Closing the Gap between Cyber Security and Operational Safety

  • April 15, 2016
  • Feature

By Barak Perelman, CEO, Indegy

Both external attackers and internal threats put the safety of industrial control systems (ICS) and critical automation controllers at risk. Unauthorized access and compromise of these systems can lead to operational disruptions and physical damage. Let’s examine the biggest challenge that companies face in trying to secure their ICSs and maintain their safe operation.

The primary reason for the gap between cyber security and operational safety can be traced to the fact that most industrial networks were implemented long before external threats existed. As a result, security wasn’t a consideration in their design.  An ‘Air Gap’ was maintained to separate the industrial network from the corporate IT network. In many cases, this ‘Air Gap’ is no longer a feasible option. So while industrial networks are now generally “reachable” by external attacks, they remain without the necessary defenses needed to protect them.

External threats are not the only risk ICS networks face. Malicious actions by disgruntled employees, and even human error, can cause just as much damage. Since third party consultants, integrators and vendors often perform sensitive  maintenance work on critical control devices, they can also pose security risks.

Lack of visibility into Control Layer

In light of these threats, the chief security challenge in operational environments is lack of visibility into control-layer activities. More specifically, into engineering activities that may alter the process logic maintained by industrial controllers. The main reason for this blind spot is that operational technologies (OT) use several different protocols to communicate between components in process automation systems.

HMI/SCADA applications use standard OT protocols like Modbus and DNP3, while a different set of vendor specific protocols are used by engineering workstations to make controller configuration changes, code updates and firmware downloads. To make matters worse, each OT vendor has developed their own proprietary implementation of  IEC-61131 compatible engineering protocols (sometimes more than one) for which little, or no documentation often exists.

This makes it very difficult to monitor these protocols. As a result, most ICS security tools can only monitor HMI/SCADA network traffic, but are unable to “see” administrative changes made to control devices.

In addition, organizations need to consider the fact that many maintenance processes on programmable logic controllers (PLC) are still performed directly on the physical devices. Therefore, these cannot be detected using network activity monitoring. Maintaining the integrity of controllers requires the ability detect changes, both authorized and unauthorized, regardless of the access method used to make them.

Now What?

There’s a growing consensus among security professionals that many ICS networks may have already been infiltrated and that we need to protect them from within. Any initiative to protect critical infrastructures from external threats, internal threats and human error must start with a comprehensive understanding of the existing network and its operational assets.

The first step is to perform an automated discovery of all controllers on the ICS network to establish a comprehensive asset inventory database that documents the configurations for each controller including their firmware. This will enable faster recovery in the event of a security incident and operational disruptions.

Once the scope of the ICS network is fully documented it is important to monitor all access and changes to controllers in order to ensure their integrity. Finally, rule-based policies can be enforced to prevent unauthorized changes and protect against internal and external attacks. 

Fortunately, new technologies that can monitor proprietary communication protocols and capture on-device changes, both authorized and unauthorized, are coming to market.

About the Author: Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.

Learn More

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..