Cyber Security in the Era of Industry 4.0 and Smart Manufacturing

The revolutionary Industry 4.0 initiative plays a significant role in shaping the smart manufacturing paradigm. This emerging paradigm supports and orchestrates smart factories by utilising technologies such as the Industrial Internet of Things (IIoT), which enables the interconnection of the cyber (also known as digital) and physical worlds. IIoT creates a smart network that autonomously connects shop floor Industrial Control Systems (ICS) to achieve real-time communication, so that the physical and digital worlds remain continuously aligned. However, increasing the connectivity makes these ICS more exposed to cyber-attacks, the consequences of which can compromise the safety, productivity, profit and reputation of the targeted firms. Therefore, there is an urgent need to address the security of smart manufacturing systems.

New Manufacturing Architecture and New Threat Landscape

Manufacturing systems that adopt the Industry 4.0 vision and other similar initiatives follow a new manufacturing architecture, which differs from the well-known Purdue Model. Unlike the Purdue Model, this new architecture aims to decentralise the ICS in order to create smart and connected machines. Therefore, the integration between IT and OT via IIoT technologies is achieved throughout the production line.

Adoption of smart manufacturing technologies will enormously increase the attack surface and create a new threat landscape for the ICS environment. Hence, implementing a cyber security strategy at the early design stage can attain greater benefits and eliminate greater risks. Any strategy is required to consider people, processes and technology throughout the ICS lifecycle.

To design a secure ICS within smart factories, threat sources and threat actors need to be addressed and understood accordingly. Cyber-attacks can be launched from different sources through the network layers (IT and OT). However, there are common attacks that should be considered for smart manufacturing systems:

  • Denial of Service (DoS) attacks, which aim to deny the availability of the OT assets.
  • Man-in-the-middle attacks, where the adversary sits between the communicating industrial systems and aims to send false information to the operators or to the communicating ICS.
  • Eavesdropping attacks, which aim to gain information by passively monitoring the traffic of unsecured industrial protocols.
  • Replay attacks, where an adversary replays false information captured from legitimate traffic to the operator.
  • Spoofing attacks, which gain access to credentials.
  • Zero-day attacks, which exploit unknown vulnerabilities.
  • Ransomware attacks, which aim to prevent the accessibility of OT assets.
  • Physical attacks, where the adversary gains physical access and is able to manipulate the OT assets directly.

The Approach

In order to address all of these challenges and the risks associated with Industry 4.0/IIoT technologies, a new strategy and approach for cyber security needs to be considered. This approach has to address the entire lifecycle of the production system and all involved stakeholders. The cyber security approach for smart manufacturing can be developed in three main phases: Assessment, Implementation and Management.

  • Assessment: identify all assets, networks, processes and people, map them to business processes, conduct a comprehensive risk assessment of plant threats and vulnerabilities, and then develop the countermeasures for all identified risks.
  • Implementation: implement these countermeasures based on the business goals and risk priorities.
  • Management: monitor and update all security measures, and detect and respond to any new threat or vulnerability.

However, applying this approach to a smart factory is not a simple task. Therefore, Regency IT Consulting has developed a consultancy tool called icsModel to help carry out this task in a systematic manner. Our icsModel consultancy tool simulates the target factory in a graphical representation (BPMN diagram) by modelling the factory’s technologies, processes, and people. The model then simulates all risks that are associated with plant components such as assets, networks, policies, etc. Lastly, icsModel automatically runs and investigates different scenarios in order to identify the critical assets (or critical paths), prioritise the implementation of the countermeasures and manage these risks. Using the icsModel tool, customers benefit from:

  • Asset Inventory and analysis
  • Vulnerability management
  • Countermeasures implementation roadmap
  • Risk management

To conclude, manufacturing systems in the era of Industry 4.0 are exposed to new risks. Factories are assumed to be temporarily safe only because adversaries currently lack experience in this domain. However, this state will not remain for long, and manufacturing firms have to consider a long-term deployment of a cyber security programme to protect their manufacturing systems from any potential cyber-attack.

If you have any questions on smart manufacturing cyber security governance or would like to explore how Regency / Airbus CyberSecurity can help your organisation, please contact us on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk

Incident Response Planning

“Plan to Fail, don’t Fail to Plan”

It might be a difficult message for some in our industry to hear, but the reality is that at some point there will likely be a security incident in your OT system. Whether it is a forgotten remote connection for maintenance that was never properly secured, or an inadvertent (or malicious) operator action that causes an event, whether it brings your process down or is managed and contained in an orderly way will come down to your Incident Response Plan (IRP).

Whilst most businesses will have a response and recovery plan for their IT infrastructure, it does not necessarily follow that this plan can also be utilised in an OT context. There are key differences in the requirements and operation of Industrial Control Systems that mean having a dedicated OT IRP will pay dividends when things go wrong.

For example, the loss of a part of your Industrial Control System (ICS) could mean the plant or process will stop, so you will need to ensure that control systems engineers and technicians are on the key contacts list, rather than just IT-focussed staff. Also, recovery from an incident can be more difficult because ICS are often within validated systems, so there needs to be a process to manage and revalidate the workstations and database servers that have been reimaged from backups before operations can restart. Not to mention that Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) can’t be reimaged in the same way that PCs can.

Another point to note is that if you have an incident, but the systems are still operational, then one can’t simply remove and replace the affected items. Availability is crucial in ICS, so managing the running process is just as much of a concern as managing the security incident.

What are the key considerations you should be looking for when designing your OT IRP?

First, there are lots of good sources of information to help you get started. Government agencies are typically a good place to begin. The US ICS-CERT has published a document with recommended practices (https://ics-cert.us-cert.gov/Abstract-ICS-Cyber-Incident-Response-Plan-RP).

In the UK, the new NIS Directive has a clear objective (D1. Response and Recovery Planning) to ensure that Operators of Essential Services have put some thought into their Incident Response Planning. The NCSC CAF (https://www.ncsc.gov.uk/guidance/caf-objective-d) has a list of Indicators of Good Practice (IGP) for response and recovery. These recommendations are useful not only for the operators who will be directly affected by the NIS regulation, but are also good advice for any company with ICS looking to develop and mature their own incident response plan.

Key areas to look at:

Planning – Plan the IRP, brief everybody who has a role, and make sure that the plan is tested in a table-top exercise or some other simulated scenario. Understand the most critical areas of your system, so a graded response can be enacted depending on the location of the incident.

Communications – how will you co-ordinate with team members in the event of an incident? If your internal network is unavailable due to the incident, then an alternative to email will be required, such as text messaging, WhatsApp etc. Make sure you have an up to date record of everyone’s phone numbers and other contact details.

One important area to consider as part of the IRP is the collection and storage of system forensics, to allow full analysis of the security event to take place and to understand how it happened, which in turn enables the correct mitigations to be put in place to prevent a recurrence. Dedicated ICS tools are available that can detect these incidents and store all the system logs. Such tools can also push the information into a Security Information and Event Management (SIEM) system, which could be part of a dedicated OT Security Operations Centre (SOC) or a shared Enterprise SOC. (There are lots of additional questions on this topic: whether to go for a combined IT/OT SOC or a dedicated OT SOC, whether to go in-house or to a managed SOC service provider, and so on. These will be the focus of a future blog post.)

Sharing information within the community – you may be able to find answers to your problems, and you can warn similar organisations of the incidents you are experiencing, the indicators of compromise, etc., to help the community become more robust. In the UK, forums such as the CiSP (https://www.ncsc.gov.uk/cisp) are invaluable for this type of information sharing.

If you have any questions on Incident Response Planning or would like to explore how Regency / Airbus CyberSecurity can help your organisation, please contact us on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk

By Ben Worthy (Security Consultant – OT Cyber Consulting Team)

Cyber Security Monitoring Solutions for Industrial Control Systems

How to Select the Correct Cyber Security Monitoring Tool for Your Organisation

Critical National Infrastructure (CNI) typically relies on Industrial Control Systems (ICS) to provide the core operational functions that our society depends upon. Previously, these control systems were isolated and ran on special hardware and software, where cyber security was not considered in the design. Over time these systems have become more complex, more connected, and more communication-intensive: this can increase their vulnerability and the likelihood that they become a target for cyber-attacks. A typical industrial control system consists of Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS), as well as IT assets such as Windows computers, Historian databases, printers, etc. ICS are connected via different industrial protocols which were initially designed to achieve the communication task without considering cyber security requirements.

In recent years, many cyber-attacks, such as Stuxnet, BlackEnergy, Industroyer and TRITON, have targeted industrial sectors and critical infrastructure. These attacks led to major impacts on safety, availability, operation and the organisation’s reputation, and ultimately to financial impact. Thus, there is a pressing need to monitor and secure these critical infrastructures.

Many tools (or solutions) are available in the market to monitor the cyber security posture of ICS/OT infrastructure, where alerts are triggered in case of any threat or vulnerability detected. These tools are connected to the OT network using either hardware appliances (such as network sensors) or software agents in order to monitor all network traffic. This enables the tool to detect anomalous activities and, in some cases, block the traffic to prevent a cyber-attack. However, selecting a suitable solution that meets all requirements for each specific industrial application is a very challenging task due to the wide variety of features and vendors. Also, the way these features are deployed at a customer site to gain full visibility and resiliency across all critical and non-critical assets requires specialist knowledge and experience.

Many criteria should be considered when selecting a cyber security monitoring tool. This blog focuses on the technical criteria only, which are:

  • Asset and network discovery,
  • Real time network activity monitoring and threat detection,
  • Vulnerability management,
  • Alerting system, and
  • Tool interoperability.

The selected tool needs to be able to discover and inventory all OT assets passively, without affecting the operation of the ICS; identify the network topology; and extract asset artefacts such as model, part number or serial number, firmware version, OS version, IP or MAC address, open ports, and installed software. Furthermore, some tools can also model or arrange these assets into zones or layers which reflect the actual network architecture.

Additionally, the selected tool should have the capability to monitor and detect all threats and suspicious activities using detection techniques such as signature-based detection, statistical anomaly-based detection, protocol deep packet inspection, and operational risk detection. The tool also needs to detect all vulnerabilities for each asset, prioritise these vulnerabilities using a scoring system, alert the operator and provide a remediation recommendation. It should then be able to generate a report for all security measures and provide different Key Performance Indicators (KPIs) tailored to suit different stakeholders’ requirements. Finally, the tool needs to provide connectivity with other tools such as SIEM, backup server, Historian server, SCADA and other third-party service tools.
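One way the passive asset discovery and baseline-deviation detection described in the two paragraphs above can be realised, as an added illustration that is not code from Regency, icsModel or any monitoring vendor; the flow records, MAC/IP addresses and field layout are constructed for the example and do not reflect any real sensor's output format:

```python
from collections import defaultdict

# Constructed flow summaries in the shape a passive network sensor might emit:
# (src_mac, src_ip, dst_mac, dst_ip, dst_port). Port 502 is Modbus/TCP and
# 44818 is EtherNet/IP; the addresses are made up for this example.
BASELINE_FLOWS = [
    ("00:1d:9c:00:00:01", "10.0.1.10", "00:80:f4:00:00:50", "10.0.1.50", 502),
    ("00:1d:9c:00:00:01", "10.0.1.10", "00:80:f4:00:00:51", "10.0.1.51", 502),
    ("00:0c:29:aa:bb:cc", "10.0.1.20", "00:1d:9c:00:00:01", "10.0.1.10", 44818),
]
LIVE_FLOWS = [
    ("00:1d:9c:00:00:01", "10.0.1.10", "00:80:f4:00:00:50", "10.0.1.50", 502),    # as baseline
    ("00:0c:29:aa:bb:cc", "10.0.1.20", "00:80:f4:00:00:50", "10.0.1.50", 502),    # host now talks to a PLC
    ("de:ad:be:ef:00:01", "10.0.1.99", "00:80:f4:00:00:50", "10.0.1.50", 502),    # never-seen device
    ("00:0c:29:aa:bb:cc", "10.0.1.77", "00:1d:9c:00:00:01", "10.0.1.10", 44818),  # known MAC, new IP
]


def build_inventory(flows):
    """Passively derive an asset inventory keyed by MAC address: the IPs each
    asset used, the ports it was contacted on (its exposed services) and the
    (peer IP, port) conversations it initiated. No packets are sent."""
    inv = defaultdict(lambda: {"ips": set(), "services": set(), "talks_to": set()})
    for smac, sip, dmac, dip, dport in flows:
        inv[smac]["ips"].add(sip)
        inv[smac]["talks_to"].add((dip, dport))
        inv[dmac]["ips"].add(dip)
        inv[dmac]["services"].add(dport)
    return dict(inv)


def detect_deviations(baseline, flows):
    """Anomaly detection against a learned baseline: alert on an unseen MAC,
    a known MAC appearing with a new IP, or a known asset opening a
    conversation to a peer/port it never used during the learning period."""
    alerts = []
    for smac, sip, dmac, dip, dport in flows:
        known = baseline.get(smac)
        if known is None:
            alerts.append(("NEW_ASSET", smac, sip))
            continue
        if sip not in known["ips"]:
            alerts.append(("IP_CHANGE", smac, sip))
        if (dip, dport) not in known["talks_to"]:
            alerts.append(("NEW_CONVERSATION", smac, dip, dport))
    return alerts


if __name__ == "__main__":
    inventory = build_inventory(BASELINE_FLOWS)
    for alert in detect_deviations(inventory, LIVE_FLOWS):
        print(alert)
```

In a real deployment the baseline would be learned over a representative period covering maintenance windows, otherwise legitimate but infrequent engineering traffic will keep raising NEW_CONVERSATION alerts.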

Regency IT Consulting can provide targeted research to customers in order to support them in selecting the most appropriate cyber security monitoring tool for their environment. Different tools can be recommended according to the industrial application requirements in energy, oil & gas, water and waste water, manufacturing, transportation, nuclear and other critical infrastructure. Regency’s methodology for selecting a cyber security monitoring solution follows four phases:

  • Define end customer site requirements.
  • Perform market research and identify all tools (solutions) that fit the customer requirements.
  • Conduct an evaluation of each identified solution based on research, vendor meetings and test bed deployments.
  • Report the findings and propose recommendations based on the outcome of the study.

In summary, cyber security monitoring tools are recommended to enhance the cyber security posture of CNI. The correct selection and implementation of these solutions can minimise downtime and increase the overall cyber security resiliency of industrial plants. Selecting the correct solution and tool is therefore a crucial step to achieve these targets and to ensure the availability, integrity and confidentiality of the ICS.

For more information on how Regency can help your organisation, please contact enquiries@regencyitc.co.uk