Cyber attacks no longer focus only on stealing credit card numbers from banks. Disruption of core business processes via industrial control systems at manufacturing sites is also on the hacker agenda. For example, numerous articles have been written surrounding the 2014 cyber attack on an un-named steel mill in Germany. The short version of the story1 is that the attackers were able to leverage a successful hack of the office network as a pivot point to gain access to the steel mill’s control system. Once in control, they were able to impact the blast furnace and cause serious damage to the mill’s production systems and equipment. While the extent of the damage and monetary losses were not disclosed, it’s safe to assume that a massive and costly recovery effort was required to return the steel mill to normal operations.
When it comes to protection from cyber attacks, most of us think of firewalls. However, firewalls are only one aspect of what now needs to be a comprehensive defense in depth and breadth cyber security strategy for the Operational Technology (OT) environment. Cyber security is now evolving from a set of simple tools used to fend off attacks from hackers to a more formal approach of managing business risk.
Cyber security is about cyber resilience
At the core of cyber security is the broader business philosophy of risk management. Much in the same way that Six Sigma Quality initiatives began to infiltrate core businesses processes 30 years ago, risk management is beginning to assume a similar “embedded” profile. The National Institute of Standards and Technology (NIST), in collaboration with the private sector has developed an excellent tool which provides standards, guidelines and practices to use in managing an OT system’s cyber security: The Framework for Improving Critical Infrastructure Cyber Security.
Under the risk management context, the term “cyber security” is becoming a misnomer. A more accurate way to describe the effort would be “cyber resilience”, since achieving absolute security is always more of a goal to be managed to than a reality that can be achieved. In the OT world, uptime, accurate processes and functioning equipment are top priorities; in other words, it’s about reliability. In the cyber world, it’s all about resilience. Being cyber resilient means more than just addressing protection and prevention. The concept encompasses monitoring and early detection coupled with the ability to recover quickly and seamlessly when attackers (or other disasters) strike.
Consider how cyber resilience impacts a manufacturer’s product development life cycle. Security testing now works hand-in-hand with traditional product functional testing. The product developers look for any vulnerabilities that might have been created during development, so that an early catch and fix can be applied before the product is released.
Here’s an example of how this process works at a company like Schneider Electric, a major global manufacturer of control systems and power infrastructure devices. Schneider incorporates a process called the Secure Development Lifecycle (SDL) into their product development process. From the very beginning, the product developers take the customer/end user view of the security requirements. Secure architecture reviews are performed, threat modeling of the conceptual design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to “harden” products, making them more resilient against cyber attacks.
Variations of SDL exist in the marketplace. The SDL approach has been applied successfully at Microsoft for quite some time. Implementation of SDL for their SQL Server product resulted in a 91% reduction in SQL Server vulnerabilities (this analysis covered the three-year time span between the release of SQL Server 2000, which was before SDL implementation, and the SQL Server 2005 release, during which time SDL was implemented2.)
In the case of Schneider Electric, the emphasis is on Operational Technology (OT) products as opposed to Information Technology (IT) products. Thus, the security priority list is slightly different from that of the IT world. In IT security, the emphasis is on confidentiality of information first, then integrity of information and, finally, availability of information. In the OT world, availability of the operational process and assets becomes the first priority followed by the integrity of the operational process and its assets. Taken together, these first 2 items address reliability. Confidentiality of the information used in and generated by the operational process and its assets, although critically important, is the third leg of the OT security triad.
Safe and reliable solutions are the goal in control system environments. Proper risk management, one aspect of which is cyber security, is a core discipline to help achieve that goal.
At Schneider Electric, security is not regarded as a checkbox, but as a way of doing business. Schneider Electric partners can help end users by performing critical infrastructure systems security assessments and by identifying communication paths and potential external access points that present cyber security vulnerabilities. For more information, please download our free white papers,”Enhancing Cyber Security in Industrial Control Systems and Critical Infrastructure with Dynamic Endpoint Modeling,” and “Defending Against Cyber Threats to Building Management Systems.”
1.Cyber Attacks on a German Steel Mill. (2016, May 31) Retrieved from https://www.sentryo.net/cyberattack-on-a-german-steel-mill/
2.Benefits of the SDL (n.d.) Retrieved from https://www.microsoft.com/en-us/SDL/about/benefits.aspx