Chapter 6

IoT in an Industrial Environment—Industrial Control Systems and Industry 4.0

Introduction

As mentioned in previous chapters, industries have been using different sorts of technologies for decades to make their processes more effective and efficient. By controlling and monitoring different aspects of a process in an automated or semiautomated fashion, it is possible to reduce throughput times, increase quality, and minimize waste. These types of systems, based on sensors, actuators, and controllers, are known as industrial control systems (ICS). Other names you might have heard before that relate to the same concept are distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. Examples of ICS can be found in manufacturing, mining and metal industries, oil and gas, water plants, and electricity generation and distribution.

ICS were created and used long before the Internet existed, so most of them were originally designed to operate in isolation and be controlled locally, using elements such as keyboards and screens for configuration and command execution. With the development of different types of communication networks, it became possible to monitor them remotely from a control room or an office desk. Even though they were not meant to be connected to external networks, they often had means to send alerts in case of emergencies, such as sending alerts to a pager or via e-mail or SMS.

At the beginning, controllers had their logic “wired.” This means that they had hardware designed to perform certain actions according to predefined rules. Then controllers became programmable, which means it was possible to load code onto them to specify their rules of behavior. Usually, this code is known as “firmware,” a type of software designed to run on a specific device rather than on a general-purpose computer. For decades, these “operational technologies” (OT) developed on a separate path from information technologies (IT). Therefore, cybersecurity was not really a concern in modern industries, since they could ensure an acceptable level of security by restricting physical access to the systems.

To carry out a cyber-attack on an industrial control system in the past, a person required a combination of the appropriate technical skills, knowledge about the specific system, and access to the perimeter. This means that while attacks still occurred, they were less frequent and were often perpetrated by insiders or required the collaboration of somebody with internal access. With time, computers became a more flexible and cost-effective platform and developed interfaces for monitoring industrial processes. Added to this, improved data processing capabilities today provide more efficient ways to capture and analyze data from different operations. User interfaces became friendlier thanks to visual tools and interactive screens that made it easier for humans to interact with machines.

For many people, ICS and IoT are very different things. This is because OT existed long before IoT was a popular concept. However, for many others, despite their different origins they both converge into the same paradigm: a future where everything will tend to be connected. Actually, the first time I heard the term IoT it did not feel like something new at all for me because I was familiar with ICS already. IoT sounded very similar to other systems I knew. Later, I adopted a term that is used by many authors that acknowledges both the similarities and the differences between OT and IoT, which is “Industrial Internet of Things” (IIoT).

A well-known type of IIoT architecture is SCADA, which stands for Supervisory Control and Data Acquisition. This type of system is based on monitoring and control software, which usually has a visual model of the process and allows communication with sensors, actuators, and controllers. Sometimes sensors and actuators may not be “smart” and may be wired to the controllers. This means that they are less vulnerable to cyber-attacks, but they can still be vulnerable to physical tampering, being disabled, sabotaged, or replaced by rogue ones. In these cases, the sensors and actuators communicate with the controllers through electrical signals, and the controllers provide the “smart” capabilities, such as executing rules and connecting to communication networks. Nonetheless, this connectivity is usually through protocols that do not always consider security measures such as encryption. To communicate with IT systems, a gateway is generally required to translate these protocols into more standard ways of communication such as TCP/IP.

Nowadays, computer systems have become not only an effective way to process and collect data from sensors and actuators, but in many cases they also allow remote control of machines and a higher level of integration between design, manufacturing, and quality controls. This is allowing the rise of the fourth industrial revolution, or “Industry 4.0,” and there is a high level of expectation about how this is already changing the world as we know it. According to the Strategy+Business magazine, Industry 4.0 is a combination of several major innovations in technology, which includes advanced robotics, artificial intelligence, sophisticated sensors, cloud computing, the Internet of Things, data capture and analytics, digital additive manufacturing (popularly called 3-D printing), navigation tools, smartphones, and other mobile devices (Strategy+Business 2016). In general, Industry 4.0 is the interoperability of all these elements, especially those that enable more efficient means of production and delivery of products and services based on new and original business models.

We are witnessing the future right in front of our eyes. Many new industries are emerging, and it is becoming easier to make a good idea possible without requiring an exorbitant amount of capital. Technology is offering apparently endless possibilities to humanity, and hackers are no exception. The more connected things are, the more likely there is a “single point of failure,” which means that if one part of a system is compromised, all of its main functionalities can be at risk.

An important difference between IoT and IIoT is that OT is designed to have a longer life span. OT systems are expected to work for many decades, which means that many industries have a mixture of old and new technologies. This is not likely to change in the short or medium term, since many legacy systems are not easy to replace. It also must be considered that some industrial operations use expensive machinery which operates 24×7. Therefore, this equipment is a long-term investment, and replacing it implies not only high capital expenditure but also the cost of the idle time and the risk of changing what is already known and working well in production for something that might require adjustments or might present problems in its first stages of implementation. In other words, for many business operators the premise might be, “If it is working fine, better not touch it!”

Most of the old systems were designed with strict safety requirements but no cybersecurity defenses at all. In many cases, it is not possible to add cybersecurity controls to them, so security measures have to be built “around them,” for example, by physically isolating them from other systems, if possible. Strict security policies and controls for access and operation are crucial, as well as giving security training to the personnel that uses them. Of course, this is not always what happens in real life. According to several studies performed in different types of industries that use ICS, there are still many security gaps of different nature in these types of systems (Kaspersky Lab 2017; Positive Technologies 2018; CyberX Labs 2018).

One of the most significant cyber threats in industrial IoT systems is insider attacks. Somebody with internal access to the system has the opportunity to exploit security vulnerabilities. A typical vulnerability is shared or generic passwords. Old systems usually run software that is outdated and has known security flaws, which can in turn be used to carry out an attack. Administrators who create ways to administer the system remotely can often introduce vulnerabilities (Positive Technologies 2018). This can also open the door to malicious agents coming from outside the network. External attackers who manage to get into the corporate network can in some cases find a way to gain access to the industrial network as well.

The potential damage that an attack to IIoT can cause goes beyond money losses and can even threaten human life. Therefore, it is important to carry out a thorough risk analysis and minimize the vulnerability level of these systems. Cybersecurity is a relatively new discipline that has so far focused mostly on IT systems. Nevertheless, security experts have already raised a number of red flags regarding industrial technologies since it is believed that IoT/IIoT will become “the attack infrastructure of the future” (Boddy and Shattuck 2018).

Your cybersecurity program should not be a one-off investment but a permanent component of your overall operational costs. In the long term, the cost of not making this investment can be much higher. To make a rational allocation of resources for prevention and cyber defense, it is important to do a systematic evaluation of risks. Underestimating threats can be an issue, especially because attackers can have a wide range of motivations. If your cybersecurity strategy is based on the odds that no attacker will bother with your company, you need to know that you can draw their attention just by being an easy target. Investing in cybersecurity also allows you to conduct a better forensic analysis for investigating the causes of an attack or issue and assigning responsibilities for it. For example, if activity logs are monitored, it is possible to track when an internal user is misbehaving.

Example of an IIoT System

To better explain what an IIoT system looks like, and what the consequences of an attack might be, let us set a simple scenario. Imagine a chemical plant that discharges residual water from a process into a tank through a pipe. This water is at very high temperature and it is necessary to cool it down. A second pipe allows cold water to flow into the tank to help cool down the water. The water is drained from the tank through a third pipe. Figure 6.1 shows an image of this example where a level sensor “L” and a temperature sensor “T” indicate, respectively, the level and temperature of the water. There is a SCADA control system, which automatically opens and closes valves according to the variables from the sensors. For example, if the level of the water in the tank is rising and the water is cold enough, then the valve that allows the water to drain opens, whereas if the level is getting high and the water still needs time to cool, then the valves that allow water into the tank close.

The SCADA system allows monitoring of the different sensors and the state of the valves through visual software that shows a diagram similar to the one in Figure 6.1. Operators can also open and close the valves through this software without the need to operate the valves in situ. This software is operated from a control room with no direct access to the Internet, which is a common security and safety practice in industries. Nevertheless, there are some remote access servers, separated by a firewall, which allow e-mail alerts to be sent to operators in case of emergencies. Often, system administrators enable some remote connections to do maintenance on the supervision and control software or on the computers where it runs. Because access is limited, there is often a false sense of confidence regarding the system’s security, leading to a high number of vulnerabilities. Some examples are remote connections that have been enabled and then forgotten, which are unknown to most users; the use of easy-to-guess passwords and the sharing of passwords are also not rare. Outdated operating systems and software, users having too many unnecessary privileges, and no continuous cybersecurity monitoring and alerting are other areas of vulnerability that an attacker could use.

If a malicious agent wants to attack this system, they would just need a way to get in, and once access is granted, they would be able to do mostly anything they want to cause damage. By underestimating the level of skills or the motivation of such malicious agents, a usual misconception is to think that they do not exist. Nevertheless, the knowledge and abilities needed to breach these types of systems are often not as sophisticated as one might think, especially in the presence of vulnerabilities that have fairly well-known means of exploitation. If we look into the motivation or attack goals by reviewing known attack cases from the past, it is clear that attackers can perpetrate an attack for many reasons and their level of motivation should not be underestimated. Internal attackers appear among the highest threats to IIoT, including employees, contractors, and former employees. Their motivation could be personal revenge, they could have been bribed by a competitor, or they could have infiltrated from a terrorist group or an enemy nation. Outsider agents can also be part of these types of organizations and get remote access through vulnerabilities left by administrators when they connect remotely to the systems for configuration and maintenance.

We already know that the system has vulnerabilities and that there is a population of agents that potentially have the capabilities and motivation to exploit them. Then, to understand the level of risk we are dealing with, we need to review the possible consequences of an attack. A simple threat scenario would be an attacker managing to gain access to the SCADA software. The motivation of the attacker in this case would be to cause physical damage in the plant. For the attacker to carry out an effective attack, he or she would have to disable the sensors that can trigger safety alerts, such as the level sensor, which would indicate when the tank is surpassing a safe level of water. Then, if the attacker closes the valves of the drain and the cold water pipe and leaves just the hot water pipe open, the tank will overflow. Even if operators could run to close the valve manually, the surrounding area would be flooded with extremely hot and potentially toxic liquid. This can cause damage to people’s health as well as to the infrastructure and equipment.

How do you quantify this damage? Possible direct costs are having to stop the production process, the cost of deploying an emergency operation, medical and insurance costs, compensation to affected stakeholders, and repairing or replacing damaged equipment. Indirect costs can be damage to the reputation of the company, losing the trust of customers and shareholders, lowering the value of the company’s shares, and fines if the accident implies breaking any regulation. As will be explained more in depth in Chapter 9, the results of a risk analysis will be highly dependent on the context. A water treatment plant is used in a number of industrial processes including cooling and heating systems, material processing, the mining industry, and different types of manufacturing. Additionally, the threats that a system of this type can be exposed to are many, such as other mechanisms of sabotage, industrial espionage, denial of service, or ransomware attacks, among others.

Areas to Look into for Improving Security

In many industries, such as national critical infrastructure and safety critical operations, the common practice is not to have Internet access. Nevertheless, this has not prevented many industries from being attacked in the past. An infected USB drive, social engineering, or badly implemented network isolation can be used as the means for achieving an attacker’s goal. It is important not to rely on one single line of defense but to apply a series of well-orchestrated security mechanisms. The rest of this chapter provides you with some areas where you should pay attention to make sure that your company is doing what is necessary regarding IIoT cybersecurity.

Process-Aware Approach

It is important to understand how technologies, processes, and people interact in order to detect vulnerabilities and design appropriate security controls. If your processes are mature, it is likely that you will have more solid ground on which to build security. A mature process is one that is well-defined, repeatable, and measurable. It is important to understand the dependencies between processes and the level of criticality each process has for the business. This is crucial for doing an appropriate risk assessment.

Appropriate Cybersecurity Program

It is likely that the cybersecurity policies and procedures that you have for your business operations will be neither adequate nor feasible to apply in your industrial operations. Thus, they would need to be adapted to satisfy the functional and security requirements of industrial systems. It is important to remember that ICS and IoT (or IIoT) are different from IT. Despite the fact that they interact with IT systems, they also have a variety of different technologies, which are at the heart of safety critical processes. IIoT does not only manage information but can also have an effect on physical variables. This means that the cost of stopping an operation might have further implications, including harm to humans and the environment.

An appropriate cybersecurity program should consider cybersecurity best practices that adjust to both general and industry-specific operational requirements. A widely recognized reference for developing a cybersecurity program for IIoT is the Guide to Industrial Control Systems Security from the National Institute of Standards and Technology of the USA (NIST) (Stouffer, et al. 2015). This document also highlights the relevance of having a risk-management process. Another well-known standard is IEC 62443, which derives from the ANSI/ISA 99 standard.

Network Architecture

A secure and resilient network architecture is a crucial part of cybersecurity. It is highly recommended for OT to be connected in a totally separate network from business operations. In many cases, although the industrial network and the corporate networks are meant to be isolated, network misconfigurations can allow access to the industrial network from the corporate network and vice versa. In the worst cases, this isolation does not even exist (Positive Technologies 2018). Network experts recommend using what is known as a demilitarized zone (DMZ) so manufacturing zones are not directly exposed to remote access servers (Stouffer et al. 2015; Obregon 2015). The different segments of the network should also be secured by appropriate configuration of firewalls, intrusion detection systems (IDS), and access controls.

The best practice is to avoid remote access to IIoT systems and to do it only through private networks when it is necessary. Another good practice is to restrict to the minimum the functions and parts of the system that can be accessed remotely. Any remote access should be limited to staff who have minimum privileges and access rights to do a specific task, such as allowing only access to a specific part of the system. Critical systems should never be exposed to the public Internet.

Distributed systems such as the electrical power grid, water and gas supplies, agriculture and mining operations, and railways present major challenges for defining a secure network architecture since they need to perform long distance communication. This differs from manufacturing industries, where it is feasible to confine all the operations to a restricted area (Stouffer et al. 2015). Means of long distance communication can be diverse, including telephone lines, Internet, microwave, and satellite communications, and usually channels are shared rather than dedicated. It is important to give special consideration to network security, such as using encrypted virtual private networks (VPNs) and dedicated connections in the presence of critical risks, and appropriate configuration of firewalls and IDSs.

Alignment with Safety Regulations

Where there is a safety critical operation there is a vulnerability. Usually, ICS will have strict safety policies. In many cases, this also obeys legal requirements, which are oriented to protect people, the environment, and assets from physical harm. Examples of this are toxic and radioactive materials, heavy machinery, and exposure to risky environmental conditions. Malicious agents such as terrorists can see the potential harm that these elements can cause as a weapon. Therefore, they might go the extra mile to try to break existing security measures to cause a terrorist action. Cybersecurity policies should be aligned with safety regulations, ensuring that systems are not exposed to safety threats in the case of a cyber-attack. Ways to do this are redundancy of components and emergency systems that allow a “safe failure mode.” For example, in the case of the water tank previously described, there could be a mechanical system that closes all the valves if it overflows, which should be totally independent from the SCADA.
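To make the tank example concrete and show why the mechanical interlock just described must be independent of the SCADA, here is an added toy simulation of the cooling tank from the example section (hot inlet, cold inlet, drain) together with the attack scenario from that section. It is not the book's code: the flow rates, temperatures, thresholds, and the way a disabled level sensor is modelled (it keeps reporting a stale "normal" value) are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Flows in percent of tank capacity per tick; temperatures in degrees C.
# Every value here is a constructed placeholder, not plant data.
HOT_FLOW, COLD_FLOW, DRAIN_FLOW = 2.0, 3.0, 6.0
HOT_TEMP, COLD_TEMP, AMBIENT_TEMP = 90.0, 15.0, 20.0
AMBIENT_LOSS = 0.05                   # fraction of (temp - ambient) lost per tick
HIGH_LEVEL, SAFE_TEMP = 80.0, 40.0    # thresholds used by the SCADA rule
INTERLOCK_LEVEL = 90.0                # hard-wired float switch (assumed)
OVERFLOW_LEVEL = 100.0


@dataclass
class Valves:
    hot_in: bool = True
    cold_in: bool = True
    drain: bool = False


@dataclass
class Tank:
    level: float = 50.0
    temp: float = 80.0
    valves: Valves = field(default_factory=Valves)
    overflowed: bool = False
    alarms: int = 0                   # high-level alarms the operators would see


def scada_rule(valves, level_reading, temp_reading):
    """The chapter's supervisory rule; it only sees what the sensors report."""
    if level_reading >= HIGH_LEVEL and temp_reading <= SAFE_TEMP:
        valves.drain = True                       # cold enough: let it out
    elif level_reading >= HIGH_LEVEL:
        valves.hot_in = valves.cold_in = False    # still hot: stop filling
    else:
        valves.hot_in = valves.cold_in = True
        valves.drain = False


def compromised_rule(valves, level_reading, temp_reading):
    """The chapter's attack scenario: SCADA taken over, drain and cold inlet
    closed, hot inlet left open; sensor readings are ignored."""
    valves.hot_in, valves.cold_in, valves.drain = True, False, False


def mechanical_interlock(tank):
    """Float switch wired directly to the actuators: closes every valve once
    the real level passes INTERLOCK_LEVEL, whatever the SCADA commands."""
    if tank.level >= INTERLOCK_LEVEL:
        tank.valves.hot_in = tank.valves.cold_in = tank.valves.drain = False


def physics_step(tank):
    """One tick of mass and heat balance (perfect mixing, ambient cooling)."""
    v = tank.valves
    hot = HOT_FLOW if v.hot_in else 0.0
    cold = COLD_FLOW if v.cold_in else 0.0
    inflow = hot + cold
    if inflow > 0:
        mix_temp = (hot * HOT_TEMP + cold * COLD_TEMP) / inflow
        new_level = tank.level + inflow
        tank.temp = (tank.temp * tank.level + mix_temp * inflow) / new_level
        tank.level = new_level
    if v.drain:
        tank.level = max(0.0, tank.level - DRAIN_FLOW)
    tank.temp -= AMBIENT_LOSS * (tank.temp - AMBIENT_TEMP)
    if tank.level > OVERFLOW_LEVEL:
        tank.overflowed = True
        tank.level = OVERFLOW_LEVEL


def simulate(ticks, rule=scada_rule, interlock=True, level_sensor_ok=True):
    """Run the control loop. A disabled level sensor keeps reporting a stale
    'normal' value, so the SCADA high-level alarm never fires."""
    tank = Tank()
    for _ in range(ticks):
        level_reading = tank.level if level_sensor_ok else 50.0
        if level_reading >= HIGH_LEVEL:
            tank.alarms += 1
        rule(tank.valves, level_reading, tank.temp)
        if interlock:
            mechanical_interlock(tank)    # acts on the real level, not the reading
        physics_step(tank)
    return tank


if __name__ == "__main__":
    normal = simulate(200)
    attacked = simulate(200, compromised_rule, interlock=False, level_sensor_ok=False)
    guarded = simulate(200, compromised_rule, interlock=True, level_sensor_ok=False)
    print(f"normal:   level={normal.level:.1f} overflow={normal.overflowed}")
    print(f"attacked: overflow={attacked.overflowed} alarms={attacked.alarms}")
    print(f"guarded:  level={guarded.level:.1f} overflow={guarded.overflowed}")
```

In the attacked run the operators see zero alarms while the tank overflows; with the float switch in place the level stops at the interlock threshold even though the compromised SCADA keeps commanding the hot inlet open every tick.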

Vulnerability and Threat Intelligence

It is important to identify vulnerabilities of different types in the system. This includes hardware, firmware, software, communication networks, and access control, as well as operational policies, practices, and procedures. Outdated software and operating systems can have known vulnerabilities that can be exploited by methods that are widely known to malicious actors. Therefore, it is important to install updates and security patches regularly. If a new vulnerability is discovered which exposes the system to a major risk, it is important to follow the security recommendations of the vendor and get the vulnerabilities fixed or patched as soon as possible. It is important that after an initial risk analysis is performed, continuous risk monitoring is done to identify new threats. “Zero day” attacks continuously emerge, revealing previously unknown vulnerabilities, and developing appropriate solutions might take time. Therefore, it is important to have many lines of defense, which is known as defense “in depth.” This minimizes the impact of the exploitation of a single vulnerability.

You could consider subscribing to a vulnerability database; having personnel dedicated to vulnerability and threat analysis can also help strengthen defenses on a regular basis. This can be complemented with periodic vulnerability analysis and penetration testing performed by a certified third party.

Supply Chain Management

Nowadays, many businesses have complex supply chains. As explained in Chapter 5, security has to be a major attribute to look at when choosing suppliers. This goes beyond the purchasing domain, since in many industries the installation and maintenance of IIoT systems is outsourced. Cultivating long-term relationships with suppliers, in which the terms on which security will be handled are agreed on early, can be crucial in preventing a cyberbreach. Suppliers can introduce risks if their own security is poor, and this becomes worse if they do not have appropriate mechanisms to respond to security incidents and fix vulnerabilities.

I wrote about an example of how good supply chain management practices are related to cybersecurity that was published in the Institute of Information Security Professionals Pulse magazine in 2018 (Adaros Boye 2018). The topic of the volume was third-party risks, so I gave an example of vulnerabilities found in smart vehicles of different brands. While most car manufacturers rely on suppliers to develop their electronics, Tesla develops its own technology, including artificial intelligence. In addition, when they have to rely on suppliers, they pick them extremely carefully. Forbes called this “the 21st century supply chain” (O’Marah 2016). It is no coincidence that Tesla stood out among other car manufacturers that had vulnerable vehicles for responding relatively quickly, fixing their cars through software patches installed remotely. The reasons for their agility in comparison to their competitors probably had to do with supply chain management (SCM).

It is known that third-party involvement has several challenges, including dependency on timely delivery of products and services, quality issues, and “know-how” ownership, which can lead to the loss of control over critical issues. Cybersecurity is one of those issues. In today’s economy, most businesses need suppliers to function. Vehicle manufacturing is a good example of this, since vehicles comprise complex systems that require different kinds of expertise. It is important to consider third-party risks in a cyber-risk assessment and state clear agreements about the minimum security requirements, as well as suppliers’ responsibilities and service level agreements regarding incident response.

Physical Access

Physical access controls and restrictions are important, especially in the presence of safety critical systems. Two-factor authentication, as well as generating logs every time somebody enters and leaves the perimeter can be an important input to detect unusual behavior. It can also serve as evidence for an eventual forensic analysis in case an event happens. Personnel that have access grants to the perimeter should be properly trained in security and safety matters.

Assess Risks Introduced by Legacy Systems

Some industries still have legacy systems working which were not built considering security features and might be hard to replace for many reasons. For example, it could mean stopping a 24×7 operation for an important period of time and taking the risk that the new system will not perform as expected. From the point of view of the business, the risk and expense might not be worth it, considering these systems were designed to work for decades. Therefore, it would make sense, financially, to delay the decision of replacing them with more secure alternatives. Still, there should be appropriate measures to mitigate, as much as possible, the risks of legacy systems being attacked or sabotaged. Access controls and physical and logical isolation are usual examples of these measures.

Secure Configuration, Maintenance, and Updates

It is important that the security features of the systems are configured properly. An example of this is to use different user profiles to define different levels of privileges according to each role. The best practice is to assign the minimum privilege that allows a certain role to be performed without providing individuals unnecessary access or control over any part of the system that is out of their domain. It is important to have an updated record of the access rights each individual has and to withdraw any credentials that are no longer being used, for example, in the case of a change of position or dismissal of an employee.

Security updates, including having supported versions of software and operating systems and installing security patches to software and firmware, should be done promptly. This prevents attackers from exploiting known vulnerabilities. Failing to do this exposes industrial systems to attacks for which the preventive measures are already known. For example, the WannaCry ransomware is malware that propagates through a vulnerability present in older Windows systems. As with other varieties of ransomware, WannaCry encrypts data, allowing the attackers to demand a ransom in exchange for the decryption key. Although it was designed for IT systems, it has already been used in ICS networks, causing downtime in industrial processes. Actually, it is believed that this type of attack caused around a quarter of all the breaches in industrial environments in 2017 (Kaspersky Lab 2017). There are Windows patches that can be installed on the vulnerable versions to prevent this attack. Threat intelligence and vulnerability analysis should follow processes that allow access to the most recent information about the latest attacks, and systems should be updated accordingly, or other preventive measures put in place where this is not possible.

Personnel Security Training

Industrial control engineers and operators usually do not have cybersecurity training. Additionally, cybersecurity professionals rarely have enough in-depth knowledge of the productive processes to understand how to apply security solutions appropriately. For example, if an IT system is restarted, this might cause an interruption of the service for a few minutes, which might not have major implications. However, if this IT system is part of a process that cannot be stopped suddenly, restarting the system is a decision that should be made only after consulting with professionals who have knowledge of the industrial process and are aware of the effect that this might have. There can also be cascading effects that affect other processes. Just imagine suddenly stopping a manufacturing cell that is part of a continuous production line, for example, putting a cap on a bottle. The previous stage that is filling the bottles with liquids continues working, as well as the following stage that is putting the bottles in boxes. You will end up with a few boxes of open bottles, the liquid inside might spill and be wasted, and some work will need to be done to clean the mess. Now take this to a car-manufacturing production line, an oil and gas company, or any other industry that uses heavy machinery and expensive materials.

It is important that automation and process engineers have cybersecurity training and that they work in coordination with cybersecurity professionals in order to develop adequate security controls and measures.

Resilience and Business Continuity Planning

As much as prevention is the most cost-effective security investment, it is impossible to foresee and prevent all possible undesirable events. A key aspect of cybersecurity is to have recovery and business continuity plans in case an incident happens. Having appropriate security protocols and best practices can be helpful to mitigate impacts and to recover faster. This means, in other words, having a “plan B,” for example, being able to disconnect a compromised workstation from the communication networks and switching it into manual mode to avoid delays in production. Other options can be having backup systems to replace the compromised ones or to isolate compromised components from a plant and carry on with the processes and activities that can still be performed by trusted components.

Summary

If you are already part of Industry 4.0, or if you are thinking about getting involved with it, you should think well about how to invest wisely, so the risks do not end up being higher than the benefits. This also applies if your company has traditional ICS in place, especially if you decide to connect them to IT services. Many times, risks are overlooked because of a lack of awareness about how vulnerable systems are. Dependencies between different systems and business processes could also imply that an incident can unleash a chain of impacts for which it is important to be prepared.
