- February 17, 2014
By Bill Lydon, Editor
Cyber-attacks on automation systems are increasing while the industry is broadening the attack surface with more IP-based Ethernet networks. The military world understands that it is always open to attack. So when the bad guys are not attacking, the military’s focus is to place assets under cover as much as possible in an effort to reduce the attack surface. In the IT industry, the attack surface of a system is considered the sum of the different points, also known as attack vectors, where an unauthorized user (the attacker) can try to enter data, extract data, or take control. The same is true of an automation system. By adding more IP-based devices, we appear to be making the attack surface larger for predators.
The industry seems to acknowledge that the risks of cyber-attacks on production environments have increased dramatically, including unintentional breaches, industrial espionage, or state-sponsored attacks. These attacks can result in unscheduled downtime, interruptions in equipment availability, and production disruptions.
The IT industry is acknowledged to be more advanced than industrial automation systems in cyber protections. This is in part because the operating systems and platforms deployed are more uniform and based on COTS (commercial off-the-shelf) technology, including Microsoft, Linux, and SQL, so that cyber protection investments can be shared over a broader base. Industrial controllers that are based on a wide range of operating systems and software each require unique protection mechanisms. When IP-based Ethernet protocols are implemented by suppliers in controllers and sensors, they reside on non-standard operating systems that require unique cyber protection methods.
Every additional standard Ethernet connection point in an automation system increases the cyber-attack surface of the system for attackers to exploit. The basic strategy of attack surface reduction is to reduce the number of entry points available to untrusted users.
The idea behind the defense-in-depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. Defense-in-depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system where multiple layers of defense prevent espionage and direct attacks against critical systems. In terms of computer network defense, defense-in-depth measures should not only prevent security breaches, but also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.
By relying on non-Ethernet industrial automation networks for real-time control and automation, we provide a layer that is more obscure to the bad guys and where there are fewer software tools available for hacking. If the only access to communicate with the automation and SCADA controller is through a PC, then we have more protection methods and software available to protect the system.
The need to integrate information from controllers with business systems (to improve efficiency and productivity) and the implementation of cyber security defenses (to protect operations) are working against each other. The vision of direct standard Ethernet communications between business systems and automation devices - including controllers, sensors, drives, and actuators - needs to be accomplished in a way that systems are protected from cyber-attacks. Designed-in cyber security protection for IP-based Ethernet for industrial automation controllers, SCADA, drives, sensors, and other devices is going to take some time. It seems to me that by adding standard IP-based Ethernet to our systems, we appear to be making the attack surface larger for predators.