Is it time for a change in cybersecurity?
Making automation systems resilient
By Peter Fuhr, PhD, and Sterling Rooke, PhD
Resilience, as defined in Presidential Policy Directive 21, is "the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions . . . [it] includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents." Historically, automation systems were physically separated from the Internet and other networks. With the advent of commodity platforms and common Internet protocols, automation and control systems can now be built at much lower cost using generally available Internet protocols. This yields increased efficiency and significant cost savings, but as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) (https://ics-cert.us-cert.gov) has reported, the convergence of closed control systems with open Internet-based networks, commodity operating systems, and commodity Internet protocols has brought increased security risk. Given the numerous cybersecurity breaches (e.g., Equifax, the Office of Personnel Management, Dun & Bradstreet, Blue Cross/Blue Shield, and Verizon), is it time for a significant change in automation system security architecture and implementation?
As automation technologists know, today's control systems are most frequently specially designed digital systems that operate real-time physical processes by dispatching commands to numerous sensors, actuators, communication nodes, and devices dispersed across the automation infrastructure. These systems can exchange massive amounts of data at high speed over communication networks to monitor and control physical devices. The control systems operate within the operational technology (OT) environment under rules whose priorities and policies differ from those of standard information technology (IT) systems. In the past, OT and IT systems were largely isolated from one another, with the Internet connected only on the "IT side." In today's automation systems, however, OT and IT are connected, so a cyberattack can originate in business systems and migrate to operational systems, or, as demonstrated incidents have shown, travel in the reverse direction, with malware entering via the "OT side."
"Internet connectivity" covers several arrangements. At one extreme is a direct Internet connection, perhaps to use cloud resources or to provide remote access. At the other is removable media carried from an Internet-connected machine and plugged into an OT or IT device, which is how the Stuxnet malware was introduced into its target OT system. The complexity of such integrated systems ranges from simple supervisory control and data acquisition (SCADA) remote terminal unit topologies to large-scale industrial control system (ICS) architectures with tens of thousands of control and monitoring points.
In January 2016, the U.S. Department of Homeland Security stated, "advanced persistent threat (APT) nation-state cyber-actors are targeting U.S. energy sector and industrial automation and enterprise networks primarily to conduct cyber espionage. The APT activity directed against sector ICS networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States." What protective measures can help us safeguard the integrity and security of the SCADA and ICS communications that operate our infrastructure? This was the featured topic in a 26 October 2017 U.S. Senate hearing on cybersecurity of the electric grid.
Meanwhile, financial analysis reveals that the current methods of applying cybersecurity tools to address such threats, including firewalls, the ill-named "data diodes," intrusion detection systems (IDS), intrusion prevention systems (IPS), and unified threat management (UTM) systems, are inefficient at best and financially unsustainable. As a Morgan Stanley research report on the economics of cybersecurity states: "The current strategy of most organizations, layering on many different technologies, is not only proving ineffective, it is overly complex and expensive."
"The status quo is not sustainable," says Keith Weiss, head of U.S. software coverage for Morgan Stanley. "Even as companies spend more on cybersecurity, losses related to cybercrime have nearly doubled in the last five years."
Enter ever-advancing technology. Although it potentially increases "visibility for more efficient operations," the introduction of Internet of Things (IoT) devices, in particular IP-addressable devices, into industrial settings most assuredly increases the number of elements vulnerable to cyberattack. The October 2016 Mirai-based distributed denial-of-service (DDoS) attack illustrates the situation: IoT devices (largely IP cameras and digital video recorders still using factory-default credentials) were first infected with the Mirai malware and then coordinated in a DDoS attack against the DNS provider Dyn, which left many major websites unreachable for hours. Similarly, the Devil's Ivy vulnerability, a flaw in the open-source gSOAP library reported to be present in approximately 200 million IP security cameras, many of them deployed within industrial facilities, further illustrates the need for a change in cybersecurity policy, best practice guidance, and implementation.
Examined another way, as stated in a keynote address at the 12th Annual Cyber and Information Security Research Conference at Oak Ridge National Laboratory, "You are spending more and more money on cybersecurity, but the hacks and intrusions continue to increase in sophistication and frequency, so you need to spend more, and the solutions just seem to continually add complexity with your organization ever in a reactive mode . . . in other words, it's costing the organization more, much more, and you're getting less protection. It is a game that you are losing. So, if you can't win the game (in this case, cyber-physical security of automation systems), what do you do? Change the game!"
Figure 1. External dependencies and challenges
Time for a change
Let's be clear. As ICS-CERT and others report, industrial control and SCADA systems are being bombarded with an array of cybersecurity attacks. That situation is coupled with reports questioning the financial sustainability of current methods, which consist of a seemingly endless stream of "fixes" (software patches, unidirectional information flow and firewall enhancements, and an array of "better" IDS/IPS/UTM software solutions), all operating as bolt-ons to the existing core design. It cannot be overstated that if one looks at the Internet connectivity of most (some say all) automation system designs, whether for remote access to deliver firmware updates or, in certain instances, for direct cloud-based data services, the cybersecurity vulnerabilities are immediately apparent.
To put this statement into context, consider the cyber-physical security situation for the U.S. electric grid. From the April 2017 Department of Energy's Multiyear Program Plan for Energy Sector Cyber Security: "A secure and resilient electric grid that protects system assets and critical functions and can withstand and recover rapidly from disruptions is a priority of the United States. Protecting against and mitigating cyber- and physical risks to the electric grid in a prioritized manner requires that public and private sector partners continue to work together."
Within the context of the electric grid, controlling generation and maintaining voltage to meet demand is performed with communication networks and software applications that are vulnerable to cyberattack. Attackers have demonstrated that they can disable critical controllers from afar and create a highly disruptive blackout from which recovery would be difficult, as in the December 2015 and December 2016 cyberattacks on Ukrainian electric utilities. Prolonged failure of critical electric systems in water/wastewater, public health, transportation, banking, and industry (essentially throughout the automation world) would halt economic activity, create mayhem, and proliferate life-threatening safety hazards.
Isolated or complex events with cascading effects can have major consequences for automation systems and the electric grid and can adversely affect national security, economic stability, and public health and safety. Securing the existing electric grid, and encouraging investment in measures that reduce the risk of such consequences, is central to the security goals of the world's public and private infrastructures.
The same situation exists within the industrial sector. Is it time for a change?
Figure 2. Matrix of currently available cybersecurity-relevant assessment or compliance resources
What to do?
In response, a research and development activity named DarkNet, initially aimed at the electric utility sector, has been underway within the U.S. national laboratory system to perform a "fresh eyes" analysis of the methods, goals, and practicality of existing cybersecurity designs and implementations. Briefly stated, the goal of DarkNet is to deliver a modern, cyber- and cyber-physically secure, resilient, self-healing, and cost-effective communications infrastructure for automation systems, from small to large. We feel that it is imperative to analyze and develop strategies fundamentally different from today's "bolt-on" cybersecurity solutions. Today, automation industries, including utilities and power-generation facilities, are moving toward having many more devices connected to the network for real-time assessment of their operations and fast response to problems. The related IoT applications provide a wide range of opportunities for the electricity industry to improve the efficiency and performance of the power grid, and the same holds for manufacturing and industrial process systems. IoT allows organizations to collect data from sensors to improve resiliency; using that data enables effective management of an organization's resources, so stakeholders can make informed decisions (in the electric sector, about power consumption and generation).
IoT in this case refers to network connectivity and the embedding of sensors, actuators, software, electronics, and other devices to collect and exchange data more efficiently for controlling electricity flows. Of particular concern to utilities is the potential for cyber intrusion presented by smart, Web-connected devices. The Web connection may be via an IoT device with its own cellular communications channel, thereby bypassing the automation system's cybersecurity controls entirely. The recent denial-of-service attacks against the general Internet, launched from botnets of compromised IoT devices such as Web cameras, video recorders, and even smart toasters, exemplify the need to continually reexamine implemented cybersecurity policies. The key reinstallation (KRACK) vulnerabilities reported in October 2017 against the WPA2 handshake defined in the IEEE 802.11i (Wi-Fi security) standard amplify the need to reconsider existing cybersecure hardware and software architectures. Aimed at the goal of "getting the electricity grid off the Internet," a DarkNet architecture and implementation minimizes, if not eliminates, the automation system's Internet connectivity.
A situation similar to that in energy delivery systems arises in the more general realm of automation from the cybersecurity designs associated with the ISA-95 (Purdue Model) architecture and the associated NIST Special Publication 800 series guidance (notably SP 800-82, Guide to Industrial Control Systems Security). These designs are core building blocks in all types of automation system cybersecurity and undergo considerable review. Where necessary, improvements and updates are brought to the designs, and guidance is given in technology areas such as communications technologies (IT and, specifically, wireless), which present multiple paths for data flow and Internet connectivity. Placing unidirectional data-flow devices and systems, layering on more software for malware detection, identification, and reporting, and establishing firewalls and virtual private networks within the "zones and conduits" construct of ISA/IEC 62443 are noteworthy measures. However, meetings with OT, IT, and C-level individuals from dozens of large manufacturing, processing, and utility companies reveal that dependence on the Internet for business and manufacturing operations is entrenched in OT/IT architectures. Is it necessary to further examine automation communication systems and the associated business practices, and to decouple them, where possible, from a traditional IT-centric architecture with its rules and procedures, in favor of a network architecture (both hardware topology and database hierarchy and structure) that is not bound by the operating principles and restrictions of the public Internet, but rather allows network-centric operations that the public Internet simply will not tolerate?
Not only is the network (communications, infrastructure, data) architecture intimately tied to cybersecurity; analyses are also required to identify "critical" third parties (i.e., those who provide the IT, ICT, or ICS systems critical to operating and maintaining the organization's automation system). Such supply chain risk management requires an interdisciplinary approach. Legal, IT, and procurement must work together to first identify and locate the organization's most critical data and the third-party connections that could be leveraged to gain unauthorized access to the organization's systems, then establish the standards business partners must meet, develop contract language that binds partners to those standards, and audit or assess the partners' implementation of those standards. Figure 1 highlights the challenge facing those who must implement an effective cybersecurity program for the automation subsector supply chain.
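The zones-and-conduits construct and the third-party-connection analysis discussed above lend themselves to a mechanical check. The following Python script is an added example (it is not code from the article or from the DarkNet program): it maps addresses to constructed OT, DMZ, IT, and vendor-VPN zones, permits only a declared table of conduits, and flags any OT host that reaches a public address, any undeclared cross-zone flow, and any third-party connection that lands directly in the OT zone rather than on a DMZ jump host. The zone ranges, conduit table, port numbers, and flow records are all assumptions made for illustration.

```python
"""
Zone-and-conduit policy check over flow records (added example; not code from
the article or from the DarkNet program). Zone ranges, the conduit table and
the flow records below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: one subnet per zone (a real plant has many more).
ZONES = {
    "OT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/16")],
    "IT": [ipaddress.ip_network("10.30.0.0/16")],
    "VENDOR": [ipaddress.ip_network("172.16.99.0/24")],  # integrator VPN pool
}

# Declared conduits: (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is reported.
CONDUITS = {
    ("OT", "DMZ", 1433),    # historian replication into the DMZ
    ("DMZ", "IT", 443),     # reports published to the business network
    ("VENDOR", "DMZ", 22),  # third-party access terminates on a DMZ jump host
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone, or to INTERNET / INTERNAL-UNMAPPED."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "INTERNET" if ip.is_global else "INTERNAL-UNMAPPED"


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp, src, dst, dport, proto' record."""
    ts, src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(ts, src, dst, int(dport), proto.lower())


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a reason string."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return None  # intra-zone traffic is not policed by the conduit table
    if sz == "OT" and dz == "INTERNET":
        return "OT host reaches the public Internet"
    if (sz, dz, flow.dport) in CONDUITS:
        return None
    if dz == "OT":
        return f"inbound to OT from {sz} without a declared conduit"
    return f"{sz}->{dz}:{flow.dport} is not a declared conduit"


def audit(lines):
    """Return [(flow, reason)] for every record that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed flow records, not captured from any real network.
SAMPLE_FLOWS = [
    "2017-10-26T10:00:01Z, 10.10.5.21, 10.20.1.10, 1433, tcp",  # OT -> DMZ historian
    "2017-10-26T10:00:02Z, 10.10.5.21, 10.10.5.40, 502, tcp",   # Modbus inside OT
    "2017-10-26T10:00:03Z, 10.10.5.21, 52.95.110.1, 443, tcp",  # OT -> cloud service
    "2017-10-26T10:00:04Z, 10.30.2.7, 10.10.5.21, 502, tcp",    # IT workstation -> PLC
    "2017-10-26T10:00:05Z, 172.16.99.4, 10.20.1.5, 22, tcp",    # vendor -> jump host
    "2017-10-26T10:00:06Z, 172.16.99.4, 10.10.5.21, 22, tcp",   # vendor straight into OT
    "2017-10-26T10:00:07Z, 10.10.5.21, 8.8.8.8, 53, udp",       # OT -> public DNS
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the sample records, the script reports four findings: the two OT hosts reaching public addresses, the IT workstation opening Modbus/TCP to a PLC, and the vendor session bypassing the jump host. The check only sees traffic that crosses a monitored boundary; an IoT device with its own cellular uplink, as discussed above, never appears in these records, which is exactly why the authors treat such devices as a bypass of the automation system's controls rather than a policy violation the network can catch.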
We performed an abbreviated review of the recognized "certifying" organizations in terms of the security tests, analysis methods, and evaluation tools they currently offer. Figure 2 is a quick-look reference to the currently available cybersecurity-relevant assessment and compliance resources.
Based on this first-order assessment of available tools, our preliminary gap analysis suggests that many important efforts contribute to cybersecurity assessment and compliance, but that the industry is pursuing no dominant course of action to leverage the available tools for assessment, compliance, and the ongoing best practices needed to implement protective measures. Conspicuously absent is centralized coordinating leadership to unify effort and enable effective action.
ISASecure certification, which assesses products and development processes against the ISA/IEC 62443 standards, is highly relevant to the challenges of supply chain cybersecurity: it demonstrates a product development life cycle that includes cybersecurity in all phases of manufacture and integration, and thus an institutionalized commitment to securing industrial automation and control systems, not unlike the early impact that the ISO 9000 and 14000 series had on quality and environmental management best practices. The ISASecure model deserves attention and scale-up as a principal tool in larger scale automation system supply chain cybersecurity.
Regrettably, the good work of the organizations and programs identified in figure 2 is only the tip of the iceberg; scores of ad hoc working groups, committees, and program-based advisory bodies contribute to the body of knowledge, often out of view of the principal beneficiaries (the utilities, the manufacturers, and the systems and software developers who make up their supply chain). This challenge mirrors the dilemma faced by the emergency response community in the early days of the domestic preparedness program, when fire, EMS, public health, and law enforcement agencies were rapidly being propelled into facing the threats and consequences of chemical, biological, radiological, nuclear, and explosive (CBRNE) incidents. Getting a secure grasp on these new burdens required a new class of operational guidance and research resources, such as the Lessons Learned Information System and the Responder Knowledge Base, which maintained a current profile of best practices, successful demonstration projects, and available technologies and tools.
From our initial observations, consideration should be given to developing an overarching operational portal that provides a cohesive, comprehensive resource to inform industry partners of available solutions, best practices, and lessons learned from pilot and demonstration projects, to support their selection, acquisition, and implementation of security and resilience enhancements. It must be a resource available to authorized users from equipment manufacturers, software developers, systems integrators, operators, and operations and maintenance service entities, and it must be capable of meeting the needs of these disparate communities of interest.
Industry stakeholders have emphasized in various forums that voluntary critical infrastructure protection reliability standards for managing automation and supply chain security risk should explicitly advance the best available technology, but that compliance should not get in the way of innovation. Development of the DarkNet topology described above and of the operational portal, led by early adopters, responds to this approach by aggregating the best solutions to accelerate conformance, compliance, and resilience within a competitive industry.
Figure 3. DarkNet for the electric grid
Organizations face the issues associated with battling hackers and malware that can infect, and affect, their networks and operations. ISA's Communications Division and Test & Measurement Division currently have a joint working group focused on IIoT and the associated examination of functional and operational security when IoT devices are deployed into a control system. Although the term "cyber" is overused, it truly applies to IIoT: every new sensor and control capability also enlarges the attack surface. The central question, and the theme of this article, remains: is it time for a change in cybersecurity for resilient automation systems?
In part 2 of this series, the authors will present a more detailed description of topological changes and their cyber-physical security implications for existing automation systems, with the aim of upholding cybersecurity assurance. This will include a comparison of the traditional components and processes associated with defense-in-depth cybersecurity strategies and architectures (antivirus software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection, and biometric verification); a review of DarkNet's complementary protective measures, which extend beyond a traditional layered approach by focusing on the intelligence and protection of each component in the operational architecture; and a description of how DarkNet introduces intrinsic, embedded security features in nearly all elements of the end-to-end grid architecture. There is one thing on which we can all agree. Our collective overarching goal is simple: a resilient automation system architecture and operating process.