Embedding end-to-end trust and security
The history of industrial automation fascinates me. Continuous innovation and new technologies have taken manufacturing processes that originated in the Industrial Age and catapulted them straight into the information age. Just as productivity seemed to be topping out, the Internet helped boost productivity and efficiency to previously unimaginable levels. Unfortunately, as industrial automation roared into today's data-driven, Internet-connected world, it sped past digital security without taking its foot off the accelerator.
Welcome to the digital age, where an anonymous hacker in some virtual landscape can throw a wrench into industrial automation systems. How do we secure these systems while still meeting the needs of corporate stakeholders? Operational technology (OT) teams still demand high resiliency and availability. Information technology (IT) teams demand interconnectivity, enterprise security, and compliance. And both of these teams must accommodate the new kids on the block: data analysts who require real-time data capture, sharing, and analysis for every decision in the business.
This article discusses the current state of industrial automation system security, the technological and organizational challenges of improving it, and a dynamic model for embedding end-to-end trust and security into industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
Crime and conflict have a new address
Physical break-ins and attacks on SCADA and ICS systems are largely a twentieth-century phenomenon. The overwhelming majority of attacks today are carried out by well-resourced, highly motivated attackers who are often accomplished software engineers working for cybercrime syndicates on other continents. Business competitors and nation states are the latest cyberwarfare participants, as the battleground has expanded to include manufacturing facilities, entertainment companies, and critical infrastructure. Here are a few noteworthy examples:
- The most notorious attack on an industrial automation system was in 2010, as the Stuxnet computer worm attacked industrial programmable logic controllers within an Iranian nuclear enrichment facility, subtly manipulating the feedback data of centrifuge units. This is believed to be one of the first attacks carried out by a nation state, although the source of the attack was never authoritatively identified.
- In December 2014, a German federal agency confirmed that a German steel plant was targeted by a malicious email that allowed hackers to cross over into the production network. The plant's controls system was compromised, preventing the furnace from being shut down. The result was the first time that "massive physical damage" to the production system was experienced; it catapults us into the new age of cyber-physical attacks with safety threats for humans.
- In December 2014, a leading industrial automation system provider patched a series of flaws in its remote terminal unit controllers used in oil and gas pipelines. The flaws included hidden functions, an authentication bypass, and hardcoded credentials, which could allow remote exploits of the devices. Although no breaches have been reported to date, the existence of vulnerabilities like this could cause extremely dire consequences.
Sadly, these types of security events continue to increase both in terms of damage and frequency. For a current list of alerts, advisories, and reported attacks, visit the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) website (https://icscert.us-cert.gov).
Data capture and analysis is today's competitive weapon, generating analytical insights that refine and optimize processes in every area of business. It is not uncommon for manufacturers to invest hundreds of millions of dollars to achieve a 10 to 20 percent efficiency increase. The efficiencies come from data-driven decisions gained through insights from customer use and demand, purchasing, supply-chain optimization, manufacturing production processes, predictive planning, and more.
By hacking and subtly manipulating data, attackers can de-optimize a company's processes without anyone even knowing. Even the most subtle data manipulation in any of these areas can cripple a business that is on razor-thin margins.
Security myths and misconceptions
A number of myths and misconceptions have hindered the evolution of industrial automation system security. The most common include:
- "Our OT systems are still safely airgapped because our manufacturing line isn't connected to the Internet." This is a popular and very dangerous misconception. Since 2010, it is highly unlikely that any manufacturing control system is truly isolated. Just one user who can access the production system while logged on to the Internet, or who connects to the system with a notebook or tablet, creates security vulnerabilities. Remember the Iranian nuclear enrichment facility and the German steel plant? Enough said.
- "We are running a 20-year-old proprietary system that isn't vulnerable to modern-day attack tools and techniques." The vulnerability in legacy proprietary systems is sometimes in the communications and protocols, rather than just in the systems themselves. Security through obscurity does not work anymore. Moving from a physical world to a virtual/data-driven world powered by software poses entirely new security challenges. If there is value in data, hackers will find a way to access it.
- "Security vendors will deliver a magic box that will protect our operating technologies in the same way that firewalls and intrusion-detection systems protect our IT systems." There is no silver bullet to guarantee security throughout Internet-connected ICS systems.
Security deployment model
Establishing a perpetual chain of trust
Current client-server industrial automation systems have moved to an edge-to-cloud architecture for cost and flexibility. They have security challenges that result from today's interconnected world. Regardless of application, ensuring security begins by establishing a chain of trust between devices, data, and systems. Everything within the trusted system must be authenticated and validated to ensure trusted interoperability and integrity at every point.
Of course, availability requirements and the legacy nature of industrial automation systems add challenges. Preserving existing investments in ICS infrastructure is paramount. Therefore, a viable security model must work with both existing and new systems. In addition, security is a dynamic process, because security needs, policies, and threat detection methods change over time. Therefore, any viable solution must be adaptable and updatable.
The embedded security deployment model establishes and ensures trusted interoperability that is essential for industrial automation interconnectivity. This model has three core requirements:
- Hardened devices (embedded security protecting "things")
- Secure communications ("things" need to talk to each other)
- Security monitoring and management (responding to changes and events)
Establishing the chain of trust begins with validating the identity of the device. Previous approaches to validate device identities, such as using IP and media access control (MAC) addresses, are untrustworthy: IP addresses change routinely and can be very easily spoofed by hackers, while MAC addresses can be easily reset. Therefore, device authentication must start at the physical level: the processor within the hardware.
Device hardening may use trusted execution technology, which leverages an embedded security coprocessor (a dedicated microprocessor designed to store cryptographic keys in a tamperproof hardware container). This allows the chip itself to perform cryptographic operations such as measuring the level of trust in the boot process, an operating system, a virtual machine, or an application. A key aspect of this process is precise measurement of code, data structures, configuration, information, or anything that can be loaded into memory. Measurements consist of a cryptographic hash using a secure hashing algorithm, which allows integrity validation and detection should any measured code, configuration, or data be altered or corrupted. This is applied to software residing on the disk to determine whether or not it has been tampered with before loading the software into memory and executing it.
The chain of trust continues to be built up and verified through the complete software stack, including during the boot process, and across the entire system, even as data is encrypted and transported into the cloud.
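The measurement chain described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor: it assumes SHA-256 and a TPM-style "extend" register (new register = hash of old register plus measurement), and the stage names and image contents are constructed placeholders.

```python
import hashlib
import hmac

ZERO = bytes(32)  # register value at reset

def measure(blob: bytes) -> bytes:
    """A measurement is the SHA-256 digest of exactly what is about to be loaded."""
    return hashlib.sha256(blob).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold a measurement into the running register (in hardware it cannot be set directly)."""
    return hashlib.sha256(register + measurement).digest()

def boot(stages):
    """Measure each stage before handing control to it. Returns (event_log, register)."""
    register, log = ZERO, []
    for name, blob in stages:
        m = measure(blob)
        register = extend(register, m)
        log.append((name, m))
    return log, register

def verify(log, reported_register, golden):
    """Replay the log against the reported register, then compare entries to known-good digests.
    Returns (log_matches_register, names_of_altered_stages)."""
    register = ZERO
    for _, m in log:
        register = extend(register, m)
    matches = hmac.compare_digest(register, reported_register)
    altered = [name for name, m in log if golden.get(name) != m]
    return matches, altered

# Constructed sample software stack (contents are placeholders, not real firmware).
GOOD_STACK = [
    ("bootloader", b"bootloader image 1.0"),
    ("os_kernel", b"kernel image 4.2"),
    ("plc_runtime", b"plc runtime 2.1"),
    ("control_app", b"furnace control logic rev 7"),
]
GOLDEN = {name: measure(blob) for name, blob in GOOD_STACK}

def demo():
    """Three cases: clean boot, one altered stage, and an altered boot with a doctored log."""
    tampered = list(GOOD_STACK)
    tampered[2] = ("plc_runtime", b"plc runtime 2.1 with altered setpoint table")
    clean_log, clean_reg = boot(GOOD_STACK)
    bad_log, bad_reg = boot(tampered)
    return {
        "clean": verify(clean_log, clean_reg, GOLDEN),
        "altered": verify(bad_log, bad_reg, GOLDEN),
        "doctored_log": verify(clean_log, bad_reg, GOLDEN),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The third case shows why the register matters as well as the log: a log rewritten to list only known-good digests no longer replays to the register value the hardware reports.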
Execution of trusted devices and data is essential given the prevalence of machine-to-machine communications driving industrial automation. For example, trusted devices can digitally sign data received by trusted industrial control sensors. Should a hacker manipulate data, the data signature will be inaccurate and be flagged by the monitoring system. In this case, the untrustworthy piece of data and the machine or sensor where it originated will be clear.
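A sketch of the monitoring check just described, as an added example that is not from the article: each reading carries an integrity tag, and the monitor names the sensor whose data fails verification. HMAC-SHA256 with a per-sensor key stands in here for the digital signature (a real device would sign with a private key held in its security coprocessor); the sensor names, keys, values, and the sequence-number replay check are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-sensor keys; stand-ins for keys held in device hardware.
SENSOR_KEYS = {"temp-01": b"constructed-key-temp-01", "flow-07": b"constructed-key-flow-07"}

def _canonical(sensor, seq, value) -> bytes:
    """Serialize the signed fields the same way on both sides."""
    body = {"sensor": sensor, "seq": seq, "value": value}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(sensor, seq, value, key) -> dict:
    """Device side: attach a tag computed over sensor id, sequence number, and value."""
    tag = hmac.new(key, _canonical(sensor, seq, value), hashlib.sha256).hexdigest()
    return {"sensor": sensor, "seq": seq, "value": value, "tag": tag}

class Monitor:
    """Monitoring side: verify each message and say why it was flagged."""
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def check(self, msg) -> str:
        sensor, seq = msg.get("sensor"), msg.get("seq")
        key = self.keys.get(sensor)
        if key is None or not isinstance(seq, int):
            return "unknown-sensor" if key is None else "malformed"
        expected = hmac.new(key, _canonical(sensor, seq, msg.get("value")),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "bad-signature"
        if seq <= self.last_seq.get(sensor, -1):
            return "replayed"  # valid tag, but an old reading sent again
        self.last_seq[sensor] = seq
        return "ok"

def demo():
    """Run a constructed message stream through the monitor."""
    genuine = sign_reading("temp-01", 1, 1480.5, SENSOR_KEYS["temp-01"])
    altered = dict(sign_reading("temp-01", 2, 1490.0, SENSOR_KEYS["temp-01"]), value=1200.0)
    other = sign_reading("flow-07", 1, 3.2, SENSOR_KEYS["flow-07"])
    rogue = sign_reading("pump-99", 1, 0.0, b"not-a-provisioned-key")
    mon = Monitor(SENSOR_KEYS)
    return [(m["sensor"], mon.check(m)) for m in (genuine, altered, genuine, other, rogue)]

if __name__ == "__main__":
    for sensor, verdict in demo():
        print(sensor, verdict)
```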
Trusted transaction spaces are logical zones that allow authorized business communications. The devices must ensure the trust and integrity of data within each zone. Two embedded security innovations allow communications between trusted zones of the past and the present/future: intelligent security gateways, which enable users to securely aggregate, filter, and share data from the edge to the cloud; and trusted execution environments, which allow secure and trusted execution of application data anywhere.
Intelligent gateways: linking the past with the future
There is a reason legacy systems are so prevalent in industrial automation: they work. In fact, some have been refined for decades. New classes of intelligent gateways (some as small as two inches by two inches) are critical to extending legacy systems by connecting them to next-generation intelligent infrastructure. These gateways physically separate legacy systems, production zones, and the outside world, limiting the attack surface of an industrial automation system. The gateway can secure a device, or devices, without modifying the device in any way, making it an attractive initial security solution to create a consistent level of security within the environment.
As with any hardened device, security gateways must boot securely, be authenticated on the network, and then perform any number of security and communications tasks on behalf of the devices behind them. They can be provisioned to link trusted transaction spaces by validating integrity calculations, verifying certificates, applying cryptography, and establishing trusted communications links. Gateways can also include protocols to manage the production systems they are attached to, which can extend the life of these systems, allowing repair and updates without a physical field visit.
Trusted execution environments: security and privacy anywhere
A trusted execution environment enhances security by preventing any device from executing malicious code. It uses virtualization and encryption technologies to create secure containers for applications and data that are only accessible to approved devices. These environments are secure, trusted zones that ensure tamperproof protection of data, making data and applications invisible to third parties who may transport, store, and process sensitive information.
Even within a virtual machine that is being operated by unknown entities, the trusted execution environment can validate data authenticity and create a digital signature to attest to its integrity later. For example, production data from an industrial automation system that a cloud services provider, such as Amazon Cloud, stores and processes can be maintained securely to ensure that the data has not been secretly altered.
Security monitoring and management
There is an old axiom in IT: you cannot manage what you cannot monitor. Effective oversight of distributed industrial automation systems requires the ability to centrally manage devices through an enterprise management console, as well as the ability to monitor, collect, and analyze event information on all devices for end-to-end situational awareness of the entire system.
Enterprise security management consoles
An enterprise management console allows IT staff to manage complexity and have global visibility of highly distributed environments. The management console is where IT remotely provisions, manages, and updates software on devices, as well as defines and refines policies and pushes those policies to devices. For example, embedded devices may include whitelisting policies, which define appropriate applications, data, communications, and other functions the device is allowed to perform.
A company's enterprise management console should be tightly integrated with its security information and event monitoring (SIEM) solution and other security modules. A word of caution here: levels of integration differ considerably between vendors and security management components. A higher level of integration can greatly simplify complexity, accelerate accurate situational awareness, and reduce management time and expense. In addition, scalability becomes a critical capability for SIEMs and enterprise management consoles.
Security information and event monitoring
SIEM solutions gather, consolidate, correlate, assess, and prioritize security events from all of the managed devices that touch an industrial automation system. The SIEM combines situational and contextual awareness of all events through a process of baseline trending, anomaly detection, and alerting. Behavioral capabilities help differentiate between normal and abnormal operational patterns and refine policies to minimize false positive alerts and responses. SIEM data is also essential for conducting forensics to gain greater insight into a security incident or device failure.
Building an ecosystem
Given the distributed, interconnected nature of today's industrial automation systems, achieving end-to-end security must be a multivendor effort. To address this challenge, industry collaboration is underway, as manufacturing and critical infrastructure original equipment manufacturers (OEMs) are actively forming consortia with enterprise security vendors to ensure interoperability, set open standards, and define application programming interfaces. New systems and industrial control devices are being built secure from the ground up and designed with security technologies that ensure backward and forward compatibility.
Words of advice: Tips, tricks, and critical insights
No two businesses are the same; each has unique security infrastructures, operational technologies, and processes. Some have made considerable progress in creating converged IT/OT security solutions, while others are in the early stages. Regardless of where an organization resides on this continuum, here are some general guidelines to keep in mind.
- Establish a task force. Make sure it includes both IT and OT staff. Seek out key players in your manufacturing and industrial system controls groups, and include them in briefings and activities. Tour the factory or manufacturing facility and speak to supervisors and front-line personnel.
- Plan in phases. Target core functions that are achievable and measurable in reasonable time frames. For example, start by deploying intelligent gateways on key devices or production zones in one facility, and use that site as a pilot for event monitoring, management, and policy refinement.
- Select capable vendors who work well with others. Are potential vendors part of a proven ecosystem that includes system integrators, security experts, and manufacturing OEMs? Given the formidable complexities of securing industrial automation systems, there is no such thing as a single-vendor solution or technological silver bullet. Is security their core competency? Do they have expertise in embedded security and critical infrastructure? Lastly, can they deliver more than slideware or vision papers (i.e., do they have a reference architecture and customer references, and can they provide clear architecture designs and integration plans)?
- Insist on scalability. Make certain management and monitoring technologies scale to handle potential merger and acquisition activity, as well as what will certainly be a dramatic increase in Internet-connected devices and related security events as a company or utility grows.
Moving forward, consider how to use these core concepts to build higher levels of embedded security, secure communications, and manageability into industrial automation systems. After all, these days, no one can be too secure.
- Interconnected industrial automation systems face new security challenges such as hacking, industrial espionage, and sabotage.
- Securing these systems requires a perpetual chain of trust that spans all devices, data, and systems.
- Architectural requirements include hardened devices, secured communications, and consistent security monitoring and management.
A hostile takeover through data manipulation: A hypothetical example
It is a tough world out there. Unscrupulous players will use any means to improve their own prospects by harming competitors, including hacking, industrial espionage, and sabotage.
Consider this theoretical example: a major chemical conglomerate wants to take over a competitor who has no desire to be bought out. By hacking the competitor's production systems, manipulating inventory orders, or slightly altering material specifications, it could negatively affect product quality. This lowers customer satisfaction, reducing sales and driving down profitability, likely without ever being detected. The resulting shareholder dissatisfaction could create an acquisition opportunity and a favorable purchase price.
Industrial automation systems are particularly vulnerable to this attack trend because many of these systems are now Internet-connected without adequate protection. And, given the prevalence of automated systems, many daily decisions are made by machine-to-machine interactions, making them difficult to trace without proper security considerations.
Although cyberwarfare is clearly a morally bankrupt business decision, it is hard to debate its economic value.
ABOUT THE AUTHOR
Sven Schrecker (sven_schrecker@mcafee.com) is the chief architect of Intel Security's IoT Security Solutions Group. He co-chairs the Security Working Group for the Industrial Internet Consortium, where he works on open, standards-based platforms to enable end-to-end security across both existing (brownfield) and new (greenfield) technologies.
View the online version at www.isa.org/intech/20150401.
Copyright International Society of Automation Mar/Apr 2015
This article was written by Sven Schrecker from InTech and was legally licensed through the NewsCred publisher network.