The challenges around remote access have been known, addressed and managed for what feels like ages. In spite of this, there are regular intervals, new inserts or stories where the remote accesses to critical infrastructure control systems are misused or just poorly managed. So why is remote access to critical infrastructure, or industrial control systems in general hard to achieve?
What is your factory’s safety plan? How to get started
July 4, 2019 at 12:45
The Industrial Internet of Things (IIoT) is gaining a stronger foothold as a solution for industrial environments. Some industrial facilities have been using IIoT or similar techniques for more than a decade—longer than the term itself has existed. However, information security has failed to keep abreast with the technological advances in industrial environments.
Data is the new oil
In an industrial environment, information can be collected from numerous sources, particularly from devices connected to the internet. In the past, a factory’s operations or automation design were the main reasons for connecting factory equipment to the internet. These days, the requirement for network connection is more commonly set by equipment suppliers, partners, or business operations. However, these parties are usually not responsible for the facility’s risk management or uninterrupted operations; instead, the responsibility falls on the client, i.e. the factory.
It is often the case that parties responsible for the factory’s maintenance or information security only have restricted access to or authority over the devices connected to the IIoT. Despite this, they may contribute considerably to overall security through their work. When equipment and related connections come as an extra supplied by a subcontractor, the client should make sure it knows what these add-ons are used for.
How safe is safe enough?
Devices connected to IIoT are usually designed to operate independently and to be used for a certain purpose, and therefore their information security features are often based on technical solutions. So how can you know whether the device is safe to install in your production facility? There are numerous minor factors that affect information security but just knowing a few basic points can have a huge impact:
- How does the device in question function?
- Is it connected to the facility's control systems? How?
- What information does the device gather?
- How does data transfer take place, are cloud services used? Is the data protected during transfer? How?
- Does the device need to be controlled from outside the environment? How?
- How is authentication realized?
- How are software updates for the device delivered and installed?
These may seem like trivial questions but considering them is essential for risk analysis and technical implementation. In addition, the cloud’s information security plays an important role—but let us leave this topic for another blog post.
Quick risk assessment
The goal of risk assessment is to identify the type and level of information security measures that must be implemented to guarantee a sufficient level of security. I recommend that the primary risk assessment be carried out from the perspective of functionality: start by analyzing how the solution will impact the production process. This way, information security requirements are based on business impacts.
A good way to kick off the process is to answer these questions:
- Are decisions made on the basis of the data collected?
- Is the function controlled or optimized on the basis of this data? Or does the function gather data for another purpose, such as guidance of the subcontractor’s operations?
After this, the next step is to consider technical implementation or to create an implementation plan. The goal of this plan is to describe how the solution might be used as an attack vector for gaining access to the production environment’s other systems.
- Is the device part of the control network or separate of it?
- Is the device connected to the process network that performs control functions via another interface? How is the device connected to the network?
The significance of the data being collected must also be taken into account:
- How valuable is the data being collected?
- Can it be used to draw other conclusions? For example, if the data being collected by the IIoT solution encompasses usage information pertaining to a critical device (how and how much the device is used), can an outside party use this data to garner information on the factory’s production or other businessrelated matters?
When using an IIoT- or cloud-based system - even if it is produced as a service - you must also consider continuity:
- What happens if the connection to the cloud is disrupted or the cloud service does not function appropriately?
- How does this affect the production process?
On the basis of these points, you can assess whether the smart functions of the service should be located in the terminal or the cloud, whether back-up connections to the cloud are required, and so on.
A solution delivered by a subcontractor
If a solution connected to the network is supplied by a subcontractor, the client may not have much say in the technical implementation. However, the client always has the option of not installing the solution in question, albeit at a financial cost.
Depending on what functions the device has, local effects can be limited to a certain extent. For example, if a limited quantity of data needs to be transferred to the cloud service, a contact interface to the control system can be created via a digital or analog I/O. This way, the service can’t influence the process. If, however, some control functions are required, the control signal can be connected via a digital or analog I/O, in which case signal verification or restriction can be performed at the recipient’s end. This does not prevent the inappropriate control of the control system, but it suffices to restrict access to the environment.
Using your own network
In addition, I recommend using the company’s own network as the transfer media. In this case, the solution should be segmented in the network and a proxy service used for data transfer. Using the company’s own network enables you to monitor traffic and information security.
These measures contribute to the management of information security. However, they do not fix the problem if an IIoT solution connected to the internet is not protected by information security measures at all. No step taken at a later stage can compensate for neglecting information security at the design stage. Because of this, information security must be paid attention to from the get-go.