The rise of the Industrial Internet of Things (IIoT) brings numerous opportunities for organizations to leverage their data to unlock new insights and efficiencies. This marriage of advanced information technology (IT) and operational technology (OT) digital capabilities with physical assets creates new, augmented manufacturing systems that empower businesses to generate more sophisticated, more personalized products — faster, at larger scales and with greater agility — than ever before. Unfortunately, this also means new ways for hackers to exploit, manipulate and infiltrate these systems, making industrial cybersecurity a modern imperative.
While industrial cybersecurity may seem relatively new and unfamiliar, it must be weighted equally as a business risk like any other corporate operational risk factor. Leading industrial companies adapt their corporate risk models to include industrial cybersecurity and associated digital capabilities as part of their overall risk management strategies. The most competitive industrial companies leverage modern advances in IT, data connectivity and analytics combined with advanced manufacturing techniques and OT to continue to stay relevant, competitive and differentiated in their markets without compromising their risk profiles.
Best-in-class companies know they cannot address every risk on day one. Rather, they align themselves with a cybersecurity risk management maturity model such as the National Institute of Standards and Technology Cybersecurity Framework, which provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect and respond to cyberattacks. This article discusses best practices when managing an organization’s industrial cybersecurity risk.
Key points to consider
Traditional hierarchal networks and their classic profile-based access controls are transitioning into new digital, architecturally flattened software defined perimeters (SDPs) with granular and adaptive security controls that extend horizontally (including partners, suppliers, vendors and potentially customers) and vertically (from connected products straight to cloud based services via modernized IT layers of protection).
Recommendations: Baseline digital footprint and assets, expand the evaluation of the baseline to include interactions and endpoints (APIs) within the larger digital software-defined perimeter. Identify security gaps and areas of improvement. Align the business to a cybersecurity maturity model and plan accordingly to attain an ideal security posture.
Recognize the new normal perimeter
The first step is to baseline where exposure to attacks exists — defining the security perimeter. In the past, a plant system’s information network was fairly simple — It entailed following the cables and wires from one end of a device to another. However, leading industrial companies today recognize the newly defined digital perimeter called the Software-Defined Perimeter (SDP). It is no longer just a single network, but a much larger virtual perimeter that includes interactions within their own networks and that of their supply chains, suppliers, partners and customers. This significant horizontal expansion is necessary to be as lean, agile and integrated as possible across the value chain. For example, the latest Open Web Application Security Project Top 10 Application Security Risks for 2017 list now includes Application Programming Interfaces (APIs).
Another dimension to the SDP is the collapse of traditional hierarchal-based network topologies. A shift from traditional hierarchal-based networks that gradually and successively built up from the Purdue Reference Model (PRM) to a much flatter, interconnected set of network segments or zones has taken place. Increasingly, companies turn to existing, trusted technology partners to provide new value-added, cloud-based services that can reduce the on-premises IT burden. This means that vertical connectivity extends well beyond the traditional levels of the PRM and into services provided by cloud service providers (CSP), a role that trusted technology partners are rapidly adopting as natural value extensions to their existing offerings and relationships.
Since information flow is dynamic and interconnected between network zones instead of the traditional layers, increasingly modern industrial networks no longer see the need to “pass through” the business layer before reaching the internet. Instead they are routed directly to IT network zones that are made of multiple defense layers and tools that then are connected to the internet after scrutiny and filtration. In other words, the networked business layer no longer offers inherent network protection.
Now that this extended perimeter has been discussed, what is the implication for managing the cybersecurity risks associated with these ideas? Ironically, as digital footprint reach increases, the need to manage security has to get smaller, more precise and more granular. Security attributes must be embedded into each device, application, service and each network zone.
Managing, maintaining & monitoring digital perimeter
Once the digital perimeter is established, it is imperative to close any identified gaps compared against best practices. It is even more important to continuously and proactively monitor the digital perimeter for any vulnerabilities, threats or infiltrations.
Because the digital perimeter is so flexible, security authentication is of paramount importance. For this reason, traditional security tools such as simplistic firewalls and username and password credentials are no longer sufficient or adequate. Rather, next-generation firewalls (NGFWs) with intrusion detection systems (IDS) and intrusion prevention systems (IPS) combined with mandated use of encrypted traffic between networked zones — especially to external partners in the extended digital perimeter — can greatly reduce the chances of the perimeter being compromised.
The creation of networked zones and conduits to manage data flow between them is critical, as are created safe spaces for transitions between major network segments. An example is the use of demilitarized zones (DMZs) with dual (NGFW) firewalls on entry and exit of the DMZ — one for each directional flow of data so that if one firewall is compromised, no data can be returned to its source. DMZs are extremely effective at making data flows between network segments highly visible under tightly controlled and limited enabled endpoints.
Security now must also be adaptive to the context in which it is being tested. Companies have traditionally relied on role-based access control (RBAC), but in today’s world, a bulk assignment of privileges to an administrator role is too broad and creates unnecessary elevation of privileges that are not always strictly required to support a particular activity. RBAC also ignores the environmental context under which the security model is applied, such as the difference between a known employee who is attached to the corporate network and physically on-site using a familiar device versus a remote employee who uses a public Wi-Fi signal on a public PC. Does it make sense to accord full administrative privileges to the latter use case? Probably not.
The new security model is called attribute-based access control (ABAC). It takes into consideration contextual elements of “who, what, where, when, why, how” and “to what extent” access is required. These elements are dynamic and depend on various conditions. Therefore, a set of policies, rules and relationships are needed to enforce varying levels of scrutiny, proof-of-identity and assurance before giving permissions. To summarize, RBAC puts security emphasis on the subject being protected in a static way whereas ABAC puts security emphasis on the identity and environment that requests the access in a dynamic way.
Another key element to maintaining a solid security posture is to constantly ensure that all software applications – on-premises and cloud-hosted – are kept up to date with security patches and software updates. Cloud hosted software-as-a-service (SaaS) type subscriptions typically are at an advantage in this regard since the cloud service provider (CSP) will do this on your behalf automatically and transparently in a nondisruptive manner. This particular practice of keeping software continuously updated and patched was made all the more relevant given the recent “WannaCry” malware attack. This malware, which infected more than 200,000 systems across 150 countries around the world, according to Europol, took advantage of a Microsoft software exploit that was already addressed by Microsoft in a patch released more than a month prior to the attack for supported operated systems.
Speaking of cloud based services, many industrial automation companies are now becoming CSPs themselves with industrial offerings set to extend their deep domain expertise capabilities. The leaders in these new services will have best-in-class cybersecurity practices included. When looking for industrial cloud service providers to partner with, check if they transparently disclose how they will protect data, their stances on the data location (a.k.a. data residency and digital sovereignty), obtained certifications, how they view data ownership and finally, what service level agreements they offer to ensure data availability.
Key points to consider
Managing cybersecurity risk today is about properly and continuously managing specialized network segments and zones. Rather than monitoring traditional traffic between network layers with a generic security template approach, apply a tailored security policy that addresses all data and data pattern types.
Traditional security tools such as simplistic firewalls and username and password credentials are no longer sufficient, nor adequate. Rather, next-generation firewalls (NGFWs) with intrusion detection systems (IDS) and intrusion prevention systems (IPS) combined with mandated use of encrypted traffic between networked zones and partners within the greater digital perimeter can greatly reduce the chances of the networks or perimeter being compromised.
Recommendations: Seek to understand the security posture of each element of the digital perimeter across hardware and software. Insist where possible that security controls exist at the lowest granular levels and that they are aware of contextual environmental factors. Look for trusted technology partners with deep domain expertise to help quickly accelerate business capabilities while taking advantage of their dedication to cybersecurity best practices to complement the business’ own.
What is next?
A good first step is education. With new digital threats emerging regularly, it is important to understand the potential business impact, and cyberattacks can be prevented by determining who is best placed to address the risk. Assigning accountability to appropriate people helps an organization actively engage in a solid cybersecurity posture. If it is no one’s job, it will be everyone’s problem.
Start today by baselining the cybersecurity digital perimeter. Then, make sure the organization takes the steps to strengthen that perimeter with the security resources needed to support it. Align with a plan compared against a cybersecurity maturity model. Start by filling in the gaps. Partner with vendors who can help accelerate the organization’s capabilities and take on some of the burden, and the business will be well on its way to a secure digital perimeter.
Saadi Kermani is the technology evangelist and business development manager for the Industrial Information Management portfolio at Schneider Electric. He has 13 years of experience in industrial automation. Kermani can be reached at [email protected]. Visit software.schneider-electric.com for more information.