Designing Security Features into Industrial Assets
Winn Hardin | September 01, 2015The emerging Internet of Things (IoT) promises to give organizations unprecedented insights into optimizing their operations, thanks to the ability to collect, analyze and act upon data. However, as more industrial assets with embedded sensors exchange data, the risk of a cybersecurity breach also rises. Sectors such as manufacturing, process industries, utilities and infrastructure need a multilayered strategy to protect the information generated by increasingly interconnected industrial systems.
A critical part of this multilayered strategy involves designing security features directly into devices such as industrial controls. Doing so gets device makers thinking about cybersecurity from the very start of product development while giving end-users confidence that their assets are as protected as possible. This approach comes with a series of challenges, all rooted in the pressure to stay ahead of potential threats to machines, components and systems.
From the outset, the process of integrating security into products “requires a deep understanding of the assets’ use cases and deployment scenarios, and the resulting operational requirements such as availability, interoperability and performance,” says Ragnar Schierholz, head of CyberSecurity for the Process Automation Division at ABB.
Effective product design needs to incorporate security into both software and hardware. Although software security in industry has matured, “hacking techniques simultaneously have grown to such a level where [implementing] protection into software alone is not good enough,” says Vihang Sapale of electronic product design house Embionics Technologies.
That places a priority on hardware protections, which can be a difficult task. Less research has been performed on integrating security into hardware development compared to software, says Matt Neely, director of strategic initiatives at SecureState, a consulting firm focusing on information security.
Another concern may come from the engineers responsible for designing the physical asset. That is because their focus is on “making the device functional rather than figuring out the ways someone could tamper with it or attack it,” Neely says.
Security as a Process
To resolve this problem, industrial component manufacturers need to build security into their entire development process, not just design. The first phase of product development, specification, typically includes threat modeling. Addressing both the software and hardware aspects, threat modeling assesses factors such as who is likely to target the device, what information they are seeking and what their capabilities are.
This process helps the product development team to determine the appropriate levels of protections. Neely cautions about trade-offs that occur when adding more security features. These could include impacting the device’s usability and convenience, not to mention the additional costs of implementing unnecessary protections.
For their part, end users have to determine if the liability justifies the expenditure on security. For example, an IoT-based application that monitors temperature/humidity of a simple process will be less likely to be attacked than a production-critical application, Sapale says.
Essential to the specification stage is ensuring that engineers have enough time to perform a threat assessment and account for these risks in their design. Neely has seen that when a product starts to fall behind its deadline for manufacturing delivery, security often is one of the first features to go.
Once engineers have designed the device, a third-party consultant or an in-house group should confirm that security requirements outlined during the specification phase are built into the device, and if not, engineers have designed in the proper controls. These include support for individual login ID and complex passwords, robust event logging and administrative network access over encrypted connections.
If this security design and architecture review finds a mistake on the hardware side, consequences could include anything from redoing the fabrication process to retooling the manufacturing line, says Neely.
Meanwhile, if someone spots a software design flaw, a patch would likely fix it. Patches are not always simple to create, but implementing them at the outset saves the time, cost and other headaches associated with rolling them out once the product has hit the market.
However, software patches may be inevitable given an inherent challenge to industrial cybersecurity; the need to account for “the long lifecycle of assets like industrial control systems in combination with the fast evolution of cybersecurity technology and threats,” ABB’s Schierholz says.
A future-proof design thus has to include an option for software upgrades once an asset is in the field. Schierholz acknowledges that performing these upgrades takes some work, “but if well designed, it can be significantly less effort than a hardware upgrade.”
A “well-designed” device also needs to undergo functional testing to verify that it meets specifications, along with the final security review and a penetration test to identify new weaknesses. Neely also advises design engineers to ensure that any small changes made in the manufacturing stage do not impact the device’s security.
Equally important, device makers must consider the ease and quickness with which the asset and subsequent updates are deployed. However, no matter how much planning and testing go into an industrial device, “the one guarantee is there are always flaws to be found,” Neely says.
Defense Goes Deep and Wide
Although a critical step, designing security features into products is but one layer in an industrial cybersecurity strategy. Defense-in-depth architecture takes a holistic approach by addressing not only the device, but also the application, computer, network and physical security, says Tony Baker, security leader of hardware at Rockwell Automation.
Defense in depth provides a foundation upon which users can determine whether to secure their legacy systems or modernize their plant with new hardware that has more security capabilities built inside, Baker says. A risk assessment, typically performed by an asset’s manufacturer or vendor, evaluates each layer of security and outlines the biggest security threats to the customer.
In assessing each layer as part of the defense in depth, customers “derive a high level of confidence that a machine can be protected as long as they don't rely only on technology,” Baker says.
It is up to the customers to prioritize the risks depending upon what they believe will have the most significant impact on their operations, safety and production, and then update those assets accordingly should users choose to maintain their existing systems.
Baker also points out that a plant or factory’s risk profile will change over time, meaning that customers “will have to reprioritize projects so they can continuously mitigate or address risks as they become more apparent.”
Government Guidance
On a national scale, the U.S. federal government has recognized the need to assess and manage security risks in critical infrastructure, which includes utilities, transportation, healthcare, food and agriculture and key manufacturers. In 2014, the National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in response to President Obama’s 2013 executive order titled “Improving Critical Infrastructure Cybersecurity.”
The CSF is a set of industry standards and best practices to help organizations better understand, manage and reduce their cybersecurity risks. The voluntary guidance also assists in determining the most important actions to assure critical operations and service delivery.
Among the target of many threats is network-connected operational technology (OT) such as industrial control systems. In the past, organizations deployed OT networking without full security features or configurations. This practice relied heavily on compensating controls—protections that live outside of the OT asset itself, according to Matt Barrett, program manager for the CSF. The result, “America’s OT is not as well-protected as it should be,” he says.
In 2014, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) assessed sectors such as energy, water and government and commercial facilities to identify common vulnerabilities. The top three were boundary protection, information flow enforcement and remote access.
As end-users develop a strategy to address vulnerabilities and mitigate risk in industrial controls and other key areas, the CSF serves as a tool to facilitate communications across an enterprise and “help determine gaps between the organization’s initial assessment and their desired security state to better protect operations,” Barrett says.
Despite the challenges of specifications, hardware updates and long asset lifecycles, integrating security into device design will remain a critical piece in the industrial cybersecurity puzzle. “In the next era of OT, we will achieve a greater protection of our infrastructures and enterprises by designing security features into physical assets like OT,” Barrett says.