Why Technology Alone Will Not Solve Industrial Cyber Security Threats
Introduction
Know your adversary – this is surely one of the essential steps in any program to improve security? If you don’t understand the nature of the threat, whether it is a human threat such as warfare or, more topically, a natural threat such as the novel coronavirus, then you are not going to understand how to protect yourself adequately. More importantly, you will not know whether you are adequately protected! It is the same for industrial cyber security, also referred to as OT or ‘Operational Technology’ security. So, who is our biggest adversary in OT security, and how do we defend against them?
Healthy paranoia
It was Joseph Heller who used the line “just because you’re paranoid doesn’t mean they aren’t after you”. Recent incidents such as the Tricon safety controller compromise ‘TRISIS’ have received much attention, and quite rightly so. The TRISIS attack was targeted and highly sophisticated. Much has been written about the sequence of events that allowed the would-be attacker(s) to gain a foothold inside a safety-critical controller, the potential impact should the exploit have been successful, and the steps that would have prevented the intrusion from happening. The evidence suggests that this was a clear case of external actors gaining access to the corporate network (probably through a phishing campaign) and eventually pivoting down through the industrial network to compromise a Tricon controller’s logic on the programming terminal.
But what if our adversary is not an external attacker, or not even an intentional attacker? Any defensive measures designed to prevent external access would be far less effective; they could even be useless! Analysis by the SANS Institute for their 2019 State of OT/ICS Cybersecurity Survey found that “internal threats, although accidental, are the second highest overall threat category”. It also found that external threats from the supply chain and hackers / nation states were collectively ranked third and fourth. In reality, then, the organisation needs to understand the nature of both the insider and the external threat. It also needs to defend against both of them!
Security in Depth
The IEC 62443 set of standards “Security for Industrial Automation and Control Systems” describes the concept of ‘defence in depth’. Similar in many ways to ‘layers of protection’ in functional safety, the concept requires a series of diverse and independent security measures to achieve a robust security posture. This is because no single security measure by itself is sufficient, and in practice, all security measures can be defeated. The overall approach to ‘defence in depth’ can be regarded as a series of layered or nested measures as represented in the diagram here:
A company’s employees and trusted third party suppliers have privileged access to its control networks. They have security clearance, logon credentials for control systems, and in many cases, legitimate reasons to be working on these systems. By definition, they have the means to defeat some or many of these defensive measures, whether deliberately or not. This implies that even ‘defence in depth’ is not sufficient by itself and our security strategy must also cover all three elements of:
1) Defence in depth – the complete set of measures aimed at keeping intruders out, or at least making their life as difficult as possible,
2) Detection in depth – a series of independent measures to give timely warning that an intruder might be present in the network and
3) Response in depth – the complete set of measures designed to ensure that the organisation is prepared for an attack and can respond in a manner that will minimise the damage and loss to the organisation. Few organisations in my experience are appropriately prepared for dealing with cyber-loss, whatever the origin.
‘Security in Depth’ is the collective term for these three elements. Each is worthy of more detail than I have dedicated in this article, and each will be the subject of a future blog. Yokogawa has long understood the concept of ‘security in depth’, and our Plant Security program incorporates these three elements to deliver a robust security solution for our clients.
How much is enough?
Unfortunately, this question is difficult to answer. Having a documented Cyber Security Management System (CSMS) and a robust process for risk assessment, both as mandated by IEC 62443, is a good starting point. Security is not an absolute, just as safety is not an absolute, and it is worth noting that publications such as the UK Health & Safety Executive’s OG-0086 guidance include the concept of ‘as low as is reasonably practicable’. The answer lies in a comprehensive strategy that spans all three of people, written procedures and technology, as well as the three areas of defence, detection and response in depth. As an example, the ‘unintentional’ component of the ‘insider threat’ cannot be adequately addressed by host-level security (such people probably have bona fide access!) but can be addressed by awareness training and perhaps a program of competence assessment. The deliberate ‘insider threat’ is very different, and it needs to be managed differently.
Conclusion
According to Larry Kirchenbauer: “If you’re not paranoid, you’re not paying attention”. OK, this is slightly tongue in cheek, but I think the message is clear: it is prudent to hope for the best while planning for the worst. This brings us back to the earlier point about ‘healthy paranoia’.
Plant Security eBook – Cyber Security Lifecycle from Enterprise to Endpoint
Download this eBook to learn how to protect your Operational Technology (OT) systems, networks and processes from cyber security attacks. With multiple layers of defence, comprehensive incident response, back-up and recovery plans, this eBook brings together all the information necessary to develop effective plant security.