alliance. “When it comes to protecting an entire machine and industrial system, the need for security across the supply chain becomes much more complex and necessary. The business operator of the industrial system needs cooperation from the hardware component manufacturers and services providers to understand the core objectives of the business operator and the security responsibility for each partner in the supply chain.
“Hardware component manufacturers and OEMs have been better at this in the past, because physical systems need compatibility to work together. Machine components are often fused together and there are fewer vendors building in the physical confines of the machine. Coordination happens through updates at the hardware, firmware and OS level. Major component vendors have coordinated disclosure methods to improve the speed and transparency for updates and fixes of performance or security issues facing their components.”
Only enter the realms of connected machines and services through open ports and open wireless connectivity, and the whole picture alters dramatically, as the list of machines and services connected to the system rapidly expands. “With the ease of use, open compatibility and fast procurement of cloud services, connected services can be added by the hundreds, without any physical confines,” he says.
“Mechanisms and open source tools, such as the CSA STAR [Cloud Security Alliance - Security, Trust, Assurance and Risk] framework can be put in place to establish baseline security requirements and shared responsibility for cyber security within the supply chain,” states Yeoh, while it falls to those partners in the supply chain to demonstrate trust in the relationship. “Shared responsibility frameworks allow business operators to align and understand the security objectives of all parties in the supply chain. Tools such as the CSA STAR are becoming a consensus across the industry on harmonising baseline security across cloud and cyber platforms.”
Yeoh believes that blockchain technologies have the potential to automate and verify the management, procurement and operation of security protocols in the supply chain, adding: “A business continuity and disaster recovery plan needs to be put in place for full, partial or limited operations under disruption or a security attack. As the attack vector changes, the security of an industrial system will have to evolve to protect new devices, virtual networks, service applications, and the environmental and human impact of those systems.”
BOX OUT: One strike and out?
While individual components may be labelled as cyber-secure, it only takes a single vulnerability to compromise the entire supply chain, points out John Titmus, director EMEA at CrowdStrike. To remedy this and improve OT (operational technology) hygiene, continuous monitoring and enhanced detection below the OS-level is essential.
“Today, most security products remain blind to attacks that attempt to leverage vulnerabilities in, for instance, BIOS firmware,” he comments. “Accessing endpoints in this way compromises the entire system and can even persist across reboots and reinstallation of the operating system.”
Industrial networks are particularly at risk to these types of attack, since their security has often been neglected for years. “Malware can spread rapidly from individual infected devices, to the whole office, to plants in other countries.” He sees firmware and hardware-level visibility into these vulnerabilities and attacks as the best option in protecting the supply chain, allowing cyber security teams to discover dormant threats that have not yet been detected – “and can even prevent attacks before they have a chance to take off”.