The Internet of Things can bring many advantages, but also new risks. Organisations ranging from hospitals to manufacturing plants increasingly depend on being highly connected. A vital ingredient of Industry 4.0 is using big data methods to combine many diverse sources of information to give broad insights into the entire organisation. The resulting understanding of the interrelationships between operations can optimise processes and drive continuous improvement. However, bringing together many sources of data can introduce security vulnerabilities.
It is now possible for terrorists and state actors to remotely shut down, or even permanently damage, critical infrastructure.
In our enthusiasm to embrace the benefits of Industry 4.0, it is important not to dismiss as luddites those concerned about vulnerabilities. Fundamentals such as business continuity and health and safety remain paramount.
“When talking to either a ‘big data’ evangelist or a risk-averse naysayer, I often find they both share a lack of understanding about the nature, value and significance of the data they produce. Some simply don’t know what data they are generating, whether it is secure and whether it needs to be secure. Questions such as, is the data subject to compliance, is it a business continuity risk, or is it actually a piece of proprietary IP, are not always considered. And when I ask how robust the data security is within their supply chain, the answer is very often ‘I don’t know’,” according to a product solution & security officer at Siemens Digital Industries Software, who did not wish to be named.
Cyber-attacks are increasingly targeting critical infrastructure such as power generation. The energy sector is increasingly experiencing attacks at power generation plants around the world, resulting in near-miss critical safety events. The attacks could produce sustained blackouts with significant economic impact, cause serious damage to the plant and put the lives of workers at risk. Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens, says that cyber-attacks on power stations are getting more frequent and more sophisticated.
Simonovich described a recent attack on a Schneider Electric safety system in a Saudi petrochemical plant. Hackers moved from IT, to operations (OT), and into safety. “Attacks are interchanging their techniques – leapfrogging from digital to physical and back again… What’s common between IT and OT attacks is human error. We want to borrow the principles from safety and the principles of hygiene and awareness and bring those two together.”
CYBER-SECURITY BASICS
An important principle is to minimise the impact of human error, since this can never be completely eliminated. This idea draws on principles from safety, and from hygiene and awareness. Cybersecurity should be based on an awareness of generic safety measures. Having visibility and situational awareness of the risks is equally important. Just as with health and safety, there needs to be a culture where people report any breach of protocol or near-miss event. Common examples are using an unauthorized USB stick on the network or forgetting to log off a terminal. The report must then be followed up with root-cause analysis to ensure mistakes are not repeated.
IEC 62443 – Security for industrial automation and control systems – is a wide-reaching cybersecurity standard consisting of nine separate documents and totalling 1,500 pages (see diagram above). It draws on an earlier standard, with development stretching back over a 20-year period. With its focus on industrial automation and control systems (IACS), it is applicable to all industry sectors and particularly critical infrastructure.
IEC 62443 applies across multiple industry sectors. As a demonstration of that, the International Society of Automation founded the ISA Global Cybersecurity Alliance, a group of more than 50 companies that together represent over 20 industry verticals and more than $3 trillion in annual revenues; these companies all share a commitment to using the ISA/IEC 62443 standards in their own processes and with their customer facilities. In 2018, the United Nations Economic Commission for Europe (UNECE) confirmed that IEC 62443 will be integrated into the Common Regulatory Framework on Cybersecurity (CRF). This will establish a common legislative basis for cybersecurity practices within the European Union trade markets.
Jennifer Halsey, International Society of Automation, says: “The International Society of Automation and the International Electrotechnical Commission have joined forces to address the need to improve the cybersecurity of IACS. The ISA99 Committee and the IEC Technical Committee 65 Working Group 10 develop and publish the ISA/IEC 62443 Series. These documents describe a methodical engineered approach to addressing the cybersecurity of IACS. They can be purchased from either organisation; the technical content is identical. The benefits of using a standards-based approach include reducing the likelihood of a successful cyberattack, the use of a common set of requirements among stakeholders, security throughout the lifecycle, and a reduction in overall lifecycle cost.”
Cybersecurity is to be viewed as an ongoing process, not a goal to be reached. The standard stresses the importance of redundancy and protecting critical assets in zones. The principle of redundancy is embodied in the concept of defence in depth. This means that multiple layers of protection surround the most critical assets.
A system should be divided into zones, with logical and physical assets grouped according to their security requirements. There must be a clear boundary separating the assets inside a zone from those outside it. More critical zones are contained within less critical ones, providing defence in depth. Each zone is classified into one of five security levels; see the ‘Zone classifications’ box.
And, where information is required to flow between zones, it must be transferred through conduits that ensure secure communications.
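The zone and conduit model described above can be checked mechanically against an asset inventory. The following Python sketch is an added example, not taken from the standard or from any vendor tool; the zone names, assets, conduits and flows are constructed, and it assumes that a higher security level marks a more critical zone.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Zone:
    name: str
    level: int               # security level 0-4, as in the zone classifications
    parent: Optional[str]    # enclosing zone; None for the outermost zone

# Constructed sample model (hypothetical names, for illustration only).
ZONES = {z.name: z for z in (
    Zone("enterprise", 1, None),
    Zone("plant", 2, "enterprise"),
    Zone("safety", 3, "plant"),
)}
ASSETS = {"erp": "enterprise", "historian": "plant", "hmi": "plant", "sis": "safety"}
# A conduit is declared between a pair of zones.
CONDUITS = {frozenset({"enterprise", "plant"}), frozenset({"plant", "safety"})}
FLOWS = [("erp", "historian"), ("hmi", "historian"), ("hmi", "sis"), ("erp", "sis")]

def nesting_errors(zones):
    """Report invalid levels and inner zones less critical than their enclosing zone."""
    errors = []
    for zone in zones.values():
        if not 0 <= zone.level <= 4:
            errors.append(f"{zone.name}: level {zone.level} is outside 0-4")
        if zone.parent is None:
            continue
        outer = zones.get(zone.parent)
        if outer is None:
            errors.append(f"{zone.name}: unknown enclosing zone {zone.parent}")
        elif outer.level > zone.level:
            errors.append(f"{zone.name}: less critical than enclosing zone {outer.name}")
    return errors

def flow_violations(flows, assets, conduits):
    """Return flows that cross a zone boundary without a declared conduit."""
    bad = []
    for src, dst in flows:
        a, b = assets[src], assets[dst]
        if a != b and frozenset({a, b}) not in conduits:
            bad.append((src, dst))
    return bad

if __name__ == "__main__":
    print(nesting_errors(ZONES))
    print(flow_violations(FLOWS, ASSETS, CONDUITS))
```

With the sample data, the only flagged flow is the direct path from the enterprise system to the safety system, which has no conduit of its own and skips the plant zone.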
TRAINING IN CYBERSECURITY USING ISA/IEC 62443
When implementing cybersecurity using ISA/IEC 62443, training is advised. The ISA offers a number of courses in person or online, including ‘Using the ISA/IEC 62443 Standards to Secure Your Control Systems’, ‘Assessing the Cybersecurity of New or Existing IACS Systems’, ‘IACS Cybersecurity Design & Implementation’, ‘IACS Cybersecurity Operations & Maintenance (IC37)’ and ‘Overview of ISA/IEC 62443 for Product Suppliers’.
Concludes Halsey: “The ISA industrial cybersecurity training courses and knowledge-based certificate recognition programme are based on ISA/IEC 62443: the world’s only consensus-based series of IACS standards. The programme is designed for professionals involved in IT and control system security roles that need to develop a command of industrial cybersecurity terminology, and an understanding of the material embedded in the ISA99 standards.”
BOX: Zone classifications
Security Level 0: No special requirement or protection required.
Security Level 1: Protection against unintentional or accidental misuse.
Security Level 2: Protection against intentional misuse by simple means with few resources, general skills and low motivation.
Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation.
Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.