PROTECTING CONNECTED DEVICES AGAINST CYBER ATTACK

Transcription

1 PROTECTING CONNECTED DEVICES AGAINST CYBER ATTACK INCREASING THE SECURITY OF INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS By Matt Jakuc Product Group Manager, Cybersecurity Technical Lead CSA Group The rise of cyber related attacks on Internet of Things (IoT) and the Industrial Internet of Things (IIoT) infrastructure has made it increasingly vital to have cybersecurity protocols in place to support functional safety and safety-related solutions in commercial or residential buildings and industrial processes. As building and process automation increasingly involves linking equipment together in an open network architecture, the safety and security risks created by Internet connectivity should be a foremost concern of stakeholders such as product design professionals, building managers, owners and system integrators. Functional safety verification is essential in equipment that responds to operator inputs because an automated, safety-related device or control system that responds incorrectly may create a hazard. A cyber-attack on the integrity of a controller can jeopardize the functional safety of a device or control system in an open network architecture. A cyber-attack can compromise the safety function of a device (or control system) in a one or more ways: The device could be jammed so it will not activate and perform its safety function when needed creating a high-level risk condition. An attacker could hijack the device to make it appear to be functioning properly when it is not, disguising a serious vulnerability. A hijacked safety function can also be manipulated to trigger false positive alarms or inappropriately engage the safety function (e.g. close and open valves, turn lights on and off and activate sirens). If the manipulation seriously abuses the system it can damage equipment and potentially endanger lives. Even if the compromised device or system can still perform its safety function, it could be rendered inaccessible or raise false alarms that require service attention. To mitigate these risks, the Functional Safety Design Lifecycle and testing & certification of critical functional safety features must be extended to also encompass evaluation of security features. To achieve fully integrated network security, each individual IoT and IIoT device or control system must be designed within the framework of a Security Development Life Cycle and tested and evaluated against accepted and applicable cybersecurity standards. The Emerging Internet of Things Advantages and Vulnerabilities Commercial and residential building systems, as well as industrial control systems, increasingly include online capabilities to enable operators and service providers to remotely monitor, control, and analyze system safety, security and performance.

2 The creation of intelligent buildings and industrial processes utilizing open network architecture is driven by the concept of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) which sees manufacturing utilizing IoT technologies for quality control, sustainability and overall process improvements with a multitude of individual devices and control systems supporting overall system connectivity. The advantages of fully integrated online or cloud-based systems to operators and other stakeholders are significant: System performance can be monitored continuously. System operation can be more easily controlled to optimize efficiency and cost-savings. Preventive diagnostics can be performed to predict failures and improve scheduled maintenance routines. Faults can be immediately detected so root causes can be identified and addressed quickly, minimizing disruption or potential damage to the system. Robust system data can be compiled and analyzed to identify opportunities for future system and operational improvements. The market for connected devices for Industrial Automation Control Systems (IACS), as well as commercial and residential Building Control Systems (BCS) is expanding rapidly. Data compiled by IHS Markit and reported by the Continental Automated Buildings Association (CABA) predicts that, by the year 2025, there will be approximately 70 billion IoT-connected devices with an estimated 18 billion devices shipped per year. 1 This rapid growth and clear advantages and opportunities of intelligent buildings is not without significant security and safety risks, and vulnerabilities that must be addressed. An October of 2016 Distributed Denial of Service (DDoS) attack in the U.S. dramatically demonstrated the impact of a malicious attack on unsecured Internet-connected devices. In this extreme case, vulnerable household IoT devices were infected with malicious code or malware known as a botnet. Hackers coordinated those devices to send an overwhelming volume of traffic to servers operated by an important Domain Name System (DNS) provider, disrupting much of America s Internet and legitimate traffic to many of the most popular Web sites. While unprecedented in its scale and overall impact on U.S. Internet infrastructure, the October attack illustrates the potential vulnerability of intelligent building and automated industrial control systems based on IoT devices. Assuring Functional Safety and Security The adoption of open networks and IoT devices increases vulnerability to cyberattack, underscoring the importance of assuring the full integrity of functional safety across a networked building or industrial process system. To achieve this goal, extensions of the Functional Safety Design Life Cycle and Functional Safety Testing & Certification must be considered for each connected device. This can include the implementation of a Security Development Life Cycle and potentially the addition of a Cybersecurity Product Evaluation. The goal is to establish a level of confidence in the security features of the IoT device through an established and reliable quality assurance process. 1 CABA Intelligent Buildings and the Impact of IoT, Key Trends in IoT and Commercial Building Technology Markets; IHS Markit for the Continental Automated Buildings Association; Continental Automated Buildings Association, 2016.

3 While operators and the service providers who support them must be concerned about a host of negative consequences of cyber-attack, including Breach of data security Interrupted operations Loss of revenue Unplanned recovery expense Liability or legal action for negligence Tarnished reputation a cybersecurity breach poses no greater threat than the loss of functional safety, which can place workers, residents and communities at risk of injury or even death, while also threatening property and the environment. Vulnerabilities Are Widespread The potential for cybersecurity attack exists across a wide range of devices currently used in intelligent building and industrial control systems. By exploiting the vulnerability of an unsecure controller or other device, attackers could take control of all connected equipment on a network. The potential risk can be magnified if the initial breach exposes weaknesses in equipment that was not designed to operate in an open network environment. Design Weaknesses May be Exposed A simulated cyber-attack on an electrical power generator connected to a substation dramatically demonstrated the risk created when appropriate security measures are not incorporated in an original equipment design. Although conducted in 2007, the results of the simulation continue to be a point of reference in industry and governmental discussions of power industry security needs. During the simulation, which was conducted by the Idaho National Laboratory, researchers targeted a vulnerable programmable device to gain access to and control of protective relays on the generator. Because the equipment design did not include measures to prevent the relays from being abused, the researchers were able to open and close the breakers rapidly and out of sync, creating extreme torque conditions. The generator bounced and vibrated violently, eventually throwing parts up to 80 feet before it was destroyed. 2 In an actual attack, serious injury to operators, or even death, could have occurred. Improper Implementation Can Undermine Secure Technology Even when the technology used in a product is inherently secure, failure to implement suitable security measures during the product design process can leave connected equipment and networks vulnerable to attack. Wireless protocols widely used in intelligent building and smart home devices are one example, affecting millions of devices worldwide. Researchers in 2015 and 2016 reported finding security flaws in many building automation devices using the Z-Wave and ZigBee wireless protocols, which are incorporated in the designs of smart door locks, alarms, detectors, light bulbs and lighting controls, motion sensors, switches, HVAC systems and valve actuators and other IoT devices. While the protocols themselves are secure, investigation revealed the product manufacturers did not always utilize secure encryption keys when they were implemented in product designs, leaving devices vulnerable to attack. 3, 4 In one case involving the Z-Wave protocol, compact fluorescent light (CFL) bulbs without encryption were damaged by attackers who cycled them off and on using specific timings. The resulting thermal stress destroyed the bulbs within hours. Loss of facility lighting or another networked system can disrupt building operations and compromise security and safety. A similar attack on a connected thermostat under cold winter conditions could cause building water pipes to freeze and burst, resulting in significant damage, disruption and property loss. These examples demonstrate the importance of implementing a Security Development Life Cycle to support the design of secure IoT devices from the beginning of the product development process, similar to the Functional Safety Design Life Cycle. It also reinforces the importance of verifying the implementation of effective security through Cybersecurity Evaluation, conducted as part of Functional Safety Testing and Certification. By making security an integral part of the design process and conducting the appropriate testing to verify proper security measures have been implemented, manufacturers and their customers can be confident that devices support the ultimate goal of fully integrated security and safety across the entire intelligent building or industrial control network. Supply Chain Mandates Stakeholders in the intelligent business supply chain who are key to driving business forward including system OEMs, Tier 1 suppliers, system integrators, contractors and other downstream participants are increasingly demanding evidence of a Security Development Life Cycle and rigorous cybersecurity evaluation. All supply chain participants are expected to take measures 2 Aurora Generator Test, Wikipedia. Retrieved January 17, ShmooCon 2016: Z-Wave Protocol Hacked with SDR, Hackaday, January 16, Retrieved January 17, Researchers exploit ZigBee security flaws that compromise security of smart homes, Network World, August 11, Retrieved January 16, 2017

4 to ensure that devices systems support the security requirements of end users or their service partners. The impact of these mandates is widespread, spanning diverse industry supply chains including HVAC, fire control, access control, lighting, industrial controls, IT/AV, and more. However, requirements within these vertical supply chains are based on the overarching technology horizontal requirements defined within the IEC Series cybersecurity standards. Supply chain mandates may include requirements that products be suitable for use in of SIL-rated systems. SIL refers to the Standard Integrity Level that is assigned during functional safety evaluation to confirm the requirements of the IEC standard are met. IEC is the international standard for safety-related systems associated with electrical, electronic and software-based technologies. Similarly, supply chain requirements may include achieving a specific security level defined in the IEC Series cybersecurity standards. The close relationship between cybersecurity and functional safety evaluations is further described below. IEC Cybersecurity Standards IEC Series cybersecurity standards were developed as technology-horizontal control system standards with broad industry applicability. This series of standards covers component technical requirements, system technical requirements, product supplier development lifecycle practices, integrator practices, and onsite end user management and operation of a cybersecurity program. While not deliberately industry-specific, the IEC Series standards reflected the initial input of industrial Automation Control Systems (IACS) participants in the standards development process. However, the standards are also accepted as technically applicable to building control systems and could be used to assess cybersecurity in intelligent building systems. The IEC Series Includes: IEC Security for industrial automation and control systems Technical security requirements for IACS components IEC Security for industrial automation and control systems System security requirements and security levels IEC Security for industrial automation and control systems Product development requirements At the end of 2016, only the IEC standard pertaining to control system security requirements and security levels had been approved and published by IEC. Standards for technical security requirements for components (IEC ) and product development requirements (IEC ) are expected to be approved and published in Cybersecurity Evaluation CSA Group offers cybersecurity analysis and testing as part of the Functional Safety Testing and Certification of IoT and IIoT products and systems. The Cybersecurity Evaluation process provided by CSA Group includes the rigorous analysis and testing called for under the IEC Series standards and other cybersecurity frameworks required by supply chains and end use customers. An Extension of Functional Safety Evaluation: Cybersecurity analysis and testing should be performed by qualified third party testing organizations as part of the overall product functional safety evaluation, which helps assure that an automated, safety-related device or system operates correctly in response to its inputs, protecting operators and/or property and the environment from any hazard. For example, a sensor that measures the temperature of electric motor windings and de-energizes the motor before it overheats provides functional safety. In contrast, insulation material that helps protect the motor and its surroundings against the same overheating does not provide functional safety because it does not respond to inputs. 5 IEC is the international standard for safety related systems associated with electrical, electronic and softwarebased technologies. The principles of the standard can also be extended to assess mechanical elements if they are used in the safety function. The IEC standard defines requirements for determining level of risk using Risk/ Process Hazard Analysis (PHA) and identifying the relative level of risk reduction required: the Safety Integrity Level (SIL). It also describes the lifecycle process for ensuring that systems are designed, validated, verified, operated and maintained to perform a specific function or functions and assure that risk is kept at an acceptable level. Cybersecurity Evaluation parallels the Functional Safety Testing and Certification process, using specific security frameworks and the IEC Series and other applicable 5 The adequacy of insulation or other product design elements should be evaluated for conformance with the requirements of the applicable industry standards for safety or performance during the product testing and certification process.

5 ADDRESSING CYBERSECURITY RISK IN THE DESIGN OF CONNECTED DEVICES FOR INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS standards. The evaluation process first identifies and assesses applicable risks and the necessary SILs. The effectiveness of security measures is then evaluated, taking into account any related design considerations. The overall Cybersecurity Evaluation includes assessment of the security of the product development process as well as the implementation of security measures in the product itself. Analysis and Testing The Cybersecurity Evaluation process typically includes the following analyses and tests: Gap Analysis and Risk Assessment Analyses of the supplier s Information Security Management System (ISMS) and Security Development Lifecycle (SDLC) are performed to identify strengths, weaknesses, and recommend any procedural and policy changes that should be addressed in order to support a secure SDLC process and demonstrate supplier due diligence in mitigating security risk. This analysis and the resulting recommendations are designed to identify and address security threats early in the product life cycle, before devices enter production. Vulnerability Identification Testing (VIT) The objective of VIT is to ensure that connected devices are free from known vulnerabilities. Security weaknesses are defined and detected and the effectiveness of proposed countermeasures is forecast so actual effectiveness can be evaluated upon implementation. Vulnerabilities are analyzed to determine their impact on applicable functional safety requirements, which are established as part of the overall Functional Safety Testing and Certification process. Penetration Testing Penetration testing evaluates the security of a connected system by attempting to exploit potential vulnerabilities. This internal testing of the system, network or software helps identify security weaknesses so they can be fixed before being exposed to an actual attack. Effective penetration tests are designed to simulate an attack involving a specific objective. The test findings reveal how security was breached so appropriate preventive counter measures can be adopted. Communication Robustness Testing (CRT) CRT evaluates product resilience when subjected to network stress testing, identifying network-based security vulnerabilities. The test provides a measure of the extent to which networkbased protocols can defend themselves against incorrectly formed messages and inappropriate sequences of messages used to attack the system. CRT identifies the presence of common programming errors and known denial of service vulnerabilities specifically for networking protocols, which impact the robustness of embedded devices that use those protocols. Conclusion The widespread adoption of IoT technology in networked infrastructure has increased the potential for cyber-attacks that can compromise safety-related devices and control systems. Around the world, cybersecurity breaches are increasingly occurring and contrary to popular belief, they cannot be solely attributed to savvy hackers or aggressive cyber-attack strategies. Insufficient knowledge of reliable mitigation processes including the critical role of functional safety testing and evaluation of security features is equally responsible. Products and systems used in intelligent residential and commercial buildings, as well as automated industrial processes, that are designed and evaluated to ensure they meet strict requirements of both functional safety and cybersecurity standards can help to mitigate these risks. Ensuring your devices and components are suitable for SIL-rated systems are now commonplace for participants across diverse supply chains. By integrating the CSA Group Cybersecurity Evaluation with Functional Safety Evaluation into the certification process, device and system controller suppliers can potentially out-pace rapidly expanding cybersecurity threats and help provide assurance to key stakeholders that their products provide a higher level of resilience to cyber-attacks. About CSA Group CSA Group is a global testing and certification service provider offering widely recognized and accepted CSA certification marks that appear on billions of products around the world. CSA Group is accredited by international technical authorities, including the U.S. Occupational Safety and Health Administration (OSHA) as an NRTL, the Standards Council of Canada (SCC), the United Kingdom Accreditation Service (UKAS), and more. CSA Group is a world leader in providing Cybersecurity Evaluation along with Functional Safety Testing and Certification, including evaluation services for products for the intelligent building, industrial automation, HVAC, lighting, electrical, IT/AV, plumbing, safety and security, and other industries. The CSA Certified advantage helping manufacturers get the market access they need for over 95 years. Contact CSA Group to obtain more information about our global Cybersecurity Evaluation and Functional Safety Testing and Certifications services. Contact Us certinfo@csagroup.com