Reducing Security Risks Through Authentication and Encryption
Long gone are the days when automation systems could rely on security through obscurity to avoid computer attacks. Attacks on industrial systems are an ever-increasing threat, and the potential losses from an attack are large.
The good news is that with careful system design and security-aware practices, security risks can be controlled. Network design complying with the ISA-99 standards places barriers between external threats and an industrial control system. Properly configured security options on control system equipment erect further barriers to attacks. Creating and adhering to safe operating policies can limit threats from non-network sources (e.g. thumb drives, physical access by unauthorized personnel, etc.).
There are many types of threats, ranging from malware to hackers to disgruntled employees. Some industrial sites even need to consider attacks from competitors and state-level cyber warriors. To slow or stop cyber attacks, a combination of security policies, practices, devices, and software must be employed. None of the many automation security defenses can on its own prevent all types of attack. However, when employed together following a defense-in-depth strategy, they can significantly reduce the risk and the associated consequences. Here are some of the tools and techniques that can be employed.
A regular, controlled, systematic process for patching your software is a key defense against malware. Microsoft, Siemens, and many other vendors provide software updates that contain fixes for security issues. Users should monitor their respective vendors for these updates and install them in their control systems as soon as possible after they become available. Keeping your systems up to date with all security-related patches is one of the single most important things you can do to improve the resistance of your systems to cyber attack.
Virus-scanning software recognizes known malware and attack mechanisms by identifying patterns in the code. Virus scanners usually include simple intrusion detection features, watching for suspicious activity on ports and in web browsers. Because virus scanners are effective against the known universe of malware, they are widely used.
Whitelisting is the mirror image of virus scanning: where a virus scanner blacklists known malware patterns, whitelisting blocks every program that has not been explicitly added to the whitelist. This prevents unlisted programs, including malware, from running on the computer.
Firewalls block communication from unauthorized sources or of unauthorized types. They are key to keeping unwanted Internet traffic out of an automation system network and can also be used to limit traffic attempting to leave (egress) that network. However, a firewall is only as effective as its configuration, and configuring it correctly is not an easy task. Network architecture directly affects this: a poorly partitioned network requires very complex firewall rules.
Intrusion Detection Systems (IDS) detect attacks so that countermeasures can be employed. Network intrusion detection systems monitor network traffic for abnormal activity. To be effective, an IDS must encode detailed knowledge of what activity is normal for the particular network it watches. An IDS usually reports intrusions via log files, and for the IDS to be effective these logs must be reviewed regularly.
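The "detailed knowledge of what activity is normal" can be as simple as a learned set of conversations. The Go program below is an added example and not part of the original article: it builds a baseline from constructed sample sensor lines (the hosts, timestamps and ports are invented for the example), skips malformed lines, and then flags conversations in later traffic that the baseline has never seen. A real IDS adds signatures, rate and time-of-day features and a review workflow for its log, but the principle of encoding "normal" and alerting on deviations is the one shown here.

```go
package main

import (
	"fmt"
	"strings"
)

// flow is one conversation as a simple network sensor logs it.
type flow struct{ src, dst, port string }

// parseFlows reads lines of the form "<timestamp> <src> -> <dst>:<port>" and skips
// anything malformed: a sensor log is input from the network and is treated as such.
func parseFlows(log string) []flow {
	var out []flow
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "->" {
			continue
		}
		host, port, ok := strings.Cut(f[3], ":")
		if !ok {
			continue
		}
		out = append(out, flow{src: f[1], dst: host, port: port})
	}
	return out
}

// Baseline is the encoded knowledge of what is normal: every (src, dst, port)
// conversation seen during a learning window on an already segmented network.
type Baseline map[flow]bool

// Learn records every well-formed conversation in log as normal.
func Learn(log string) Baseline {
	b := Baseline{}
	for _, f := range parseFlows(log) {
		b[f] = true
	}
	return b
}

// Detect returns one alert per distinct conversation that is absent from the baseline.
func (b Baseline) Detect(log string) []string {
	var alerts []string
	seen := map[flow]bool{}
	for _, f := range parseFlows(log) {
		if b[f] || seen[f] {
			continue
		}
		seen[f] = true
		alerts = append(alerts, fmt.Sprintf("new conversation %s -> %s:%s", f.src, f.dst, f.port))
	}
	return alerts
}

// Constructed sample log for the learning window: the HMI (10.1.1.5) polls the PLC
// (10.1.1.20) over Modbus/TCP and the historian (10.1.1.30) reads from the HMI.
const learningWindow = `2024-03-01T08:00:00Z 10.1.1.5 -> 10.1.1.20:502
2024-03-01T08:00:05Z 10.1.1.5 -> 10.1.1.20:502
2024-03-01T08:00:10Z 10.1.1.30 -> 10.1.1.5:1433
garbage line that a broken sensor might emit`

// Constructed later traffic: the usual polling, plus a host never seen before talking
// to the PLC and the HMI opening a connection to an address outside the zone.
const laterTraffic = `2024-03-02T03:12:00Z 10.1.1.5 -> 10.1.1.20:502
2024-03-02T03:12:01Z 10.1.1.77 -> 10.1.1.20:502
2024-03-02T03:12:01Z 10.1.1.77 -> 10.1.1.20:502
2024-03-02T03:12:09Z 10.1.1.5 -> 192.0.2.10:443`

// Demo learns the baseline and returns the alerts raised by the later traffic.
func Demo() []string {
	return Learn(learningWindow).Detect(laterTraffic)
}
```

Demo returns two alerts, one for the unknown host reaching the PLC and one for the HMI talking outside its zone; the repeated line from the unknown host produces a single alert, and the garbage line is ignored rather than crashing the detector. Those alerts are only useful if somebody reads them, which is the point the paragraph ends on.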
Passwords and other identification mechanisms are the most commonly employed information security mechanism. However, passwords have a key flaw: people are not good at remembering them. In addition, many automation and networking devices employ a small set of passwords tied to a permission level rather than to an individual user.
Centralizing password maintenance and implementing role-based authorization can increase the security that passwords provide. The idea behind role-based authorization is to give each user only the system permissions needed to accomplish the tasks that user is authorized to perform, and no others. If a computer or account is compromised, the attacker can then reach only the few areas that its role permits.
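As an added example, not code from the original article or from Siemens, the following Go program shows the two ideas of this paragraph in working form: a central directory of individual accounts, each with its own salted and stretched password hash, and a deny-by-default authorization check in which a user gets only the permissions of the roles assigned to them. The role and permission names, the user names and the PBKDF2 parameters are hypothetical; PBKDF2 is written out so the program needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// A Permission names one action on the control system; a role bundles the few a job needs.
type Permission string

const (
	ViewProcess, AckAlarm      Permission = "process:view", "alarm:ack"
	WriteSetpoint, DeployLogic Permission = "setpoint:write", "plc:deploy"
)

// Hypothetical role vocabulary: each role lists only what that job requires.
var rolePermissions = map[string][]Permission{
	"viewer":   {ViewProcess},
	"operator": {ViewProcess, AckAlarm, WriteSetpoint},
	"engineer": {ViewProcess, DeployLogic},
}

// account belongs to one named person rather than a permission level, so every login
// is attributable to an individual and can be revoked on its own.
type account struct {
	salt, hash []byte
	roles      []string
}

// Directory is the single, central credential store.
type Directory struct{ accounts map[string]*account }

func NewDirectory() *Directory { return &Directory{accounts: map[string]*account{}} }

const iterations, hashLen = 100_000, 32

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out here.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AddUser stores a salted, stretched hash of the password, never the password itself.
func (d *Directory) AddUser(name, password string, roles ...string) error {
	for _, r := range roles {
		if _, ok := rolePermissions[r]; !ok {
			return fmt.Errorf("unknown role %q", r)
		}
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	hash := pbkdf2SHA256([]byte(password), salt, iterations, hashLen)
	d.accounts[name] = &account{salt: salt, hash: hash, roles: roles}
	return nil
}

// Authenticate compares in constant time; an unknown user still costs one hash so the
// response time does not reveal which names exist.
func (d *Directory) Authenticate(name, password string) bool {
	acct, ok := d.accounts[name]
	if !ok {
		acct = &account{salt: make([]byte, 16), hash: make([]byte, hashLen)}
	}
	got := pbkdf2SHA256([]byte(password), acct.salt, iterations, hashLen)
	return ok && subtle.ConstantTimeCompare(got, acct.hash) == 1
}

// Authorize is deny-by-default: allowed only if one of the user's roles lists the permission.
func (d *Directory) Authorize(name string, p Permission) error {
	acct, ok := d.accounts[name]
	if !ok {
		return fmt.Errorf("unknown user %q", name)
	}
	for _, r := range acct.roles {
		for _, granted := range rolePermissions[r] {
			if granted == p {
				return nil
			}
		}
	}
	return fmt.Errorf("user %q is not permitted to %s", name, p)
}
```

With an operator and a viewer added, Authorize for the viewer refuses setpoint writes and PLC deployment while the operator's writes succeed, so a compromised viewer account yields nothing beyond read access. A production system would use a memory-hard function such as scrypt or Argon2 instead of PBKDF2 and would keep the directory in a hardened, centrally administered store rather than in memory.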
Certificate-based authentication uses cryptography to positively identify which computer and/or user is making a request. Its intent is to prevent man-in-the-middle attacks and to block all requests from unauthorized sources. It is much more secure than the common practice of accepting any computer that presents the expected address and computer name as being that computer.
Attackers try to defeat certificate-based authentication by breaking the cryptography, by obtaining a certificate from a trusted authority through illegitimate means, or by compromising a trusted computer and using its certificate to gain the trust of other systems.
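As an added example, not code from the article or from Siemens, the Go program below makes the two checks behind certificate-based authentication explicit: the presented certificate must chain to an authority the server trusts, and the peer must prove it holds the matching private key by signing a fresh challenge. TLS with client authentication performs these same checks inside its handshake (in Go, a tls.Config with ClientAuth set to tls.RequireAndVerifyClientCert); they are written out here as a plain challenge-response so that each step is visible. The authority and host names are invented, and keys and certificates are generated in memory for the run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus the private key that proves possession of it.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for name: a self-signed CA when parent
// is nil, otherwise an end-entity certificate signed by parent.
func issue(name string, parent *identity) identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return identity{must(x509.ParseCertificate(der)), key}
}

// Trust is the server's whole configuration: the one authority whose certificates it accepts.
func Trust(ca identity) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return pool
}

// Challenge is a fresh random value the client must sign; a fixed value could be replayed.
func Challenge() []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	return nonce
}

// Respond is the client side: sign the challenge with the key that matches the certificate.
func Respond(id identity, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, id.key, digest[:])
}

// Authenticate makes the two checks a TLS server makes for a client certificate: it chains
// to a trusted CA and is valid now, and the peer proved it holds the matching private key.
func Authenticate(roots *x509.CertPool, presented *x509.Certificate, challenge, signature []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, challenge, signature); err != nil {
		return "", fmt.Errorf("no proof of key possession: %w", err)
	}
	return presented.Subject.CommonName, nil
}

// Demo runs three clients against a server trusting only plant-ca: a properly issued one, one
// with the same name from another authority, and one holding the good certificate without its key.
func Demo() (accepted string, rogueErr, stolenCertErr error) {
	ca := issue("plant-ca", nil)
	good := issue("hmi-workstation", &ca)
	otherCA := issue("not-the-plant-ca", nil)
	rogue := issue("hmi-workstation", &otherCA) // right name, wrong issuer
	roots := Trust(ca)
	c := Challenge()
	accepted, _ = Authenticate(roots, good.cert, c, must(Respond(good, c)))
	c = Challenge()
	_, rogueErr = Authenticate(roots, rogue.cert, c, must(Respond(rogue, c)))
	c = Challenge()
	_, stolenCertErr = Authenticate(roots, good.cert, c, must(Respond(identity{good.cert, rogue.key}, c)))
	return accepted, rogueErr, stolenCertErr
}
```

Demo returns the name "hmi-workstation" for the properly issued client, an error for the same name issued by an authority the server does not trust, and an error for a copy of the good certificate presented without its key. The third case is why the last attack route in the text, taking over a trusted computer, succeeds only if the attacker obtains the private key along with the certificate; keeping keys in hardware or a protected store, and revoking the certificates of compromised machines, is the corresponding defense.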
Data encryption makes data sent over a network readable only by systems that hold the key needed to decrypt it. Such data may include credit card information, passwords and other valuable information. Network encryption is effective against network monitoring attacks because it makes the captured data unintelligible to the attacker.
Encrypting data on storage media can make the data inaccessible to unauthorized persons if the media are lost or stolen, and it makes storage modification attacks more difficult. As with certificate-based authentication, attackers try to defeat data encryption by gaining access to the encryption and decryption keys.
Managers must also provide media access control to counter attacks in which hackers use malware residing on removable storage media. Using USB memory sticks that carry malware to infect automation systems has become a common method of attack. One technique often used is the flash drive drop, where a pre-infected USB flash drive is mailed to a person within the targeted company, or simply left in a public place where it might be found, such as a site lobby.
The first line of defense is a good media control policy implemented by a trained workforce. In addition, media access control software is available to support enforcement of that policy.
No single approach will stop every attack. The degree to which an automation system needs to be protected is a trade-off between the potential cost and impact of a successful attack and the cost of implementing defensive measures. For example, the level of defenses required by critical infrastructure, such as power plants, is vastly different from that required by a small concrete plant.
All feasible defensive measures should be employed around the automation system. Access to critical systems should be sufficiently difficult to make hackers abandon their efforts, or systems should detect attacks before critical systems can be accessed. With multiple countermeasures, attacks not stopped by one defense may be stopped by another.
Once in place, defensive measures should be regularly reviewed to see whether they are still adequate to achieve the desired security level in the face of changing security threats. Cyber attack strategies and technologies evolve constantly, so protection schemes must follow suit.
To accomplish an effective layering of defenses, networks must be segmented into functional zones, with firewalls between all zones. This segmentation limits what information is available to an attacker should a computer be compromised. Different security zones will have different communications needs, and so will employ different firewall rules and other security measures.
A good way to begin improving your cybersecurity posture is with a Security Assessment. A Security Assessment is the first step in the development of a comprehensive, methodical approach to improving cybersecurity within your organization. Siemens offers assessment services through its Customer Services Division. In addition, the Cyber Security Evaluation Tool (CSET), available from the U.S. Dept. of Homeland Security at http://www.uscert.gov/control_systems/satool.html, can be used to conduct self-assessments.
Personnel will set their priorities to be in line with those they see from management. If cyber security is given a high priority in attention and funding, they will make carrying out the policies a high priority.
When automation systems are designed, methodologies such as those described in the ISA-99 standards are a good starting point. There are various other standards that also adequately cover the design and periodic review of security systems, and commercial tools that assist with this process. These may be overkill for small manufacturing processes, but should be rigorously followed where significant public safety or critical infrastructure threats exist.