The Power of Industrial Cybersecurity

bei

 / 24. July. 2020

Since decades operational environments like factories, train systems, energy networks and city infrastructures have been equipped with dedicated communication and control technology that addresses the specific needs for timing, reliability, availability and safety. Such operational technology (OT) for industrial equipment, assets, processes and events is increasingly combined with information technology (IT). Strictly isolated before, OT domains are now being connected with the back and middle office for business process integration and analytics. Furthermore, IT best practice and technology components are increasingly being applied in the OT domain, such as certificate-based authentication and secure communication.

This industrial digitalization opens new attack vectors for operational environments – but has also created new approaches for holistic security concepts for human-cyber-physical systems that address all system actors and the full lifecycle of system components. Unfortunately, too often publications focus on individual security incidents. Like folklore, stories about attacks on operational IT (no matter whether observed in the field or only in laboratory conditions) are passed down and shared broadly, while ignoring the actual advances in industrial cybersecurity. In this article we, thus, want to highlight new powerful developments in industrial cybersecurity for converged OT/IT environments, particularly in the context of machine and device identities.

Human-cyber-physical Systems

In general, cyber-physical systems connect the processes of physical devices and machines with computing technology. The conditions of the physical processes are measured by sensors, then provided as input to a controller that evaluates the input according to a digital model of the physical process. The output of the controller is a modification that is applied to the physical process via an actuator. This control loop often runs autonomously following real-time requirements, which make human interaction impossible. Operational personnel are, however, needed to configure and manage the control loop with a human-machine interface (HMI), which can be in the form of a monitoring or engineering system.

Human-cyber-physical system [1] are potentially vulnerable to cybersecurity attack vectors on the social level, targeting the mental model of the operational personnel in front of the HMI as well as on the digital level, targeting the digital model and controller (Figure 1). In the latter cases, the approach of an attacker is to enforce a disconnect between the mental model (i.e., what the operator thinks is happening) from what is actually happening in the digital and physical world. In the former case, the approach is to enforce a disconnect between the digital model (i.e., what the control system has as dynamic representation of the physical processes) from what is actually happening in the physical world. In both cases, the larger objective of an attacker is, typically, to influence the operation of the physical processes (e.g., hold a factory production, stop a train, cause a blackout). This is sometimes also achieved by simply overloading or breaking systems, for instance in the form of a denial-of-service attack.

Figure 1: Human-cyber-physical system

The security requirements in human-cyber-physical systems often differ from IT security requirements, which gravitate around confidentiality, integrity and availability. In operational technology systems, safety and the continuity of operation have generally highest priority. The general threat and risk modeling methodology as well as the sets of security controls that can be implemented to bring security risks into acceptable levels, are similar for IT and OT systems.

Industrial Cybersecurity today

Ten years after Stuxnet [2], industrial cybersecurity has advanced significantly. The Stuxnet computer worm was aimed at industrial control systems, particularly ones that control centrifuges to separate uranium-235 from uranium-238 isotopes. The worm was introduced to target environments via an infected memory stick. It then propagated across the network, looking for a process control portal (HMI), modify the portal to give wrong commands to the process controller while pretending to the operator normal system operation. This first major attack against industrial infrastructures (and others that followed) triggered broad awareness and led in multiple areas to advancements in industrial cybersecurity:

Organizational measures: Cybersecurity ownership and responsibility are today anchored at highest management levels in industrial companies, typically in the form of a Chief Cybersecurity Officer (CCSO). In addition, processes are established to enable visibility, define and enforce governance, educate employees and management as well as to provide response capabilities and transparency internally and externally, e.g., computer and product emergency response teams (CERTs). These organizational measures helped tremendously to build, protect, defend and generally manage critical infrastructures with higher safety and security levels today.

Frameworks and standards: In the last decade, the ICT industry has developed frameworks and standards (formal and de-facto) in industrial cybersecurity consisting of collections of security technologies, controls, policies, concepts, guidelines, best practices and risk management approaches. Some exist already for a longer time but are broadly applied only recently. The most relevant frameworks and requirement standards are:

IEC 62443 [3] is the most comprehensive standard for security management of plants, facilities and industrial systems. The standard applies to manufacturers, integrators and operators with their specific requirements and defines four security levels that determine security measures accordingly. Initially focused on industrial production, IEC 62443 is already being applied also in other verticals, such as rail or power systems.

NERC-CIP [4] was developed by the North American Electric Reliability Corporation (NERC) as a set of Critical Infrastructure Protection standards, mostly aimed at the bulk electric system, which includes generation and transmission.. NERC-CIP standards are regularly enforced by the Federal Energy Regulation Commission.

ISO/IEC 27001 [5] specifies a management system that is intended to bring information security under explicit management control. Enhancements for security controls in specific industry verticals are available in the ISO 27000 series.

NIST published guidelines and frameworks addressing cybersecurity issues associated with the Internet of Things (IoT) and smart manufacturing. In particular, the Cybersecurity Framework [7], which includes a set of industry standards and best practices to help organizations manage cybersecurity risks, is broadly followed.

MITRE ATT&CK [6] is a knowledge base of adversary tactics and techniques built from real observations. The knowledge base is a foundation for the development of threat models and methodologies in the general cybersecurity community, but with applicability in industrial products and solutions.

For regulatory reasons and for better differentiation on the market, many large manufacturers, integrators and operators are getting certified according to IEC 62443, NERC-CIP or ISO/IEC 27001. In fact, requests for proposal in the process, energy and transportation industry often ask for such certification.

Laws and regulations: Many countries have issued laws and regulations to protect critical infrastructures against cyber-attacks in sectors such as energy, water, food, health, finance, telecommunication and transport. These laws and regulations refer to, both, organizational measures as well as frameworks and standards. According to the German Security Law (ITSiG) operators of critical infrastructures are required to establish organizational measures, must implement “state-of-the-art” technology and, furthermore, must report security incidents to the Federal Office for Information Security (BSI). In the US, the Presidential Decision Directive 63 (PDD-63) initiated a program for Critical Infrastructure Protection (CIP) that triggered the NIST Cybersecurity Framework. In Europe, the European Programme for Critical Infrastructure Protection (EPCIP) addresses European critical infrastructure that, in case of fault, incident, or attack, could impact both the country where it is hosted and at least one other European Member State [8]. Worth mentioning in the European context is also the Directive on Security of Network and Information Systems (NIS Directive) [17].

Partnerships: Companies operate today in globalized markets with suppliers, partners and customers in all regions in the world. The security, safety and privacy of industrial products, solutions or infrastructures depends on many stakeholders and cannot be solved by a single company alone. Partnerships, like the Charter of Trust [9] help to keep pace with cybersecurity technology and threats, coordinate actions among businesses and governments and set common trust principles between society, politics, business partners, and customers.

Technology: Security in OT environments has significantly improved over the last ten years. Field-level protocols that had literally no security controls at all, are now revamped with authentication, integrity protection and other security controls. The OPC UA (Open Platform Communications Unified Automation) protocol, broadly used in industrial automation, the Industrial Internet-of-Things (IIoT) and smart city systems, includes client/server authentication, user authorization, integrity and confidentiality of communications as well as auditing of client server interactions. Concerns on network and information security and infrastructure integrity with BACnet, a widely used standard in building automation, are now being addressed by BACnet Secure Connect [11]. PROFINET, a data communication protocol over Industrial Ethernet, will soon have security enhancements [10] according to the defense-in-depth approach described in IEC 62443. A challenge comes with the fact that well established security controls were designed with assumptions not suited for OT environments. For instance, TLS key updates can cause unacceptable side-effects on industrial operation. For power system, a standard series has been developed with IEC 62351 to address specific communication protocols utilized in this domain. The standard incorporates state-of-the-art security mechanisms for authentication, authorization and secure communication.

Key for the integration of OT and IT environments is that technology can bridge both domains securely. For instance, regulations in transportation demand juridical event recording. Galvanic separation in passive one-way gateways makes sure data can only leave, and never enter, a critical network [12]. Furthermore, various state-of-the-art security technologies (e.g., identity and access management, secure communication, privacy- and confidentiality-preserving techniques) are deployed in industrial cloud infrastructures, such as MindSphere.

Research directions in Industrial Cybersecurity

Industrial cybersecurity is an exciting and relatively new research field. Problem statements and research go far beyond standard IT security due to the involvement of the physical world (e.g., an electricity infrastructure, a hospital, a rail network). The following paragraphs provide evidence about this ongoing research in the areas of identity (Product PKI, Generic Trust Anchor, Zero Touch Onboarding, Zero Trust in OT environments), product lifecycle (DevSecOps, functional agility, penetration testing, industrial asset discovery) as well as in analytics and trust.

A key foundation for many security controls (authentication, signing, encryption, etc.) is identity. In industrial security, the identity of devices and machines is as important as the identity of people. For instance, a device needs an identity during operation for any form of secure communication. But how can the device receive the identity securely from the manufacturer? How can the identity be stored securely on the device? How can the integrator securely and efficiently prepare the device with the identity needed during operation? How can the identity of a device securely be updated or revoked securely? In order to address these questions, research is pursued to build industrial identity solutions based, as much as possible, on existing technologies, such as public key infrastructures (PKI), hardware security modules (HSM) and secure elements. This research goes in the direction of establishing certificate management and digital signature functionality. Such Product PKI services are used for securely hosting specific root and issuing certificate authorities as well as signature keys. A factory can use these services, for instance for issuing “birth certificates” to devices being produced.

A secure element is often used in industrial devices to anchor an unforgeable identity within the device. This can be achieved in the form of a firmware-based trusted platform module, dedicated FPGA, trusted execution environment, physically unclonable function or hardware security module. However, low-level specifics of secure elements pose challenges for application programmers. Applications could be developed faster and more securely when low-level complexities are hidden by a logical secure element interface. A research direction is, therefore, to define a Generic Trust Anchor interface. An ISO/IEC initiative is currently underway to propose respective specifications [14].

The deployment of devices in the field includes the secure management of “birth certificates” according to the operator’s certificate authority. The proper transition from the manufacturer’s to the operator’s administrative domain is cumbersome and, unfortunately, often shortcut. Research and standardization (IETF, OPC UA) are addressing this problem with new technology called Zero Touch Onboarding. Devices equipped with a “birth certificate” of the manufacturer can be simply dropped in a target environment. Operational certificates will then be automatically deployed using a registrar service, which is connected with the manufacturer domain.

Today, the internet and, even more, industrial networks are highly fragmented with many levels of segmented intranets in every organization. Firewalls and network address translation set perimeters that are costly to manage and don’t actually bring more security in a world of mobile devices, company merger and acquisition, outsourced cloud services and the Industry 4.0. Zero Trust is a network architecture concept that removes network perimeters. Instead, Zero Trust assumes (i) applications and services can be accessed from anywhere in the internet, (ii) identity and access management can be based on user and device certificates (in combination with behavior-based authentication methods) and (iii) strong endpoint protection and management. While for IT environments Zero Trust has been implemented (e.g., by Google), it is today an open research question whether and how OT environments benefit from Zero Trust. Scenarios from the emerging Industry 4.0 suggest that also in industrial networks perimeters will get dissolved in order to enable multi-party interactions within factories for the benefit of higher production flexibility.

Monitoring and penetration testing of devices in OT environments is often demanded for compliance and is clearly essential for anomaly detection and security related asset management. Due to the heterogeneity of devices and protocol stacks, standard asset discovery technology fails to provide the necessary visibility. Advanced analytics-based detection capabilities, applied mostly passively by observing network traffic, is the focus of research teams in the industry. Similarly, dedicated tooling for industrial penetration testing is developed by research teams [15].

Industrial products have long lifetimes – sometimes up to 30 years. The design of such products has to include mechanisms for updates, upgrades and patches throughout a very long lifecycle. In this context, research is ongoing how to enable crypto agility [16], such that the cryptographic schemes deployed today can be updated continuously in the future. A concern is that integer factorization, discrete logarithm or elliptic-curve discrete logarithm are soon no longer hard problems for quantum computers. In this case, the security based on these mathematical problems can be broken, unless crypto agility would allow products to switch to quantum-safe cryptography.

Security starts with a threat and risk assessment to understand how an attacker can compromise a system. An important research direction is to provide methods and tools for continuous security assessments and compliance according to industrial security frameworks (e.g., IEC 62443) in agile development (DevSecOps), which is increasingly applied for industrial products and solutions [13].

Analytics, machine learning and artificial intelligence are entering also industrial environments. First robots were equipped with neural engines that improve their ability to pick parts during production. Research is starting in the cybersecurity community how to protect such systems from adversarial attacks, which use inputs to machine learning models that are intentionally designed to cause the model to make a mistake. These models may be part of a digital representation of a physical device (so-called Digital Twin), which can be analyzed for anomalies simultaneously with traditional direct monitoring approaches.

Mostly, OT/IT integration is still confined to a single company, a single trust domain. The next phase of digitalization will go beyond company borders and leverage the synergy within entire ecosystems for new productivity growth. First examples, such as pay-per-use financing of machines, demonstrate the strength of tighter ecosystem interaction for new industrial business models. These examples, however, also show the need for research into new technologies to implement trust and confidentiality for future automated ecosystems.

Conclusions

During the past ten years, businesses and governments have advanced significantly in industrial cybersecurity. This is demonstrated by organizational measures, frameworks and standards, laws and regulations, partnerships and technology. Security is increasingly powerful and pre-configured into the design of products, functionalities, processes, technologies, operations, architectures and business models [9]. In many ways, security is no longer a non-functional, but a functional requirement in critical infrastructures. However, the race between the good and the bad will continue, and contributions from the research community will be essential for the good to stay ahead also in the future.

 

 

References

[1] Pacaux-Lemoine, Marie-Pierre, Quentin Berdal, Simon Enjalbert, and Damien Trentesaux. „Towards human-based industrial cyber-physical systems.“ In 2018 IEEE Industrial Cyber-Physical Systems (ICPS), pp. 615-620. IEEE, 2018.

[2]Stuxnet, Wikipedia, https://en.wikipedia.org/wiki/Stuxnet

[3]IEC 62443, Wikipedia, https://de.wikipedia.org/wiki/IEC_62443

[4]CIP Standards, North American Electric Reliability Corporation, https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

[5]ISO/IEC 27001, Information Security Management, https://www.iso.org/isoiec-27001-information-security.html

[6]MITRE ATT@CK, https://attack.mitre.org/

[7]Cybersecurity Framework, NIST, https://www.nist.gov/cyberframework/framework

[8]John Perdikaris, Physical Security and Environmental Protection, CRC Press, 2014.

[9]Charter of Trust, https://www.charteroftrust.com/

[10]Security Enhancements for PROFINET, https://www.profibus.com/download/pi-white-paper-security-extensions-for-profinet/

[11]David Fisher, Bernhard Isler, Michael Osborne, BACnet Secure Connect, A Secure Infrastructure for Building Automation, SSPC 135 IT Working Group, http://www.bacnet.org/Bibliography/B-SC-Whitepaper-v15_Final_20190521.pdf

[12]Secure your data flows and infrastructure with Siemens Data Capture Unit, https://www.mobility.siemens.com/global/en/portfolio/rail/automation/secure-connectivity.html?sitc=wwmoi10007

[13]Moyón, Fabiola & Beckers, Kristian & Klepper, Sebastian & Lachberger, Philipp & Bruegge, Bernd. (2018). Towards continuous security compliance in agile software development at scale. RCoSE ’18: Proceedings of the 4th International Workshop on Rapid Continuous Software Engineering, 2018.

[14]Generic Trust Anchor Application Programming Interface for Industrial IoT Devices, ISO/IEC JTC 1/SC 41, Internet of Things (IoT), 2020.

[15]FLUFFI (Fully Localized Utility For Fuzzing Instantaneously) – A distributed evolutionary binary fuzzer for pentesters, https://github.com/siemens/fluffi

[16]Project Aquorypt, https://www.forschung-it-sicherheit-kommunikationssysteme.de/projekte/aquorypt

[17]The Directive on security of network and information systems (NIS Directive), European Commission, https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

 

Dr. Andreas Kind is Head of Cybersecurity Technology at Siemens, Corporate Technology. He received his Ph.D. degree in computer science from the University of Bath, UK and worked in various positions for IBM Research from 2000 until 2018. Andreas is a Senior Member of the ACM.