Industrial Safety & IT Security – The Threat Is Real
While IIoT has significantly improved performance and safety, companies must adopt best practices in cybersecurity to safeguard against malware and malfunctions.
As workplaces are getting digitally transformed improving productivity and raising efficiency, the small chink in the technology armour is often overlooked if not ignored. While the connected environment has facilitated many positive developments, it has also created vulnerabilities which the hackers and saboteurs are quick to capitalise on. Often managements are aware of the threat but not fully seized of the seriousness. How serious is the threat? Industrial Automation invited expert views on this topic for this month’s Cover Story.
“Network level vulnerabilities are the most common form of vulnerabilities observed nowadays. The most common attack is the MITM (man-in-the-middle) form of attack, where an attacker can intercept the network requests made by the victim, which means the attacker can track you online and in fact steal your credentials such as of your bank account and social media accounts,” says Athul Jayaram, Consultant, IT & Security. “We should not underestimate the potential impacts of threats on industries and the control systems that drive their operations. While not every threat is necessarily going to stem from a malicious attacker, the scale, complexity and accessibility of today’s connected control systems already make them more susceptible to risks than they were just a few years ago,” opines Doug Wylie, CISSP, Director – Industry Practice Area, SANS Institute.
The problem is complicated by the fact that the connected plant or workplace just does not have a single point of contact with the Internet, which is all pervasive. “Every connection to a system represents a potential attack vector or threat source. Minimising this type of threat is referred to as ‘reducing the attack surface’. All connections must be reviewed and approved only after completion of a detailed risk assessment that considers not only the nature and probability of the threat, but the potential severity of the consequence,” stresses Eric C Cosman, Contributing Consultant, ARC Advisory Group, USA.
“For everyday Internet users, computer viruses, malware are one of the most common threats to cybersecurity. In computing, it holds a very similar meaning – a Trojan horse or ‘Trojan’, is a malicious bit of attacking code or software that tricks users into running it willingly, by hiding behind a legitimate program. A DDoS attack, or distributed denial-of-service attack, is hard to overcome. Since the attack comes from so many different IP addresses simultaneously, a DDoS attack is much more difficult for the victim to locate and defend against,” cautions G Subramanian, CISA / CISM / C/CISO / ISO 27001 LA / Information & Cyber Security Advisor.
According to Karthik Damodaran, Cybersecurity and Information Security Compliance & Risk Analyst, the threats are very dangerous in the IIoT space because of critical vulnerabilities, usually zero-day threats, exploited in the ICS network environment that involves a lot of heavy machinery and equipment such as industrial robots, conveyor systems, furnaces, nuclear centrifuges, etc. “In the information security world, we protect data by evaluating and enforcing Confidentiality, Integrity and Availability of data whereas the threat landscape of the industrial world is different where we protect data by measuring the Security, Privacy and Safety of the interconnected mechanical ICS components. Cyber attacks such as data breach, DDoS, malware, etc., will not only result in the loss of confidential and proprietary information, breach of trust and brand damage, but might result in a catastrophe as it greatly involves loss of our workers’ lives and safety,” says Karthik.
So how can organisations address the issues of cyber attacks and IT security in the age of connected plants? “It is a myth that cyber attacks happen only because of connectivity. Yes, insecure connections are one of the ways in which automation and control systems can be attacked, but it is not the only one. You need a comprehensive approach to secure systems that includes technical as well as non-technical – organisational and administrative – measures,” asserts Mandar Phadke, Head – Indian Operations, Risknowlogy GmbH, Switzerland.
“The increased connectivity and dependence on automation raise the exposure of process plants to cyber attacks. Despite the higher exposure, newer technologies allow a continuous monitoring of anomalies and any strange behaviour is considered a threat and the malicious data can be isolated. Furthermore, artificial intelligence can be a powerful tool to help organisations detect threats in real time, avoiding prejudice to economical results and security. Of course, it’s necessary to have adequate investment in a robust system to achieve this goal,” says Dr Marcio Wagner da Silva, Process Engineer & Project Manager, Crude Oil Refining Industry. “Today, no industry is immune to cyber threats. While more connectivity, especially in industrial automation or manufacturing industry, has brought significant benefits in the production figures and overall business growth, the security point of view has been put under the radar due to the added challenges that appeared with digitisation,” maintains Paresh Makwana (CISSP), International Identity, Cybersecurity, Cloud Computing expert in Government and BFSI sector.
“Organisations should get moving quickly on performing unbiased security gap assessments (especially for existing systems) and accordingly implement more robust cybersecurity practices and thoroughly follow documented policies. It’s like if you don’t know that you really have a gap in your security system, how are you going to solve the problem? Rather it is often observed that organisations that skip the gap assessment and risk ranking exercise end up wasting money on risks that actually need less attention but forget to invest money in risks that need urgent action,” says Shivendra Kapoor, Sr Manager – Functional Safety, Chola MS Risk Services.
“Endpoint encryption, secure communication between dissimilar devices are some of the strategies that shall be implemented through a well-thought out plan. Within a plant, there are numerous entry points or vulnerabilities. These are in package PLCs, control systems, skids, instrument shelters, etc. Each must be meticulously identified and plugged. Open WiFi communications, unused ports on switches, unused ports on devices are examples of entry points. Each unit of a connected plant should be separately examined for vulnerability and the connected plant itself should be treated as a monolith that is to be secured. Whitelisting, blacklisting, check gates are some more implements that can strengthen the IT security,” says Wijay Godbole, Vice President – Projects, Process Automation.
One major threat comes from growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats? Athul Jayaram is of the opinion that these newer technologies are highly insecure and often vulnerable to wide range of attacks. Users should always protect their resources and prevent public exposure of their resources. “Even though contemporary IIoT and cloud-based architectures are uncovering new threats, in many ways companies can actually enjoy greater return on security investments than to continue to limp along with legacy, unmanageable systems that are locked into a past of one or two decades ago,” says Doug Wylie. “The best response here is a well-formulated technical architecture that provides principles, models and standards that are used to make decisions about if and where to connect such devices. Available standards and practices provide considerable guidance in this area, representing ‘prove and effective engineering practice’,” opines Eric Cosman. “In near future, the abundance of IoT devices would give more attack vector to the cyber crooks from where they can serve their purpose,” says Paresh Makwana.
What about internal vulnerabilities like USB devices that are the result of lack of awareness? “Yes, internal vulnerabilities are also to be considered, as training to employees is not adequate on the policies and procedures implemented and on information security best practices, e.g., phishing mails, or pop ads, etc.,” feels Subramanian. “USBs are among the most common devices used for cyber attacks,” says Shivendra Kapoor. Karthik is of the opinion it is highly difficult to restrict USB access in an ICS environment as computer systems and workstations are connected to specialised hardware via USB ports. “It is very important for organisations to follow a good Cyber Hygiene to detect, block and manage unauthorised USB devices proactively,” he adds. On the other hand, Mandar Phadke says employees of most companies that he has interacted with have some idea about cybersecurity, but none about industrial cybersecurity. “That is why we have a new learning course on Industrial Cyber Security. It is a very comprehensive course that covers everything, including USB vulnerabilities,” says Mandar, with a trainer’s perspective.
But Dr Marcio Wagner da Silva is of the view that any training is insufficient, especially in the Industry 4.0 scenario. “Increasingly, continuous training and self-development are necessary, any operational system will present vulnerabilities and the continuous learning and training is a fundamental part of the strategy to deal with this threat,” he asserts. Paresh Makwana feels training the employees is highly essential to avert any damage in the internal network periphery. “Only a trained and alert individual can stop any suspicious activity in the network and save the organisation from any cyber threat by staying away from phishing emails, refraining from using unknown and non-quarantined USBs for official devices, mitigating malicious insider threats, securing privileged accounts from suspicious users, etc.,” he adds.
Well, when it comes to safety and security, often there is a tendency to cut corners. Do companies compromise security by their unwillingness to spend, attributing it to risk appetite? Athul Jayaram says companies should not compromise on cybersecurity at any cost. They should have a good budget to protect the cyber resources of the company. A cyber breach to any large corporation costs minimum five million dollars and also leads to loss of brand value. G Subramanian is blunt. “Yes, there are companies unwilling to spend on security –information, cyber and physical – till they face a cyber attack. It is not about the risk appetite, it is all about the carelessness,” he says, without mincing words. Doug Wylie has a more nuanced perspective on this. “Security maturity and program effectiveness cannot be measured by the amount of risk a company is willing to take, nor how much a company spends on their security program, or lack thereof. If there is a disconnect and difference between how a company’s leadership perceives corporate risk when compared to those responsible for managing IT and OT risks, it often leads to unrealistic corporate budgets that fall short of adequately addressing a company’s actual needs,” says Doug.
Eric Cosman is of the opinion that if a company has the necessary (accurate) information about threats, vulnerabilities and potential consequences they are free to make a determination about the level of risk that they choose to accept. Since there is no such thing as “zero risk” it follows that such acceptance will decrease security beyond a certain baseline. “When there is a conscious decision to accept a level of potential risk it is essential for the asset owner to have appropriate contingencies and responses in place to increase the resilience of the system in case of a successful compromise,” he asserts.
So is there an ideal solution that reaches a fine balance? “Cybersecurity must never be a subject of cost-reduction. The degree of severity and depth of implementation may vary based on an organisation’s exposure. Cybersecurity must be treated as a life saving measure and not as a ‘compliance tick mark’,” says Wijay Godbole. Shivendra Kapoor agrees with this observation. “With mounting expenses and stiff competition it’s becoming tedious for organisations to maintain healthy bottom-lines. But this does not mean that basics should be compromised. In this ever increasing digital age where everything is connected and extensive networking is on the rise, there is need for strict discipline in the way we currently look at and deal with cybersecurity,” he says.
“Conduct vulnerability assessment and penetration testing at regular period preferably weekly. Also have a bug bounty program where researchers can submit bugs and get rewarded for the same,” says Athul Jayaram. “In any organisation, privileged accounts are always vulnerable and targeted by the hackers since these are the gateways to confidential information. Privileged Access Management (PAM) is the only robust solution that can predict, protect and prevent privileged accounts from being compromised by cyber criminals,” says Paresh Makwana.
“While there is no ideal solution to align company spend with the ability to counteract every risk, an effective and comprehensive security program will take into consideration a combination of technology matched to educated personnel and established and tested processes,” is how Doug Wylie sums it up.
‘There is no mandatory standard like OSHA-PSM in India’
-PN Parikh, ISA/IEC 61511 – SIS Specialist.
What exactly is Safety Instrumented System and how is it integrated into a typical plant environment?
Safety Instrumented System is an independent protection layer with specificity, effectiveness and audibility to reduce the risk of hazard in addition to conventional control system.
What is the relevance of Safety Integrity?
It is a performance based measure to reveal "How Safe is safe-enough" in terms of Process Safety of Safety Instrumented Function.
What is the role of IEC 61508 and IEC 61511 in plant safety?
IEC 61508 is an umbrella standard, common to all industry with focus on products/devices manufactured. IEC 61511 is a standard specifically developed by end-users for the Process- Industry for Plant safety.
Has the proliferation of digital devices with greater connectivity changed the plant security landscape for the better?
Not really. Digital devices’ connectivity through bus requires special care to monitor the integrity of data transmission. Some have developed SIL-3 level of Integrity in digital data transmission from digital devices (Profisafe).
Speaking of plant safety in the Indian context, is the regulatory framework and compliance awareness on par with the global standards?
No, there is no mandatory standard like OSHA-PSM what they have in USA in India, which considers IEC 61511 (ISA-84 in USA) as accepted standard to be followed for safety of people, property and environment.
(PN Parikh is ISA-SIS Course Instructor, Sector Expert-PAT Scheme (Chlor-Alkali), BEE, Ministry of Power, GoI.)
Pix1: ‘Companies should not compromise cybersecurity at any cost’
Athul Jayaram, Consultant, IT & Security.
Pix2: ‘We should not underestimate the potential impacts of threats on industries’
Doug Wylie, CISSP, Director – Industry Practice Area, SANS Institute.
Pix3: ‘Every connection represents a potential attack vector or threat source’
Eric C Cosman, Contributing Consultant, ARC Advisory Group, USA.
Pix4: ‘It is not about the risk appetite, it is all about the carelessness’
G Subramanian, CISA / CISM / C/CISO / ISO 27001 LA / Information & Cyber Security Advisor.
Pix5: ‘Cyber attacks such as data breach, DDoS, malware, etc., might result in a catastrophe’
Karthik Damodaran, Cybersecurity and Information Security Compliance & Risk Analyst.
Pix6: ‘It is a myth that cyber-attacks happen only because of connectivity’
Mandar Phadke, Head – Indian Operations, Risknowlogy GmbH, Switzerland.
Pix7: ‘Increased connectivity and dependence on automation raise the exposure to cyber attacks’
Dr Marcio Wagner da Silva, Process Engineer & Project Manager, Crude Oil Refining Industry.
Pix8: ‘Abundance of IoT devices gives more attack vector to the cyber crooks’
Paresh Makwana (CISSP), International Identity, Cybersecurity, Cloud Computing expert in Government and BFSI sector.
Pix9: ‘USBs are among the most common devices used for cyber attacks’
Shivendra Kapoor, Sr Manager – Functional Safety, Chola MS Risk Services
Pix10: ‘Each unit of a connected plant should be separately examined for vulnerability’
Wijay Godbole, Vice President – Projects