How to secure the connected industry
The inexorable rise of the Internet of Things and Industry 4.0, with the resulting networking of a large number of systems and objects, has made it clear that facilities and data must be secured against hackers. ICS Forum tips for starting off on the right foot. Maurizio Cacciamani
The first ICS Forum - Industrial Cyber Security proved a huge success in terms of visitors, an inevitable outcome given the urgent importance of the subject matter. Held in Milan in late January, organized by Messe Frankfurt in partnership with Innovation Post, this event represents another entry on the agenda leading up to SPS IPC Drives Italia.
On the table was the theme “Culture and technologies for a secure connected industry”. The participation of over 500 people at this event shows that interest in cyber security (henceforth referred to as CS, Editor’s note) and in the tools for applying it is higher now than ever before.
In an opening address, Messe Frankfurt Italia CEO Donald Wich discussed the necessary project of bringing as much clarity to this issue as possible. Reminding his audience that the theme of Expo 2020 in Dubai will be “Connecting minds, creating the future”, he confirmed that CS will feature prominently at the upcoming SPS in Parma.
Fabio Marchetti of ANIE then stressed that the Calenda plan, now in effect, has acted as a major catalyst in this field: industrial software is an essential building block of a functioning Industry 4.0 and must be protected with the utmost security.
The situation today
Industrial systems that, with some exceptions, were effectively segregated (perhaps partly due to a certain backwardness) are now suddenly exposed to external attacks that had previously threatened only a company’s IT.
This situation is set to worsen, making it necessary to protect one’s business not only from malware, but also against criminal attacks that attempt to steal company secrets (intellectual property such as pending patents, recipes, designs and business strategies). Not only the number of attacks but also their severity is rising, with double-digit growth. Everybody assumes the attacks are targeted. In reality they are standard and predictable, and criminals prefer easy-to-infiltrate systems with few or no protective measures.
Since it is very easy to find information on key IT personnel (or OT or HR), attackers craft personalized emails to insinuate themselves into the systems of these individuals. Hackers attack vulnerable devices, such as those based on Android, which are also used for infotainment in cars. That CS is still not taken seriously is demonstrated by the fact that the addresses of 147 connected PLCs can be found online, and can thus be attacked easily.
The good news is that such connections are still small in number. For example, only 14% of companies in the USA are interconnected.
What is to be done
Keeping in mind that there is no such thing as complete protection from hackers, it is very important to raise awareness of CS at all levels of the business. To this end, one useful strategy is forming committees that include top executives to plan and oversee CS implementation and monitor attacks.
Feasibility assessment. Many stop here. Although it is an important step, it is not enough protection. It is not enough to know where the insecure access points are! It is still essential to understand what needs to be implemented before getting started.
Cyber Security Check. To get started, it can be useful to go through the 14 simple questions of Assolombarda’s Cyber Security Check, in order to evaluate the level of security and the company’s exposure and to perform a general risk assessment. Anyone can contact Assolombarda for individual assistance (cybersecurity.assolombarda.it).
Study the US regulations, IEC 62443 and the European ISO 27001 regulations. This body of standards indicates how to manage security, which issues have solutions, which products to use and how to segment the network structure (cells, connections, protection).
What are the advantages of certification? Firstly, good practices, preventive measures and assessments are applied. The US regulations are the first to address the relationship between personal and machine safety (IEC 61508) and CS (IEC 62443).
Make use of the centers set up by suppliers. Such is the case of ABB and GE, which have developed centers for utilities equipped with monitoring systems and backups that enable a quick restart following an attack. Saipem also provides its customers with similar services, while Uni Roma3 has developed dedicated software that can be used by utilities as well as other businesses.
The problems to be addressed
The problems raised during the round tables are summarised below.
- The human factor in CS matters, and a lot! A recent study has shown that 60% of people click where they shouldn’t, and 43% (including executives) hand over enterprise credentials.
- The lack of dialogue between IT and OT, which have always worked in different environments, is an obstacle: IT sees CS as a challenge and tries to keep up with it, simulating potential attacks; OT is more conservative and less willing to change, and waits for attacks to occur, even if it is now more sensitive to the subject. The Internet-Cloud-hardware-software concept has still not been absorbed by OT operators.
- OT and Industry 4.0 have favored the use of components not designed for the new forms of communication, so highly insecure and uncertified systems have been put in place.
- One needs to be aware that an intrusion into production systems, besides resulting in data theft, can also cause physical damage and harm to operators through corrupted software.
- OT systems use a variety of protocols, some outdated (running on a Windows XP that can no longer be updated) and others that are updated only slowly; the systems usually operate in critical environmental conditions that favor attacks. In the industrial field, SCADA, robot, AGV, tablet and mobile phone systems are the most vulnerable to attack.
- Old habits are hard to eradicate: in the industrial sector USB keys are still used to update software ... one of the Trojan horses of malware!
- In Italy, entrepreneurs who are highly responsive to the market invest in new systems while neglecting CS or only considering it later.
- The difficulty of updating industrial software remains, as it always requires unscheduled downtime that is not tolerated within the company: continuous operation, and hence productivity, takes pride of place over CS.
How to protect oneself
The best antivirus is ... good old common sense.
• The first need is to make the people working within the company aware that it is not a question of “if” there will be an attack, but “when” it will happen.
Given that security is not a cost but a long-term investment, as a minimum IT-type protection should be applied.
• Strict monitoring should be carried out to detect the symptoms of ongoing attacks in time, to plan for and forestall possible attacks, and to be able to return to initial conditions as soon as possible. It takes companies months, some even a year, to realize they are under attack!
• The cloud may be a solution for CS, but the security problems of the industrial systems themselves must be solved first. Clouds nonetheless expose data to attacks; it is prudent not to use them, as someone intended, to store patents and designs!
• Keeping machine and general operating systems up to date is paramount. Operating system updates, though, may only be installed after the compatibility test (typically performed by the vendor) has been carried out; an untested patch should not be installed, as the remedy might be worse than the disease.
• Only use guaranteed CS products sourced from endorsed premium CS suppliers.
The guarantee should also apply during transportation of the product, to avoid duplication. Choose tested and “designed by” technologies in order to solve your own specific CS problems.
• Take out insurance to cover the damage from hacker attacks, covering civil liability/forced non-fulfilment, interruption of third parties’ activities, remedial measures, cost of notifications, forensic investigation and interruption of one’s own work. Reputational damage, the damage associated with business risk and, of course, software updating and staff upskilling cannot be insured against. Supply contracts should be re-read in the light of the conclusion of an insurance contract. Insurance, as demonstrated by recent cases, can save the life of a company!
• Training personnel not only on the new regulations governing privacy (we will talk about that further on) but also on CS is deemed fundamental. As mentioned above, the human aspect is one of the weak points. Possible countermeasures? Internal phishing campaigns, for example, awareness campaigns and simulated attacks to gauge the reactivity of company personnel, all obviously devised and designed in collaboration with HR.
What the future holds
Thanks to the development of blockchains, security operations will be streamlined and automated even as they become increasingly complex. Decentralized systems, very small open-source application layers and non-erasable information are the benefits offered by this technology, not to mention the use of artificial intelligence to analyse malware.
A review of the coming deadlines
• On 25 March 2018 the new rules on the protection of personal data, including information about employees and customers, the so-called GDPR (General Data Protection Regulation, EU Regulation 2016/679), come into force. The hope is to help change the perspective: from privacy regulations to be complied with to planned activities for the protection of personal data.
• Under the new rules, violations must be assessed and reported to the Garante (the Italian data protection authority). In the event of a serious anomaly the customers must be informed, notwithstanding any resulting loss of image. It should be noted that, as of the announced date, the theft of information becomes a prosecutable offense. It is hoped that this new law will act as a stimulus to unlock company budgets for spending on CS. Those interested in managing GDPR internally can find more information on the Italian data protection Commissioner’s website (http://bit.ly/Garante_GDPR).
• By 9 June 2018 the Italian Government must approve the new European Directive 943 on the protection of know-how and confidential business information (trade secrets) against their illicit acquisition, use or disclosure. Companies will therefore be in a position to organize effective activities to protect their industrial secrets, and must be able to prove that those secrets exist. This means arranging protective measures and incurring costs to keep the secrets of one’s customers, suppliers, strategic plans, etc.
• To help companies and institutions defend their strategic infrastructure (energy, transport, defence) from cyber attacks, the European Commission is bound to establish a new Cyber Defence Agency by September 2018, replacing the current one, which has reached the end of its mandate.
• Italian approval of Directive No. 1148/2016, the Network and Information Security (NIS) Directive, is pending. The directive came into force on 8 August 2016 and lays down measures for a high common level of security of network and information systems in the Union; its aim is to achieve a level of network and information system security common to all EU Member States.
• The three key points of the NIS directive are: improving the CS capacities of the individual States of the Union; increasing the level of cooperation between the States of the Union; and obliging operators of essential services and digital service providers to manage risks and to report incidents of a certain gravity. Every State, if it does not already have one, should in fact adopt a national cyber security strategy that defines strategic objectives, appropriate policies and regulatory measures. The national strategy should include strategic objectives, priorities and governance; the identification of preventive, response and recovery measures; sensitization, training and education; encouragement of cooperation between the public and private sectors; and a list of the actors involved in implementing the strategy.
Round tables and workshops
Four round tables were on the agenda at ICS Forum – Industrial Cyber Security: two in the morning, coordinated by Franco Canna of Innovation Post, and two in the afternoon, coordinated by Jole Saggese of Class magazine, with the participation of thirty or so speakers who provided insights on the following topics:
- Industrial cyber security in the course of the digital transformation of manufacturing enterprises, with numbers on cyber risk, risk assessment and tips for SMEs.
- Legal issues and regulations governing cyber security, from the Network and Information Security Directive (NIS) to the General Data Protection Regulation (GDPR). Risk management strategies.
- Leaders and technologies bringing us closer to a secure connected industry.
- Dissecting SCARA (in)security.
The event was completed by eight workshops with Siemens, Phoenix Contact, Schneider Electric, Sigla Group/Stormshield, Kaspersky, ESA Automation/KPMG, Fortinet and Servitecno. The Forum also featured an exhibition, with the participation of twenty or so operators, organizations and publishers.
Maurizio Cacciamani
Marcom specialist & technical writer about automation, innovation and packaging