Legacy control systems—the decades-old systems that are fixtures in most manufacturing facilities and that operations managers are loathe to rip out and replace—were not built with cybersecurity in mind. So in our increasingly connected industrial environments, security has had to be approached primarily from a network perspective, securing the perimeters with access control, firewalls, DMZs and the like.
Meanwhile, we’ve taken for granted the hardware-based security built into our consumer devices like smartphones and tablets. But it’s finally reaching the point where that built-in security is making its way into industrial devices.
When Bedrock Automation introduced controllers and I/O with built-in security, the company set the stage for a shift in how industrial control systems are designed. The embedded, secure hardware, designed within industrial automation components from the get-go, has caused other industrial automation suppliers to take notice.
Competitors have been scrambling to incorporate such changes in their own controllers and I/O devices, but, because they have to design with their own legacy systems in mind, they find themselves playing catch-up in the industry they’ve been part of for decades.
Implementing security measures at the network level has traditionally been an easier security fix, with many control suppliers putting their emphasis on hardening the legacy automation system, says Albert Rooyakkers, Bedrock’s founder and chief technology officer. “Mainstream control vendors designed their flagship systems before cybersecurity was an issue, so the only way they can protect them is by bolting on firewalls and other technology,” he says. “We had the luxury of starting with a clean sheet, which enabled us to embed protection into our electronics.” Traditional control vendors must also support decades of legacy systems and build bidirectional integration of legacy systems with new systems, he adds.
It also helps that Bedrock more closely controls the supply of the secure chips that go into its controllers. Semiconductor components are supplied by Bedrock parent company Maxim Integrated or are designed and sourced by Bedrock. Both companies assure chips are secure and will not become obsolete. “When you control the component supply chain, you can control the component lifecycle over decades vs. over years,” Rooyakkers says.
Securing the existing system
Because most control suppliers need to support legacy systems, they are at work on methods to secure their legacy automation systems and design new systems with security in mind, according to a report from market researcher Frost & Sullivan.
Most automation suppliers are addressing cybersecurity challenges by offering external security hardware, protection software and managed security services, according to the report. “Though this approach helps end users resolve issues, they still need to make significant investments over the entire lifecycle of the technology to ensure effective cyber protection,” it says.
For ABB, this hardening of the existing system involves designing and implementing products that follow IEC 62443 security standards, which define procedures for implementing electronically secure industrial automation and control systems.
These standards are broad; they don’t focus solely on the controller, explains Luis Duran, ABB’s product manager for safety and security. “When we do things relative to security, we’re not targeting the controller,” he says. “We’re talking about ways it’s used as a system because that’s typically the way the product is deployed.”
Hardening an individual component is not enough, Duran adds. Rather, ABB describes best practices for designing security into industrial control systems (ICSs), such as building in access control that ensures users have the right to be on the system, and protecting components and networks with passwords.
ABB controllers are, of course, tested before they’re released to ensure they meet safety standards, Duran says. “Doing all this during design means we can determine whether or not a product is ready to be released based on the security criteria,” he says. “If something doesn’t meet the security guidelines we’ve established as well as international standards, it doesn’t leave development cycle.”
The ABB controllers that are part of System 800xA meet these security standards, Duran says. Features of the system include:
- Digital signature: Users digitally sign aspects of the information; data cannot be changed after approval.
- Access control: Re-authentication and secondary authentication ensures secure interaction, with automatic logout after a period of inactivity.
- Audit trail: All user-initiated actions are logged, including download-to-controllers, operator interactions, configuration changes, batch recipe editing and execution, and server start and stop.
Honeywell Process Solutions also puts its products through internal security reviews before release, says Seth Carpenter, Honeywell cybersecurity technologist. The company is also active in creating and maintaining IEC 62443 standards.
Part of that standard dictates that controllers continue to communicate vulnerabilities after they’ve been deployed in the field. “Pretty much every industrial control vendor has a dedicated team to respond to customers around the clock,” Carpenter says.
Honeywell recognizes that companies and organizations could deploy a controller for a long period of time. Even if an industrial user plans to upgrade controllers within the next two or three years, a number of security vulnerabilities could be introduced within that time, Carpenter says. “So my group is about coming up with things we can apply to those legacy systems right now to prevent vulnerabilities and lock down the system.”
These types of security procedures include regular patches and installation of firewalls that protect against vulnerabilities until the system can be patched.
“There are technologies that work well in the IT space, like patching servers, so we’re not trying to reinvent the wheel,” Carpenter says. “We’re working with leaders to adapt their use to the industrial environment. We have offerings and services around getting patches and making sure users can get security updates without disruption to their processes.”
Security vulnerabilities are usually reported via system users. But control systems that are critical to the nation’s infrastructure are also reported via the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the U.S. Department of Homeland Security. The team helps ICS vendors and their customers identify security vulnerabilities—including within the controllers themselves—and develop mitigation strategies, Carpenter says. “Our preference at Honeywell is to communicate vulnerabilities directly with our customers,” he adds.
Across the network
Nonetheless, ICS cybersecurity is still about 25 years behind the kind of IT security seen within corporate systems, contends Galina Antova, co-founder of Claroty. The reason, she says, is because controllers and SCADA equipment can’t be easily upgraded and have much longer lifecycles than office equipment.
ICSs can’t be easily taken offline, even for a few minutes, for security upgrades without losing invaluable production or monitoring time. Often, systems can’t be offline long enough to be patched, Antova maintains.
Though security vulnerabilities still exist on ICS devices such as the controllers themselves, those vulnerabilities are the least of the overall system’s security issues, Antova says. “Many of the controllers now in use were designed 10-15 years ago, when vendors didn’t have secure coding practices that have been introduced now,” she says. “Given the long lifecycles of those machines, it’s not practical to have those upgraded every few years even if vendors are coming up with new features.”
Though Bedrock was able to design controllers from scratch, others don’t have that luxury. “They have legacy systems they need to upgrade,” she says. “Also, expensive and expansive control systems are not upgraded nearly as often as IT systems.” As a result, they can be in place for 20 years or longer, she adds.
Claroty provides a platform that offers visibility into security issues across complex, multi-vendor ICS environments. It also provides real-time monitoring of critical control systems.
Still, control suppliers are doing a better job than ever of designing security into their components, Antova says. She expects that trend will continue, though the overall ICS can never be upgraded with the regularity seen in the corporate IT world.
“We’ll never be at a point where we’ll be able to say my end points are so secure there’s no need to monitor to see what’s going on over the system,” she says. “Because now there are so many other ways of attacking those networks and getting into them. An attack of a medium scale doesn’t have to exploit a known vulnerability within the controller to get into the system.”
Add that to the fact that manufacturers use controllers and equipment from several different vendors. So simply employing a very secure controller on part of the system won’t make the entire network secure, Antova says. And because every manufacturing and processing company uses automation system components from numerous suppliers, “controller vendors know they can’t fix the entire ICS security system themselves,” she says.
The Claroty platform employs a passive, real-time monitoring approach, that monitors all communication within an industrial control network to identify high-risk changes and potentially malicious activity that could pose an operational safety, security or process integrity risk, Antova says. It inspects a large number of industrial control protocols, with support for both open and proprietary protocols from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell and ABB.
“There are so many practical considerations that go beyond controller security to bear in mind when thinking about security of those networks,” Antova adds.
But Joe Weiss, ISA fellow and author of Protecting Industrial Control Systems From Electronic Threats, insists the only truly secure way to protect an ICS is to embed security in the foundation—in the controller itself—which requires a complete rethinking of how to architect and build control systems. “Based on my review, Bedrock has rethought the architecture from a clean sheet of paper and embedded the security,” he says.
What is clear in this evolving stage of ICS cybersecurity is that system vendors are undertaking a number of methods to ensure ISC security—by building security into controllers, hardening controllers already in use and designing platforms that continually test for network vulnerabilities.
