Sponsored Article

NIS: not just a compliance exercise

01 April 2019

Phillip J Corner discusses some shortcomings of the NIS directive, arguing that, while it focuses on technology, good governance is equally vital to manage security.

Industrial automation and control system (IACS) cyber security is a hot topic, and interest has been intensified further by the Network and Information Systems (NIS) directive, which places mandatory legal requirements on companies categorised as operators of essential services (OES).

The NIS Cyber Assessment Framework (CAF) is an outcome-oriented framework which defines four main objectives: managing security risk; protecting against cyber attack; detecting security events; and minimising the impact of cyber security incidents.

In pursuit of greater efficiency and lower costs, companies frequently centralise or outsource technical resources and look to augment business planning with valuable industrial process data. This requires wider network connectivity, sometimes described as 'convergence' between information technology (IT) and operational technology (OT).

But, while the pace of IACS advances and their interaction with wider areas of the business is certainly increasing, IT has been integral to control systems since computers and data networks were first introduced. Perpetuating a belief in incompatible technological differences is counterproductive to effective cyber security: many of the fundamental technological principles involved are, in fact, identical. A systems-oriented approach (business and process), evaluating differences in expectations, requirements and behaviour, will promote a clearer understanding of the risks and encourage examination of IACS as a 'system of systems', assessing each independent sub-system's effect on the whole.

Behind the times
Design philosophy is at the heart of the problem. IACS design emphasises long component life, demanding reliable PLC operation over tens of years, and control engineers have an innate understanding of these components. Computer systems for SCADA and similar functions are typically not as well understood, but are equally important, and this often results in a tendency to apply the same long lifecycle expectations to computers and, crucially, to software components.

However, the longer software remains in use without patching, the greater the number of exploitable vulnerabilities is likely to become. These vulnerabilities are regularly discovered thanks to the hard work of security researchers and are fixed by vendor patches. General-purpose operating systems like Microsoft Windows support diverse software ecosystems with many different processes running and interacting, and so typically represent the largest attack surface: the greatest concentration of potentially exploitable security vulnerabilities. So your SCADA software might be secure, yet the host could still be compromised through other vulnerabilities on the same computer.

Unpatched and obsolete software is common, and the patching issue is not restricted to computers. All configurable hardware includes software of some description. Even control assets are not immune: the most reliable PLC still runs firmware, which can, and in many cases does, contain exploitable vulnerabilities.

This requires a shift toward decoupling hardware and software lifecycles and actively managing patching. Enterprise patch management isn't new; Microsoft has offered Windows Server Update Services for nearly 20 years for managing patch deployment across multiple computers, and more vendor-agnostic alternatives are available. However, testing of patches has always been a crucial concern for operators, who are naturally averse to changes with the potential to disrupt plant stability.

Virtualisation, technology which runs multiple logical operating systems on a single physical server, is the mainstay of corporate data centres and is gaining popularity in process systems too. The ability to quickly clone 'guest' virtual machines is ideal for patch testing: exact duplicates can be created, patched and tested before the change touches the live system. Simple and rapid backup, duplication and recovery options dramatically reduce patching risk and provide change management assurance. One caveat: a cloned guest does not reproduce the physical I/O, drivers and timing of the live plant, so a patch that passes in the clone still needs a controlled rollout window and a tested rollback path.

What is secure? 
Industrial assets are designed and tested for high reliability and long mean time between failures (MTBF), but reliability, even in high-integrity systems, is based on the quantifiable probability of random failure. Cyber security incidents, by contrast, are caused by deliberate human action; they cannot be modelled as random events, so no failure rate can be derived for them.

The requirement for real-time deterministic behaviour necessitates efficient programming that dedicates resources to the device's primary role. Unlike general-purpose computers, these devices typically lack the capacity for host-based protection such as firewalls or anti-malware, and are not especially capable of mounting a defence against malicious interference. Common industrial network protocols such as Modbus TCP were not designed with security in mind: they carry no authentication, so a controller will act on any well-formed command from any host that can reach it, which an attacker can exploit to disrupt the process.

Historically, process systems were believed to be inherently secure through their 'air gap' isolation from other networks. However, isolation alone is only marginally effective at preventing compromise and does nothing to restrict the spread of any malware that does get in. Modems, wireless devices and links to business infrastructure can often be found in OT systems that operators believe are 'air-gapped'. As technology, and the tactics of those seeking to exploit it, develop, threats from social engineering, removable media, portable engineering laptops and supply chain weaknesses make reliance on air-gapping increasingly outdated.

Segregation is a key component of a 'defence in depth' strategy, protecting against both initial compromise and the lateral spread of a breach between assets. The IEC 62443 standards offer effective guidance, extending the Purdue 'levels' model into logical 'zones' and 'conduits'. Assets are grouped into levels based on their function (e.g. Level 0, sensors and actuators), then into zones based on role (e.g. a safety controller zone). Finally, conduits are defined, specifying the method and type of data exchanged between zones.

Industrial-protocol-aware security appliances, endpoint protection and software firewalls control communication within and between each zone and level, permitting only the minimum traffic required for correct plant operation. Designing this level of security is challenging, particularly in existing systems, but it offers robust protection.

With each layer of security supporting the whole but usually acting independently, can you have confidence in them? As with safety management, gauging cyber security effectiveness and understanding residual risk is important. Continual review and monitoring will help ensure that the security strategy reflects changing internal and external factors. Monitoring technologies complement manual technical and procedural review and improve the detection of security incidents.

Logs hold a wealth of information, not only from firewalls but from the plethora of other system components. All of this should be collected into analysis systems which can help detect indicators of compromise (IOCs) and alert key personnel. Such systems can also be a boon for preventative maintenance by monitoring adverse system health indicators such as temperature and power.

Intrusion detection systems (IDS) add a further layer by continually monitoring network communication for IOCs; detection signatures for a newly disclosed vulnerability are often available some time before the OEM releases a patch for it, providing interim cover. Again, IACS-specific variants interpret industrial network protocols and can detect deviation from established normal behaviour.
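To make three of the points above concrete, namely the absence of any authentication field in Modbus TCP, conduit enforcement by a protocol-aware filter between zones, and IDS-style detection of deviation from an established baseline, here is an added Python example. It is not code from the article or from Cougar Automation. The zones, host addresses, conduit rules and traffic frames are all constructed for illustration, and the 'baseline' is the simplest possible allow-list of observed (source, unit, function) tuples rather than any product's algorithm.

```python
import struct
from collections import Counter, namedtuple

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length of
# what follows, unit id. Note there is no identity or credential field at all.
MBAP = struct.Struct(">HHHB")
ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function")

READ_FUNCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}    # write single or multiple coils / registers


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code. Anything well-formed is accepted:
    the protocol gives a controller no way to tell an HMI from an attacker."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, unit, frame[MBAP.size])


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    body = bytes([function]) + payload
    return MBAP.pack(tid, 0, len(body) + 1, unit) + body


# Hypothetical IEC 62443-style zones keyed by host address (constructed data).
ZONES = {
    "10.1.1.10": "hmi_zone",
    "10.1.1.11": "engineering_zone",
    "10.2.0.5": "plc_zone",
    "192.168.50.7": "business_it",
}

# Conduits: (source zone, destination zone) -> permitted function codes.
# A missing entry means no conduit exists, so the traffic is denied outright.
CONDUITS = {
    ("hmi_zone", "plc_zone"): READ_FUNCS | {5, 6},               # reads plus single writes
    ("engineering_zone", "plc_zone"): READ_FUNCS | WRITE_FUNCS,  # full engineering access
}


def conduit_allows(src_ip: str, dst_ip: str, req: ModbusRequest) -> bool:
    """Protocol-aware conduit check: is this function code allowed between these zones?"""
    pair = (ZONES.get(src_ip, "unknown"), ZONES.get(dst_ip, "unknown"))
    return req.function in CONDUITS.get(pair, set())


class Baseline:
    """Established normal behaviour: (source, unit, function) tuples seen during
    a learning period. Anything not seen before is reported as a deviation."""

    def __init__(self) -> None:
        self.seen = Counter()

    def learn(self, src_ip: str, req: ModbusRequest) -> None:
        self.seen[(src_ip, req.unit_id, req.function)] += 1

    def is_deviation(self, src_ip: str, req: ModbusRequest) -> bool:
        return (src_ip, req.unit_id, req.function) not in self.seen


def evaluate(frames, baseline: Baseline):
    """Conduit policy first (the firewall's decision), then baseline comparison
    (the IDS view). Returns one (verdict, source, function) tuple per frame."""
    verdicts = []
    for src, dst, frame in frames:
        req = parse_modbus_tcp(frame)
        if not conduit_allows(src, dst, req):
            verdicts.append(("DENY", src, req.function))
        elif baseline.is_deviation(src, req):
            verdicts.append(("ALERT", src, req.function))
        else:
            verdicts.append(("ALLOW", src, req.function))
    return verdicts


READ_10_REGS = b"\x00\x00\x00\x0a"             # FC3 payload: start 0, quantity 10
WRITE_1_REG = b"\x00\x00\x00\x01\x02\x00\x01"  # FC16 payload: start 0, 1 register, value 1


def demo():
    """Constructed traffic: learn routine HMI and engineering polls, then test."""
    baseline = Baseline()
    baseline.learn("10.1.1.10", parse_modbus_tcp(build_request(1, 1, 3, READ_10_REGS)))
    baseline.learn("10.1.1.11", parse_modbus_tcp(build_request(2, 1, 3, READ_10_REGS)))
    traffic = [
        ("10.1.1.10", "10.2.0.5", build_request(3, 1, 3, READ_10_REGS)),     # routine HMI poll
        ("10.1.1.10", "10.2.0.5", build_request(4, 1, 16, WRITE_1_REG)),     # HMI bulk write: not on its conduit
        ("10.1.1.11", "10.2.0.5", build_request(5, 1, 16, WRITE_1_REG)),     # permitted, but never seen before
        ("192.168.50.7", "10.2.0.5", build_request(6, 1, 3, READ_10_REGS)),  # business IT host: no conduit
    ]
    return evaluate(traffic, baseline)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the block gives one verdict per frame: the routine HMI poll is allowed, the HMI's bulk write is denied because no conduit permits function code 16 from that zone, the engineering workstation's write is permitted by policy but alerted as never seen before, and the business IT host is denied because no conduit exists at all. In a real deployment the DENY decisions belong on the firewall or security appliance and the ALERT decisions on the IDS feeding the log analysis described above. Keeping the learning period separate matters: a baseline captured while an intruder is already active will learn the intruder's traffic as 'normal'.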

While NIS provides targets that improve understanding and identification of shortcomings, its real value lies in encouraging honest, objective assessment by operators, so it is important to avoid treating it as a compliance exercise. It is not immediately important if an objective is not achieved; what matters is that operators assess the underlying risk that the objective addresses and work toward reducing or removing it. While not a panacea, the rationale, methods and technologies discussed can help in that journey.

Phillip J Corner is project manager – Industrial Cyber Security at Cougar Automation.
