Cybersecurity? - “Do I feel lucky?”

That’s’ a quote from one of my all time favourite movies. Here’s the full quote for Harry fans:

“I know what you're thinking. "Did he fire six shots or only five?" Well to tell you the truth in all this excitement I kinda lost track myself. But being this is a .44 Magnum, the most powerful handgun in the world and would blow your head clean off, you've gotta ask yourself one question: "Do I feel lucky?" Well, do ya, punk?

What’s this got to do with Cybersecurity?

You've got to ask yourself one question. “Do I feel lucky about the security of my automation control system, and its robustness to a cyber attack?” If you are reading this article when published [2017], then the chances are that you have not been impacted by a cybersecurity breach …yet. However, statistics indicate it’s only a matter of time with a +2100% increase in the number of cybersecurity incidents over last 3 years rising to 140 million incidents in 2015, and an estimated 300,000 new malware programs now being created daily…

Is this relevant to my Automation Control System?

We can understand why Industrial Control and Automation systems are now under threat – Go back a decade or two, and generally, control systems were not connected to the outside world. They would have generally used proprietary software and communication protocols, making them nigh on impossible to connect to in an unauthorized manner. Control systems have evolved with IIoT technology, smart devices with open Ethernet communications, on-board webservers providing easy to navigate system and application diagnostics. Control systems are connected. This could be to the outside internet, but more likely to intranets, or to allow for remote connection for monitoring and diagnostics.

Where do the threats come from ?

News stories about cybersecurity attacks are all too frequent. Malicious terrorist attacks that target large manufacturers or critical infrastructure. Others where invisible hackers are phishing or searching for soft undefended targets. These hostile attacks, or theft of intellectual property or private information may seem less relevant to the average small/medium sized user of automation equipment. However threats can come in from different sources – and all can have devastating impact on the run-time, performance, efficiency and safety of the application being controlled. Closer to home these threats can come from within the organization, or supply chain. The most vulnerable point is the people who administer the systems – and cyber threats could be intentional (the disgruntled employee) or accidental (where the right levels of defence are not installed).

Not one, but Four Questions

Anyone signing the cheque for new investment in cybersecurity solutions will first need an understanding of the level of risk and implications before possible solutions can be evaluated. As equally important however is the ongoing maintenance and updating of the cybersecurity system once created. We can expand our first question to four key questions. If an unauthorized user can get access to my control system:

1. What could go wrong ?
2. What is the impact (personnel / environment, safety, lost production, financial recovery) ?
3. What do we have in place (or need in place) to prevent this from happening ?
4. How do we ensure that (3) is working ?

 
Cybersecurity certification - Achilles Level 2

Cybersecurity risk assessment, site audits, consultation, installation, maintenance is offered by responsible control systems manufacturers such as Schneider Electric, who are also designing cybersecurity methods into new generation automation platforms such as Modicon M580 ePAC and Altivar Process variable speed drives, which carry cybersecurity Achilles Level 2 certification. The devices can be easily secured (no IT skills required) to prevent unauthorized access with a suite of security layers including encrypted logins, passwords, IP filtering, firmware signatures, Syslog events recorder and IPSEC protocol.

 Modicon M580 ePAC Controller - Achilles Level 2 certified

 Defence in Depth

Of course the “hardened” Achilles Level 2 certified device is only a small piece of your cybersecurity solution. It is important to create a multi-layered security plan. Schneider Electric has published a guide (attached to this article) which recommends a ‘Defence in Depth’ approach, exploring the six key layers of defence that can help a company to assess its needs and vulnerabilities and develop a security policy including:

1. Security planning
2. Network separation
3. Perimeter protection
4. Network segmentation
5. Device hardening
6. Ongoing system monitoring and updating