Peter Brown and Laura Élan of CSA Group recently delivered a Webinar for Siemens entitled: “Breaking Down Cybersecurity and Functional Safety Requirements for Industrial Control Systems.” They explained the evolving nature of the Internet and how various trends are impacting industrial control systems.
Within a year, at least 50 billion devices and sensors will be connected to the Internet. A significant share of the them will be involved in industrial processes. This will enable machines to be smarter, more automated and more efficient. The influx of these devices will fundamentally shape future decision making and streamline manufacturing operations.
That’s the good news. The bad news is that this makes industrial control systems a prime target for hackers and cybercriminals due to the convergence of IT and Operational Technology (OT).
- OT is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
- IT is the entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services.
The place where these two formerly divergent worlds collide in the manufacturing sector is the Industrial Control System (ICS). As a result, control system security must become more robust and must be hardened against the many vectors of incursion that are ready to pounce on any weakness.
ICS systems have traditionally been focused on safety and physical security. Operators, therefore, tend to leave cybersecurity to someone in IT. But the convergence of IT and OT is now making the need for cybersecurity more apparent. However, this requires a change of mindset. An important first step is to gain an understanding of the differences between safety and security. This is essential if systems, processes, data and personnel are to be fully protected.
Functional safety is about protecting systems from accidental failures and avoiding hazards. It depends on a system or equipment operating correctly in response to inputs. This is achieved when all the specified safety functions are carried out and the level of performance required of each safety function has been met.
Functional safety is undertaken by active, not passive, systems. It offers a means of controlling dangerous failures and avoiding systematic failures during operation through robust design and processes. Existing standards such as IEC 61508/62061/61511 and ISO13849 cover the functional safety of electrical, electronic and programmable electronic safety-related systems. Regardless of the incursion of IT into the world of OT, these standards remain as applicable as ever. But they must be augmented by rigorous cybersecurity standards and processes.
Cybersecurity has a different slant than functional safety. Instead of protecting people, processes, systems and the environment from hazards, cybersecurity is about protecting systems from failures through unintentional or intentional attacks. Such attacks are on the rise. Their numbers are trending sharply upward and targeted attacks have become far more common. Any facility suffering a breach faces severe consequences such as loss of production, downtime, and corruption or loss of data. In some cases, organizations have had their data stolen, only to be returned when a ransom was paid. In other cases, millions have been siphoned out of corporate accounts.
The headlines tend to shine the spotlight on attacks against the corporate or government sector. Their IT systems continue to be exposed to a variety of threats. But the convergence of IT and OT means that industrial systems are increasingly under attack.
Malware, for example, has targeted data historians, ERP and MES systems in the industrial sector. Various social engineering tricks such as phishing emails have been used to infiltrate control systems, gateway controllers and PLCs. And HMIs have suffered from physical attacks via USB devices and other threat vectors. As a result, cybertheats have transitioned from being a purely IT, database or information problem to being one that can impact personnel and environmental safety. In fact, hackers are even going after operational safety systems.
For example, the recent Triton malware was designed to infiltrate safety instrumented system (SIS) controllers and feed malicious code to Triconex controllers. Faced with this threat, some operators used the SIS to shut down the processes. This brought about financial losses due to downtime and the complexity of plant startup procedures. Other operators took a different tack. They decided to reprogram the SIS to allow an unsafe state. But this opened the door to a potentially hazardous situation that could have physical consequences to equipment, products, the environment and human safety due to a loss of SIS functionality. This attack makes one thing very clear: functional safety systems are far from immune from cyberattack.
Implementing Best Practices
Traditional IT best practices for cybersecurity, therefore, now need implemented in the operational technology arena. This includes
- Changing default passwords
- Disabling unused services
- Network segmentation to avoid exposure of industrial control systems to the internet
- Limiting ICS exposure even on internal networks
- Deploying technological solutions such as demilitarized zones (DMZ) and data diodes to export data safely from ICS to corporate networks while eliminating the possibility of malicious incursions.
- Patching systems as often as possible; even once a year during plant maintenance is better than doing nothing. Unpatched systems are a primary avenue of exploitation.
- Tying ICS systems into intrusion protection systems for additional protection.
In addition to the usual functional safety standards, industrial organizations are also advised to apply cybersecurity standards and frameworks such as NIST SP800 and IEC 62443, UL 2900 and ISO 27000.
To view the recorded webinar, “Breaking Down Cybersecurity and Functional Safety Requirements for Industrial Control Systems,” please click here.Have an Inquiry for Siemens about this article? Click Here >>