Cybersecurity for Industrial Control Systems
The hyper-convergence of Information Technology (IT) and Operational Technology (OT) has had profound impacts on automation and industrial control systems (ICS). The rise of the fourth industrial revolution, also known as Industry 4.0, leverages cyber-physical systems underpinned by embedded computing and the Internet of Things (IoT) to significantly increase the performance, scalability, and reliability of a plant; however, these enhancements don’t come without their own challenges. One such challenge is cyber security. The threat landscape in automation and process control systems is evolving at an alarming rate, with attack vectors continuously increasing in sophistication, frequency, and severity. The reality is that operators of critical infrastructure assets in all industry verticals, including Food & Beverage, are struggling to keep up with the growing number of attack mechanisms and of entities attempting cyber-attacks, also known as threat actors, from all over the world; in fact, cyber-attacks on critical infrastructure have evolved to be the new normal for operators.
Cyber-attacks on ICS assets are likely to cause harmful impacts such as degraded performance, availability or integrity of the control system or subsystem within an ICS ecosystem. Moreover, cyber-attacks can also bring devastating consequences to supply chains, national sovereignty, national security, public health and safety. As such, it’s imperative that organisations classify security considerations for critical ICS assets as a top priority, given the potential for negative repercussions from intentional and non-intentional cyber-attacks. Most security professionals would agree with the old colloquialism that an ounce of prevention is worth a pound of cure; however, prevention must be in alignment with a comprehensive risk management strategy underpinned by strong security controls.
There is a common misconception that the primary objective of cyber security should be to eliminate all security risks, exposures, and vulnerabilities; however, in my experience this is simply not feasible in most situations. Nothing is un-hackable. I believe that the main goal and objective should be focused on understanding the plant’s security risk profile and increasing its overall security posture, using a multi-layered holistic cyber-defence approach known as ‘defence-in-depth’. The reality is that every launched attack will cost time and money for threat actors; as such, they will normally focus on easy targets by finding easily exploitable system vulnerabilities and weaknesses. By raising the security posture of your ICS, you inherently raise the organisation’s security status to ‘too expensive to hack’, which considerably reduces the likelihood of becoming a target and victim of a cyber-attack. In simple terms, you should channel threat actors to easier targets by making your systems too expensive to attack.
Implementing a strong security posture for a cyber-resilient ICS is a challenging topic for most organisations. Moreover, there is currently a severe shortage of the industrial cyber security professionals required to help protect ICS assets for critical infrastructures in all industry verticals, and sadly this shortage is expected to get much worse in the foreseeable future. As a result, for organisations to have a fighting chance of protecting themselves against the evolving cyber security threat landscape, automation is currently the most efficient and effective way to drastically reduce the volume of threats and to enable continuous threat detection, prevention and remediation of known threats, in addition to zero-day exploits, in near real-time. The good news is that several OT-centric industrial cyber security solutions have been developed in recent years that leverage automation coupled with Artificial Intelligence (AI) and Machine Learning (ML) to provide operators with actionable intelligence on their critical ICS assets in near real-time. Moreover, many of these security solutions operate in passive mode, which is a crucial element for mission-critical and safety-critical systems; in other words, the security solutions should not have the potential to harm the availability, performance, or integrity of the ICS ecosystem.
Modern cyber-attacks require modern solutions. Organisations which try to defend against the growing sophistication of the cyber-threat landscape using manual efforts will find themselves at a significant disadvantage, facing unfavourable odds against very determined threat actors. Security automation tools should be leveraged whenever possible to help ensure a strong security posture of the ICS infrastructure and increase the chances of defeating threat actors and their often-devastating attacks. When it comes to industrial cyber warfare, automation is the ultimate equaliser.
By Serge Maillet, Siemens Australia and New Zealand
Serge Maillet is the Industrial Cyber Security - Country Segment Manager for Siemens Digital Industries in Australia and New Zealand. Serge has an engineering background in industrial (OT) networks and holds a Master of Science degree in Cyber Security. He helps organisations in all industry verticals with increasing their IT-OT cyber security posture and compliance for critical infrastructure assets.
A version of this article was originally published as 'Building Cyber Resilience for Industrial Control Systems' in Process Online, October 2020.