Santa’s Toy Factory and IEC 62443

Nixu has a long history of working with Santa Claus and the elves to help them secure a happy Christmas for everyone. This year, we worked with Santa to assess his toy factory according to the IEC 62443 series of standards. The standards are aimed at measuring and improving cybersecurity in the industrial context. This makes it the perfect standard for the toy factory – after all, it’s grown to be quite the facility over the years.

You might not know this, but Santa is a front runner in Industry 4.0 adoption. How else would he be able to manufacture and deliver presents to millions of children across the globe within one day? During our interviews, one of the elves mentioned that things used to be so much tougher before all the automation and digital services came into the picture. Just think about how hard record-keeping was – not to even mention the process of making the toys in just the right configuration and color options. There were stacks and stacks of paper, notes, and all sorts of ways to keep track of everything.

The Assessment

IEC 62443 audits usually start with a pre-assessment. It focuses on identifying potential gaps in compliance. Since Santa wasn’t exactly sure if his operation would be compliant (“Ho ho ho, it’s a mystery” was his exact statement), this was the right approach to take. With informal pre-assessments, the focus is on giving guidance and recommendations. When auditing, the focus is purely on deciding if everything is compliant and, if so, awarding the certification stating that. Audit only makes sense when there is reasonable certainty that things are already in order. With Santa, this wasn’t the case.

The assessment itself required several trips to the toy factory for interviews with Santa and the elves. Document review was also conducted to determine whether the processes and guidance were properly documented. It’s not uncommon for the documentation to not correctly reflect how things are done in practice. Mrs. Claus was particularly welcoming and ensured that hot drinks and biscuits were available for the auditors during their stay at Rovaniemi.

Niki Klaus (no relation to Mr. Claus), Head of Nixu Certification, was tightly involved in overseeing the case. He had the following to say regarding the project:

"On behalf of Nixu’s team, I want to thank both Mr. and Mrs. Claus as well as the elves for their hospitality and help in the assessment. We explained to Mr. Claus that we are not naughty but as auditors we cannot accept gifts from the auditee."

How did Santa fare?

Santa gave Nixu permission to share some of the details from the assessment – after all, cybersecurity of his operations are of vital importance to children everywhere. Here are some of the key findings made during the review.

2-series: Policies and Procedures

2-series of the standard focus on policies, procedures and documentation. It mainly applies to the party that operates the industrial site in question. In Santa’s case, he, together with the elves, are the ones performing the work. We asked Santa if he had any third parties involved in operations given the size of what they do. He smiled and stated that “maybe when he gets older.”

We must say that the documentation related to processes wasn’t entirely complete. More accurately, the documentation was written on several pieces of paper by the elves. Whenever they needed to make a note or write down instructions, they would do so and stick a piece of paper next to the appropriate equipment. While this created a beautiful atmosphere in the factory (“serene, and very analog” stated one auditor), it wasn’t exactly what the standard required. Much of the process was also in the heads of both Santa and the elves. Strangely enough, while work looked quite chaotic from the outside, somehow the elves made it work, and presents came out in orderly fashion. That said, a finding was made to improve the documentation to a more acceptable level.

Asset management was also somewhat lacking. While the toy factory was full of all sorts of equipment, Santa wasn’t entirely sure what was where and what kind of equipment they had to begin with. Elves were very proactive in sourcing new kinds of machines that could produce this year’s favorite toys but weren’t always systematic in documenting them. Machines from last year – or maybe last few years – were all around the place in no particular order. The elves seemed to know which were which, but nobody could provide a list when asked. There was also a concern that patching wasn’t done correctly, given the huge number of machines. Elves mentioned that they try to do patching whenever possible, but since they are so busy with making toys, things slip through here and there.

It was quite clear that the maturity level of the operation was at best on level ML1 – Initial, which is characterized by ad-hoc ways of working. Yet, somehow things seem to work out in the end despite all the apparent chaos at the factory floor.

3-series: Systems

3-series focuses on the interconnected set of components and the connections themselves. Primarily, here we looked at Santa’s toy factory as a whole. Although you might not think of it, the toy factory has a massive amount of network cabling and satellite links to allow Santa to communicate to everywhere on the globe in real-time. Gone are the days when everything was analog – pen, paper, and wooden mallets.

A typical issue in 3-series audits the lack of proper risk assessment that identified what can go wrong and, if so, what the consequence is. Santa, the eternal optimist, was sure that nothing would go wrong. However, we identified some areas of concern that could endanger Christmas for millions of children and leave them without presents. Santa’s optimism was trumped by his desire to bring Christmas to children everywhere, and thus he was very eager to make changes to increase the resilience of his operation further.

One area where multiple findings were made was network segmentation and networking in general. Since the factory had machines for making all the hit toys from different years, it had been gradually increasing in size and complexity every year. Elves were hopeful that the same toys would be popular again and often kept the machines around. This resulted in the network becoming one monolithic mess of cables and routers everywhere. If there was a network architecture at some point, it had long since outgrown any documentation that might have existed. When asked, elves mentioned that they just kept adding things as needed, and “things usually work out fine.” We did not press much further on this point but noted it as an area of concern.

Identity and access management was also noted to be an area of improvement. None of the machines identified the elf who was using it at any given time. Alabaster Snowball, the elf in charge of the system that keeps track of children’s “naughty or nice” status, mentioned that elves don’t have credentials, and everything works on honor principle. Nobody wants to get on the naughty list, and thus they operate the machines responsibly. While we trust that this is the case, it doesn’t entirely align with the principles in the standard.

4-series: Components

Finally, 4-series of the standard focuses on individual components – or in this case, different kinds of machines that make and package toys.

As mentioned before, the factory is full of all kinds of machines from various sources. Santa and the elves make most devices themselves, but some are also sourced from the popular toy companies. For the machines made internally, we focused on the process and requirements. This turned out to be more of a challenge than we thought.

Bushy Evergreen, the elf responsible for the machines and the process behind making them was somewhat evasive when we asked for details. His explanation for how the machines came to be was “Christmas magic”. It turns out that the standard doesn’t adequately deal with Christmas magic as a way to design machines. We were able to identify that there are gaps in the security controls implemented in many of the machines. For one, no formal security requirement set could be located. Like with identity and access management, much of the operations seemed to work on honor principle, and elves were expected to behave themselves. Any misuse would land them on the naughty list for the year – something that no self-respecting elf would ever want.

Bushy did have an impressive test automation setup in place for validating that everything works with the machines. Again, it could have used more security tests and tooling, but we were quite impressed by the level of quality control in place. Elves were clearly serious about ensuring a joyful Christmas with toys for children everywhere.

One machine, in particular, was highlighted in our assessment. It was made quite some time ago – evident by it running on what looked like a steam engine of some sort. Legacy technologies are often a challenge as they were made well-become cybersecurity became important. Retrofitting these otherwise perfectly functional devices is a particular challenge for many. Bushy mentioned that this machine is responsible for many of the classic wooden toys that are still a staple of Christmas, despite being quite old in design.

Wrapping things up

All in all, Santa’s operation wasn’t quite ready for passing an IEC 62443 audit in time for Christmas eve in 2019. However, that’s not at all uncommon, and the primary reason why such pre-assessments are carried out. Together, we created a roadmap for Santa to make improvements over the coming year. Hopefully, by the time Christmas comes around in 2020, everything will be running smoothly as butter and children everywhere can be confident that presents will arrive safely on time.

Nixuans involved in the assessment would like to thank Santa, Mrs. Santa, and the elves for their co-operation, hot drinks, and cookies. We also wish everyone a happy, cybersecure Christmas!

Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.