Cybersecurity is ubiquitous in our daily lives: in our personal lives, our work and even within our cities. Cyberattacks are increasing in scale and complexity. With the emergence of new technological innovations in critical and industrial infrastructures, cybercriminals are increasingly targeting industry. Cybersecurity is becoming a key consideration for Industry 4.0 adoption.
The cybersecurity of industrial systems does not enjoy the same level of maturity as other sectors of cybersecurity. How can we offer our industrial systems the best available security while respecting compliance requirements?
Why is cybersecurity in industrial systems lagging behind?
Industry 4.0 is one of the stages in the long evolution of our industrial systems and processes. As with its predecessors, especially the 18th-century industrial revolution, the changes have been rapid. Industry 4.0 is based on new technologies, including the Internet of Things, Big Data, intelligent data analysis, robotics and other solutions based on Artificial Intelligence. These are transforming our industrial systems and quickly moving us into a new era of technology-based industry.
Operational Technology (OT), which covers industrial control systems (ICS) and their management framework, as well as supervisory control and data acquisition (SCADA), was, until now, kept apart. In other words, previous generations of OT were compartmentalized; individual units were isolated and poorly connected to other networks. Now, with the advent of Industry 4.0 and the convergence of OT with IT, our industries and the critical infrastructure they serve are hyperconnected.
However, the time required to integrate the connected technologies has led to a delay in the adoption of cybersecurity solutions adapted to this new reality.
Our industrial systems have not only connected our industries and partners, they have also connected our industries to cybercriminals. Indeed, Industry 4.0 and the technologies that enable it expose our companies to cyber threats.
“The Road to Resilience”, a report by the World Energy Council, examined the impact of cyberattacks on critical infrastructure. According to this report, cyber threats are among the main concerns of energy leaders, especially in Europe.
Large-scale cyberattacks on critical infrastructure, such as the one previously cited, combined with global events, such as the WannaCry ransomware infection in 2017, are making the industry aware of the threat of cyberattacks.
This is where legislation comes in. Robust regulatory frameworks are fundamental to sustaining and accelerating the changes needed to protect the industry. This regulation must, however, be adapted to the particular environment of OT.
Is the regulation of critical activities relevant to the industry?
Twenty general rules apply to critical activities in the industry. These twenty rules can be divided into three types:
- Essential rules: these rules are based on common sense and must be applied in a systematic way.
- Rules to challenge: observing these rules should be a goal. However, they can be difficult to meet because of structural problems.
- Inadequate rules: these rules are not always adapted to the specific needs of the industrial world.
1. The indispensable rules
The essential requirements are fundamental rules.
This can include:
- The determination of the organizational and security methods necessary to protect industrial assets in an information systems security policy.
- Certification of critical industrial computer systems using a risk assessment audit.
The other two types of rules are, however, more difficult to implement in the industrial sector.
2. The rules to challenge
Despite the importance of legal standards, the industry may encounter difficulties in complying with them.
The mapping of industrial assets, including hardware, software and all related information, is an example. This rule is essential for critical industrial operators. Our experience shows, however, that it is not always possible to comply with it for several reasons, including:
- OT assets are often delivered as “black boxes” and administered by third-party providers;
- OT maintenance teams generally do not have the technical expertise to administer these assets;
- Specific communication protocols and network configurations make it difficult to integrate automatic asset discovery.
Fortunately, some specialized solutions now support the detection of industrial assets and, as a result, can gather and maintain the mapping of industrial computer systems, including for specific devices.
3. The inappropriate rules
Some rules are sector-specific and difficult to adapt to a larger industrial landscape.
For example, applying security updates systematically is simply not realistic in an industrial environment, because the lifetime of OT differs significantly from that of IT. Applying updates compromises the stability of industrial machinery, so whether to apply one should be systematically determined using a technical impact analysis. That analysis is complex and time-consuming, and it requires skills that are often not available on the shop floor. As a result, critical industries must operate with between 30% and 50% of their industrial assets technologically obsolete.
Essential security options for industrial computer systems
In the field of cybersecurity of industrial systems, a three-pronged approach is required:
- Implement cybersecurity awareness training throughout the organization
- Use a set of solutions using innovative technologies adapted to the industrial environment
- Apply integration strategies adapted to an industrial environment
Cyber Security Awareness Training
One of the main measures to put in place in industry is to raise awareness among all of an organization's stakeholders, workers and managers alike, by setting up dedicated training.
- Executives: Executives often focus on the safety and productivity of staff. With the increase of cyber threats, it is now essential to consider digital and non-digital threats together. Cyber threats have entered the arena of security, quality, costs, delivery and people, affecting returns.
- Workers: They are not directly involved in security decisions, but cybersecurity awareness training needs to be extended to all staff. You need to provide your staff with a good training module that covers all security preparation, including everyday cybersecurity issues such as password security.
Security awareness training also includes simulation exercises to train users to spot phishing e-mails, etc.
In addition to setting up a cybersecurity awareness training module throughout the company, certain rules must be strictly enforced. For example, the use of mobile devices connected by USB must be prohibited in any critical industrial environment. The fact is that some critical assets cannot be protected with technical agents and it is also unrealistic to use only specific USB keys.
Specific solutions – For the specific needs of the industry
The special nature of industrial systems requires a set of cybersecurity solutions specialized for industrial systems. Certification addresses the specific nature of these types of environments. This is especially true for network monitoring and automatic asset discovery tools, which must cover industry-specific protocols and devices.
The fact that many assets are based on obsolete operating systems prevents the use of a number of protection solutions on the market. For example, anti-malware solutions may not be supported. Since it is unrealistic to stop production as soon as suspicious behavior is detected, it is necessary to integrate non-blocking application control solutions specific to industry. They can be used in conjunction with specific protection strategies, based on peripheral protection.
Towards more advanced protection models?
Providing resilience in an environment that is unsecured and uncontrolled by default is a challenge. Our once secure, global and deterministic approaches are limited and inadequate to protect critical environments in an industrial context.
New approaches need to be found to protect critical industrial computer systems. These approaches optimize security while ensuring the continuation of operations. Industrial systems must enable collaboration, in real time, in a performance-sensitive environment. Dynamic and adaptive solutions that can be reconfigured automatically when a change is detected in the environment serve as a basis for meeting the agility and dynamism needs of modern industrial cybersecurity.
To do this, we must rely on the latest protection technologies, such as machine learning, homomorphic encryption and blockchain.
Adapting the level of protection to the threat with appropriate measures is the key to combining the three pillars of cybersecurity of industrial systems:
- Have robust protection adapted to industrial systems;
- Respect the legislation;
- Meet specific operational needs in an industrial environment.
These three pillars of the cybersecurity of industrial systems, applied during the creation of a safe industrial environment, form the adaptive model necessary for the cybersecurity of Industry 4.0. This model has the capacity to deal with the complexity of the industrial landscape, in functional, technical and organizational matters. It allows companies to comply with the law, to stay within industrial standards while protecting their most critical industrial assets.