October 2021, Vol. 248, No. 10
Cybersecurity
Future of Control System Cybersecurity Built Upon Industry Standards
By Jennifer Halsey, Director of Communications, International Society of Automation
In the most disruptive cyberattack on U.S. critical infrastructure to date, Colonial Pipeline’s 5,500-mile (8,900-km) East Coast pipeline halted its mainline production on May 7, when administrators detected advanced ransomware.
The attack should serve as a wake-up call for organizations in critical infrastructure and advanced manufacturing — now is the time to implement a standards-based approach to risk assessment and mitigation.
The ISA Global Cybersecurity Alliance and its nearly 50 member companies stand behind the International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 series of standards as the common sense, industry-backed approach to the operational technology (OT) cybersecurity challenges we face in the United States and around the world.
Many voices are contributing to this conversation. Some of these voices are familiar – our organization and our partners have been working diligently on these challenges for more than a decade.
Other voices are new to the OT environment, and likely others are new to the world of critical infrastructure protection in general. Policymakers and media also engage in the dialogue, and we welcome the opportunity to help educate these important influencers.
ISA and the ISA Global Cybersecurity Alliance (GCA) will play a critical role in these conversations ISA standards created by volunteer subject matter experts, representing asset owners, equipment manufacturers, system integrators, government agencies and academia. Let’s begin with the basics – why industry standards are imperative and how the ISA/IEC 62443 series can help address our biggest cybersecurity challenges.
Industry Standards
“Standards equip people and organizations with common technical specifications and procedures so that complex processes can be mutually understood and optimized,” according to Max Wandera, director of the Cybersecurity Center of Excellence at global power management company Eaton. “Standards codify years of expertise and experience, translating deep knowledge into practical specifications that have been tested in multiple environments.”
Wandera further explains that standards play an important role in a global economy, facilitating business interaction, enabling compliance with relevant laws and regulations, speeding development time for new products and providing interoperability between new and existing products and processes.
The detailed information provided by standards documents save manufacturers and asset owners time and money because they do not have to create technical specifications from scratch; they can select devices and components that will operate together regardless of brand, and they can access an ecosystem of like-minded suppliers, integrators and partners.
Asset owners realize a direct return on investment by lowering installation and startup costs, reducing the need to maintain large inventories, enabling interchangeable and connected components, improving design with less custom effort and increasing safety.
Automation providers, equipment manufacturers and others leverage standards to create products and systems so that asset owners can be assured of the quality, safety and interoperability of their purchase.
Standards also are used as criteria for regulatory compliance, conformance testing and certification programs that help ensure goods and services conform to established technology and industry best practices. When standards are globally adopted and harmonized, market barriers are broken down and international trade is made easier and more successful.
In a recent survey conducted by ISA, engineers and managers were asked to select the most important benefits of leveraging industry standards. Eighty-one percent said that standards help companies improve compliance to regulations; 67% said that standards make it easier to train and cross-train people in technical jobs; 61% said that standards make processes and facilities more secure.
Complicating Trends
Wandera, who has responsibility for Eaton’s Secure Product Development Lifecycle Policy, highlights the following five major trends policymakers must address to improve cybersecurity:
Industrial Internet of Things (IIoT): More connections and networked devices mean more security concerns, new scenarios, increased threat landscapes and different risk profiles. IoT and IIoT technologies can take many different forms, but they typically share some common characteristics, including availability, intelligence and connected devices.
Many of these devices do not have standard user interfaces, making it more difficult for users to figure out how to change their default credentials or when they need to download firmware updates. Additionally, these devices are designed to connect the cyber and physical worlds, meaning that the consequences of security vulnerabilities are often not contained online but spillover into physical damage, malfunctions or interruptions.
Furthermore, the sheer scale of sensors and number of IoT and IIoT devices currently being deployed provides a much larger attack surface, with many more potentially vulnerable devices than ever before for attackers to target.
These risks have manifested in a series of serious security incidents. These include the recent attack on a water plant in the United States that almost resulted in the level of chemicals in the water supply to be tempered with or the shutdown of some critical infrastructure because of ransomware attacks.
Not only are attacks like these larger and more damaging than many pre-IoT cyberattacks because of their scale and physical system consequences, they also have proven much harder to mitigate. For instance, in 2018, the FBI warned internet users to reboot their wireless routers in hopes of trying to disrupt a particularly virulent strain of malware.
Since the manufacturers had no way to update the routers’ firmware remotely without the manual reset, this effort relied entirely on individuals paying attention to the warning and following its instructions — a slow, ineffective and unwieldy process for a critical security update. These incidents can have serious consequences for both individual consumers and IoT manufacturers. The U.S. Federal Trade Commission recently brought cases against IIoT manufacturers selling products with a known vulnerability.
These cases indicate just how much is at stake for both consumers and device manufacturers when it comes to developing clear security standards for these devices and implementing them internationally through standards-setting organizations.
OT/IT convergence and interdependence: Server performance and cloud computing power is driving productivity, but now threat actors can leverage information technology (IT)-based techniques to target OT networks. Historically, effective IT defenses do not always work in operational environments.
Regulatory efforts tend to focus primarily on IT/IoT devices, neglecting to consider the unique challenges posed by the IIoT ecosystem. IIoT devices are in industrial settings rather than commercial ones, and they typically facilitate structured machine-to-machine connections rather than ad hoc people-to-people or people-to-internet connections.
This has implications for the potential safety and security consequences of a technical vulnerability being exploited, as well as the likelihood of malfunctions and bugs going undetected for extended periods of time.
Because of the interconnectivity of global enterprise, several specific standards for IT security have been established and are enforceable. The same does not apply for OT, since the OT services that control critical infrastructure were able to operate largely autonomously in the past.
Additionally, OT requires consideration of several priorities that typically do not apply to IT, such as worker safety, so the existing standards for IT cannot be applied effectively to OT. Meanwhile, it is more difficult to vet new hardware or software against the current configuration in OT environments than IT ones because for many legacy systems. There is no way to virtualize the components themselves to test their functionality and interoperability after an update.
Legacy Systems
Difficult to update and maintain, legacy systems typically prioritize availability and integrity over security and make supply chain integrity impossible because manufacturers no longer build spare parts. IIoT devices also have very different reliability, availability and longevity expectations than IoT devices.
While IoT devices typically are designed to last between two and five years and often are cheaper to replace after two years than to service, IIoT technologies are designed to last anywhere from 10 to 30 years and withstand harsh industrial environments.
That means exploits and vulnerabilities in IIoT systems typically last longer and cause more damage than those in other environments simply because of the long lifespan of these technologies.
Continuity of service is also crucial for IIoT devices, which must be able to provide much more reliable service than IoT devices, requiring much less downtime and more stringent availability requirements.
This makes IIoT services even more challenging to update than IoT devices because any kind of configuration change requires an outage that may lead to unacceptable business interruptions or loss of revenue.
IIoT systems also must be able to coexist with legacy systems and support proprietary protocols, while IoT devices typically are based on open standardized protocols.
These characteristics of IIoT technologies present several significant technical and economic challenges to securing the IIoT ecosystem. For instance, IIoT devices have limited computational and storage capabilities, Therefore, they are not designed to support effective security measures, such as advanced encryption or vulnerability and patch management.
Possible solutions to this challenge include development of light-weight cryptographic primitives and business models that will enable more timely upgrades to electronic equipment, as well as making devices upgradeable via firmware-over-the-air (FOTA) and securing those upgrades using asymmetric cryptography and code signing.
Another technical challenge is managing end-point security and traffic analyses for a rapidly growing number of devices. Solving this problem will require exploring security options beyond anti-malware programs, such as using artificial intelligence and machine learning algorithms for anomaly detection and security information and event management.
Multi-vendor environments: Without widespread compliance to industry-adopted standards, integration introduces risks, and many products are not inherently secure. Beyond these technical challenges, there are also a set of economic challenges to securing the IIoT ecosystem.
The IIoT supply chain is complex, making it difficult to secure and difficult to assign clear liability to various stakeholders for vulnerabilities introduced at different stages of the supply chain. Each vendor follows their own design principles, which, most of time, are not aligned with the design for security principles outlined by such standards like IEC 62443.
Possible solutions to this include third-party conformity assessment of IIoT device components as well as a periodic inventory of deployed IIoT technologies to ensure that only trusted devices are installed and operational.
Skill gaps: The aging population of engineers and technical specialists, especially in North America, has increased many industries’ reliance on contract workforces, making consistent practices increasingly difficult to maintain without standardized competency assessments.
Furthermore, there are not enough workers with cybersecurity skills and IIoT experience to meet the demand for managing IIoT systems. Solutions to this market challenge include forging partnerships between companies and academic institutions to develop a strong pipeline of professionals in this area, as well as internal training programs to cultivate cybersecurity awareness and skills within IIoT firms.
“Although feasible solutions exist for all these challenges, a lack of harmonized global standards for IIoT security has hindered the adoption and deployment of many of these options,” Wandera said.
To address these challenges, ISAGCA is working with its 45-plus member companies and industry partners to drive the acceleration and expansion of standards, certification, education programs, advocacy efforts and thought leadership centered around IEC 62443. We invite organizations of all kinds to join these efforts and work with us toward a more secure future.
Author: Jennifer Halsey is the director of communications at the International Society of Automation. The International Society of Automation is a non-profit professional association founded in 1945 to create a better world through automation.
Comments