Industry Insights
Network Vulnerabilities Keep Automation from Living Up to Full Potential
POSTED 10/30/2015
By: Winn Hardin, Contributing Editor
Industrial Network’s
The granddaddy of industrial viruses, Stuxnet targets industrial systems running specific Siemens control software on Windows-based networks. Gauss, discovered in 2012, steals passwords and cookies from browsers to enable remote network access. Flame, which like Gauss was built on the Stuxnet code, comes with all the bells and whistles, including using an infected computer to capture audio and video recordings, utilizing built-in Bluetooth modules to gather information from any nearby portable device, and much more. Duqu just sits quietly looking for industrial network access information to send back to a central server for later use.
“I think there is a world market for maybe five computers.”
-- Thomas Watson, chairman of IBM, 1943
“If we built our buildings the same way we build our software, the first woodpecker to come along would destroy civilization.”
-- Anonymous programmer joke
Stuxnet. Flame. Gauss. Duqu. You don’t have to be a computer science major to know those names. But if you are a CIO of an industrial company, there’s a good chance you’ve woken in the early morning hours in a cold sweat with one of those names on your lips.
And it’s not just that each of those viruses was designed specifically to infect operational technology (OT), in particular industrial control systems (ICS). Or that each virus has found its way into supposedly secure, closed networks. Or that an IHS survey found that 30% of engineers use mobile devices such as smartphones and tablets to access their industrial equipment, and that half of those mobile devices were owned by the engineers, meaning they can put any software on them they want.
When you put those facts together with a rising tide of activist and state-sponsored hackers, it’s time to turn on the light and wait for the shakes to go away.
Industrial cybersecurity threats have grown so numerous that the U.S. Senate voted to advance the Cybersecurity Information Sharing Act (CISA), designed in part to encourage companies to share information on computer hacks and cyber threats. This follows a Cybersecurity Framework (CSF) developed last year by the National Institute of Standards and Technology (NIST) to help companies assess their cybersecurity readiness and develop response plans.
As cybersecurity concerns spread beyond consumer identity theft to the level of industrial and national espionage, they are affecting the developers of industrial automation solutions, including machine vision suppliers and system integrators. In some cases, security concerns will limit the level of service integrators can provide for system support.
Security Concerns Trump Efficiencies
“The threat of an attack on industrial controls has a negative impact on both integrators and manufacturers,” says Brian Durand, owner of machine vision integrator i4 Solutions, LLC (St. Paul, Minnesota). “Mostly this is an opportunity cost — we are not able to fully realize gains in productivity that would otherwise be possible. Many of our customers will not permit remote access to any of their control systems. They don’t even want to discuss the efficiencies that could be gained from enabling remote access. Engineering and IT managers are keeping their heads down and do not want to be held accountable if there is ever a problem. And I can’t blame them.”
According to Durand, each customer typically has its own security policies. i4 Solutions strives to contribute to and comply with these policies. In some cases, those policies include customer-built industrial networks that give suppliers such as machine vision integrators remote access to related equipment. In other cases, customers have taken advantage of commercial off-the-shelf (COTS) solutions such as Cisco’s AnyConnect and Identity Services Engine (ISE).
“Using Cisco AnyConnect, we can sign in to our customer’s plant-floor network through a web browser using credentials they provide, which are typically only valid for a few days,” Durand says. “Through the browser we can access only our vision systems and view our application software running. Just seeing camera images lets us understand any issues they are having, or may soon be having. We can take control of the remote mouse and keyboard, enabling us to help new users. We may or may not be given rights to access the file directory to upgrade applications and adjust computer settings. Our customer maintains complete control over what we can and cannot do. It works surprisingly well. From our office in Minnesota, we have been successful viewing live camera images from a site in Switzerland. That said, comprehensive solutions like AnyConnect require considerable expertise to deploy correctly. So that is something we leave up to experts.”
Meanwhile, Cisco’s ISE hinges security on specific devices and cross-references with the device’s location. The platform builds a profile of the device user and their location. “If I know that person is in front of the machine, I will give them full control capabilities, if they have that right,” says Doug Bellin, global senior manager of manufacturing and energy at Cisco. “But if that person is at a remote location, they only can view the machinery. That’s a huge safety capability.”
Hard Shell, Soft Core
No matter how secure the gateway or the field device, any security system is only as good as the weakest link, according to Ragnar Schierholz, head of the Cyber Security Process Automation Division at ABB Inc.
“In general, a combination of hardware and software is a preferred solution to build security features into controls,” says Schierholz. “Some features can only be implemented reasonably in software. Think of security event management or access control and permission management. These are predestined for a software implementation. However, others such as cryptographic algorithms or key storage lend themselves for hardware implementation or at least hardware-supported implementation.”
However, one of the strengths of embedded industrial systems is also their weakness when it comes to security. According to Schierholz, while the lifecycle of office equipment may last four years and enterprise servers six years, industrial field equipment often remains in operation for 15, 20, or even more years. “Obviously, the cybersecurity landscape will evolve in that time frame, and a sustainable solution has to be evolvable as well. A future-proof design thus has to include an option for upgrade in the field. It is obvious that a software upgrade in the field is still a big effort, but if well designed it can be significantly less effort than a hardware upgrade,” says Schierholz.
For companies looking at how best to secure their front- and back-office networks in a sustainable way, one of the best places to start is NIST’s Cybersecurity Framework. The CSF begins with a framework core that includes the latest industry standards, guidelines, and practices. It then guides the user through the definition of five key cybersecurity functions within their enterprise: identify, protect, detect, respond, and recover. Additionally, the framework helps the user evaluate their current state and future goal states and suggests ways to achieve future security goals.
While machine vision suppliers and integrators do not need to secure an entire plant, they will need to stay abreast of security features that are going to be increasingly designed into automation control systems and components if they are going to protect their clients’ interests while maintaining the highest level of system design and support.