Although open and collaborative networks have raised productivity and profitability, they have also increased vulnerabilities, making systems more open to cyber attacks than ever before.
A Frost & Sullivan white paper, entitled Cyber Security for Industrial Automation & Control Environments, which was completed in partnership with Schneider Electric, reveals that the proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion.
The paper further shows that while some industries have made progress in minimising the risk of cyber attacks, the barriers to improving cyber security remain high. “More open and collaborative networks have made systems more vulnerable to attack. In addition, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.
“The uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial, off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Insufficient expertise in industrial IT networks is a sector-wide challenge.”
Against this background, the white paper recommends that organisations need to partner with a solutions provider who understands the unique characteristics of the industrial environment and is committed to security.
One such end-to-end solutions provider, Schneider Electric is seeking to ‘build in’ security for its new solutions and services across the entire lifecycle, as well as improve security capabilities in existing solutions.
Given the complex nature of the challenge, Schneider Electric is approaching the
problem from different angles: Schneider Electric recommends a ‘Defence-in-Depth’ approach to cyber security for its customers. Defence-in-Depth is a hybrid, multi-layered security strategy that provides holistic security throughout an industrial enterprise and is expected to become a security standard in factories of the future.
Originally a military strategy, Defence-in-Depth was developed by the U.S. Department of Defense’s National Security Agency (NSA).
The six key steps used in the Defense-in-Depth approach are:
· Security plan: Policies and procedures that cover risk assessment, risk mitigation and methods to recover from disaster.
· Network separation: Separating the industrial automation and control system from other networks by creating demilitarised zones (DMZ) to protect the industrial system from enterprise network requests and messages.
· Perimeter protection: Firewalls, authentication, authorisations, VPN (IPsec) and antivirus software to prevent unauthorised access.
· Network segmentation: Containment of a potential security breach to only the affected segment by using switches and VLANs to divide the network into sub-networks and by restricting traffic between segments. This helps contain malware impact to one network segment; thus limiting damage to the entire network.
· Device hardening: Password management, user profile definition and deactivation of unused services to strengthen security on devices.
· Monitoring and update: Surveillance of operator activity and network communications, and regular updates of software and firmware.
The white paper highlights that best practice cyber security planning, in effect, addresses total security requirements in a unified manner; not just that of cyber security. It states that, according to the Pareto Principle, approximately 80 percent of impacts arise from 20 percent of causes. Recognising that the reason for inaction can sometimes be the sheer enormity of the task, Schneider Electric’s recommendation to clients is generally to adopt a step-by-step plan. This means:
1. Identifying the biggest impact to the organisation in terms of a security breach;
2. Zoning in on which specific area of plant operations is linked to that impact;
3. Outlining what the biggest vulnerabilities are in relation to that area of operation; and
4. Minimising or eliminating those vulnerabilities.
Once complete, the organisation can move on to the next impact-area-vulnerability issue. Rather than revamping an entire system at once and falling victim to ‘analysis paralysis’, a focused step-by-step approach not only ensures that the significant changes with the highest impact are effected immediately, but also the organisation does not spread itself too thin and therefore, realises the best value for Rands invested.
However, a step-at-a-time tactic should not tempt organisations into losing sight of the ‘big picture’. This is where security beyond the cyber threat needs to be considered as well.
According to the paper, with Schneider Electric’s best practice cyber security planning, comprehensive suite of industrial control solutions (from I/O level through to PLCs, SCADA and enterprise level solutions such as Ampla), building access control, data centre solutions, electrical distribution products, as well as security systems (including video surveillance, access control, fire and life safety and intrusion detection systems), organisations are reassured that any plan to mitigate vulnerability will be holistic. This is possible not only because of the diverse offerings available, but also because a single view of total operations is made possible.
Organisations can therefore make the successful shift toward securing their operations by relying on industrial control solutions providers that treat security as core to their offerings.
