What does a cyber-attack mean to you? The term brings many different mental images; from pizza driven nerds in a dark basement to organized operations funded and supported by state level actors. The intents for attacks vary greatly; from opportunistic hacking or showing off for friends to pursue of financial benefit and to well organized disruption of a specific physical function.

Even in the best-case scenario, cyber-attacks in industrial automation are highly inconvenient. An example of such a scenario would be an inadvertent attack, where malware intended for ordinary ICT systems enters a production environment, causing disruptions and production downtime. Example of this type of an attack is a crypto malware infecting the HMI systems. In the worst-case scenario, the attack is intentional and causes total destruction, incurring substantial replacement and recovery costs both in terms of time and money, i.e. jeopardizing safety.

Despite the intent of the attack, there are steps that can be taken in order to make it harder for the adversary to succeed in the attack. Securing industrial systems requires both technical and administrative controls to be put in place (essentially in the same way as securing ICT systems, but with slightly different emphasis), and in many cases, these controls also benefit the maintenance of the systems.

Mutual benefits

When it comes to automation systems, the goals of cybersecurity and maintenance are practically the same: ensuring error-free production and safety. The essence of automation systems is that they operate in the right way at the right time. In some industries, automation system’s cybersecurity also includes protecting intellectual property. In practical terms, this means protecting manufacturing processes’ run parameters from information leaks.

Cybersecurity controls can also have substantial benefits for maintenance. For example, asset and configuration management, systems hardening and security monitoring.

Asset and configuration management is one of the corner stones in cybersecurity. Without accurate knowledge of the environment, it is very hard to reliably secure it. A complete, accurate and up to date documentation of the systems in an easily accessible (queried) format is required in order to be able to rapidly respond and investigate the potential impact of newly discovered vulnerabilities on the protected environment. A traditional blue print type of documentation is usually not sufficient for this, as they don’t contain important and needed information of the digital devices like, used software and versions, firmware versions, configuration information etc. This information is essential for example when conducting vulnerability assessments, but it will also streamline fault diagnosis.

System hardening (removing or disabling superfluous software) is primarily intended to reduce the relevant system’s attack surface, but can also have the additional benefit of removing potentially faulty software from the relevant system. This, in turn, reduces the need for unnecessary maintenance.

Cybersecurity monitoring is another function that can be easily utilized in maintenance. These tools focus on keeping track of an automation system’s network traffic and scouring its logs. They are intended to identify exceptions or changes, which means that they can also be configured to monitor maintenance-relevant information, combining and centralizing two separate functions. Monitoring tools can be configured to generate maintenance-related alarms or events when an exception is detected in the same way cybersecurity-related alarms and events are generated. This is especially beneficial in multivendor environments where automation systems from several suppliers are used. In multivendor environments the different systems may be monitored separately, using their own diagnostic tools, but a common overview is not available. Depending on the environment and personnel size the monitoring may also be limited to post incident resolution, or “extinguishing fires” as some may refer to it. With good and high quality monitoring the maintenance of the digital assets is shifted towards a preventive maintenance mode, where incidents are identified before they cause any process disruptions.

How to Improve Cybersecurity

When considering automation systems from a cybersecurity standpoint, one challenge stands out above all: their long lifecycle. IT systems have a lifecycle of around five years, whereas automation systems have an average lifecycle of around 25 years. What this means in practice is that even though today’s automation systems suppliers work on improving the cybersecurity of their own systems, it will take up to 25 years for these built-in security features to permeate the entire manufacturing industry, and at that time, some of the security controls may already be obsolete.

However, it is possible to substantially improve the cybersecurity of automation systems, even though some vulnerabilities might still remain. It is also important to acknowledge that all assets are not equally important, and that the security posture of a system can be substantially improved by making good engineering decisions for example on the architecture and functionality allocation.

It is also recommended to perform a risk assessment. The purpose of the risk assessment is to identify the potential plant vulnerabilities and critical systems related to the operation. I would not recommend putting too much effort into assessing the probability of different events, but concentrating on the potential consequences and their acceptance. I.e. if a potential cause of a cybersecurity attack utilizing a remote connection could lead to an extensive equipment failure or jeopardize employee’s health or life, a strong argument can be made to make some changes to remove or minimize the risk. The risk assessment needs to be a multi domain task, performed in co-operation by cybersecurity experts, process engineers, safety engineers and maintenance engineers.

Regardless of the outcome of the risk assessment, here are some recommendations what should be done.

Consider securing your plant’s safety automation solutions or safeguards, of course provided that they are digital. With these I mean functions intended for protecting employees, production equipment and the environment against accidents or hazards. Where possible, you should isolate protective automatic systems or functions from the operative automation systems. This should also be a basic rule when designing new control systems.

The operative automation system should also be segregated from other company networks. Isolating your production environment from the company network has been considered to be the best control against cybersecurity attacks. It is a solid protective measure for network-based attacks, provided you know what you are doing and procedures are in place to systematically support the isolation. In many cases however, this kind of isolation only serves to give a false sense of security as, for example, production planning and management often requires real time information from the production systems for various business needs. This information is then transferred using USB memory sticks or similar media, which in turn are common vectors for malware infections. Also, automation suppliers often maintain remote maintenance connections to the systems they have supplied, which means that the system is not actually isolated.

A better way to protect your system against cybersecurity attacks is to connect it to the company network, and route all the needed connections through a dedicated access point, allowing the management and monitoring of remote connections and ensuring that existing cybersecurity controls are not bypassed. Continuous monitoring will also help you identify remote sessions from your automation systems vendor and changes made through these connections to the system’s configuration. In other words, monitoring tools can also be utilized for contract management, allowing you to monitor the supplier’s actions, and for configuration management, allowing you to verify whether planned changes have actually been implemented.

All in all, those working with automation systems should deepen their mutual collaboration. This is especially true for maintenance and cybersecurity professionals. Solid cooperation ensures that all aspects required for safe and stable production are taken into account. From early planning stages to decommissioning and dismantling, modern cybersecurity must be considered throughout an automation system’s lifecycle. When considering digital cybersecurity solutions, I would recommend checking that your organization has access to the latest and most comprehensive know-how in the cybersecurity industry.

Robert Valkama

Click Image to Enlarge

Senior information security consultant at Nixu Corporation
robert.valkama@nixu.fi