Cybersecurity in Industrial Automation
PREFACE
In the environment of a specific project (onsite) the scope of the consideration is an IACS, e.g. an installation in operation. The process dimension is about the operational policies and procedures as well as the processes which have to be applied in the integration and the maintenance phase of the IACS. People are the personnel involved in all activities to operate the automation solution, the persons who have designed and deployed the automation solution (integration activities) as well as the personnel responsible for maintenance of the IACS. The technology dimension is about the functional capabilities provided by the project specific automation solution.

The technology dimension is covering the functional security capabilities realized in the automation solution based on the requirements of ISA/IEC 62443-3-3. The organizational measures include the evaluation of the processes implemented by the integrator when designing and deploying the automation solution (integration policies and procedures) as well as the processes used to operate and maintain the automation solution. ISA/IEC 62443-2-1 and ISA/IEC 62443-2-4 provide the framework for the evaluation of the organizational measures. The competency of the involved personnel (people dimension) should be included in the evaluation of the organizational measures.
• ML 4: Improved - Process measured, controlled, and continuously improved

The result will be a value of ML between one and four and will be the entry of the vertical axis of a 4 by 4 matrix. A protection level value between one and four is assigned to each field of the matrix so that each combination of SL and ML will result in a value of PL.

Considering the maturity level of the organization it should be noted that for ML equal to one or two there is no assurance that the personnel is acting according to the policies and procedures or even that the processes are defined. Due to the lack of documented processes or educated personnel the protection concept can have heavy weaknesses independently of the level of security capabilities in the automation solution. Considering that the processes have to be matched to the security level of the automation solution, the PL will be at least equal to SL. The matrix can be described by the following rules:

• If ML is equal or above three, then the protection level equals the achieved security level of the automation solution
• If the ML is below three, then a value of the protection level cannot be clearly defined

4 PLs are clustered in Security control classes (SCC) and Views

Protection levels will be reflected in values combining the evaluation of the technical measures based on the requirements of part 3-3 with the evaluation of the organizational measures based on the requirements of part 2-1 and 2-4. It could be possible to include all requirements in one protection level. As security includes many - often independent - dimensions, the significance of that value could be questionable. A better approach is to group related requirements into slices. A slice includes related requirements of part 2-1, 2-4, and 3-3 and addresses one security dimension. The protection value of a given slice reflects how good the IACS is protected regarding the security dimension of the slice.

Considering the complexity of security and the many dimensions to be addressed, the number of possible slices, e.g. the number of PL values might be fairly
repeatable way to define security targets for solution providers, e.g. in request for quotation document. On the other side, asset owners will use protection levels to evaluate capabilities of solution providers (process capabilities and technical capabilities) during procurement.

During the integration / commissioning phase of the IACS lifecycle, protection levels will be used by asset owners to provide a consistent and repeatable way to define security targets for solution providers preferably by using the views. Solution providers will base these targets to specify a protection concept. They will use the protection levels in security control classes as a methodology to differentiate the level of risk reduction provided by a security control class, e.g. how effective are the measures in a given security control class in the specific application? Asset owners and solution providers will use the views to provide a consistent and repeatable way to evaluate the achieved security posture (i.e. the achievement of PLs). As depicted previously this will be an iterative process till one of the following is reached:

• the achieved protection levels match the target levels
• the achieved protection levels don't match the target levels and the asset owner accepts the residual risk
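The matrix rules above (PL equals the achieved SL when ML is three or higher, PL undefined when ML is one or two) and the target comparison used during integration and commissioning can be written down as a small evaluation routine. The following is an added example, not code from the document or from ISA; the slice names, SL/ML values and target levels are constructed sample data, and the choice to report an undefined PL as an open gap rather than as a number is an assumption of this example.

```python
"""Protection level (PL) evaluation per security slice.

Added example, not part of the original document. It implements the two
matrix rules quoted in the text (ML >= 3: PL equals the achieved SL;
ML < 3: PL not defined) and the target comparison from the integration
phase. The slice names, SL/ML values and target levels are constructed
sample data, not figures from the document.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Slice:
    name: str        # security dimension the slice addresses
    sl: int          # achieved security level from ISA/IEC 62443-3-3 requirements (1-4)
    ml: int          # maturity level of the organisational measures (1-4)
    target_pl: int   # target protection level set by the asset owner (1-4)


def protection_level(sl: int, ml: int) -> Optional[int]:
    """Map one (SL, ML) cell of the 4x4 matrix to a PL.

    Returns None where the document says the PL 'cannot be clearly
    defined' (ML below three), so callers cannot mistake it for a level.
    """
    if not 1 <= sl <= 4 or not 1 <= ml <= 4:
        raise ValueError(f"SL and ML must be between 1 and 4, got SL={sl}, ML={ml}")
    if ml >= 3:
        return sl
    return None


def build_matrix() -> dict:
    """The full 4 by 4 matrix keyed by (ML, SL): ML on the vertical axis."""
    return {(ml, sl): protection_level(sl, ml) for ml in range(1, 5) for sl in range(1, 5)}


def evaluate(slices: list) -> dict:
    """Achieved PL per slice and whether it meets the target.

    A slice with an undefined PL never meets its target (assumption of this
    example): the organisational weakness means the technical capability
    gives no assurance on its own.
    """
    report = {}
    for s in slices:
        pl = protection_level(s.sl, s.ml)
        report[s.name] = {
            "achieved_pl": pl,
            "target_pl": s.target_pl,
            "meets_target": pl is not None and pl >= s.target_pl,
        }
    return report


def gaps(slices: list) -> list:
    """Names of the slices that still need work; the iterative process ends
    when this list is empty or the asset owner accepts the residual risk."""
    return [name for name, r in evaluate(slices).items() if not r["meets_target"]]


# Constructed sample input (not from the document).
SAMPLE_SLICES = [
    Slice("access control", sl=3, ml=3, target_pl=3),
    Slice("network segmentation", sl=4, ml=3, target_pl=3),
    Slice("patch management", sl=3, ml=2, target_pl=2),   # process not measured -> PL undefined
    Slice("malware protection", sl=2, ml=4, target_pl=3),  # mature process, weak technical measures
]

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_SLICES).items():
        print(f"{name:22s} achieved={r['achieved_pl']} target={r['target_pl']} ok={r['meets_target']}")
    print("open gaps:", gaps(SAMPLE_SLICES))
```

The "patch management" slice shows the point the text makes about ML 1 and 2: its technical measures reach SL 3, yet because the process is not measured the slice gets no PL at all and stays on the gap list until the organisational side is brought up, not until more technology is added.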
During the operation and maintenance phase of the IACS lifecycle, protection levels will be used by asset owners to provide a consistent and repeatable way to evaluate the current security posture (i.e. the achievement of PLs). As the security environment may change over time, asset owners will use protection levels to reassess the current security posture either periodically, after a modification of the automation solution, after a maintenance phase, or after a change of the threat situation. Asset owners will also use protection levels to provide a consistent and repeatable way to demonstrate security posture to governments, regulators, insurance companies, and other authorities. Finally, experts will use protection levels as a methodology to evaluate the level of risk reduction provided by the measures in the security control classes to verify that the protection concept still matches the agreed levels.

Regulators (governments, insurance companies, or other interested authorities) will use protection levels as a consistent and repeatable way to define target levels for various industries and installations, e.g. for critical infrastructures. Regulators as well as certification bodies and auditors will use protection levels to provide a verdict for rating the protection of an IACS in support of business processes.

6 Product suppliers use PLs in a Holistic Security Concept (HSC)

Product suppliers primarily focus with the first four levers - Security features, Improve process, Handle incident, Enhance Awareness - on the enhancement of the quality of their products. On one side, they aim to offer cutting-edge security features in the products to support integrators in the development of technical measures in automation solutions as part of a holistic defense-in-depth strategy. On the other hand, the development process has to integrate security in all phases from specification, design, implementation, and testing. Security also requires providing integration and hardening guidelines. An important aspect is that product suppliers have a process for managing vulnerabilities and handling incidents. Finally, awareness is, like for any stakeholder in the game, an important lever for improving the security maturity in the organization.
In addition, a fifth lever – IT infrastructure – will complete the overall strategy with the objective that the software that is in the products is exactly the one which has been developed. The focus here is on the integrity of the products. The IT infrastructure in the development areas and in the production sites must be protected against manipulation of the software along the whole chain from the developer's workstations to the production machines. And here the product supplier is in the role of the asset owner of its production lines and will use protection levels as described above.

Asset owners and system integrators can trust in products from product suppliers which have implemented a Holistic Security Concept.
software business development. Dr. Rudolf studied Industrial Engineering and Management with special focus on production technology at the Technical University of Darmstadt and Berlin. Parts of this curriculum he completed at the University of California Berkeley and the Massachusetts Institute of Technology. Afterwards Dr. Rudolf received his PhD at the Technical University of Munich where he led a research group on Digital Tools in

The discussion began with an observation I made that many companies appear to take the position that they have not been impacted by cyber threats in the past and, because of this, have a difficulty justifying the investment of time and money for cybersecurity now. Dr. Henning responded, “Everyone is talking

the field and look on the shop floor and what has been implemented sometimes the lack of protection and preparedness is really shocking.” Dr. Rudolf went on to talk about his personal experience with cybersecurity attacks, “I have spoken to a couple of customers that have been affected by ransomware attacks
So, it is not enough to just buy equipment from leading vendors, with security built into their products. It must be installed and configured properly by solution partners and then maintained by the asset owner/operator to reach the maximum protection.

Question: What are the different cybersecurity stages and topics to consider?

In addition, antivirus solutions must be updated with signatures to stay current, these signatures are only available during the lifecycle of the OS - maybe

After this stage, the implementation is complete - and here it is clear that the decision does not come to implement “protection concepts” or “detection concepts” – these tools need to be in sync. Some basic hygiene protection concepts like patching policy, hardening of devices and network segmentation from office and production network must always be in place.

Another thing with industry 4.0 – a lot of people believe that everything needs to talk to everything. This may be true in an academic concept, but we believe that the communication should still be configured
“Holistic Security is not only about controllers, network devices, and other technical solutions, it is also about processes.”

focused on the evaluation of the protection of installations in operation and is chairman of the working group to generate the ISA/IEC 62443 part addressing this concept.

Dr. Pierre Kobes describes the overall concept: holistic protection is based on a defense in depth strategy that must include three dimensions: technology, processes, and people. The scope of the protection levels is the onsite environment, e.g. installations in operation. The concept of protection levels recognizes the fact that organizational and technical measures have to be related and that the evaluation of the protection against cyber threats has to be integrated with technical and organizational measures. Protection levels provide an integrated evaluation of the fulfillment of technical and organizational measures. They use the framework of the technical requirements of ISA/IEC 62443-3-3 and their mapping to security levels SL 1 to SL 4 as well as related organizational measures using the framework of the requirements of ISA/IEC 62443-2-1 for the operational policies and procedures. In addition, the framework of the requirements of ISA/IEC 62443-2-4 is used for the integration and maintenance activities. The maturity of the organization to document and implement the organizational requirements will be evaluated and rated from ML 1 to ML 4.
Lever 4 - security features: implement cutting-edge features within the products against cyber attacks.

Lever 5 - addresses the surrounding IT infrastructure protecting the physical and digital environment against any manipulation of software that is within the product throughout the lifecycle.

First, we have to explain that a comprehensive cybersecurity program is all about technology, processes, and people. The ISA/IEC 62443 standard addresses the three legs of the triangle for all stakeholders involved in the protection against cyber threats: the product suppliers, the system integrators as well as the asset owners.
Digitalization.

In Connectivity & Edge Devices we define how all products and solutions will become intelligent and connected, in Simulation and Digital Twin we ensure full and consistent alignment of the physical world with its digital

Systems and Processes bring the latest IT technology into the OT domain. Another very important research area is mobility, where research is focused on the topic of Connected (e)Mobility. And we also explore the potential of
Specifically, Siemens offers Plant Security Services, which include the assessment of security risks in factories and production plants as well as the implementation of security measures for our customers. These may include the implementation of Antivirus software, security trainings, firewall management, as well as technical measures to protect networks and systems against unauthorized access, espionage and manipulation. Protection at multiple levels and the combined effect of different protective measures provides a high degree of security, reducing the risk of successful attacks and ultimately improving plant availability and productivity (Figure 1).

3. Plant security

Plant security puts in place the conditions necessary to ensure that the technical IT security measures implemented cannot be circumvented by other means. Plant security measures include physical access protection infrastructure, such as barriers, turnstiles, cameras and card readers. Organizational measures include most notably a security management process to ensure the security of a plant.

Siemens also developed and applies the Industrial Holistic Security Concept to themselves, which covers the following major processes.

Product Lifecycle Management (PLM), Supply Chain Management (SCM), and Customer Relationship

3.1 Physical access protection

The following points can be covered here:

• Measures and processes that prevent unauthorized persons from entering the vicinity of the plant.
• Physical separation of different production areas with differentiated access authorizations.
• Physical access protection for critical automation components (for example, securely locked control cabinets)

The guidelines pertaining to physical access protection measures also have impact on the question of which IT security measures are required and in what strength. If, for example, access to a particular area is already strictly limited to selected authorized persons, the network access interfaces or automation systems do not need to be secured as robustly as would be the case in generally accessible areas (Figure 2).

(Figure 3). Failure to conduct a proper risk analysis and ascertain security objectives is more than likely
Special security services can assist operators in many respects with the design of secure production environments. This assisted process extends from an analysis of the risk (assess security) and the design and realization of a secure production operation (implement security) to the continuous monitoring of the plant security status (manage security) (Figure 4).

The next step is to implement the measures proposed to close the gaps identified. Resources encompassing both hardware (such as firewalls) and software (such as antivirus, whitelisting and anomaly detection) are available for this purpose. Also included are clear instructions and guidelines on IT security. Ultimately, security solutions can only work properly if employees have been

Figure 4: Siemens Plant Security Services provide assistance with risk analysis, the implementation of measures, and the continuous management of the plant
within this area. The systems installed within the DMZ are shielded from other networks by firewalls that control access. This separation makes it possible to provide data from internal networks (for example the automation network) on external networks without having to admit direct access to the automation network. A DMZ is typically designed so that it also does not permit access to the automation network, which means that the automation network remains protected even if a hacker gains control of a system inside the DMZ (Figure 6).

4.2 Network segmentation and cell protection concept

The segmentation of the plant network to create separated automation cells protected by technical security mechanisms helps to minimize risk further and to increase security. Network segmentation involves protecting elements of a network, such as an IP subnet, with a security appliance that separates them from the rest of the network for technical security purposes. The devices within a segmented cell are protected against unauthorized access from outside without the need of any compromise in terms of real-time capability, performance or other functions.

The firewall is able to control access attempts to and from the cell. It is even possible to stipulate which network nodes are permitted to communicate with each other and, where appropriate, which protocols they are allowed to use. This means that unauthorized access attempts can be blocked, first and foremost, and also makes it possible to reduce the load on the network, as only those communications that are explicitly desired and permitted are able to proceed.
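The cell protection model described above, cells as IP subnets behind a boundary appliance, an explicit allow-list of node-to-node communication and protocols, and everything else denied, can be checked offline against recorded flows before a rule set goes onto a real appliance. The following is an added example and not the behaviour of any Siemens product or of the document's own material; the cell names, subnets, rules and flow records are constructed sample data, and the well-known port numbers are the standard IANA assignments for the named protocols.

```python
"""Cell protection policy check for a segmented plant network.

Added example, not part of the original document and not the behaviour of
any specific security appliance. It shows the allow-list model the text
describes: a cell is an IP subnet behind a security appliance, and only
explicitly permitted node-to-node communication with a permitted protocol
may cross the cell boundary; everything else is denied. Cell names,
subnets, rules and flow records are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Cells as subnets (constructed). Anything not inside a cell is "outside".
CELLS = {
    "press_cell": ipaddress.ip_network("10.10.1.0/24"),
    "packaging":  ipaddress.ip_network("10.10.2.0/24"),
    "plant_dmz":  ipaddress.ip_network("10.10.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str        # source node IP or cell name
    dst: str        # destination node IP or cell name
    proto: str      # "tcp" or "udp"
    port: int       # destination port


# Explicitly desired communication across cell boundaries (constructed).
# Port numbers are the well-known IANA assignments for these protocols.
RULES = [
    Rule("10.10.100.10", "10.10.1.10", "tcp", 102),   # historian in DMZ -> press PLC (S7 over ISO-on-TCP)
    Rule("10.10.100.10", "10.10.2.10", "tcp", 4840),  # historian in DMZ -> packaging line (OPC UA)
    Rule("packaging",    "plant_dmz",  "tcp", 443),   # any packaging node -> DMZ web services
]


def cell_of(ip: str) -> str:
    """Name of the cell an address belongs to, or 'outside'."""
    addr = ipaddress.ip_address(ip)
    for name, net in CELLS.items():
        if addr in net:
            return name
    return "outside"


def _matches(endpoint: str, ip: str) -> bool:
    """A rule endpoint matches either an exact node address or a whole cell."""
    return endpoint == ip or endpoint == cell_of(ip)


def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow.

    Traffic that stays inside a cell never reaches the boundary appliance,
    so it is not filtered here. Everything crossing a boundary must match a
    rule; the default is deny.
    """
    if cell_of(src_ip) == cell_of(dst_ip) and cell_of(src_ip) != "outside":
        return "allow"   # intra-cell, not mediated by the appliance
    for r in RULES:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.proto == proto and r.port == port:
            return "allow"
    return "deny"


def audit(flows: list) -> list:
    """Flows that would be blocked; each one is worth a look by the plant operator."""
    return [f for f in flows if decide(*f) == "deny"]


# Constructed flow records (src, dst, proto, dst_port), as a boundary appliance might log them.
SAMPLE_FLOWS = [
    ("10.10.100.10", "10.10.1.10", "tcp", 102),     # permitted historian access to the press PLC
    ("10.10.2.15",   "10.10.100.20", "tcp", 443),   # packaging node to a DMZ web service
    ("10.10.1.10",   "10.10.1.11", "tcp", 102),     # PLC to PLC inside the press cell
    ("10.10.2.15",   "10.10.1.10", "tcp", 102),     # packaging node reaching into the press cell
    ("192.0.2.44",   "10.10.1.10", "tcp", 102),     # outside address straight to a PLC
    ("10.10.100.10", "10.10.1.10", "tcp", 80),      # right nodes, wrong protocol
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(*f), f)
```

The last three sample flows are the ones the text's argument is about: a node in one cell talking into another cell, an address from outside any cell, and a permitted pair of nodes using a protocol that was never allowed. All three are denied by default, which is also what keeps unwanted traffic off the cell's network.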
The division of the cells and the allocation of the devices reflect the communication and protection requirements of the network stations. Data transmission to and from the cells can, in addition, be encrypted by the security appliances using a VPN to protect against data espionage and manipulation. This comprises the authentication of communication participants and, where applicable, authorization of access attempts. The cell protection concept can be implemented and the communication between the cells can be protected by using components such as the Industrial Security Appliances SCALANCE S or the security communications processors for the SIMATIC S7 automation system (Figure 7). The Industrial Security Appliances SCALANCE S provide the possibility to define and protect network cells flexibly on the basis of VLANs.

4.3 Secure remote access

It is becoming increasingly common to connect plants directly to the internet and to link up remote plants via mobile networks (GPRS, UMTS, LTE). This is done to enable remote maintenance, use remote applications, and also to facilitate monitoring of machines installed all over the world.

Securing access is particularly important in this context. Attackers can find unsecured access points easily and inexpensively using search engines, port scanners, or automated scripts. It is therefore very important to ensure that communication nodes are authenticated, data transmission is encrypted, and data integrity is protected, especially in the case of critical infrastructure plants. Incidents such as intrusion by unauthorized persons, the escape of confidential data and the manipulation of parameters or control commands can result in enormous damage, including to the environment, and endanger even personnel.

VPN mechanisms, which provide the very functions (authentication, encryption, and integrity protection) required, have proven to be particularly effective in
Figure 8: Secure remote access to plant units without direct access to the plant network with three-port firewall.
Figure 9: SINEMA Remote Connect is a management platform for efficient and secured remote access to globally distributed plants and machines.
thorized attempts to access the company network to which the plant or machine is connected can thus be prevented. The allocation of rights for access to machines can be controlled centrally via the management platform's user management facility. The fact that the connection is only ever set up from the plant to the server and only when actually required further enhances security, as there is no need to permit incoming connections to the plant (Figures 9 and 10).

5. System integrity

The third pillar of a balanced security concept is system integrity. The systems whose integrity is to be protected in this context comprise control components and automation, SCADA and HMI systems. These require protection against unauthorized access and malware or have to meet special requirements in areas such as the protection of expertise.

5.1 Protection of PC-based systems in the plant network

PC systems used in the office setting are typically protected against malicious software and have any weaknesses detected in their operating system or application software rectified by the installation of updates or patches. Equivalent protective measures can also be required for industrial PCs and PC-based control systems, depending on how they are used. Protective mechanisms familiar from the office environment, such as anti-virus software, can also be used in industrial settings in principle, although it is essential to ensure that they have no adverse impact on the automation task.

Whitelisting solutions can be used in addition to antivirus software. Whitelisting involves the creation of approved lists in which the user explicitly specifies
Siemens supports the protection of industrial PCs and PC-based systems in its capacity as an industrial software vendor by testing its software for compatibility with virus scanners and whitelisting software.

The numerous integrated security mechanisms provided in the Windows operating systems are of course also available for use in hardening systems to the extent required. These include not just user management and the management of rights, but also options such as finely differentiated settings using security policies. Siemens provides support here too in the form of thorough guidelines.

Safeguarding intellectual property is another matter of growing concern: machine builders invest heavily in the development of their products and they cannot afford to see their proprietary expertise compromised. The know-how protection and copy protection functions provided by the Siemens controllers give users convenient and straightforward support in this area as well.

The know-how protection function enables highly specific protection of program modules to prevent access to their content and the copying and modification of algorithms.
Figure 11: User management in the TIA Portal with assignment of roles and rights
A security by design approach is increasingly being required of product manufacturers. This means to consider security aspects as part of product development and production (see Security Standard ISA/IEC 62443). An automation product shall be tracked and embedded in a holistic security concept (HSC) from creation to production to use. Assets in this context can include source code, IT processes and production machines. The security requirement pertaining to assets and organization, with respect to processes and methods, grows progressively more difficult as the desired security level increases. The product owner is responsible for specifying the security level to be applied to the product and associated assets (Figure 12).

Security requirements are particularly high when developing and manufacturing automation products that have security functions. The security keys used must be reliably protected against unauthorized access in storage. In the event of a security breach, for example, generating and distributing new keys would be a very laborious operation. Delays in detecting the

The benefits of a holistic security concept extend to the portfolios of both security products and standard products. Security products such as the Industrial Security Appliances SCALANCE S, the Industrial Router SCALANCE M, or the communications processors for SIMATIC with integrated firewall and VPN, and others address specific security requirements. Standard products contain several integrated security functions available in the TIA Portal Engineering tool, SIMATIC S7-1200, and SIMATIC S7-1500 controllers. These standard products can reduce risk for the end user thanks to the vulnerability testing, risk analyses and associated design optimization work carried out in the course of development.

8. Summary: Industrial security for production plants

Even just a few years ago, security for production plants was very much a peripheral issue. The threats seemed rather abstract and theoretical and few manufacturers and operators had much of an interest in the issues involved.
in its capacity as a vendor and single-source supplier of industrial automation and communication systems. Risks can be successfully minimized by taking security factors into account during the design, development and production phases by implementing a holistic security concept to create correspondingly robust components equipped with effective security functions.

But engineering and technology alone can never suffice. Processes and organizational measures must be implemented and the relevant specific requirements adapted. Siemens can assist here if necessary, with its security services.

Armed with expertise in both automation and security, Siemens is a strong partner for machine builders, integrators and operators of production plants and offers a capable portfolio of security products and services as well as an effective industrial security concept (Figure 13).

RESOURCES

Download Siemens White Paper

Siemens Industrial Security:
https://www.siemens.com/industrialsecurity

Siemens Industrial Security Services:
https://www.siemens.com/iss
• PCS 7 PowerControl – integrated process and energy automation
• Management Console – plant-wide, central, standardized software administration and overview of the PCS 7 software and hardware components
• User management and access protection
• License management
• Safeguarding of intellectual property
• Increase of the plant availability
ProductCERT’s three-step approach consists of prevention, early identification, and professional treatment of security vulnerabilities.
Industrial infrastructures are increasingly connected to the internet and to each other. This development means that the control and surveillance of production facilities is much easier than before.

However, every connected device can pose a risk to the whole company, if they are unprotected, they can be leveraged by hackers to infiltrate IT systems. Consequences range from theft of intellectual property to cutting off the supply of vital goods such as water and electricity. It is absolutely essential that companies start prioritizing the protection of their industrial facilities.

That's why Siemens and the leading cybersecurity company McAfee have teamed up to develop automated security solutions for an effective protection and combat the effects of a growing cyber skills gap.

Billions of devices, technical equipment, and machines are now connected in the growing “Internet of Things.” Departments such as product development, production, and logistics have become united under the banner “industry 4.0.” Permanent and quick availability of data is essential for companies to keep their business running and maintain profitable productivity levels.

However, the more we rely on data and connectivity, the more attractive cybercrime becomes for criminals. With the potential for a successful cyber attack to result in serious rewards, cyber criminals are using more and more sophisticated measures to exploit any possible vulnerability.
Executive Summary
Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.

This document is intended to provide a starting point for small- and medium-businesses (SMBs), particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical and water and wastewater treatment sectors.

While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.

Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual's responsibilities. Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.
There are two broad categories of systems and equipment: Information Technology (IT) and Operational Technology (OT), each with their own characteristics, as shown in the table below.
Cybersecurity-related risks are evaluated using a process that: systematically identifies potential vulnerabilities to valuable system resources and threats to those resources; quantifies loss exposures and consequences based on probability of occurrence; and (optionally) recommends how to allocate resources to countermeasures to minimize total exposure. In simple terms, risk can be defined as a function of threat, vulnerability, and consequence. Each of these elements must be assessed in order to gain a full understanding of the situation.
Common threats
When considering cybersecurity threats, many consider only deliberate, targeted attacks from professional hackers. As a result, some dismiss the risk to their facilities.
The table below shows that SMBs are subject to numerous types of threats, both deliberate and otherwise. Cybersecurity incidents can arise as a result of accidents or unintentional actions by authorized individuals (employees, vendors, or contractors). Many threats are often non-targeted and SMBs can be impacted as collateral damage. In all of the examples below, SMBs could be impacted indirectly, simply because they have equipment similar to the primary target.
A vulnerability is a deficiency that can be exploited by a threat to create an incident. The deficiency can arise from technical (such as a software error), procedural (a lack of policy or standard), or people (lack of training) issues. A mitigation is an action or solution that is implemented to: reduce the likelihood of a vulnerability being exploited or offset the adverse effects of an incident should that vulnerability be exploited.
There are many cybersecurity vulnerabilities, and each organization possesses different ones depending on the
equipment they use and the policies and procedures they have in place. As noted previously in this white paper,
SMBs can be impacted by a non-targeted attack, simply because they utilize equipment similar to that used by
the primary target. The table below provides a list of common vulnerabilities found in all organizations to some
degree, along with key mitigations that should be implemented to control these vulnerabilities.
These key mitigations are essential for all SMBs to provide a basic level of cybersecurity management. It is highly recommended for SMBs to consider additional mitigations. Further guidance is available from several sources, including:

• International Society of Automation (ISA). The ISA/IEC 62443 standards (Security for Industrial Automation and Control Systems) provide detailed guidance on how to create a cybersecurity management system for OT environments. These standards are also available internationally as IEC 62443
• The US Chamber of Commerce [6], Department of Homeland Security (DHS) [7], US Small Business Administration (SBA) [9], National Institute of Standards and Technology (NIST) [10], as well as many business and technology websites [5], [8]
• The Center for Internet Security (CIS). CIS produces the Critical Security Controls [2], which identify the top 20 mitigations that reduce the likelihood and/or consequence of a cybersecurity incident. These controls are referenced in the Key Mitigations table below as CSC“xx” where “xx” is 1 to 20 (for example, CSC17)
The potential consequences of a cyber incident will depend on the organization, but the following table outlines the most common consequences for IT and OT equipment and systems.
Numerous standards and guidance documents are available to help SMBs implement proper cybersecurity management.
The US Cybersecurity Framework, produced by the National Institute of Standards and Technology (NIST) [1], is an excellent starting point for SMBs. The Framework identifies five core functions that encapsulate cybersecurity management. The Framework then further defines all the activities that may need to be undertaken for each function and identifies relevant standards to help identify how to implement these activities.
The table below identifies the essential cybersecurity activities that should be undertaken by all SMBs. These are described in more detail below the table.
This step is essential for all SMBs. Proper cybersecurity management is impossible without a definitive understanding of the assets involved. Organizations that fail to identify equipment or systems leave themselves vulnerable to cyber incidents due to a lack of protection or monitoring.
Additionally, some organizations identify equipment location, owner, and other useful information.
Once an SMB understands what it is protecting from a cyber incident, it must conduct a risk assessment to identify what risks exist.
Risk assessments require the involvement of all key stakeholders (to ensure accuracy) and should identify the likely threats and the vulnerabilities in the asset base. From this, the organization should identify the potential consequences, e.g. loss of confidential information, loss of revenue, environmental impact, injury or death, and so on.
SMBs should rank their risks using a common methodology to allow the identification of risks in priority order.
• The processes and procedures required for operational activities and to reduce cybersecurity risks
• The expectations of employees (e.g. appropriate use of IT equipment, use of personal devices, etc.)
• Physically locking or disabling all equipment inputs to prevent unauthorized use, including smart device charging
• Using only dedicated devices that are kept secure, with anti-virus software scanning before and after use
• Using a quarantine area to check incoming removable devices of unknown provenance and transfer files to dedicated, known devices
• Only allowing a transfer of files from removable devices under strict supervision and in compliance with anti-virus checks
• Applying recommended patches to operating system and application software in a timely manner
• Limiting external access to equipment and networks to only those authorized to access them
• Keeping confidential information secure (e.g. in a locked cabinet or safe) and disposing of confidential information in a secure manner (e.g. shredding)
• Being aware of who is around you and taking care to avoid disclosing sensitive information
• Making sure you don’t click on links or open attachments unless you are certain the sender is trustworthy
• Making sure you do not download or install anything after following a link in a suspicious email
• Making sure a supervisor or trained expert is available for advice before individuals take any action
• Maintaining physical and electronic security to ensure that only authorized persons have access to the equipment they require in performing their role
• Securing equipment in locked rooms or cabinets and monitoring access
• Providing temporary external access as required, supervising it during use, and removing it once complete
Detect
Having established an understanding of its asset base and the risks to it, the SMB must then have methods to monitor for incidents, so that it is able to respond promptly and effectively to minimize the impact.
In addition, all employees should receive awareness training, be instructed to be vigilant for signs of a cyber incident, and be trained to report any type of cyber incident.
Identify improvements
Cybersecurity is an ever-changing situation. Threats, vulnerabilities, and risks change and SMBs need to be able
to adapt. In the detect function, SMBs must regularly review their monitoring methods and adjust them to suit
changing circumstances and according to incident experiences.
The respond function comes into effect when an incident occurs. However, preparation is essential to a successful
response, and so an organization must take actions well in advance of any incident.
Identify improvements
SMBs will need to update their incident management plans in response to changes in the cybersecurity landscape, and also as a result of their incident response tests.
Recover
While the respond function comes into effect when an incident occurs, the recover function comes into effect
once the respond function is completed. As with the respond function, preparation is essential to a successful
recovery, and so an SMB must take actions well in advance of any incident.
Key to a successful recovery from a cybersecurity incident is having the right backups in place. Having the right
backups in place requires an SMB to:
• Determine back-up frequency based on operational requirements (How long can you operate without a working
system? How much data can you afford to lose?)
• Store clearly labeled backups securely on-site and off-site, preferably in a fireproof safe
External classroom and online training courses are recommended for SMBs to give their employees a clear understanding. Internal resources, such as assessment (surveys, tests) and awareness (videos, posters, emails) tools, should be used to complement external courses and provide a constant reminder to employees.
Effective cybersecurity management should be a high-profile business objective that is reported on by management so that employees are constantly reminded of its importance.
The International Society of Automation (ISA) provides training courses and certificate programs based on the
ISA/IEC 62443 (Security of Industrial Automation and Control Systems) standard [4].
The International Society of Automation (ISA) has produced a survey that SMBs can take to self-assess their current cybersecurity posture (as well as re-assess it after making changes).
Third-party assessment
For a nominal fee, ISA can review an SMB’s survey responses. ISA utilizes a pool of international cybersecurity Subject Matter Experts (SMEs) to provide this service. This third-party assessment will provide a more comprehensive, and independent, review of the SMB’s cybersecurity posture, with advice on how to proceed.
Continuous improvement
Effective cybersecurity management requires continuous improvement. The essential activities outlined above
are only the beginning.
• Network and equipment monitoring can be a manual activity in its simplest form, but SMBs can purchase speciality software to assist
• Third-party organizations can provide assessment services, including penetration testing, to validate the effectiveness of cybersecurity mitigations
The degree to which SMBs should go will depend on the level of risk they perceive, and this may vary with time.
In addition, cybersecurity is continuously evolving, with new vulnerabilities, exploits, and threats arising all the time. SMBs must continuously review their risk and adapt their mitigations to suit this changing landscape.
The Cybersecurity Framework, National Institute of Standards and Technology (NIST)
Critical Security Controls, Center for Internet Security (CIS)
IEC62443 Security For Industrial Automation and Control Systems, International Society of Automation (ISA)
IEC62443 Training Courses and Certificates, International Society of Automation (ISA)
5 Reasons Why Small Businesses Need Cybersecurity, Tech.Co
Ten Cybersecurity Strategies for Small Businesses, US Chamber of Commerce
Figure 3-1 summarizes the important issues listed in Table 3-1 and emphasizes some of the common areas between IT and automation and control systems.
The lesson to be learned from these comparisons is that traditional information system security knowledge and methods provide a solid basis for addressing industrial automation and control system security, albeit with deliberate, appropriate, and intelligent modifications required to address the unique characteristics of automation and control systems.
One important starting point in incorporating these modifications is education. In general, most universities and certification programs addressing computer and network security have been heavily focused on IT security. Automation and control systems, which are typically sitting on isolated networks and are relatively few in number compared to IT systems, have not been considered to be interesting targets. With the advent of the terrorism threat, this situation is no longer the case. In addition, SCADA and plant process control systems are now being connected to large networks and the Internet.
In order to secure an IACS, there are specific issues that have to be addressed that take into account the differences between IT systems and IACSs. These issues include the following:
• Accountability, authorization, and computer forensics have not matured and have not been implemented widely in IACSs as compared to IT systems.
• Ethernet to serial line paths provide a means of injecting malicious commands into a control network.
• Remote access into automation and control systems via older modems or newer wireless devices poses a serious threat to security.
• There is a trend to apply protocols used for IT systems to industrial control and automation systems because of their wide availability, their lower cost, and the existence of trained personnel. However, in most instances, these protocols were not designed for deterministic process control systems, and they are vulnerable to many existing attacks.
This data is plotted in Figures 3-2 and 3-3 for antennas 1 and 2, respectively. Note that the digital electronics generate more peak radiation generally and more at high frequencies compared to the analog equipment. These peak emissions have the potential to interfere with control system signals and cause malfunctions if proper shielding and isolation are not applied.
The sample electromagnetic emanations collected illustrate the necessity to ensure electromagnetic compliance (EMC) when equipment upgrades are made to plant control systems. These actions will serve to protect against interruptions of control systems’ operation due to electromagnetic emissions from digital systems.
Security Program,⁶ will be used to illustrate the major concerns of automation and control system security.
In each document, there are common areas addressed by both standards and other areas addressed by one standard and not the other. Figure 3-4 summarizes the main characteristics of each standard and identifies common areas addressed by both, as well as topics that are addressed mainly by one document and not the other.
Figure 3-4 shows that topics, such as change management, email security, access control policies, digital signatures, compliance, and business continuity planning are among the areas considered critical for IT systems that are not emphasized in automation and control system standards. Conversely, for automation and control systems, the significant domains not covered include security architecture analysis, quantitative and qualitative analysis, information security management, and information security testing. Areas of common emphasis include information security policy, risk assessment, training, media physical security, remote access, event logging, and protection against malware.
By Patrice Bock, with the participation of Jean-Pierre Hauet, Romain Françoise, and Robert Foley
Three power distribution companies sustained a cyberattack in western Ukraine on 23 December 2015. As the forensic information is extensive from a technical point of view, it is an opportunity to put ISA/IEC 62443-3-3 Security for industrial automation and control systems Part 3-3: System security requirements and security levels to the test with a real-life example. Several sources were used for this purpose that, overall, provide unusually detailed information. This article:
• reviews the kinematics of the attack using the available reports and reasonable assumptions based on our experience of cyberattack scenarios and of typical operational technology (OT) systems and vulnerabilities
• introduces a methodology for assessing the Security Level - Achieved (SL-A) by one of the Ukrainian distributors (corresponding to the best documented case)
• applies this methodology; presents and discusses the estimated SL-A; reviews this SL-A per the foundational requirement (FR); and derives conclusions and takeaways
• evaluates the security level (SL-T) that should be targeted to detect and prevent similar attacks
Kinematics of the cyberattack
Although the attack itself was triggered on 23 December 2015, it was carefully planned. Networks and systems were compromised as early as eight months before. Keeping this time frame in mind is essential for a proper understanding of the ways and means that should be used to detect, and eventually prevent, a similar attack.
Our analysis of the cyberattack is threefold:
As displayed in figure 2, during step two, a large amount of network activity took place. The remote-controlled malware scanned the IT network, detected an open connection from an IT system to
When the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again, because the password had been changed (figure 3).
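The step-two activity described above (an IT-side host scanning across into the OT network) is exactly what continuous monitoring is meant to surface. The following is an added example, not code from the article or its authors: a small detector that groups flow records by source, keeps a sliding time window, and raises an alert when one IT-zone host reaches many distinct OT hosts (a horizontal sweep) or many distinct ports (a vertical scan). The zone ranges, the Modbus/TCP port, the thresholds and every flow record are constructed for the example; a real deployment would take zones from the plant's own zone-and-conduit model and flows from a firewall, NetFlow/IPFIX export or a network tap.

```python
"""Added example (not from the ISA article): flag an IT-zone host sweeping the OT
network, the kind of reconnaissance the article says went undetected for months.
All zone ranges, ports and flow records here are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed zone definitions (an assumption for the example).
IT_ZONE = ip_network("10.1.0.0/16")
OT_ZONE = ip_network("192.168.100.0/24")


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed epoch-style timestamp)
    src: str
    dst: str
    dport: int


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse constructed 'ts,src,dst,dport' records; malformed lines are skipped
    so one bad export line cannot stop the whole analysis."""
    flows: list[Flow] = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def detect_it_to_ot_scans(flows: list[Flow], window: int = 300,
                          host_threshold: int = 10, port_threshold: int = 10) -> list[dict]:
    """Return one alert per IT-zone source that, within any `window`-second span,
    reaches at least `host_threshold` distinct OT hosts or `port_threshold` distinct
    ports. A workstation polling one PLC on one port never trips either threshold."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        try:
            if ip_address(f.src) in IT_ZONE and ip_address(f.dst) in OT_ZONE:
                by_src[f.src].append(f)
        except ValueError:          # unparsable address: skip rather than crash
            continue

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        hosts: Counter = Counter()
        ports: Counter = Counter()
        lo = 0
        for f in events:
            hosts[f.dst] += 1
            ports[f.dport] += 1
            # Slide the window: forget events older than `window` seconds.
            while f.ts - events[lo].ts > window:
                old = events[lo]
                hosts[old.dst] -= 1
                if hosts[old.dst] == 0:
                    del hosts[old.dst]
                ports[old.dport] -= 1
                if ports[old.dport] == 0:
                    del ports[old.dport]
                lo += 1
            if len(hosts) >= host_threshold or len(ports) >= port_threshold:
                alerts.append({
                    "src": src,
                    "first_seen": events[lo].ts,
                    "last_seen": f.ts,
                    "distinct_ot_hosts": len(hosts),
                    "distinct_ports": len(ports),
                })
                break   # one alert per source is enough for triage
    return alerts


# Constructed sample: a maintenance workstation polls one PLC on Modbus/TCP (502)
# once a minute (legitimate); a second IT host walks the OT subnet within seconds.
SAMPLE_FLOWS = [f"{1000 + 60 * i},10.1.5.20,192.168.100.10,502" for i in range(20)]
SAMPLE_FLOWS += [f"{2000 + i},10.1.7.33,192.168.100.{h},502" for i, h in enumerate(range(1, 31))]
SAMPLE_FLOWS += ["1500,10.1.2.2,10.1.3.3,445",          # IT-to-IT, out of scope
                 "not a flow record",                   # malformed, skipped
                 "1600,10.1.2.2,192.168.100.5,x"]       # bad port, skipped

if __name__ == "__main__":
    for alert in detect_it_to_ot_scans(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The thresholds are deliberately conservative: in a plant network the set of IT hosts allowed to reach the OT zone at all should be short and known, so even a single unexpected IT-to-OT crossing from a host outside that list is worth a lower-severity notice before the sweep thresholds are reached.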
• FR6 (timely response to events): The very existence of detailed forensic information is the
ones are missing. The weakest link drives the overall security effectiveness down. The fact that advanced
• The lack of strong authentication (two-factor) or local (OT) approval of remote connections made it possible to frequently connect from the IT to the OT network without detection over several months.
• The lack of OT network intrusion detection allowed extensive OT network scans, vulnerability detection, and mobile code (malware, exploits) transfer restrictions.
When deploying security controls, it is essential to apply requirements in a consistent way across all aspects of security: detection, prevention, and reaction. It is best to use a well-designed standard such as ISA/IEC 62443-3-3. Do not aim for SL-T=2 or 3 on some FRs if the SL-A is still zero on other FRs, as this would likely be useless.
As a mandatory first step, power distribution utilities should aim for SL-T=2, ensuring at least minimal requirements about detection (SR 6.2) are met.
To have several layers of defense, prevention, detection, and time for reactions in anticipation of the most sophisticated attacks, it is best to aim for SL-T=3.
In any case, it is essential to set up security controls in a consistent way to ensure that all FR have achieved the same SL-A before aiming for a higher SL-T. Otherwise the efforts are useless, as demonstrated by the example at hand.
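The consistency rule stated above (the weakest FR sets the achieved level, so every FR should reach the same SL-A before any is pushed higher) can be turned into a small planning aid. The following is an added example, not code from the article: it takes a per-FR SL-A vector, computes the overall SL-A as the minimum, lists the FRs where further spending is not yet paying off, and builds a phased plan toward a chosen SL-T. The seven FR names are the foundational requirements of ISA/IEC 62443-3-3; the sample SL-A values are constructed to echo the findings above (weak remote authentication, no OT intrusion detection) and are not the article's own estimate for the Ukrainian distributor.

```python
"""Added example (not from the article): the weakest-link rule of ISA/IEC 62443-3-3
applied to a per-FR Security Level vector. Sample values are constructed."""
from __future__ import annotations

FOUNDATIONAL_REQUIREMENTS = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}
VALID_LEVELS = range(0, 5)   # SL 0 (nothing achieved) up to SL 4


def _check(sl_a: dict[str, int]) -> None:
    """Reject an incomplete or out-of-range vector instead of silently under-reporting."""
    missing = set(FOUNDATIONAL_REQUIREMENTS) - set(sl_a)
    if missing:
        raise ValueError(f"no SL-A given for {sorted(missing)}")
    bad = {fr: lvl for fr, lvl in sl_a.items() if lvl not in VALID_LEVELS}
    if bad:
        raise ValueError(f"SL values must be 0..4: {bad}")


def overall_sl_a(sl_a: dict[str, int]) -> int:
    """The system's achieved level is the lowest level of any FR: the weakest link."""
    _check(sl_a)
    return min(sl_a[fr] for fr in FOUNDATIONAL_REQUIREMENTS)


def wasted_effort(sl_a: dict[str, int]) -> list[str]:
    """FRs already above the weakest link: per the article, more investment there is
    useless until the lagging FRs catch up."""
    floor = overall_sl_a(sl_a)
    return [fr for fr in FOUNDATIONAL_REQUIREMENTS if sl_a[fr] > floor]


def plan_to_target(sl_a: dict[str, int], sl_t: int) -> list[dict]:
    """Phased plan that raises every FR one level at a time, so all FRs share the same
    SL-A before any of them is pushed higher, until SL-T is reached."""
    _check(sl_a)
    if sl_t not in range(1, 5):
        raise ValueError("SL-T must be 1..4")
    phases = []
    for level in range(overall_sl_a(sl_a) + 1, sl_t + 1):
        lagging = [fr for fr in FOUNDATIONAL_REQUIREMENTS if sl_a[fr] < level]
        phases.append({"raise_to": level, "work_on": lagging})
    return phases


# Constructed SL-A vector loosely following the article's findings: no strong or
# locally approved remote authentication (FR1) and no OT intrusion detection (FR6).
SAMPLE_SL_A = {"FR1": 0, "FR2": 1, "FR3": 1, "FR4": 1, "FR5": 1, "FR6": 0, "FR7": 2}

if __name__ == "__main__":
    print("overall SL-A:", overall_sl_a(SAMPLE_SL_A))
    print("effort not yet paying off:", wasted_effort(SAMPLE_SL_A))
    for phase in plan_to_target(SAMPLE_SL_A, sl_t=2):
        print(phase)
```

With the constructed vector the overall SL-A is 0 despite five FRs being at 1 or 2, which is the article's point: the first phase of the plan is FR1 and FR6 alone, and only once they reach 1 does the second phase touch the other FRs.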
Which SL would have been required to prevent the attack?
Looking at the issues listed previously, it appears that raising the SL-A to level 2 would have allowed detection of the activity during step two, thus preventing the cyberattack. Plenty of time was available for the post-detection reaction. Additional controls, such as strong/local authentication, anti-malware, and SL 2 requirements would actually have prevented the specific attack kinematics.
The fact that setting the SL-T at level 2 would have been enough to detect and prevent the attack with several layers of defense may sound surprising to the reader, as this was (quite certainly) a state-sponsored
RESOURCES
Analysis of the Cyberattack on the Ukrainian Power Grid
“Utilities look back to the future”
BlackEnergy and Quedagh
“Hackers attacked the U.S. energy grid 79 times this year”
Cybersécurité des installations industrielles
“Basecamp for serial converters”
By Don Dickinson
With the increasing prevalence of high-profile cyberattacks and security breaches, these events may seem unavoidable. The consequences, however, come at a tremendous cost to businesses and consumers. More alarming is that the intent of cyberattacks has gone beyond stealing personal and financial data and now includes extortion, destruction of intellectual property, and damage to critical infrastructure.
Cybercriminals are becoming more aggressive and sophisticated in their attacks. As noted in the 2016 Dell Security Annual Threat Report, a review of breaches in 2015 revealed that “exploit kits evolved to stay one step ahead of security systems, with greater speed, heightened stealth, and novel, shape-shifting abilities.”
Protecting critical infrastructure
In the U.S., the potential for a cyberattack on critical infrastructure is a growing concern. In February 2013, the White House issued Presidential Policy Directive (PPD)-21 – Critical Infrastructure Security and Resilience. The directive states, “The nation’s critical
“A well-defined business case for automation cybersecurity is necessary for management buy-in to ensure long-term allocation of resources.”
The business rationale for cybersecurity is based on the potential impact that a cybersecurity event can have on public health and safety, the environment,
When analyzing the business rationale, executives may find economic benefits similar to those of worker safety and health programs. Each year, workplace deaths and injuries cost U.S. businesses tens of billions of dollars. The Occupational Safety and Health Administration reports that employers save $4 to $6 for every $1 invested in an effective safety and health program.
Executive Summary
As more and more significant security breaches are discovered, the protection of information and control systems is becoming an important executive management and insurance issue. A company’s Board of Directors and executive management must continuously and meticulously identify, categorize, and mitigate risks to the organization’s success resulting from cyberattacks. In many cases the largest risk to the well-being of your company, your people, your processes, and your profits may be the compromise of your Industrial Control System—not a data breach.
Ask yourself the following questions about your company’s exposure to Industrial Control Systems Cybersecurity vulnerabilities:
• What opportunities exist for breach?
• What risk exposure does my company have and what are the consequences of that exposure?
• What is the maximum damage that might be done if one of these breaches occurs?
• What specific security deployments protect each of our assets?
• If our systems have cybersecurity vulnerabilities, how do those vulnerabilities impact our safety-related goals and initiatives?
• Who in our organization is responsible for these security measures? Are our IT and Operations teams coordinated and working together to secure our systems?
This white paper addresses these and other questions in the context of the following objectives:
• Introduce the unique characteristics and vulnerabilities of Industrial Control Systems;
• Explore the key differences between an IT and an operations perspective on cybersecurity;
• Detail potential impacts of attack on critical infrastructure and manufacturing processes;
• Identify standards, training, and compliance programs to aid companies in their approach to these challenges;
• And offer some additional information on incidents that have already taken place.
In order to create and maintain secure systems, we have to first ensure that our processes and the communication between them are secure; Industrial Control Systems need to be targeted for more detailed review on a consistent basis. Second, we need to make sure that our operations staff have expertise in Industrial Control Systems Cybersecurity and are closely coordinating with our IT staff to protect our systems and processes. Third, we need to make sure our equipment is inherently secure and addresses known vulnerabilities by leveraging industry standards and conformance programs.
Introduction
Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production. Several of these terms are often used interchangeably, or generalized as SCADA:
• Distributed Control Systems (DCS) that monitor and control large centralized facilities such as power plants and refineries
• Programmable Logic Controllers (PLCs) that control individual processes
• Remote Terminal Units (RTUs) that act as data concentrators
• Field devices—such as sensors that measure the process (pressure, temperature, flow, etc.); analyzers that monitor chemical constituents; drives that open and close valves; etc.
Essentially, an Industrial Control System is a system made up of other systems, designed to monitor and control physical processes and ensure safe operations within specific known engineered states. It carefully manages transitions to control risk between operational states. These controlled states and transitions are defined to protect against randomly occurring failures of a component or a few components. However, focused logical attacks to push a system into known dangerous states are not commonly expected or compensated for in the normal operational parameters of Industrial Control Systems.
“Focused logical attacks to push a system into known dangerous states are not commonly expected or compensated for in the normal operational parameters of Industrial Control Systems.”
Differentiating between IT Cybersecurity and ICS Cybersecurity
Malicious cyber-related incidents are occurring, or being identified, on what seems like a weekly basis. Almost all of these are data breaches, compromising the confidentiality of supposedly private information. However, the consequences are not confined to data breaches and compromises of personal data.
Industrial Control Systems that are used in the critical
Developing the Industrial Control Systems Cybersecurity Expert: Why it Matters
IT personnel generally have Computer Science backgrounds with minimal engineering backgrounds, whereas Operations personnel come from engineering backgrounds with minimal security training. There is a gulf between the IT and Operations organizations—and it is the responsibility of senior executives and boards to break down these organizational divides.
An Industrial Control System includes a Human-Machine Interface (HMI), a software application that presents information to an operator or user about the state of a process, and allows the system to accept and implement the operator’s control instructions. HMIs are generally designed to operate on common commercial operating systems (e.g., Windows) that are understood by IT. However, the proper support of these devices also requires Operations expertise.
Traditional cyber attacks often focus on the general purpose information systems—using zero-day vulnerabilities, buffer overflows, cross-site scripting, or other vulnerabilities. These attacks generally pursue the capture of valuable data or aim to create denial-of-service incidents. Attacks targeting Industrial Control Systems can be built on top of these—but take aim at the physical process, exploiting legitimate product or system design features.
“There is a gulf between the IT and Operations organizations—and it is the responsibility of senior executives and boards to break down these organizational divides.”
The typical IT security function is focused on Advanced Persistent Threats (APT) and traditional