How to Protect Plants from Invisible Threats

A plant's industrial control system (ICS) is no longer an island, and a field device—once ranked low in the risk and threat analysis table—is no longer safe simply because it is protected by its own control configuration. Today, a cyberattack can be initiated at any point in a plant's interconnected industrial system. For this reason, plant managers must consider cybersecurity at every level of the plant—from the business network to each critical field device and pump. Failure to do so could have catastrophic effects on both human safety and production.

System Complexity

Industrial systems consist of an array of devices, systems and software that are used to control, monitor and report vital data, making them a prime target for malicious activity. Reports of rogue databases, such as Shodan, show that these programs can openly report devices and systems connected to the Internet. They reveal critical system information—including location, purpose and protocol—that a hacker can use to compromise a system, cause damage and interrupt production.

The advent of wireless connectivity and the Internet of Things presents a totally new threat vector that puts even field devices at risk. While much of the modern wireless technology available today (including tools that are compliant with WirelessHART and ISA100) is fairly secure, wireless devices and programs can suffer interference from any Wi-Fi, Bluetooth or other wireless device operating in the same frequency band. Even wireless printers and scanners pose a threat, because most wireless printers come with the wireless facility switched on by default, which alone could compromise an ICS.

Industrial specific protocols are no longer a defense either. A new trend among hackers is to gain notoriety by advertising vulnerabilities in legacy protocols, software and systems. These range from supervisory control and data acquisition (SCADA) to ICS control software.

The Standards

Despite the countless variables at play, plants can employ an effective approach: Adopt an information security management system, as defined by the International Standards Organization (ISO27001), and comply with standards put forth by the International Society of Automation (ISA99) and the International Electrotechnical Commission (IEC62443).

ISO27001 was designed as a methodology to address security. It lists a number of controls companies can use to employ policies and procedures that address system confidentiality, integrity and availability.

Figure 1. This diagram shows a comprehensive cybersecurity standard set. One of the most important things a company can do to prevent cyberattack is to follow best practices recommended by established standards bodies. ISA-62443 is one of the most comprehensive standards and eventually could encompass all of the others. Diagram shows planned and published standards.
(Graphics courtesy of Schneider Electric. Source ISA-99 Standards Committee)

Concentrating more on a company's ICS, ISA99, IEC62443, ISA Secure, WIB and ANSSI address security and protection of industrial systems. IEC62443 could eventually encompass all of these standards, providing one standard that covers best practices, policies and procedures (see Figure 1). It gives direction on network design, protection, maintenance of the industrial network, patching of operating systems and anti-virus software. It will retain the five ICS levels—from field instrumentation and safety instrumented systems (SIS) to enterprise financial systems—put forth originally in ISA99 (see Figure 2).

Figure 2. This chart depicts enterprise cyber protection layers. A cybersecurity assessment begins with an identification of the areas that need to be protected. The ISA-99 standard recommends six levels.
(Source: ISA-99 Standards committee)

For the ICS, Levels 3 through 0 should be protected. Most companies also have Level 3.5, which serves as a demilitarized zone (DMZ) to provide a firewall against outside threats that can compromise the system.

The Strategy

The first step is to assess the risks and threats that might be associated with each layer. To do this, managers must consider their plants' target levels and evaluate the consequences of a cyberattack for each level. What are the chances of this level being exploited and by whom? What skillset and knowledge would be required to compromise this element? Would a compromise at this level result in loss of life or production? The results of this assessment reveal what type of access or knowledge is needed to compromise each level and indicate the most critical areas that need protection.

Addressing ICS security by implementing safeguards in this way is known as creating layers of defense. No one exercise or handbook can dictate what security is needed for each layer in a particular company.

Layers are defined by the security gaps within an organization. Finding these holes requires a site-specific gap analysis that identifies a company's current situation and the factors that are preventing it from achieving maximum security.

To identify existing security gaps, analyze each level and the communications to the next level. The standards ISA99 and IEC62443 refer to this process as identification of zones and conduits.

For example, if a plant started at Level 0 designating all of their pumps in a zone, the conduit would be the communication between the pump and the next device in line (see Figure 3).

Figure 3. Example of communication between devices

This step results in a list of current assets, protocols and connectivity that would allow a plant manager to determine strategies to protect them by applying technologies such as firewalls, switch management and virtual LANs.

This process is continued until Layer 3, although any threat that cannot be mitigated at a low level can be addressed at a higher level. If a field device only accepts Modbus signals, for example, but does not have the necessary resources to discriminate intelligently, a firewall could protect it at the next level. Modern firewalls are capable of deep packet inspection. They can be configured to ignore all but specific protocols and can even discriminate by packet length and content.

Once at Level 3, the number of threats increases because higher levels can include multiple protocols and connectivity to a number of smaller systems. Level 3 is also the top layer before connectivity to the corporate network or outside world, which is why it needs a DMZ.

Many system engineers do not possess the necessary skillset to execute the actions required for maximum cybersecurity. As the demand for security increases, however, plant managers, operators and other personnel must have a greater understanding of modern-day threats and security. In fact, most of the security exploits experienced in the last few years have actually been introduced by ICS engineers, often via a USB key or a compromised CD-ROM. For this reason, facility management should provide up-to-date operator awareness training and push vendors to provide secure products, services and consultancy at every level of security implementation.

Cyber threats are real, and the consequences of a breach could be dire. Plant managers should begin assessments early, ensure that the entire company is on board and remember that cybersecurity is continually evolving as new threats develop.