Implementing industrial-grade cybersecurity

03 April 2023

For industrial automation systems, seamless data connectivity is now as important as basic control functionality. Platforms providing built-in, defense-in-depth cybersecurity provisions are the best way to defend these highly connected solutions, argues Steve Rawlins.

Closer integration of OT and IT, combined with widespread use of Wi-Fi mobile devices, make data more accessible than ever before but also provide opportunities for bad actors.
Closer integration of OT and IT, combined with widespread use of Wi-Fi mobile devices, make data more accessible than ever before but also provide opportunities for bad actors.

Industrial automation platforms have moved beyond delivering basic functionality and are now being tasked with significant Industrial Internet of Things (IIoT) data aggregation and analytical functions. Every device is becoming smarter and more interconnected and the available data is valuable – but it must be available where and when it is needed. To realise maximum value, seamless and transparent connectivity is needed from the plant floor to the cloud. The Internet and higher-level enterprise computing resources are instrumental in transmitting and processing data.

However, increasing capability and connectivity generate greater cybersecurity concerns. Industrial-grade operational technology (OT) digital devices may be built to withstand physical extremes better than their IT counterparts, but IT has a significant head start for providing cybersecurity measures. Internet connectivity and the adoption of Wi-Fi on the plant floor opens doors for bad actors to access all types of OT digital assets. Whereas the availability of industrial digital devices has traditionally been paramount, today confidentiality and integrity play equally important roles.

Proper cybersecurity simply can’t be added on – it is essential for automation platforms to offer built-in defense-in-depth. 

How we got here
Cybersecurity concerns surrounding industrial automation systems are exacerbated by the intersection of many past decisions. While digital assets have been implemented within industry for over three decades, only recently did cybersecurity become an equal or greater concern than basic functionality. In fact, when the earliest devices were deployed there really were no cybersecurity practices in place. The greatest protection considered at that time was to isolate these devices, creating islands of automation that were relatively difficult to access from a physical perspective, and lacked widespread accessibility via networking. This was a secure design approach at the time based on available technologies, but is unacceptable for meeting modern business needs.

While newer installations and retrofits have some opportunity to use more secure digital devices, the reality is that many older and insecure assets remain in service for decades, without any security updates, and sometimes without any available support. Meanwhile, cyber-threats have accelerated in both quantity and sophistication. With wireless networks and USB devices, physical isolation is no longer feasible. It is in direct conflict with the need for comprehensive legitimate access to all types of industrial digital devices, especially as these devices gain significant intelligence and can supply valuable data.

Recognising the need for cybersecurity, but simply adding it to existing devices is not a complete answer, it is a bit like adding a locked steel door to a cardboard box to keep unwanted intruders away from the contents. Because many protocols and devices at the very fundamental levels of OT systems were designed without security in mind, and they lack the most basic of cyber defence mechanisms, no amount of patching can fix them. Cybersecurity provisions must instead be built-in in the proper manner to provide the necessary defense-in-depth.  

Problematic schemes
Efforts to incorporate cybersecurity have progressively improved over the years. Sometimes suppliers have used their own tactics, but because the commercial IT arena maintained a significant head start in the field, most of the best approaches have trickled down from this sector. In fact, custom or proprietary measures can be less secure than those based on open standards, which typically originated in IT.

In some cases, device vendors have implemented cybersecurity using a proprietary chipset associated with their own firmware. Proprietary elements are not open to easy inspection by industry experts and remain at ongoing risk of being compromised. And once in-house companies develop cybersecurity firmware, they must commit to continually curating and updating this firmware so that affected products remain secure. This means they must shoulder all the burden of finding vulnerabilities and fixing issues, without the community verifying solutions and providing assistance. Outdated hardware is nearly impossible to remedy without complete device replacement, and running with old firmware also introduces unacceptable vulnerabilities by failing to address the latest types of attacks.

Another more nefarious issue regarding proprietary cybersecurity provisions is that the provider must also establish protective measures around how security updates are deployed. Even if the cybersecurity hardware and firmware plan is viable, attackers with sufficient skills have sometimes developed ways to create their own modified firmware, which becomes deployed and opens the door for hacking. In some cases, users are unable to trust any future firmware upgrades, but upgrades are needed to provide protection against newer threats.

Although it may seem non-intuitive, open standards provide a more secure approach.

Open standards reduce risks
While some industrial suppliers have pursued proprietary hashing algorithms and other methods, a better solution for industry is to follow the proven best practices of the commercial IT sector – which has a far larger installed base of digital devices than the industrial world. OT designs can leverage the best of what the IT world has developed, and also learn from their mistakes.

For example, a few industrial suppliers offer all firmware and software applications via a curated repository, so qualified users have easy access. Each of these software packages is digitally encrypted and signed using industry standard strategies and open standards, including public and private keys. In this way they are utilising proven secure methods to deliver important updates to customers, leveraging the best of what has proven to work.

Building upon open standards and proven industrial protocols, Emerson products and platforms such as PAC Security center help users create and maintain cybersecure installations.
Building upon open standards and proven industrial protocols, Emerson products and platforms such as PAC Security center help users create and maintain cybersecure installations.

With open tools placed in the user’s hands, design and support personnel are set up for success. They can always download the latest software, confirm it is digitally verified, and install it to the target device or their computer. It is also possible to confirm the proper digitally verified version is on a target device like a PLC/PAC or an edge controller, so users can audit their site, instead of continuing to run on outdated versions for years because they fear updating their system.

Note that there is a difference between encryption and cybersecurity. Encryption in this case involves the delivery method, which serves to ensure the right firmware/software is obtained. Once the proper firmware/software is in place, users can install it and benefit from having the latest secure version in operation. Cybersecurity is a much wider topic, with encryption a subset. But this example shows an adoption method that can be applied across cybersecurity principles and specific needs.

More defence layers
Users should look for industrial platforms that have incorporated other open and standard cybersecurity technologies as they pursue a complete defense-in-depth approach for their projects.

For example, some industrial platforms use Trusted Platform Module (TPM), a dedicated microcontroller on-board to perform cryptographic and authentication tasks. Features such as the TPM are an example of what can be incorporated in a product to address security at all levels, seeking to make things as secure as possible, while still providing the functionality customers need.

Secure Boot is another aspect which can be incorporated into digital devices, and with it the firmware checks that the boot loader and all associated software images are signed with a cryptographic key authorised by the product vendor. As a security standard developed by the PC industry and used by the Unified Extensible Firmware Interface (UEFI) in conjunction with a device’s BIOS, Secure Boot prevents devices from being hijacked my malicious actors or modified to provide covert access. 

Developers, and especially OEMs, will want to make sure their industrial automation and computing platforms offer encrypted passwords, and the ability to lock and encrypt applications developed on those platforms. This is partly to protect intellectual property and prevent unauthorised changes in the field, but effective passwords and application locking also serve as additional cybersecurity layers, preventing them from being modified by unauthorised individuals. Similarly, when automation products need to communicate amongst each other or with higher-level computing resources, encrypted industrial communication protocols such as OPC-UA Secure are preferred.

Design practices and procedures represent an important aspect of cybersecure systems. Automation providers should test their products to ensure they can withstand cybersecurity threats. Designers should comply with widely accepted industry standards, such as ISA/IEC 62443, which defines the requirements and processes involved with implementing and maintaining cybersecure industrial automation and control systems. Proactive users will audit their installations to confirm ongoing performance of their installations. 

Secure connectivity from the plant floor to the cloud is no longer a nicety for industrial automation and data processing systems, it is an imperative. Traditional OT products were not built to deliver the level of cybersecurity which must accompany this expanded connectivity. Malicious actors are now targeting OT environments for a wide variety of reasons, and industry must be prepared. Add-on cybersecurity, or worse yet ineffectively created custom cybersecurity, leaves operational facilities vulnerable to attacks that can cripple production or introduce safety and environmental hazards.

Open standards, especially those developed and leveraged from the large base of IT technologies, provide the best answer for the OT industry. Developers need to build their automation solutions based on these types of standards – using industry-leading products with key security features built-in – such as digitally signed and encrypted firmware/software, secure boot, and encrypted passwords/applications. By following a robust, tiered approach, developers and OEMs can provide the best possible cybersecurity for their automation and IIoT solutions.

Steve Rawlins is the lead product security officer at Emerson’s controls and software business.

Contact Details and Archive...

Print this page | E-mail this page