Defending the Control Room: Layer by Layer

Article by Andy Crosland

Increased connectivity both within and outside process plants can facilitate significant benefits, but can also give hackers a better chance of accessing critical systems. A layered approach to cybersecurity is vital in protecting control and safety systems

The rapid growth of the Industrial Internet of Things has led users of industrial automation and control systems (IACS) to seek more connected systems, with links to the corporate intranet and the internet so that process and equipment data can be exchanged. The collection and remote analysis of such data can bring significant benefits to companies in the process industries, helping operators make better-informed operating decisions that improve efficiency, reliability and productivity. However, every such connection is also a potential path for a cyberattack, and the more of them there are, the larger the attack surface that must be defended.

Attackers may carry out a cyberattack to steal sensitive information, to disrupt the process, to gain financially, or even to put a system into an unsafe condition, leaving workers, equipment, the asset, the environment and the company's reputation at risk. For example, a 2014 report by the German Federal Office for Information Security (BSI) described an attack on the IACS of a German steel mill that caused serious damage to a blast furnace. In 2017 it was widely reported that a cyberattack on a petrochemical plant in Saudi Arabia specifically targeted the plant's safety system. As the consequences of these and other high-profile incidents have shown, it is crucial for companies to implement robust and effective measures to protect their systems, including the IACS, against unauthorised access or cyberattack.

In numbers

The number of cyberattacks against organisations is alarming. For example, UK Government figures for 2019 [1] reveal that 61% of all large businesses and 60% of medium-sized businesses reported cybersecurity breaches or attacks over the previous 12 months. The most common type of breach involved phishing attacks (identified by 80% of businesses), followed by people impersonating the organisation in emails or online (28%) and viruses, spyware or malware, including ransomware (27%). Breaches were often linked to human factors, highlighting the importance of staff awareness training on new technologies and a culture of security vigilance. Yet while 78% of UK businesses regard cybersecurity as a high priority for their senior management, only 33% have formal policies covering cybersecurity risks, and a mere 16% have a formal cybersecurity incident management plan.

Standards and guidance

The IEC 61511 standard, widely recognised as good practice when engineering safety instrumented systems (SIS), requires a security risk assessment to identify SIS vulnerabilities to cyberattack, and references the ISA/IEC 62443 series of standards and technical reports for guidance on implementing electronically secure IACS. In addition, government agencies and industry associations in major European countries provide guidance to help process operators improve cybersecurity. For example, the UK's Health and Safety Executive (HSE) has issued an Operational Guidance document [2] representing its interpretation of current standards on industrial cybersecurity. Following this guidance can help operators show that cybersecurity risks have been reduced to as low as reasonably practicable (ALARP) if they are challenged to demonstrate compliance with relevant health and safety legislation.

The HSE document focuses on three main principles for implementing risk reduction:

  • Protect, detect and respond – detect possible attacks and respond in an appropriate and timely manner to minimise their impact.
  • Defence in depth – multi-layer protection is required to avoid single-point failures.
  • Management and organisational procedures are required – technology alone is not enough to provide robust protection.

Risk assessments

Further supporting risk reduction, process safety risk assessments can be carried out to determine the likelihood and potential consequences of a range of events, so that measures can be taken to achieve ALARP safety. Cybersecurity risk assessment is a challenging area because the constant evolution of threats makes historical data a poor guide to the likelihood of future security breaches; the assessment therefore has to be repeated as the threat picture changes. IACS suppliers employ specialists who can carry out cybersecurity risk assessments on a regular, ongoing basis to help companies meet this challenge.

Typical threats to consider include worms and viruses; transportable media such as USB sticks and temporary connections such as vendor laptops; software errors, for example in system firmware; unauthorised local or remote access; unauthorised actions by trusted insiders (employees or vendors with access); unauthorised data transfer; unintended employee actions; denial of service; system sabotage; and theft. An asset's vulnerability to each of these threats should be assessed and the results stored securely with limited access, since the assessment itself is a map of the plant's weak points. Following an initial risk assessment phase, appropriate cybersecurity countermeasures should be selected and implemented, and periodic follow-up audits performed.

ICSS security

Integrated control and safety systems (ICSS) have been successfully deployed in process industry applications for many years. Integrating the systems has many advantages, but with it comes the concern raised by some that a cyberattack on the IACS might reach the SIS, leading not just to a process upset but potentially to a catastrophic safety incident. That is why industrial automation suppliers go to great lengths to follow a defence-in-depth approach in product development, to ensure that integration does not compromise SIS security, and to maintain separation between the SIS and the basic process control system (BPCS) layers in compliance with IEC 61511 and the concepts of ISA/IEC 62443. The HSE guidance does not stipulate any particular architecture for achieving this separation, and there is no reason why the SIS cannot be secure within an ICSS, provided the system has properly designed security features.

Layers of protection

Multiple layers of protection are used to reduce the risk of process accidents, and the same concept is applied to SIS cybersecurity. Firstly, it should be made as difficult as possible to gain unauthorised access to the control system. Plant managers should implement user privilege management on the principle of least privilege, allowing each operator to access only the parts of the system and network they need to perform their job. Remote sites should be secured to the same standard as the main production site, since an attacker will use the weakest entry point. Further measures include managed switches that limit access to parts of the communications network; workstation hardening that reduces the attack surface by disabling unused Windows services and external media (USB ports etc); patch management to ensure timely application of software fixes; endpoint protection; firewalls; demilitarised zones; and secure architecture design following best practice. Even if an attacker still manages to gain access to the outer control system, a well-designed ICSS contains multiple additional levels of protection for the SIS within it, preventing malicious actions from creating unsafe conditions.

Network isolation is an important way of keeping the SIS secure within the ICSS. Proxy servers limit and control the flow of data between the separate networks, passing only approved communication and terminating each connection rather than routing it through. This prevents a compromise at the BPCS network level from spreading directly to the SIS logic solvers on the separate safety network.

A proprietary protocol between the BPCS and the SIS, with validity checks in the logic solver on every data change request (is this tag writable from the BPCS at all, and is the value within its engineering limits?), further reduces the risk of unauthorised changes to the SIS. Whether the SIS is fully integrated or a third-party SIS is interfaced via open protocols, maintenance bypasses are typically set from the BPCS, so robust bypass management inside the logic solver is key. This includes preventing multiple simultaneous bypasses, automatically removing an active bypass after a specified time, and requiring additional authorisation of a bypass via a physical key or an electronic signature from a second person. Tight integration between BPCS and SIS enables prompt notification whenever a bypass is present in the SIS, easing detection of an unauthorised bypass.

Another effective way to reduce cybersecurity risk is to require physical presence at the logic solver location before configuration changes can be downloaded, typically via a key switch on the logic solver. Most industrial process plants have effective physical access control, so even if IACS security has somehow been compromised from outside the plant, the attackers have no physical access to secure areas and cannot change the SIS configuration. An effective solution for enforcing physical presence should include mechanisms to avoid inadvertently leaving the system unprotected, for example an automatic return to the locked state after a set period or alarming while the switch remains in the enabled position.
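The three logic-solver protections described above (validity checks on BPCS data change requests, bypass management, and a key switch that gates configuration downloads and relocks itself) can be shown together as one small state model. The code below is an added illustration, not Emerson's or any vendor's product logic; the tag names, engineering limits, the four-hour bypass limit and the fifteen-minute key-switch timeout are assumptions chosen for the example.

```python
"""Model of protective logic a safety logic solver can apply to requests from the
BPCS.  Added example: tag names, limits and timeouts are assumptions, not any
vendor's product behaviour."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed tag database: which SIS values the BPCS may write, with assumed
# engineering limits.  Any other tag is rejected outright.
WRITABLE_TAGS = {
    "PAH_101.trip_point": (0.0, 50.0),    # bar, assumed range
    "TAH_204.trip_point": (0.0, 400.0),   # degC, assumed range
}
BYPASSABLE_TAGS = {"PAH_101", "TAH_204"}
MAX_BYPASS_SECONDS = 4 * 3600    # assumed plant rule: bypass auto-clears after 4 h
KEY_SWITCH_TIMEOUT = 15 * 60     # assumed: key switch auto-relocks after 15 min


@dataclass
class Bypass:
    tag: str
    requested_by: str
    authorised_by: str
    started_at: float


@dataclass
class LogicSolver:
    now: float = 0.0                          # simulated clock, seconds
    active_bypass: Optional[Bypass] = None    # at most one bypass at a time
    key_enabled_at: Optional[float] = None    # None means key switch is locked
    audit: list = field(default_factory=list)  # audit trail of every decision

    def _log(self, msg: str) -> None:
        self.audit.append(f"t={self.now:.0f} {msg}")

    def tick(self, seconds: float) -> None:
        """Advance the clock and expire the bypass / key switch when due."""
        self.now += seconds
        b = self.active_bypass
        if b is not None and self.now - b.started_at >= MAX_BYPASS_SECONDS:
            self._log(f"bypass on {b.tag} auto-removed after time limit")
            self.active_bypass = None
        if self.key_enabled_at is not None and self.now - self.key_enabled_at >= KEY_SWITCH_TIMEOUT:
            self._log("key switch auto-relocked")
            self.key_enabled_at = None

    def write_request(self, tag: str, value) -> bool:
        """Validity check on a BPCS data change request."""
        limits = WRITABLE_TAGS.get(tag)
        if limits is None:
            self._log(f"REJECT write {tag}: not writable from BPCS")
            return False
        lo, hi = limits
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            self._log(f"REJECT write {tag}={value!r}: outside {lo}..{hi}")
            return False
        self._log(f"accept write {tag}={value}")
        return True

    def request_bypass(self, tag: str, requested_by: str, authorised_by: Optional[str]) -> bool:
        """Single bypass at a time, independently authorised by a second person."""
        if tag not in BYPASSABLE_TAGS:
            self._log(f"REJECT bypass {tag}: not bypassable")
            return False
        if self.active_bypass is not None:
            self._log(f"REJECT bypass {tag}: {self.active_bypass.tag} already bypassed")
            return False
        if not authorised_by or authorised_by == requested_by:
            self._log(f"REJECT bypass {tag}: independent authorisation required")
            return False
        self.active_bypass = Bypass(tag, requested_by, authorised_by, self.now)
        self._log(f"bypass {tag} set by {requested_by}, authorised by {authorised_by}")
        return True

    def turn_key(self) -> None:
        """Physical key switch at the logic solver; starts the relock timer."""
        self.key_enabled_at = self.now
        self._log("key switch enabled at logic solver")

    def download_configuration(self, engineer: str) -> bool:
        """Configuration download is only accepted while the key switch is enabled."""
        if self.key_enabled_at is None:
            self._log(f"REJECT config download by {engineer}: key switch locked")
            return False
        self._log(f"accept config download by {engineer}")
        return True


if __name__ == "__main__":
    ls = LogicSolver()
    ls.write_request("PAH_101.trip_point", 42.0)      # accepted
    ls.write_request("PAH_101.trip_point", 99.0)      # rejected: out of range
    ls.request_bypass("PAH_101", "op1", "op1")        # rejected: self-authorised
    ls.request_bypass("PAH_101", "op1", "sup2")       # accepted
    ls.request_bypass("TAH_204", "op1", "sup2")       # rejected: one at a time
    ls.download_configuration("eng1")                 # rejected: key locked
    ls.turn_key(); ls.download_configuration("eng1")  # accepted
    ls.tick(4 * 3600)                                 # bypass and key both expire
    print("\n".join(ls.audit))
```

Every decision, accepted or rejected, is appended to the audit trail, which is what the configuration audit trail and SIEM monitoring discussed later in the article consume; a rejected request is often the earliest sign that something upstream has been compromised.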

IEC 61511 has strong requirements for the control of modifications to the SIS. Configuration audit trail management systems can help in detecting and preventing unauthorised changes, particularly if electronic signatures from multiple users are required to authorise a change before it is implemented. Additional measures at log-on, such as smart cards for two-factor authentication, further reduce the value of a stolen password to an attacker.

Security monitoring is not only an important mechanism for detecting threats, but also supports forensics and helps prevent similar attacks in future. A centralised security information and event management (SIEM) platform can collect system events and logs from IACS workstations, servers and network equipment and present them in a meaningful dashboard for prompt response. A SIEM can also monitor network traffic through network security monitoring appliances that feed it via a one-way only communication flow, so that the monitoring path cannot itself be used to send traffic back into the control network.
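As an added example of the kind of correlation a SIEM would run over the events just described (not a rule set from any product or from the original article), the code below parses a handful of constructed log lines from an engineering workstation, an operator workstation and an SIS logic solver and raises alerts for a failed-logon burst, a successful logon following that burst, removable media on a hardened workstation, and an SIS configuration download that is not preceded by a key-switch-enabled event. The log format (ISO timestamp followed by key=value pairs), the host names, event names and thresholds are all assumptions made for the example.

```python
"""Minimal SIEM-style correlation over constructed IACS event logs.
Added example: format, host names, event names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: <ISO timestamp> key=value ...
SAMPLE_LOGS = """\
2019-06-03T10:15:02 host=EWS01 evt=logon_failed user=eng1 src=10.1.2.55
2019-06-03T10:15:09 host=EWS01 evt=logon_failed user=eng1 src=10.1.2.55
2019-06-03T10:15:15 host=EWS01 evt=logon_failed user=eng1 src=10.1.2.55
2019-06-03T10:15:20 host=EWS01 evt=logon_failed user=eng1 src=10.1.2.55
2019-06-03T10:15:26 host=EWS01 evt=logon_failed user=eng1 src=10.1.2.55
2019-06-03T10:15:40 host=EWS01 evt=logon_ok user=eng1 src=10.1.2.55
2019-06-03T10:22:11 host=OWS03 evt=usb_inserted device=VID_0781 user=op7
2019-06-03T10:31:05 host=SIS01 evt=config_download user=eng1 src=10.1.2.55
2019-06-03T11:02:50 host=SIS01 evt=key_switch state=enabled
2019-06-03T11:04:12 host=SIS01 evt=config_download user=eng4 src=10.1.2.12
""".splitlines()

FAILED_LOGON_THRESHOLD = 5                # assumed: 5 failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
KEY_SWITCH_WINDOW = timedelta(minutes=15)   # assumed: download must follow key switch within 15 min


def parse(line: str) -> dict:
    """Turn one 'timestamp k=v k=v' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines) -> list:
    """Return (rule, host, user, timestamp) alerts in the order they fire."""
    alerts = []
    failed = defaultdict(list)   # (host, user) -> recent failed-logon timestamps
    key_enabled_at = {}          # host -> time the key switch was last enabled
    for ev in (parse(l) for l in lines):
        host, evt, ts = ev["host"], ev["evt"], ev["ts"]
        if evt == "logon_failed":
            k = (host, ev["user"])
            # keep only failures inside the sliding window, then add this one
            failed[k] = [t for t in failed[k] if ts - t <= FAILED_LOGON_WINDOW] + [ts]
            if len(failed[k]) == FAILED_LOGON_THRESHOLD:
                alerts.append(("brute_force", host, ev["user"], ts))
        elif evt == "logon_ok":
            k = (host, ev["user"])
            if len(failed[k]) >= FAILED_LOGON_THRESHOLD:
                # a success right after a burst of failures is the interesting case
                alerts.append(("logon_after_failures", host, ev["user"], ts))
            failed[k] = []
        elif evt == "usb_inserted":
            # removable media should be disabled on hardened workstations
            alerts.append(("removable_media", host, ev["user"], ts))
        elif evt == "key_switch" and ev.get("state") == "enabled":
            key_enabled_at[host] = ts
        elif evt == "config_download":
            enabled = key_enabled_at.get(host)
            if enabled is None or ts - enabled > KEY_SWITCH_WINDOW:
                # download accepted without a recent physical key switch event
                alerts.append(("download_without_key_switch", host, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for rule, host, user, ts in correlate(SAMPLE_LOGS):
        print(f"{ts:%H:%M:%S} {rule:28s} host={host} user={user}")
```

On the sample data the first download by eng1 fires because no key-switch event precedes it, while the later download by eng4 is silent because the key switch was enabled two minutes earlier; paired with the failed-logon burst from the same source address, that first alert is exactly the chain an analyst would want on the dashboard. The one-way flow mentioned above applies to how these logs reach the SIEM: the collector only needs to read them, never to write back.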


As a last resort, for either a complete system restoration or the recovery of individual files, a comprehensive backup and recovery solution needs to be in place. This should include backup storage in a different geographical location in case a disaster affects the local servers, and at least one copy that is kept offline or otherwise write-protected so that ransomware reaching the control network cannot encrypt the backups along with the live systems. Backup data should be checked periodically, ideally by test restores, to make sure it is valid and readily available when needed.

As previously mentioned, implementing technology alone is not enough. Companies should have management-backed cybersecurity policies and procedures in place, with all control and safety system users properly trained and a cybersecurity culture built across all levels. All employees should be fully aware of the risks to system integrity and of the potential consequences of a security breach. An incident handling capability must be implemented covering preparation, detection, analysis, containment, removal and recovery. Finally, cybersecurity audits should be conducted at planned intervals. With new security threats constantly arising, cybersecurity ought to be treated as a continuous activity and reviewed regularly.


Further reading

1. Cyber Security Breaches Survey 2019, HM Government, Ipsos MORI Social Research Institute and University of Portsmouth.

2. Cyber Security for Industrial Automation and Control Systems, Health and Safety Executive.

Andy Crosland is Safety Systems Specialist, Emerson
