How did the Internet of Things find its way into Industrial Control Systems?
I have to admit, the first time I heard the Internet of Things (IoT) was finding its way into industrial control system networks, my mind switched to visions of Terminator: Rise of the Machines.
The reality turned out to be ‘Industry 4.0’, the name given to the fourth Industrial Revolution. It is a result of the growing number of inter-connections of computers and automation within the IoT and cloud computing. As an example, Industry 4.0 has helped create smart factories, where cyber-physical systems monitor physical processes across multiple locations and make decentralised decisions.
Industry 4.0 builds on the third Industrial Revolution, which gave rise to the Industrial Control System (ICS) to provide control over the automation of robotics. With the addition of the internet interconnectivity and the virtualisation of physical locations, Industry 4.0 is creating smart factories. This has led to the creation of the Cyber-Physical System (CPS), a mechanism controlled or monitored by computer-based algorithms. CPS includes smart grid, distributed robotics, autonomous automobile systems, process control systems, medical monitoring, and automatic pilot avionics.
Traditional IT security focuses on providing confidentiality, integrity and availability, and while ICS environments support the same requirements, focusing on ‘availability’ is an absolute priority. In the past, security options have been limited to corporate IT solutions that didn’t offer the hardware resilience required or software ‘availability’ required for industrial environments e.g. low latency networking, fan-less hardware. They also didn’t offer the low level understanding of vendor created protocols used for supervisory control and data acquisition (SCADA) and low level communications (e.g. OPC, Modbus, Profibus, EthernetIP, DNP3.0, CAN bus) that were built for robustness, speed and simplicity.
Historically, protection for ICS protocols also relied on isolation to avoid external risks, by creating a hard shell design that relied on security at the outer edges to protect the vulnerable core. This hard shell was achieved with the deployment of firewalled gateways at the border of ICS networks. However, with little or no deployment of AV or patching of systems inside ICS networks, once past the outer shell, the soft core is largely exposed. This approach was driven by legacy system restrictions and concerns over performance impacts and compatibility issues, which prevents operating system upgrades and system patches being applied.
Unfortunately, there are already plenty of examples where weak ICS security has led to cyber security breaches; giving unauthorised external parties the ability to take control of industrial systems. In the Water industry, hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water. In Power, hackers took a Ukraine substation offline, leaving more than 230,000 residents in the dark. Industrial has been targeted with a blast furnace at a German steel mill suffering massive damage following a cyber-attack on their plant's network. Transport environments, from roadside sensor vulnerabilities to smart cars, have also been breached.
The best example of a failed hard shell design is the StuxNet attack on Iran’s Plutonium enrichment program. It proved that even when systems are physically isolated from all external networks, they can still be compromised. Therefore, maybe we should acknowledge that the hard shell design is broken. Given the benefits of reducing production costs and inter-operability, hard shells will only continue to fail under the increasing pressure. So maybe it’s time to start building stronger protection within the soft core of traditional industrial networks?
Industry 4.0 requires a solution built on hardware that is not only ICS compatible, but is built from the ground up to exist and provide protection within dirty environments, where availability is key. The historical lag of industrial control systems and networks behind developments affecting corporate IT environments is fast disappearing under Industry 4.0, exposing the vulnerabilities of soft ICS core networks to evolving cyber threats.
The rise of the machines, or at least Industry 4.0 is happening. So rather than building a harder shell around our ICS, we need to start building cyber security tools into the core and use the lessons learnt from traditional IT evolutions, without losing sight of the unique and critical requirements of the industrial environment.