Chris Evans explains why cyber security should be regarded as a journey, not a destination
Cyber security has been a hot topic since the Stuxnet worm incident in 2010. Previously it was thought that securing the ‘top end’ of an organisation was an adequate solution, but this incident and others like it, completely changed the security landscape and highlighted vulnerabilities in the de-facto automation architecture that previously had not been considered.
It shifted the problem to the automation domain, which had often operated under the radar and outside the remit of IT. Engineers suddenly started to reconsider their cyber security arrangements. We saw the realisation that many people may want to bring a plant to its knees - for political or commercial reasons, because they hold what they see as a legitimate grievance, or simply to see what will happen.
Scenarios were imagined where drinking water became contaminated or supply interrupted, power plants shut down, or road, rail and air traffic management compromised. In the industrial world it was realised that control systems were potentially vulnerable, often due to out-of-date or poorly maintained operating systems and CD drives or USB ports that had not been locked down. It did not take a lot of imagination to work out that the more critical a control system, the more likely a target it would be to cyber-attack and the more damage that could be done.
Cyber security is an arms race of escalating capabilities, so ‘defenders’ of vulnerable assets must see it as a journey rather than a destination, constantly reassessing the situation and implementing new defences whenever necessary. This is against the background of developing technologies and requirements that mean control systems are always becoming bigger, more complex, more distributed and increasingly open.
Most larger control systems have many points with potential for unauthorised access. Therefore layers of protection must be built into the system at the network, hardware and software levels. For instance, future programmable logic controllers (PLCs) will include multiple embedded features such as hardware security keys and multi-layer password structures.
Each PLC will be capable of hardware security key authentication to prevent programs from being opened or edited on unapproved personal computers that have not been ‘bound’ to the security key. Furthermore, programs will be written so that they cannot be executed by PLCs that do not have a registered security key. Thus the integrity of embedded technologies and intellectual property will be protected from compromise. Additionally, an IP filter can be used to register the IP addresses of devices approved to access each PLC. Thus unauthorised access, whether for operational reasons, hacking or implantation of malware, will become much more difficult.
Although end users will want maximum security, they will also continue to insist on simplicity of operation. Some of these automation security measures, all of which are optional, could be argued to complicate operations and that is why a holistic view of security needs to be taken, considering all aspects of the operation. It may be that in some areas, certain measures can be relaxed for the sake of continued operations - and this is fine provided that the risk has been assessed and counter measures are implemented elsewhere to elevate the threat. As with everything related to cyber security, the consideration has to be probability and risk, and security and operational systems should be designed around these important criteria.
It is probably an unchangeable aspect of the human condition that some people will always seek unauthorised access to control systems. Therefore control engineers must build security measures into their products and systems - and recognise that these are surmountable hurdles rather than impregnable barriers, so must be constantly renewed and redeveloped.
Chris Evans is with Mitsubishi Electric Europe.