The industry 4.0 is flourishing, bringing its fair share of threats... But also misconceptions. How can we guarantee overall security in an area which increasingly combines industrial systems, the Internet of Things, the Cloud and Big Data? Spoiler: it’s not all about sensors.
You’ve probably heard the story of the web-connected coffee machine which resulted in ransomware being introduced in an industrial petrochemicals business. This story illustrates the challenge of protecting an increasingly connected industry 4.0 – namely that of securing an ever-increasing attack surface. It’s a bit like trying to track down draughts in a building in which ever more doors and windows are constantly being opened. The gradual introduction of smart sensors and/or Cloud links has created new connections with the outside world. These are all potential breaches in an industrial sector which is already significantly targeted by cyberattacks and which is certainly not safe from internal errors.
A multi-layered technological environment
In practice, industrial systems are comprised of physical items of equipment within the factory (motors, pumps, valves and sensors), managed by control systems, whether remotely or otherwise, (PLCs and SCADA applications) and IT systems (for data analysis). “What we today refer to as 4.0 is a concept based on the digitalisation of industry with the aim of achieving continuous improvement, stresses Thierry Hernandez, Stormshield Account Manager and industry specialist. This concept is based on several factors including changes in tools and resources (robotics, AGVs, augmented reality software, etc.) and technologies (telecommunications protocols, sensors and connected items to supply data). All of this is interconnected throughout the factory. The end purpose is to feed data to a cloud or edge computing system hosting solutions offering extensive calculation capacities based on state-of-the-art algorithms. Its main role is to offer operational excellence through energy efficiency, time reductions, reduced material consumption or predictive maintenance”.
Production is now optimised, flexible and more fluid as a result. Thanks to predictive maintenance, it can even anticipate breakdowns, therefore maintaining throughput.
“Put simply, production is organised into four layers, explains Thierry Hernandez. The first layer is comprised of the PLCs, which run all of the actuators and all of the valves. The second is the SCADA (the supervision and acquisition software based on the data supplied, to ensure that everything is going well and that the tanks are being filled properly for example). The third layer is management with the MES, which handles all of the production tracking and planning processes. Finally, the fourth layer is the ERP system, which among other things issues production orders”. These software packages make it possible to manage all of the company’s processes, making them an essential factor which should not be overlooked as part of the overall cyber-protection strategy.
If we add the cloud and 5G into this, it’s clear that a 4.0 factory is a multi-layered technological environment with a complex architecture, operating in accordance with its own rules and codes.
Designing industrial cybersecurity
Although it’s in the process of taking shape, cybersecurity for industrial systems must contend with a certain degree of inherited “baggage”. And this can be precisely the problem. “In France, an industrial system has a life expectancy of around 15 years on average. This is the average age of the production machinery. For trains and metro systems, these life expectancies stretch out to 30 or 40 years. And if we examine even more critical systems such as the nuclear sector, the power stations have a life expectancy of 60 years. Naturally, these systems, which are sometimes very old, are vulnerable”, adds Jean-Christophe Mathieu, Head of Cybersecurity Orange Cyberdefense.
“Historically, this infrastructure has often been introduced haphazardly. In other words it’s been designed and automated on an ongoing basis according to requirements, with people wiring things up however they wanted (or however they could!), explains Stéphane Prévost, Product Marketing Manager Stormshield. As a result, all of these automated systems have been installed on a “flat” network. To secure them today, it’s necessary to compartmentalise them”. The segmentation of the IT system has therefore emerged as one means of isolating the most sensitive assets from the others and protecting them. The result is that cyber threats are contained and performance is optimised for the different items of equipment. At a time when increasing numbers of sensors, machines and production flows are being interconnected in factories, segmentation offers an essential bulwark for industry 4.0.
An “OT first” approach
These “4.0” problems are no longer only managed by the factory’s operational staff. What’s now required is a skilful combination of disciplines to ensure successful IT/OT convergence. And these two worlds must come to understand one another. “We are still finding that in far too many companies the IT and OT teams are still not communicating effectively with one another. Significant cultural differences persist and petty squabbles still occur. However, it’s impossible to achieve an overall approach to security if people are not talking to one another and not working together”, Jean-Christophe Mathieu points out.
For the IT activities, this means adapting their cyber approach to encompass the challenges of OT. “The OT people have one key obsession, and that’s to keep everything running. It’s therefore important to find the right balance between the protection system and the need to ensure production and business continuity”, explains Thierry Hernandez. This means that a firewall is okay on condition that it doesn’t obstruct anything down in the factory.
Another words, IT protection should not be achieved to the detriment of production. “Security must be guaranteed in a manner which ensures the availability of the system and keeps it running”, stresses Stéphane Prevost. This key requirement has led to a new approach including the emergence of industrial cybersecurity, which is well on the way to becoming a discipline in its own right. With increasingly specialised cyber service providers, including Stormshield, who can propose transparent solutions for the existing system. “This transparency must be available during the integration phase but also later, should hardware faults occur, to avoid penalising production, adds Stéphane Prevost. Our industrial firewall solutions are all equipped with several guarantees to underpin operational security, with bypass or safe mode features, the notion of equipment clusters or redundant power supplies”.
Cloud and Edge computing, new factors to be considered
Data feedback is a key component of industry 4.0. “It’s important to ensure the perfect integrity of the information arriving from the PLCs and sensors, and for this data to be quickly forwarded to the ERP and the Cloud, explains Thierry Hernandez. Protecting the lower layer of the operational network is an initial key objective, which makes it possible to secure this information at source, before it is used further up the line”.
This is before we even begin to consider the applications and the information transiting via the IoT. “Edge computing, including everything related to the calculation of energy consumption, is fed back at a point located as close as possible to the operational network, which is directly connected to the Cloud infrastructure, adds Stéphane Prevost. This adds further interconnectivity, making the operational system more vulnerable to cyber threats”.
Industry 4.0 must therefore have a comprehensive overview of its security. With the identification and mapping of sensitive assets, segmentation (or even micro-segmentation for the IIoT) to isolate each part from the others and to avoid an attack spreading, in addition to securing PLCs and control stations, industrial cybersecurity now seems to be maturing. But in Jean-Christophe Mathieu’s view, this presupposes that everything works in a highly organisational manner. “We need to know who’s doing what, when and how, accompanied by extensive traceability. To prevent anyone accessing the system. Or, when someone accesses it, to be able to know exactly who this is and what they’re doing there”
And the security solutions deployed in the factories must be able to track this. “At Stormshield, we go as far as inspecting the messages issued by the command and control system to the machines, explains Stéphane Prévost. When an engineering workstation submits a change of settings to a PLC, it must be possible to check that it’s the right workstation with the right person logged in, and that the command being sent is authorised”. This message control function also makes it possible to check that the values being sent to the PLCs are fully compliant with the operational process. “We can tell whether a value exceeds a certain level, in a manner likely to compromise or break an item of equipment or even pose a threat to the whole production system”.
Industry: a prime target for hackers
As is often the case in the cybersecurity field, standards provide an important guide for the deployment of “safety nets”. In the case of industrial systems, the IEC 62443 standard is the reference in this field. Each sector then proceeds according to its own specific characteristics, particularly in industries classified as OSE (operator of essential services), which require very high security levels. The Clusif, a French association for IT systems users, has produced an overview of the standards in the field of cybersecurity for industrial systems. And at around fifty, there are many of them!
Despite these standards, industrial systems nevertheless remain vulnerable. Particularly because physical equipment (PLCs, controllers, regulators, etc.) whether connected or not, are used for vastly different purposes and occupy a central role in many systems. As an example, we find the same types of PLCs being used to handle the management of a building (heating, ventilation, air conditioning) or on a production line for making cars, for example. Once a vulnerability is discovered on one of these widely used items of equipment, all of these systems must then be considered at risk. “We find a great deal of analogy between the different industries, notes Thierry Hernandez. A cosmetics company can be compared to one in the pharmaceutical sector as the infrastructure and architecture used can be similar. But the level of security will be dependent on governance.” And therefore to a certain extent on awareness of cyber threats.
And these threats are very real. Over and above data theft and industrial espionage, the hackers’ targets now include PLCs and security controllers, threatening the production system with a major ransomware event. This also risks bringing about disasters such as operating incidents or the stoppage of production, all seen as harmful risks. “Whatever the consequences of a malicious act or internal error, the greatest threat comes from a stoppage of production. There’s a huge economic cost”, adds Thierry Hernandez. The shipping company AP Moller-Maersk put a value of 300 million dollars on the cyber-attacks it suffered in 2017.
Attacks can target supply chains, which are becoming increasingly complex, extensive and interconnected. For example, a sensor which has been “reconfigured” by a cyber-criminal may allow a valve to open more than it’s supposed to. In the case of a water tower, this could result in the whole area being flooded. Or cause a serious operating incident. In November 2020, Israeli researchers even suggested a scenario in which it would be possible to create a biological virus from a computer virus. Scary stuff.
As we have seen, IIoT solutions and industrial systems are insufficiently prepared for operation in a connected environment, more exposed to cyber-attacks. The information which these connected items collect and pass on should not directly interact with the core system. “However, if it does, it must be sufficiently filtered in a unidirectional manner to ensure that it only heads towards the exterior, towards these famous connected items, and not to the heart of the system, warns Jean-Christophe Mathieu. It’s important to ensure that the system core is insulated from the rest.” And to manage the architecture effectively from end to end.
