Control system cybersecurity
Build it in or bolt it on?
By Albert Rooyakkers
Legacy industrial control systems (ICSs), including distributed control systems, programmable logic controllers, and supervisory control and data acquisition systems, were engineered
using cybertechnologies and tools from as far back as the 1970s and 1980s. These industrial control systems are now up against rogue actors and nations armed with cyberweapons that are orders of magnitude more capable than those older technologies. Typical cyberattack vectors of legacy platforms, as identified by ISA99 committee standards research, include message flooding, eavesdropping, message spoofing, message alteration, message replay, malformed messages, server profiling, session hijacking, rogue servers, module counterfeiting, and compromised user credentials. The purpose of these attacks is to achieve remote control or theft of intellectual property.
All ICS modules that compute process control logic, including but not limited to sensors, actuators, I/O, control, power, communication, application, and workstation modules are vulnerable, with varying consequences to the safety of personnel and security of the infrastructure. Protecting these critical legacy systems requires more than bolted-on cybersecurity countermeasures.
The way of the future
The best alternative and most modern approach to ICS cybersecurity is to ensure that it is built in or secure by design. This requires layering strong authentication of the ICS hardware, firmware, software, communications, and applications that comprise ICS computation, designing out most attack vectors and their consequences. Following are some of the fundamental building blocks of a secure-by-design ICS.
Legacy ICS modules are often left with multiple communication ports, including serial RS-232, RS-422, and RS-485, or multiple USB and Ethernet ports for debugging, diagnostics, and interconnection. Most of these ports provide potential access to system resources and cyberattacks. A modern ICS design eliminates all but the essential network ports and then secures and authenticates all devices and networks that connect to it. This is the most fundamental requirement to reduce ICS vulnerability to cyberattack.
Pins and interconnections
Figure 1. Example of a pinless backplane using electromagnetic
interconnection keyed and protected against
snooping and insertion of unintended data packets
Figure 2. Example of sealed all-metal
construction of system modules, which
eliminates RFI susceptibility and provides
integral electromagnetic-pulse hardening
without a complex secondary containment
ICS backplane and module pins provide another simple means for a host of cyberattacks, including snooping and inserting communication traffic via these pins. Revolutionizing the ICS backplane and module pins with a pinless electromagnetic interconnection, which is keyed and protected against snooping and insertion of unintended data packets, is an effective way to counter a frontal assault through pinned interconnections.
ICS module and backplane pins serve as power and communication terminals that route, receive, and radiate direct current to radio-frequency energy. Every pin is an antenna susceptible to radio frequency interference (RFI) bursts from handheld radios and electromagnetic interference from motors, variable frequency drives, and other electrical equipment used on the plant floor. In addition, most ICS modules are constructed of vented plastic. These factors make systems so susceptible to RFI that even a handheld radio can distort and disrupt communication and computation. From crude “RFI bombs” to future complex electromagnetic pulse (EMP) weapons, electromagnetic radiation is an ICS cybersecurity vulnerability. A pinless backplane and sealed all-metal construction of system modules counters this threat by eliminating RFI susceptibility. It provides integral EMP hardening without a complex secondary containment.
Module counterfeiting is widespread. Rogue actors, companies, and nations use counterfeiting primarily for financial gain, and in recent years, as an easily implemented assault by incorporating malware into counterfeit hardware. Counterfeiting has evolved such that it is virtually impossible to physically detect a fake from a real factory module. Bolted-on cyberprotection cannot defend against this kind of attack. However, deeply embedded module hardware, firmware, and software authentication built upon very strong encryption can identify and reject even sophisticated fakes instantly, disallowing the module from booting compromising software.
Security begins with the modular components of the system. The first requirement for a secure module is a secure boot. No unauthorized party should be able to tamper with the software while the processor is starting up—something that cannot just be bolted on. A secure boot starts with an initial phase loaded from on-chip masked ROM, so it must be built into the microprocessor silicon. Numerical cryptokeys that authenticate, decrypt, load, and start additional levels of encrypted software are stored in this secure memory. A secure ICS must be able to start up and to decay in a secure state. Intentional or unintentional power cycling must not degrade the level of cyberprotection and cybersecurity. A secure boot of every system-wide microprocessor is essential to meeting this requirement.
ICS modules must be designed for a service life of many years, often decades. Because of Moore’s Law, the strength of encryption methods degrades over time, so a modern secure ICS design must use the strongest encryption available today.
There are two basic methods for encryption: symmetric encryption, also known as secret key encryption, and asymmetric encryption, also known as public key encryption. Symmetric encryption requires that both parties share a secret key, which can be compromised on even the most tightly coupled networks. Asymmetric encryption uses a public key and a private (or secret) key pair. The public key can be shared and accessed without compromising the private key and message. The private key provides the means to create digital signatures, which can only be verified with the associated public key. Digital signatures are then the means by which other entities can verify the integrity and authenticity of data sent with a particular private key.
A secure ICS uses a combination of the two methods, depending on many factors. Importantly, every individual system module and digital component requires a private key. Security depends upon keeping the private keys secret. This can only be achieved if the key protection is deeply embedded and built into the hardware and digital component technology. All this imposes further requirements on the processor silicon. It must not only support a secure method to store private keys, but also be able to perform the required encryption and decryption calculations. Hardware mathematical acceleration is required to ensure that built-in security does not degrade the primary objective of an ICS to perform real-time process control and monitoring.
High-quality random numbers are a fundamental element of modern cryptography. They are used in real time to generate symmetric keys or as an initialization vector for an authentication protocol. An example is a nonce, an arbitrary single-use number used in authentication to prevent the reuse of older communications, a vulnerability known as a replay attack. There are two types of random number generators: pseudorandom and true random. Pseudorandom numbers (PRNG) are mathematically generated in software. True random numbers (TRNG), also called an entropy engine, are hardware based and far less vulnerable to discovery. The strength of the system security can be directly correlated to the quality of the randomness of the numbers. A secure ICS should be built with every microprocessor having its own advanced hardware-based TRNG.
Operating systems and cyber
One of the more important technology selections in a secure-by-design system is the operating system. A general-purpose operating system (OS) is a software program that manages a computer’s basic functions and provides services to other applications running on the computer. A real-time operating system (RTOS) is a type of OS that has more deterministic event-driven scheduling of computer resources. An ICS uses an RTOS in the control, I/O, and network computers, and a general-purpose OS in the workstation application computers.
Cybersecurity vulnerabilities in an operating system are many and can wreak havoc on system security. They directly affect all aspects of the hardware computing engines. Although only a few general OSs dominate the market (i.e., Windows and Linux), there are more than 50 commercially available RTOSs. Choosing the right one will have a significant effect on the strength of the cybersecurity for control, I/O and network computing. The operating system must have the inherent architecture to support integrated and validated middleware, secure communication stacks, network security protocols, and embedded encryption libraries for safety and security applications.
Testing and validating an OS is a critical measure of design robustness. One key cybermetric is Evaluation Assurance Level (EAL1 through EAL7). EAL is a numerical grade assigned after a Common Criteria security evaluation, an international standard of security testing in effect since 1999. A higher assurance level denotes the increased assurance requirements required to achieve Common Criteria certification and the higher confidence that the system’s security features are reliably implemented.
Other standards are evolving to address the security issues of embedded systems. The first ISASecure certification program, Embedded Device Security Assurance, for example, focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices (www.isasecure.org/en-US/Certification/IEC-62443-4-2-EDSA-Certification).
Achieving a modern secure-by-design automation platform is a complex challenge. However, when properly designed and executed, the resulting system cybersecurity can be much simpler for users and easier to implement than the bolted-on status quo—with significantly lower security life-cycle costs. When simplicity reigns, security wins.