Don’t run away yet! This era is not about machines enslaving humanity (at least, not yet…) but about the introduction of elements (IoT devices, cloud environments, AI, Big Data, SIEM, IDS…) into industrial control systems (ICS) that improve their operation, maintenance, effectiveness, efficiency… and their safety. But… what is Industry 4.0?
“Industry 4.0: It refers to the fourth industrial revolution, which is based on the real-time availability of all relevant product information, provided by an accessible network throughout the value chain, as well as the ability to modify the optimal value flow at any time.
“This is achieved through digitalisation and the union of all the productive units of an economy. This requires the fusion of technologies such as Internet of Things (IoT), computing and cloud, big data and cybersecurity, as well as the complementary ones: mobile, analytics, M2M, 3D printing, robotics and community/sharing”. (Source: https://www.industriaconectada40.gob.es/)
Already in 2015, the current chairman of Telefónica, José María Álvarez-Pallete, at the Ministry of Industry, Energy and Tourism, had a clear vision:
“This fourth industrial revolution arises from the union of industry and the physical world with the world of telecommunications and software, […] the fusion between the “normal” world and the logical world and it represents a qualitative leap in the organization of industrial models. Everything will be connected, absolutely everything”.
Among the digital enablers of Industry 4.0, two are transversal and essential for the digital transformation and its path towards the industry of the future:
- Connectivity, the basis of the new connected industry and that which guarantees the availability of relevant information in real time.
- Cybersecurity, as a result of the above: the interconnection increases the exposure area and therefore the risk.
It is on this road to digitisation and the connection of industrial processes that cybersecurity becomes necessary in operational technology (OT).
What are OT systems?
We understand OT to be those technologies and control processes related to production, traditionally isolated and now connected to corporate networks: devices are now connected to the corporate IT network, so that the company’s management can make agile decisions based on the aggregated processed data from the production plants. All this with the aim of improving the company’s competitiveness and profitability, improving efficiency in the use of resources, shortening delivery times, personalising production, etc.
As connectivity increases, the area of exposure to potential cyberattacks increases too. Added to this larger exposure area is the lack of cybersecurity maturity of OT processes.
A clear example would be a remote station consuming a specific resource. Maintaining and operating the station would possibly have a high cost, including the need for onsite people and controls to certify its correct handling, maintenance and operation. However, the operation of the same station from a node that would gather the operation of several stations through a secure connection and a software solution would drastically reduce the cost.
In addition, this software can allow the automation and configuration of certain processes and parameters, enabling a more intelligent consumption of resources (efficiency) as well as the fine-tuning of production, improving its effectiveness.
Corporate Cybersecurity (IT) Versus Industrial Cybersecurity (OT)
Corporate cybersecurity is concerned with the protection of that company information which is processed, stored and transported by interconnected systems. The important thing is the data based on three parameters:
- Confidentiality: protecting information from unauthorised access and improper disclosure.
- Integrity: protection against unauthorised modifications.
- Availability: protection against interruptions in access.
In the industrial environment (OT) the important thing is the process. It must be considered that industrial processes interact with the physical world, unlike what happens in the corporate environment. Therefore, the impact of an incident can have physical consequences, that is, in the “physical world”, not only in the “logical world” as we saw in the previous quotation.
Beyond the economic or image damage, there can be personal injury, environmental damage, production interruptions, plant shutdowns, or what would be more worrying: alterations in the quality of the final products. In this case:
- Integrity is the most important thing: that data is not altered because it would be difficult to detect and correct.
- Availability: as soon as non-availability is detected, action can be taken to restart the process.
- Confidentiality is important but, in general, less than the previous ones.
In 2016, Industroyer malware affected Kiev, leaving the city with no power at all. Once it reached the industrial system, this malware took control of switches and circuit breakers using typical industrial communication protocols.
The malware is so modular that modifications can be implemented quickly to affect other types of systems. The fact that the protocols did not implement security by default meant that, once the infection was executed in the IT systems, control over the industrial devices was “simple”. By the way, a security patch for the devices affected by the attack had been available months before. Who remembered to update?
This classic example reflects the need to consider cybersecurity in IT and OT environments. Once the security of control systems, such as a PC or SCADA system, had been breached, the malware had a clear path to spread. The industrial protocols and devices had no additional security measures in place and were even out of date. Several fundamental measures for combating cyberattacks in industrial environments can be inferred from this reflection:
- Define security measures in the IT field that are aimed at protecting industrial systems and devices.
- Define security measures in the OT area to protect devices and protocols that may not have security implemented by default. Widely used protocols, such as Modbus (simple, public, but without defined security in the link layer or in the application layer), require measures to mitigate this lack of default security.
- Implement good practices defined in standards such as NIST’s “Cybersecurity Framework”, ISA / IEC 62443 or the National Industrial Safety Scheme (ENSI).
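One form the compensating measure for Modbus can take, shown as an added example that is not part of the original post: because a Modbus/TCP request carries no credential, a filter placed in front of the device can only decide on the source address and the function code. The addresses, the policy and the sample frames are constructed for illustration.

```python
import struct

# Function codes from the public Modbus specification.
READ_CODES = {1, 2, 3, 4}       # read coils, discrete inputs, holding and input registers
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils and registers

# Constructed policy: which source address may send which function codes.
POLICY = {
    "10.0.10.5": READ_CODES | WRITE_CODES,  # hypothetical engineering workstation
    "10.0.20.7": READ_CODES,                # hypothetical historian, read-only
}

def parse_adu(frame: bytes) -> dict:
    """Split a Modbus/TCP request into its MBAP header fields and PDU.

    The header holds a transaction id, protocol id, length and unit id:
    no field identifies or authenticates the sender.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def inspect(src_ip: str, frame: bytes) -> tuple:
    """Return (verdict, reason) for one request seen on the wire."""
    try:
        adu = parse_adu(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "drop", "source not in allowlist"
    if adu["function"] not in allowed:
        kind = "write" if adu["function"] in WRITE_CODES else "unlisted"
        return "drop", f"{kind} function {adu['function']} not permitted for source"
    return "allow", f"function {adu['function']} to unit {adu['unit']}"

# Constructed frames: read 2 holding registers; write single coil 1 ON.
READ_REQ = bytes.fromhex("000100000006" "01" "03" "0000" "0002")
WRITE_REQ = bytes.fromhex("000200000006" "01" "05" "0001" "ff00")

if __name__ == "__main__":
    for src, frame in [("10.0.10.5", WRITE_REQ), ("10.0.20.7", READ_REQ),
                       ("10.0.20.7", WRITE_REQ), ("192.0.2.9", READ_REQ),
                       ("10.0.10.5", WRITE_REQ[:-1])]:
        print(src, inspect(src, frame))
```

Every drop reason is worth logging: a write attempt from a read-only source is exactly the kind of event an OT monitoring tool should alert on.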
More details on OT security
OT security generally covers the security controls around Process Control Systems (PCS), Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) Environments, which are also collectively referred to as Industrial Control Systems (ICS) environments.
The OT (or ICS) environment uses common computer systems and devices, such as authentication servers, IP-based network switches and firewalls, as well as PC workstations that run the engineering software to manage the ICS devices.
Finally, it is important to highlight the volume of vulnerabilities we are talking about and the impact of the cyber-incidents generated. According to the Spanish National Institute of Cybersecurity, INCIBE, 207 security warnings related to the industrial sector were registered in 2019. The vulnerabilities registered through these warnings were mostly (over 75%) of high or very high criticality (more information at https://www.incibe-cert.es/blog/seguridad-industrial-2019-cifras).
Industry 4.0 is here to stay until it is overtaken by 5.0, but the cybersecurity challenges it poses make it necessary to take action and develop new solutions to ensure a safe use of this breakthrough.
Oh, I forgot… What is industrial cybersecurity then? According to the Industrial Cybersecurity Centre (CCI), “industrial cybersecurity is the set of practices, processes and technologies designed to manage the risk of cyberspace arising from the use, processing, storage and transmission of information used in industrial organizations and infrastructures, using the perspectives of people, processes and technologies”. (Source: https://www.cci-es.org/)
Industrial devices are closely related to critical sectors because of their impact on a country, such as the health, railway or maritime sectors. But in addition to the impact on the business and image of those affected, how, and in how many ways, could we quantify the damage caused by an industrial device that modified the composition of food or drink to make it harmful to humans, or that left an entire country without electricity or heating in the middle of winter? What if they were devices related to hospitals or nuclear or military devices? What impact would this have on the productive fabric or on the health of citizens?
All these aspects in each sector deserve separate comments. But that is another story we will see in other posts.