Whether manufacturers or operators, industry or critical infrastructure – cybersecurity concerns all industrial environments as the worlds of automation and information technology are becoming more and more intertwined. System boundaries are disappearing, the amount of available data is increasing, and the exchange of data and information is also growing steadily. Because they are mutually interconnected and connected to the Internet, industrial automation systems are increasingly exposed to cyberattacks (lead image).
The German IT security act issued in July 2015 requires operators of critical infrastructures to implement state-of-the-art measures for the protection of their IT infrastructure used for their key services. In other industrial environments, the topic of security is handled differently. Production facilities and remote access tend to be almost unprotected. More often than not, the problem is not due to a lack of awareness that something needs to be done, but to the fact that neither the know-how nor the guidance required to implement appropriate measures are available. In fact, the following questions need to be asked and answered:
• What are the requirements?
• How to deal with the situation?
• Where to turn to for support?
• What are the standards that should be complied with?
Complementing the measures implemented through the IT infrastructure
Industrial security has to be based on a holistic approach, which starts in managers’ and employees’ – that is, people’s – heads. In addition to technical measures such as using industrial security products (technology), organizational measures as applied through security management (processes) must not be neglected either (fig. 1). A secure IT infrastructure is the basis for enterprise security, customer data, engineering, and production, but is that sufficient?
When comparing it to IT (information technology) security, OT (operational technology) security, also referred to as industrial control systems (ICS) security, needs to address different challenges when dealing with the same topics (fig. 2). In order for the OT infrastructure to fully cover access security, the measures implemented through the IT infrastructure must be complemented by appropriate additional activities. The series of ISO 27000 standards specifies IT security measures for companies, a topic we won’t discuss in more detail here. By contrast, IEC 62443 describes the requirements that operators, integrators, and device manufacturers have to fulfil when implementing OT security. So, automation systems not only need to offer a certain automation solution, they must also be designed securely in accordance with parts 2-4 and 3-3 of IEC 62443 (fig. 3).
Guidelines on how to proceed
When it takes into account security aspects, the process of designing an automation solution usually involves a close collaboration of integrators/service providers and operators. In a first step, all information related to the environment of the facility (unoccupied space, buildings, etc.), to its structure (network, list of elements and their locations, etc.), and to the processes (procedures, communication relationships, sensitive data, etc.) is identified. New as well as existing facilities are included (fig. 4). Then, the next steps are as follows:
After taking stock of the situation, a security specification is drawn up for the facility. It encompasses the network concept as well as a list of assets that includes all networked devices, and already defines hardening measures. To ensure access security, the activities that have been specified must be verified when the facility is taken over by the operator. Thus, the test specification, which will serve as the benchmark for site acceptance testing later on, is already being developed during the process of specification.
Protection requirement analysis
The protection needs are assessed in a next step. This includes identifying and documenting sensitive assets, data, and communication paths. The analysis is based on the protection goals of availability, integrity, and confidentiality. It also includes identifying the zones and conduits in the system. The final result is a protection requirement determination for the automation solution. It is sufficient and appropriate for the IT infrastructure in use (fig. 5).
Based on the above, a threat analysis is carried out as a next step. This analysis can, for example, be based on the top 10 threats described by the German Federal Office for Information Security (BSI) and may be complemented by operator-specific topics, if necessary. Together with the operator, the threats are assessed in terms of their relevance for the automation solution before being documented in written. The threat analysis is again based on the data protection goals of availability, integrity, and confidentiality.
After the threats have been identified, a risk analysis is performed before risk handling strategies are implemented. On the basis of the present risk (risk impact multiplied with probability of occurrence), the threats can be assessed as follows:
• Measures are developed and their effect on the assessment checked for risks that are unacceptable to the company.
• If the risk can be minimized to an acceptable level, the measures should be implemented in consideration of their economic efficiency.
As a result, operators obtain recommendations for the implementation of a holistic, individual, and product-independent security concept tailored to the specific requirements of their company.
Risk assessment is also about deciding how to deal with remaining risks. Potential risk handling options are:
• Risks can be avoided by eliminating their causes, for example.
• Risks can be reduced by changing the situation which the determined risk level is based on.
• Risks can be transferred to other parties.
• The operator accepts the risk.
By regularly checking the implementation of measures and the threat situation, continuous risk monitoring is ensured.
When the company takes no measures, the risk is accepted and continues to exist. In those cases, the management should be involved with the aim of dealing with all identified, analyzed, assessed, and prioritized risks in an appropriate manner. Resulting additional security measures are included in the security and test specification. In general, the following applies:
• All process steps need to be carried out in accordance with current, state-of-the-art technology.
• The results are documented and
• the operator signs off the analysis results.
The integrator/system supplier implements the measures defined in the security specification of the facility. Before the facility is handed over to the operator, the security measures are verified on the basis of the test specification, which makes verification a part of the site acceptance test (SAT). Checks for newly evolved threats or risks that might require re-assessment must be carried out within defined intervals, for example, annually.
Selecting a suitable service provider
It is recommendable for operators to select a suitable service provider to co-define the topics addressed by means of the described security measures. Such a company should be a certified security services provider according to IEC 62443-2-4. This ensures the know-how and processes needed to design an automation system in accordance with the requirements of this standard will be applied.
Providing support by means of a wide range of services
In April 2019, Phoenix Contact became one of the first companies in Germany ever to receive a TÜV SÜD certification for OT security in accordance with the IEC 62443 series of standards. The certification confirms that the company is capable of developing and implementing secure automation solutions together with its customers. The range of security services offered includes:
• Development of individual solutions and approaches for failsafe network structures, for the protection or remote maintenance of machinery, and for powerful wireless communication networks, taking into account the various industrial standards
• Fulfillment of the security and network requirements regarding configuration and documentation, the introduction of management systems, the detection and troubleshooting of anomalies, network maintenance, and the testing of the systems gone into operation
• Support during the installation of security updates and during the modification of firewall rules
• Basic and advanced security training courses, security awareness trainings, basic Ethernet training courses, and individual practical training courses tailored to specific needs
Fig. 1: Security as a holistic approach
Fig. 2: Comparison of ICS security and IT security
Fig. 3: The scopes of ISO 27000 and IEC 62443
Fig. 4: Process for designing a secure automation solution
Fig. 5: Protection requirement analysis
More information: www.phoenixcontact.de/security
Werner Neugebauer, Vertical Market Management, Phoenix Contact Electronics GmbH, Bad Pyrmont (Germany); Torsten Gast, Leiter Competence Center Services, Phoenix Contact Electronics GmbH, Bad Pyrmontermany)