Taking industrial cybersecurity seriously

Steve Hanna, Co-Chair of the Industrial Work Group at Trusted Computing Group (TCG), US, describes how to protect the digital future of pipeline operations.

Across the energy sector, Internet of Things (IoT) equipment is helping drive a digital transformation. From the equipment used in oil and gas extraction, to the monitoring tools assessing an end user’s consumption, the entire supply chain is becoming more connected.

In particular, the use of industrial IoT (IIoT) is on the rise, with the market predicted to reach US$124 billion this year. This kind of connected equipment allows energy companies to provide and employ more sophisticated techniques such as data mining and deep learning – functions that the cloud can provide by performing analysis on data. While there are many practical benefits of implementing IIoT, industrial cybersecurity must be taken seriously to avoid significant consequences.

An enabler for innovation

IoT technologies that are enabled by lightweight sensors, cloud intelligence and greater connectivity offer many benefits to operators. For example, they offer the ability to tune the operation of their plant or facility to meet the needs of the moment, whether that is to support increased energy production, or to help create individualised products. Operators can also carry out predictive maintenance to recognise when a particular device or system is likely to fail and address it beforehand. This is more effective than a preventative measure where you simply replace a piece of equipment every three years, just in case. Recognising the signs of early failure means operators don’t have to replace equipment so often, which helps to reduce costs and increase uptime. For pipeline infrastructure, many parameters can be tracked that may be early indicators of potential failure. Pressure is the most significant variable, but sensors of varying types such as magnetic, ultrasonic, and electromagnetic acoustic can be used to detect structural abnormalities before they become a problem. Acoustic sensors can be used to detect formation or growth of cracks, and electromagnetic sensors can be leveraged to detect corrosion or other flaws. With the help of IoT devices like remote terminal units (RTU) connected to sensors and data collectors along a length of pipeline, this data can be collected and analysed in real-time. Valves and other actuators can also be remotely controlled via IIoT connections, reducing the need for on-site visits.

Real risks to real operations

Thanks to these numerous benefits, there is a business imperative to adopt IoT. However, there is some risk associated with that – the risk of hacks and cyberattacks. The attack on Iran’s nuclear enrichment facility, known as the Stuxnet attack, involved a well-documented piece of malicious code that infected the software of at least 14 industrial sites in the country. Since then, there have been many ‘copycat’ attacks, in Germany, Ukraine and across the world.

In 2017, Triton malware shut down critical infrastructure in the Middle East by attacking the safety systems of a gas pipeline. If an overpressure situation had occurred, the safety systems would not have been able to kick in, causing a tremendous risk to lives. Costs of cybersecurity attacks are also growing – whether that is ransomware, e.g. the Colonial Pipeline attack, or actual physical damage to equipment such as the attack on a German steel mill in 2014. Even indirect attacks where business systems are hacked can have an impact on earnings and the ability to keep systems up and running.

How do these attacks occur? At each layer in the architecture attackers can infiltrate, with the opportunity to target individual pieces of the supply chain, like a programmable logic controller (PLC) or RTU. If they can compromise the network, attackers can monitor and access confidential information or even change data and commands as they’re going through the network if the data and commands are not authenticated and integrity protected. If an attacker can successfully gain access to a server that has control over a large number of devices, the impact of the attack will be much greater.

The main risks to operators are costs in the form of equipment repair and replacement, and remediation – but also safety. The effects of an attack could be more than monetary, depending on the environment. In the most extreme scenarios, attackers could shut down the entire operation or cause an overpressure situation by controlling pumps and valves. This could result in a leak, or even an explosion.

The role of industrial cybersecurity

Industrial cybersecurity is vital for maintaining the reliability, safety, and cost of systems. Sufficient cybersecurity measures empower operators to maximise a whole host of things, such as uptime, reliability, and quality of operations, and as a result customer satisfaction. While cybersecurity measures are often driven by government regulations, they can also provide financial benefits by reducing costs, protecting private and confidential data, and avoiding damage to reputation as well as possible expensive lawsuits. In summary, operators can gain a competitive edge through maintaining efficient operations with minimum downtime.

Industrial cybersecurity inverts the traditional triad of security values for IT security: confidentiality, integrity, and availability. In operational technology, or industrial control systems (ICS) security, availability is most important, integrity is essential, and confidentiality is less of a concern. For example, in a conventional IT system, if someone doesn’t know a password they may be locked out. That’s not an acceptable choice when the password is needed to perform a safety function and the person needs to get in and adjust the system if they are authorised to do so.

Additionally, IT security equipment typically rotates every three to seven years, but in industrial equipment it is normal to have equipment installed for 20 - 30 years. While newer equipment considers the current technology and threat landscape relevant to the intended industry, older equipment can be outdated, posing a higher security risk.

How can operators protect their industrial IoT?

Supply chain authentication

Device parts and accessories purchased by an operator might not be authentic, which could lead to system downtime and revenue loss, malfunctioning or safety problems. With the current shortage of supplies and parts as a result of the pandemic, the risk of counterfeit parts is heightened. In the case of a device, a chip called the hardware root of trust can be used, containing a public and private key pair, and a certificate that can be used to authenticate that hardware.

User authentication

Mutual authentication, best based in hardware, can be utilised to authenticate people. For example, via two-factor or multi-factor identification where a member of personnel must use their mobile phone in order to verify identity. This ensures the person gaining access is none other than the intended user of the equipment.

Secured communication

Secured communication ensures anyone with access to the network can’t necessarily see what is going on and can’t modify commands in transit. To do this, you must authenticate the two components and any people, but also encrypt, and protect the integrity of data in transit. Secure communications protocols like transport layer security (TLS) or datagram transport layer security (DTLS) provide these protections. Encryption may be skipped in some cases but mutual authentication and integrity protection are essential to prevent network-based attacks. These secure protocols should be supplemented by secure elements protecting the private keys on either side so that if the software on a machine does become infected, nobody can steal a copy of that machine’s private keys.
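The point that integrity protection matters even where encryption is skipped, and the earlier point that unauthenticated commands can be changed in transit, can be shown with a simplified added example (not code from the article or from TCG). It uses a shared-key HMAC and a message counter from the Python standard library in place of TLS or DTLS, sends the command unencrypted, and shows a modified and a replayed command being rejected. The names `protect`, `Receiver` and `demo`, the sample key and the valve commands are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: frame = 8-byte counter || command || HMAC tag (no encryption)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side (for example an RTU): accepts a command only if the tag
    verifies and the counter is higher than any counter already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold a counter and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit, or sent without the key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of an earlier valid frame
        self.last_counter = counter
        return body[8:]


def demo():
    key = bytes(range(32))  # constructed sample key; a real key stays in a secure element
    rtu = Receiver(key)
    frame = protect(key, 1, b"VALVE-7 CLOSE")  # constructed sample command
    results = {"genuine": rtu.accept(frame)}
    results["tampered"] = rtu.accept(frame.replace(b"CLOSE", b"OPEN!"))
    results["replayed"] = rtu.accept(frame)
    results["next"] = rtu.accept(protect(key, 2, b"VALVE-7 OPEN"))
    return results


if __name__ == "__main__":
    print(demo())
```

The command text stays readable on the wire throughout; only a holder of the key can produce a frame the receiver will act on.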

Secured software update

If systems are working as expected, operators can be reluctant to update the software on their industrial control system since updates can lead to problems you didn’t anticipate. However, software becomes increasingly vulnerable over time without an update. Attackers can find vulnerabilities in software to take advantage of to infect the system. Therefore, software needs to be updated not to add new features, but to fix security flaws that have been discovered. But it is vital to authenticate the software and check its integrity before installation, since the last thing operators want to do is load malicious software.

Implementing standards

Standards have been developed over the last few decades to improve industrial cybersecurity. IEC 62443 is the international standard for cybersecurity, to be used not only by customers but also vendors to make sure they are implementing best practices for industrial cybersecurity. The standard is required in Japan’s critical infrastructure programme and is likely to be required more broadly in the future. Other countries have similar national standards. While there are more than a dozen different parts to this standard, there is training and certification for devices available to simplify this. This standard recognises there is no one size fits all approach for industrial cybersecurity and the more safety critical the system is, the stronger level of protection you need for it.

There is a new technical document (bit.ly/3fwOQA3) on the landscape, offering guidance for securing industrial control systems by Trusted Computing Group (TCG). This document is shorter and simpler than IEC 62443 and covers the common security use cases: device identity, access control and securing secrets as well as more unusual use cases like physical attacks, equipment as a service and handling legacy systems.

A more secure future for industrial cybersecurity

While even more rapid adoption of IIoT seems to be in the pipeline for coming years, it is time for operators to make cybersecurity a priority. This is how they will reap the benefits of connected equipment and a digitally transformed business, while minimising the risk to operations, and also the safety of personnel. By implementing specifically developed standards to protect IIoT, pipeline operations can be made smarter and more efficient, with the correct protection against attackers looking to exploit vulnerabilities in connected equipment.
