chungking - Fotolia
New and recently developed systems typically include authentication mechanisms and other security controls, but legacy systems that are still widely deployed and used lack such controls because they were designed to work in isolation.
Many of the industrial control systems still in use were developed 25-30 years ago, but have since been connected to the internet to enable remote access, giving rise to the need for greater security.
As a manufacturing company, Airbus has a vested interest in protecting industrial control systems. Consequently, ICS security is a key area of research and development in its cyber security division.
Airbus routinely takes its ICS cyber security innovations to market, adding to the growth of this emerging market and increasing the security options available to providers of critical national infrastructure (CNI).
In this way, Airbus benefits directly from security innovations used in its plants, but also indirectly by helping to ensure the security of critical national infrastructure.
“We really know our stuff in the ICS space because we are a manufacturing organisation,” said Kevin Jones, head of cyber security innovation at Airbus.
“We are almost privileged because we learn internally by protecting and defending our own systems and environments, using and evaluating commercially available technologies, and developing our own technologies, which puts us in a good position to go to market around CNI,” he told Computer Weekly.
Read more about ICS security
- There is a pressing need to improve cyber security in industrial control system environments, according to security certification body Crest.
- Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security.
- Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye.
- Targeted attacks on industrial control systems are the biggest threat to critical national infrastructure, says Kaspersky Lab.
Airbus has security research labs in France, Germany and the UK that develop tools for penetration testing, code verification and validation, threat hunting, incident response and forensics, including ICS.
The research lab at Newport in Wales is focused on industrial control and is continually testing industrial control systems and developing defensive and monitoring technologies to make them more secure.
Although typically associated with manufacturing plants and CNI, Jones said retailers also rely heavily on ICS for their supply chains and logistics.
However, not all operators of industrial environments have the same level of security awareness and investment as they do for conventional IT, he said.
Although security around industrial control systems tends to vary from organisation to organisation, Jones said there is a good level of awareness, understanding and protection among operators of CNI in the UK.
“Most are still looking to improve their monitoring and detection techniques as technologies are being developed and evolved to help them do that,” he said.
Just five years ago, Jones said there were relatively few technologies for security designed specifically with ICS in mind. “But now we are seeing the emergence of a dedicated technology market,” he said.
In the past, even if there was an awareness of the need to secure ICS, there were not many options available to organisations. Jones said that is changing as this emerging market matures.
He said much more needs to be done in terms of developing monitoring technologies for the industrial environment, and consequently this is a key area of focus for Airbus.
Identifying security vulnerabilities
In general, he said, there is a much greater awareness of where ICS systems are connecting, of the need to close down everything that does not need to communicate, and of where engineers are plugging in.
Internationally, Airbus is seeing an increased awareness of security in industrial environments, with more organisations enquiring about securing operational technology (OT).
There is growing maturity on the part of the operators and suppliers, according to Jones. “Suppliers are now thinking more about these systems being in industrial environments and the responsibilities and requirements for functionality and safety that go with that, while on the operators’ side there is an evolving maturity around the risk and the threat landscape,” he said.
But most organisations have a lot of catching up to do, with many still lacking clarity around who in an organisation is responsible for OT security.
Engineered systems different to traditional systems
As engineered systems that are typically time-sensitive and run around the clock, Jones said OT systems are very different to traditional IT systems, making it difficult to simply port IT security controls into an ICS.
However, Airbus is continually investigating what can be done “at the edges” where there is standard IT infrastructure to protect critical OT systems from cyber attack.
An example of this is a patented authentication system developed to address a common security vulnerability in legacy ICS that enables attackers to access systems without any credentials, leaving them open to manipulation.
To address this problem, Airbus has developed an encryption-based device that can be connected to a typical networked ICS environment using standard protocols and programmable logic controllers (PLCs) and to human-machine interfaces (HMIs).
Plug and play
In the context of an ICS environment, the device is designed to be plug and play for easy integration and deployment and to fail open to ensure the ICS system keeps functioning if there are problems such as power failure or hardware failure of the device, but it will nevertheless trigger an alert to operators.
Once the device is connected, all communications between the HMI and the PLC are encrypted, which means only authorised operators in possession of the encryption key will be able to communicate with the PLC, effectively providing authenticated access control on legacy systems where none existed before.
“This device is designed to meet the need to encapsulate security around an existing legacy environment, providing authentication and access control, which is a real step change in the security of your system without reducing safety or functionality,” said Jones.
“You can even have specialist keys that go to engineers so that you can revoke certain access if you need to limit the scope. It also enables organisations to have different security zones by having different keys for different parts of a plant that should never communicate,” he said.
The device can also be used to get around complex key management problems with more modern PLCs that have built in virtual private network (VPN) communications and in mixed supplier environments where VPNs can be difficult to integrate between various makes of PLC.
ICS systems hard to attack
Although the Newport lab looks for vulnerabilities in ICS and develops ways of mitigating them, Jones points out that attacking industrial control systems is not as easy as many people think.
Despite vulnerabilities in individual components, he said, once these are put together in a bigger system it is a lot more difficult to exploit those vulnerabilities than some people claim.
“In the lab it is easy to exploit these vulnerabilities because we have direct network access to the PLCs, but in the real world there are a few things that can help to make it more difficult for would-be attackers, such as good network security, including various filters on the web traffic,” said Jones.
“Ultimately, good security architecture is the best thing that could help, and we advise operators of ICS environments to do all they can to harden devices, which is one of the easiest things they can do to stop attacks that exploit vulnerabilities in the hardware,” he added.
However, the need to think about security in ICS environments, to harden devices and networks, and to deploy security controls appears to be growing, especially in the light of reported claims that cyber attackers are regularly trying to attack data networks connected to critical network infrastructure.
Regular attacks on European infrastructure data networks
European infrastructure data networks face regular attacks, according to Reuters, citing current and former European government sources. It said the attacks were similar to those the Washington Post reported had been launched by Russian government hackers against business systems of US nuclear power and other companies involved in energy production.
The Washington Post said recent attempted Russian hacking attacks on infrastructure related systems in the US appeared to be an effort to “assess” such networks, but there was no evidence that hackers had actually penetrated or disrupted key systems controlling operations at nuclear plants.