Back to the Future Cyber Security

Transcription

1 Back to the Future Cyber Security A manifesto for Cyber Security and the Industrial Legacy

2 Introduction Industrial facilities and infrastructure form the core of our economy and society. These advanced facilities require significant investments which need many years to generate return on investment and are build to last for decades. Automation of these facilities and their equipment are part of the modernization since Industry 3.0 and continue to advance with Industry 4.0. Behind this automation are Industrial Control Assets, mostly deeply integrated into the equipment they control. Industrial Control Assets include Programmable Logic Controllers (PLC), micro controllers, industrial modular computer systems (IPC), robot control units, SCADA systems, and various other devices which combine software and hardware to control and automate processes. Cyber Threats are increasingly causing significant damages to companies and organization around the globe. With the increasing connectivity in industrial facilities and infrastructure, the Industrial Control Assets become more exposed to Cyber Threats than ever before, and Cyber Threats continue to become more advanced at a continuously increasing pace. The main focus on Cyber Security is on IT Infrastructure. It is however crucial that Cyber Security for the Industrial Control Assets becomes a top priority for companies and organizations to avoid damages to industrial facilities and infrastructure. This is a 10 points strategy to implement Cyber Security and Cyber Resilience for Industrial Control Assets in industrial facilities and infrastructure.

3 Own and manage Cyber Security for Industrial Control Assets (ICA) at the highest level of the organization. Embrace the principals of the Charter of Trust and implement a matching policy. Create and maintain an ICA inventory, including all devices which connect to a network, are connected to a device which connects to a network, or could be connected to a network. Implement and test a full ICA backup, recovery and Disaster Response Plan. Create appropriate depreciation plans and maintenance budgets for all ICA based on the life cycles of these systems.

4 Allocate sufficient budgets (CAPEX and OPEX) to implement ICA Cyber Security measures as top priority. Schedule (semi-) annual penetration testing of all ICA and ensure implementation of its findings. Implement a semi-annual ICA Cyber Security education plan. Develop Cyber Security standards and procurement requirements for all ICA purchases, projects and maintenance. Ensure Continuous Improvement by focusing on the weakest link in ICA Cyber Security and resolving the issues.

5 Own and manage Cyber Security for Industrial Control Assets (ICA) at the highest level of the organization. Industrial Control Assets are deeply integrated into the equipment and infrastructure controlled by these devices, and in most cases are understandably seen as part of the equipment and infrastructure. With the growing connectivity and digitization of our society, infrastructure and industrial facilities, most of these Industrial Control Assets have gradually been integrated into networked infrastructures to collect data, monitor processes or automate controls. The wind sensors at the airport which are connected to the network and provide important but harmless information, can easily become an critical pawn to attack the airport infrastructure when under the control of hackers. The PLC that controls a melting furnace and can be administered through the network connection can cause serious risks for the operators and damage to the furnace when the wrong instructions are pushed from the network. To recognize the true risk of cyber exposure of the Industrial Control Assets, it is important to change the mindset that Industrial Control Assets are part of the equipment they control. Cyber Security and Cyber Resilience for Industrial Control Assets need to be anchored with the Boards and Executive Leadership of all companies and organizations that own or manage equipment and infrastructure to ensure continuous priority on implementation of adequate protection.

6 Embrace the principals of the Charter of Trust and implement a matching policy. The Charter of Trust, an initiative of Siemens AG, was introduced during the 2018 Munich Security Conference and offers baseline standards for Cyber Security. The Charter of Trust recognizes that the digitalization of our society, factories and infrastructure must evolve hand in hand with Cyber Security. The Charter of Trust offer 10 pragmatic strategic principals and commitments to achieve Cyber Security in the digital and highly connected world. Each company and organization will benefit from embracing these principles and implementing a matching Cyber Security policy. For example, the Charter of Trust requires that companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism. A matching policy would require the selection of suppliers which fulfill this requirement. As the network of partners committing to the Charter of Trust continues to grow, companies and organizations can improve their Cyber Resilience by selecting vendors and service providers which either signed the Charter of Trust as partner, or commit to the principles of the Charter of Trust. Resource: rporate/ cybersecurity/charter-of-trust-e.pdf

7 Create and maintain an ICA inventory, including all devices which connect to a network, are connected to a device which connects to a network, or could be connected to a network. Cyber Security and Cyber Resilience start with a full understanding of the assets which could pose a risk through cyber exposure, followed by regular assessment of their Cyber Exposure and level of Cyber Resilience. In most cases, the Industrial Control Assets are not fully included into the Network Device Inventory and Cyber Security evaluation beyond an initial registration of the assigned IP addresses of the first nodes connected to the network infrastructure. Various Industrial Control Assets provide connectivity options and protocols which go far beyond the IT view of networked connectivity and Cyber Exposure. It is crucial to create and maintain complete Industrial Control Assets inventory by the subject matter experts from the perspective of the available connectivity. This inventory should include all active and inactive connection options, including those physical connections which are used to update programs and settings of the devices. Special attention needs to be paid to those devices which have physical connections without the option to monitor modifications of programs and settings. Regular evaluation of the potential Cyber Exposure and Cyber Threats based on the Industrial Control Asset inventory should lead to setting of priorities to increase Cyber Resilience and Cyber Security.

8 Implement and test a full ICA backup, recovery and Disaster Response Plan. Industrial Control Assets typically consist of hardware, operating system or firmware, software or programs, and settings or recipes. Each of these components contribute to the capabilities to control or monitor the equipment. On the other hand, without either of these components, the Industrial Control Assets cease to be able to perform their functions. Hardware components can be kept in stock or purchased on demand, provided that they are available when required. Even when kept in stock, it is important to monitor future availability to avoid issues once the stocked components are depleted. Unique or shared sets of operating systems, firmwares, software, programs, settings and recipes can by kept on backup infrastructure in the same way this is commonly done with IT Infrastructure. Special attention needs to be paid to programs and settings which are installed through physical connections which have no exposure to the IT Infrastructure. It is crucial to have a detailed Disaster Response Plan available which documents the procedures to restore Industrial Control Assets after breakdown or malicious activities to ensure a rapid return to normal operations. This Disaster Recovery Plan must include not only the technical details, like storage location of the recovery files, but also Safety Instructions for the personnel responsible for the recovery operations.

9 Create appropriate depreciation plans and maintenance budgets for all ICA based on the life cycles of these systems. Most Industrial Control Assets are managed as component of the equipment or infrastructure they are integrated with. This leads commonly to depreciation planning and maintenance budgeting of the Industrial Control Assets based on the expected life cycle of the equipment and infrastructure. The equipment and infrastructure can have life cycles which expand into decades. The life cycles of the Industrial Control Assets on the other hand are significantly shorter, especially from a Cyber Security perspective. Although most Industrial Control Assets are just as reliable as the equipment and infrastructure they control, they still need regular updates, upgrades and patches to keep up with the high pace and advancement of Cyber Threat developments. Vendors and suppliers of Industrial Control Assets set end of support timelines for their products and it is crucial to plan the depreciation and replacement of Industrial Control Assets against these timelines as ultimate maximum lifecycle, even if the devices themselves would still function flawlessly. As soon as updates, upgrades and patches are no longer available there is no opportunity to respond adequately to Cyber Threats and the risk of malicious attacks increases significantly.

10 Allocate sufficient budgets (CAPEX and OPEX) to implement ICA Cyber Security measures as top priority. Industrial Control Assets require appropriate maintenance and Cyber Security activities, which should include at least updating, training, penetration testing and evaluation, and timely replacement of devices which have reached end of life or end of support. In addition these activities could include specialized Cyber Security consultancy services. To avoid restrains in fulfilling these requirements to implement and maintain Cyber Security and Cyber Resilience for the Industrial Control Assets, it is important that these activities are budgeted separately in capital expenditure and operating expenses, or at least separated from the equipment and infrastructure maintenance budgets. When Cyber Security budgets are available for the IT infrastructure, the budgets for Industrial Asset Controls Cyber Security can be brought under the same responsibility to ensure a company or organization wide implementation of appropriate Cyber Security and Cyber Resilience. Special attention needs to be paid when budgeting initial corrective actions in those cases where Industrial Control Assets have exceeded the regular lifecycle. Additional costs can occur when for example existing programs are not compatible with newer versions of equipment, or when additional components need to be replaced for the same reason.

11 Schedule (semi-) annual penetration testing of all ICA and ensure implementation of its findings. With established awareness of Cyber Threats for Industrial Control Assets and the implementation of Cyber Security and Cyber Resilience to protect equipment and infrastructure, the risk of a false sense of safety can easily be established. New and more advanced Cyber Threats arise with increasing pace, and a sense of being fully protected will lead to lack of attention and priority on continuously increasing Cyber Resilience and Cyber Security. As demonstrated in IT, regular professional penetration testing and evaluation of response and recovery plans, are important measures to determine the effectiveness of the current Cyber Security measures and required corrective actions to further increase Cyber Resilience. The most effective method of objectively establishing the real effectiveness of defenses, response and recovery plans is the RED TEAM method. In those cases where regular professional Information Technology infrastructure penetration testing and evaluations are already established, it is recommended to add Industrial Control Asset experts to the team and scope to ensure that adequate expertise about the specific connectivity and protocols is available. Vulnerability findings of such penetration testing and evaluations should be scheduled to be resolved with the highest possible priority. Resource:

12 Implement a semi-annual ICA Cyber Security education plan. The majority of cyber crime is enabled by users of systems and applications. Unawareness and lack of understanding of one s own responsibility are the main contributors to malicious access by criminal hackers. A false understanding that the IT Department is solely responsible for Cyber Security combined with lack of understanding of the risks are the common denominator among user of digitized services and systems, including Industrial Control Assets. Without recurring Cyber Security Education, the users will continue to be the weakest link in all Cyber Security and Cyber Resilience efforts. This applies in the same extend to Industrial Control Assets as it does to Information Technology Infrastructure, especially in the process of digitalization where these segments increasingly become interconnected. Educated personnel will not only understand the do s and don ts, they will also be able to identify unwanted and potentially harmful activities by others. Especially the ability to identify unwanted activities has proven positive impact on Cyber Resilience. Since Cyber Threats continue to develop and become more advanced at a staggering high pace, it is important to regularly repeat Cyber Security Education. This Education should reflect on new developments as well as on implemented methods and standards since the last training sessions.

13 Develop Cyber Security standards and procurement requirements for all ICA purchases, projects and maintenance. The entire Supply Chain of Industrial Control Assets needs to accept the responsibility of ensuring that the minimum requirements of Cyber Security are fulfilled with each purchase, approved project and maintenance activities. This must include green field activities, repairs of existing Industrial Control Assets and retrofitting Cyber Security to the installed base. Purchase Departments validate offers and order based on the available standards and requirements in collaboration with the responsible departments. In the same manner as for example environmental requirements are documented and validated, it is essential that Cyber Security requirements and standards for Industrial Control Assets are documented and validated from offer to order. In the field of Cyber Security, there is no moment in time where standards and requirements will not require to be reviewed and updated according to the last developments of Cyber Threats. It is recommended that requirements and standards for Industrial Control Assets are reviewed at least once per year. In this context it is recommended to adopt the principals of the Charter of Trust into the requirements and standards for procurement of Industrial Control assets and all related services.

14 Ensure Continuous Improvement by focusing on the weakest link in ICA Cyber Security and resolving the issues. The majority of the Cyber Threats are executed around the basics of the digital infrastructure and focus on the weakest link to gain access before aiming at the high prize targets. By infecting the weakest link with malicious software or unauthorized access, the criminal hackers penetrate the lines of defense and work their way up to the real target. The Industrial Control Assets have multiple weaknesses in most manufacturing and infrastructure settings. First weakness most Industrial Control Assets have in common is single line of defense of the network connection which is solely controlled by a firewall for external access to the production network, and therefore becomes a single point of failure once an Industrial Control Asset gets infected or exposed. Another highly common weakness is the lack of active monitoring of modifications and access to Industrial Control Assets, especially the physical connections which allow modifications of settings and programs without network connection. Even though the less critical weakest links might appear to be of lowest priority, they are most likely the most vulnerable to malicious activities. Cyber Resilience can only be achieved by continuously improving the weakest links in the chain of Cyber Security.

15 Contributions and resources: Ludmila Morozova-Buss is an advocate of Systems Thinking and recognized as top influencer for Cyber Security. Ludmila presented the Charter of Trust and its impact on the industry during the 5th Edition of Free and Safe in Cyberspace. Ludmila has a strong background in finance, communication and educational marketing, and advices global enterprises in these fields. The Charter of Trust, an initiative of Siemens AG, was launched during the 2018 Munich Security Conference and offers baseline standards for Cyber Security. Siemens AG and the eight founding partners have been joined by several global vendors and the network continues to grow. orporate/ cybersecurity/charter-of-trust-e.pdf Micah Zenko, author or RED TEAM How to succeed by thinking like the enemy. Micah is a writer, researcher, red team consultant, and Whitehead Senior Fellow at Chatham House. In his book RED TEAM, Micah shows the importance of this very special kind of critical thinking, and the challenges companies and organizations have faced during implementation and execution of Red Team testing.

16 Back to the Future Cyber Security A manifesto for Cyber Security and the Industrial Legacy By info@johannesdrooghaag.com About the author:, promoted in Applied Information Technology, Operations Management and Manufacturing, has a strong background in Industrial Automation, Process Improvement and Cyber Security. Besides various publications on these topics and contributions to the state funded technical research project Revista, Dr. ir Johannes Drooghaag has a long track record of successful implementations, coaching and consulting in Manufacturing, Industrial Automation, Operations Management and Cyber Security.