Cybersecurity

Industrial Cybersecurity Trends | What to expect from ICS security in 2021 and beyond?

Abhisam recently published a report on the State of Industrial Cybersecurity in the year 2020 and the road ahead in 2021. The report was compiled from contributions by several experts from various industry segments, each of whom has at least 25 years of experience in their own domain as well as deep knowledge of Industrial Cybersecurity.

To understand the basics, please see this basic Industrial Cybersecurity guide here.

We received feedback from several sources that they highly appreciated the report and found it useful to get a perspective of ICS security trends today.

The report can be freely downloaded from the link above. You can use it for any non-commercial use with proper attribution. One of the contributions was from the Abhisam management.

We are pleased to post an excerpt from it here, which concerns what to expect in the field of Industrial Cybersecurity in the year 2021 and beyond. You can read the entire report at the link above for better context.

Note: If you would like to learn about Industrial Cybersecurity and qualify as a certified Industrial Cybersecurity professional, then please take the Abhisam Industrial Cybersecurity training (self-paced online course). After completing the online industrial cybersecurity course and passing the associated exam, you will become a Certified Industrial Cybersecurity professional.

Industrial Cybersecurity Trends in the year 2021 and beyond

Some items in the list are ambitious (and some might argue not doable in the span of one year). However, one must start somewhere. Hopefully, some person or organization can take these up.

1. Control System Vulnerability Reporting Platform & Knowledge Repository

We should have an alternate way to report, collate and share information among stakeholders, including asset owners and system integrators, at a global level. Perhaps professional non-governmental bodies like ISA (International Society of Automation, formerly known as the Instrument Society of America), IEEE (Institute of Electrical and Electronics Engineers) or IET (Institution of Engineering and Technology) should take the initiative, so that the platform/repository is vendor neutral as well as government neutral.

There should be a way to anonymously share information not only about known vulnerabilities, but also about actual incidents, suspected incidents and detection of counterfeit devices (and/or malware-loaded, booby-trapped components). This should be updated as frequently as possible and monitored by plant and asset owners, as well as ICS security professionals, so that they can take quick corrective action.

To the best of my knowledge, there is no such system now. I suspect the main roadblock to getting this done is funding: there is no obvious ROI for investors, unless subscriptions can pay for it.

At present the US government agency CISA plays a similar role, but it is limited to listing vulnerabilities and alerts, and these are not exclusively ICS-specific. It depends on the various vendors and others to spot vulnerabilities and report them. Presumably, these are then addressed by the vendors via updates (patches).

2. Securing Industrial Systems against Supply Chain attacks

There should be a better way to secure industrial systems against supply chain attacks. As of now, there does not seem to be any specific standard for this. ISASecure is a good initiative, but it can be better. The owner of the IACS (Industrial Automation Control and Safety Systems, for short) should also be sure that no counterfeit products are being used in their system.

You can buy a model of a network switch that has passed the ISA Secure tests, but how will you know if the actual box in your hands is genuine and not counterfeit?

One of the switches below is fake; can you spot which one it is?

Real and Fake CISCO switch

Difficult, eh? Take a look at the report on fake Cisco switches, discovered by F-Secure Labs, at the links below (the image above is from that report), and see which one of the two is the fake one.

https://labs.f-secure.com/publications/the-fake-cisco/

https://labs.f-secure.com/assets/BlogFiles/2020-07-the-fake-cisco.pdf

Note: The above image is from the F-Secure labs report and shown here for context only. Abhisam has no connection with F-Secure or the study.

It is exceedingly difficult for even an experienced professional to distinguish the fake switch from the original one.

3. Automation Services and Software Supply chain resilience to ensure ICS security

The term “Supply chain” should include not just the physical devices used in Industrial Automation and Safety systems, but also software programs and services, including the individuals who provide them.

As of today, software patches and programs are covered in IEC TR 62443-2-3:2015, and system integrator/automation vendor services are covered in IEC 62443-2-4:2015 (amended in 2017). These are steps in the right direction, but there should also be commonly agreed due-diligence practices regarding background checks of personnel who work on these systems as well as vetting of their equipment.

How do you know that the automation system integrator’s engineer who normally maintains your system does not have a compromised laptop that he plugs into your automation system? Are these people aware of Industrial Cybersecurity? Do they diligently follow good practices?

Beginning in 2021, we should aim to make all participants in the industrial automation supply chain aware of Industrial Cybersecurity and competent in the subject. Once this is done, we can be sure that the industrial automation supply chain has become more resilient at thwarting attacks.

(Days after the Abhisam Cybersecurity report was published, the SolarWinds hack occurred, a classic supply chain cyberattack of exactly the kind this point seeks to protect against.)

4. Secure Automation network protocols (e.g. Secure Fieldbus)

In my opinion (and you can of course disagree with it), the Zone and Conduit philosophy of protection given in ISA/IEC 62443 for IACS is at best a stop-gap arrangement. Once malware breaks through a DMZ/firewall into a Zone, it can pretty much own everything inside that Zone.

This is because almost none of the Instrumentation & Control System protocols used in the process industry have authentication and encryption at the field level, and often not even at the controller network level. Hence, we do need a new automation protocol at the field level that has authentication as well as encryption.

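As an added illustration of what field-level authentication would provide, the Python below (example code written for this excerpt, not taken from any real fieldbus protocol or from the SecFB proposal) wraps a constructed 8-byte write frame in a truncated HMAC-SHA256 tag plus a per-sender sequence counter, so the receiving controller rejects modified, replayed and unkeyed frames. The frame layout, the demo key and the register/value numbers are assumptions; payload encryption, which the author also calls for, would be layered on top with an AEAD cipher such as AES-GCM and is not shown here.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in practice each field device gets its own provisioned key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 16  # truncated HMAC-SHA256 tag, small enough for a field-level frame
HEADER_FMT = ">IHH"  # assumed layout: sequence counter (4 bytes), register (2), value (2)
BODY_LEN = struct.calcsize(HEADER_FMT)


def build_frame(key: bytes, seq: int, register: int, value: int) -> bytes:
    """Sender side: body || tag, where tag = HMAC(key, body) truncated to TAG_LEN."""
    body = struct.pack(HEADER_FMT, seq, register, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Controller side: accepts only frames with a valid tag and a fresh sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (register, value) for a genuine, fresh frame, else None."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None  # malformed
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a modified or unkeyed frame fails here.
        if not hmac.compare_digest(tag, expected):
            return None
        seq, register, value = struct.unpack(HEADER_FMT, body)
        if seq <= self.last_seq:
            return None  # replay of an earlier (genuine) frame
        self.last_seq = seq
        return register, value


def demo():
    """Exercise the cases an unauthenticated fieldbus frame would not catch."""
    rx = Receiver(DEMO_KEY)
    genuine = build_frame(DEMO_KEY, seq=1, register=40001, value=500)
    accepted = rx.accept(genuine)                      # (40001, 500)
    replayed = rx.accept(genuine)                      # None: same seq again
    tampered = bytearray(build_frame(DEMO_KEY, 2, 40001, 500))
    tampered[BODY_LEN - 1] ^= 0xFF                     # flip bits in the value field
    modified = rx.accept(bytes(tampered))              # None: tag no longer matches
    unkeyed = rx.accept(struct.pack(HEADER_FMT, 3, 40001, 9999) + bytes(TAG_LEN))
    return accepted, replayed, modified, unkeyed       # (40001, 500), None, None, None
```

Note that the sequence counter only protects against replay within one sender/receiver pairing; a real protocol would also need key provisioning and counter resynchronisation after a device restart.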
The Industrial IoT phenomenon presents us with such an opportunity and, again, professional engineering associations like ISA or IEEE should take the initiative. There have been proposals by some IEEE members in the past: P. Swaminathan, K. Padmanabhan, S. Ananthi and R. Pradeep, “The Secure Field Bus (SecFB) Protocol – Network Communication Security for secure Industrial Process control,” TENCON 2006 – 2006 IEEE Region 10 Conference, Hong Kong, 2006 (https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4142362&isnumber=4142121).

However, apparently this has not been developed further or become popular. If you know of any similar initiatives, do let us know.

5. A generally accepted taxonomy about ICS security terms

Taxonomy and definitions regarding Industrial Cybersecurity still seem to be in development. For example, a poll was recently carried out on LinkedIn by ORIGNIX Inc asking people what they thought about the terms OT security and ICS security; the results were as given in the image below.

Note: The above poll was conducted by ORIGNIX and the screenshot is included to add context. Abhisam has no relation with ORIGNIX or the poll.

Since the poll responses came mostly from people in the industrial cybersecurity field, it is evident that there are varied ideas of what constitutes OT and ICS, sometimes even diametrically opposed to each other (e.g. OT is a sub-component of ICS versus ICS is a sub-component of OT).

This is troubling because if we do not agree about what these terms mean, then it will be difficult to have conversations, as well as contracts, between owner/operators, automation and safety system vendors/system integrators, engineering design companies and others.

A well-agreed system of definitions and a commonly accepted taxonomy are therefore urgently needed.

There are many more things that we would like to see in the Industrial Cybersecurity domain, but these five things above are the top priority.