When securing network assets, a long and often complex list of configurations must be performed to ensure industrial control systems have the appropriate cyber protection. This article presents a systematic and automatic approach to those security configurations, with an aim of decreasing the probability of implementing incorrect or incomplete configurations that can occur when performed manually.
In recent years, there has been an increasing number of cyberattacks on critical industrial sectors including energy, water treatment, hospitals, and transportation. As all of these sectors require electricity, the power generation industry is vital to them, which makes it a prime target of cyberattacks.
The implementation of cybersecurity should take a holistic approach, encompassing the pillars that the International Electrotechnical Commission (IEC) lists as: “People, processes and technologies,” where each aspect has equal priority and relevance.
The Normative Approach
Recent studies have shown that the best approach to protect critical infrastructure from a regulatory perspective is by using a hybrid adoption of standards (vertical and horizontal). Horizontal standards are characterized by a broader and more flexible spectrum, such as the International Society of Automation (ISA)/IEC 62443, and can be applied to a wide variety of critical infrastructure. The vertical standards focus on a specific sector, such as the North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards for the electrical sector.
This recommendation is based on the fact that applying both types of standards brings greater procedural robustness to the overall cybersecurity solution. As each normative system concentrates on its own area of specialization, their approaches tend to complement rather than oppose each other, giving the process a highly multifocal character.
As different companies have different levels of maturity regarding their implementation of cybersecurity, it is challenging to recommend a singular approach that fits all of them. However, it is reasonable to start the normative process structure with the horizontal standards, and then complement them with the vertical standards that are specific to each sector. Neither approach is more efficient than the other, but both are equally necessary and complementary.
Based on this approach, the ISA/IEC 62443 set of standards, hereinafter referred to as “standard,” will be presented as an applicable cybersecurity guide to any critical industrial process. Included in section 4 of the standard are lists of good practices and requirements to which components must adhere. There are different levels of complexity defined by different “security levels,” which detail the level of resilience the components would be able to offer in the event of a cyberattack.
Each security level has a clear definition of the skills, motivation, intent, and resources of the adversary it is designed to protect against. Because the standard already defines best practices for each predetermined level, the automatic security verification system presented in this article is based on the parameters the standard elaborates. Security level 2 (SL-2) was defined as the minimum requirement for critical infrastructure; it is capable of handling the simplest and most common intrusion attempts, including brute force, network scanning, and weak authentication, among others, and the system presents these features to the user through a graphical interface. More sophisticated attacks, considered as higher levels (levels 3 and 4, representing terrorism and nation-state attacks, respectively), require a much greater combination of resources (software and hardware) as well as a much longer development time.
The Importance of Systematization
The use of a systematic and mainly automatic approach to implement configurations is essential to ensure uniformity and, more importantly, a consistent and reliable repeatability of the configurations. This approach aims to reduce human interference during this process, as the human factor is considered a major cause of cyber incidents regardless of whether they are intentional or not.
Performing configurations automatically becomes even more important in repetitive activities, as human beings generally tend to make more mistakes on this type of process. Thus, the aim is to ensure that manual configurations are performed only when absolutely necessary as this will significantly reduce the possibility of mistakes. Furthermore, the personnel that set the security of each device should have the correct technical ability to ensure the settings are performed appropriately. Ensuring personnel have the correct level of expertise will reduce the possibility of the configurations being performed inaccurately.
Further compounding this problem is the fact that vulnerabilities caused by human error are difficult to detect, because the detection often relies on the audit process that the company has implemented, which may not be 100% reliable. This type of problem tends to be exponentially greater if the audit processes are purely manual. Unfortunately, sometimes an employee will deliberately attempt to sabotage a network. Whether performed by accident or on purpose, both are referred to as insider threats. It is, therefore, crucial that cybersecurity measures also be able to identify and prevent those with malicious intent from being able to disrupt normal operations.
It is important to give attention to not only the methodologies themselves, that is, “what to implement,” but also to the way in which they are implemented—“the how.” By taking a systematic and automatic approach to implement the configurations, these risks can be considerably reduced, which increases the reliability and security of the networks.
Although this article presents many arguments that support implementing an automatic and systematic approach as opposed to an approach that relies solely on humans, it does not mean that humans should be removed from the process altogether. Instead, the idea is to find the optimum point of interaction between technology and humans.
The Referral List
The first section of the standard (IEC 62443-1-1) introduces seven fundamental requirements for cybersecurity: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. In addition, the standard also sets out system requirements and their suitability for each security level.
Higher levels of security require more features and configurations of greater complexity; lower levels require fewer features. Therefore, the security levels (SLs) established by the standard must have their requirements implemented differently to achieve their objectives. Annex B of IEC 62443-3-3 shows a clear relationship between requirements and security levels, allowing the creation of a fully auditable list for each piece of equipment at each security level.
The Human Factor
A systematic configuration and verification system aims to defend automation systems against the types of threats defined by the standard, but it has other advantages as well. As previously mentioned, an extremely important issue is how humans can introduce vulnerabilities into automation systems. The main sources of such vulnerabilities are the configuration process (execution only), the decision-making process (cognitive decisions), and hybrid processes (a combination of decisions and execution).
Decisions are necessary when implementing cybersecurity measures. Even neuroscience is unclear about how decision-making processes and interactions occur within the human brain, but it is generally understood that performing processes of different complexity produces different intensities of effort. Therefore, every deployment of cybersecurity measures must also consider the dynamics of human decision-making. How humans interact with automation cybersecurity systems, and the difficulties that can arise, will now be considered.
The Decision-Making Level
Decision-making refers to the choices that the standard leaves to operators. It often involves complex decisions that only users are able to determine. In this sense, the systematic configuration and verification system should support users, but not decide on their behalf. It should assist users in implementing their decisions easily, without compromising or influencing their decision-making process.
An important concept introduced in IEC 62443-1 that requires decision-making is security zones, where equipment within the same zone must be protected by the same “achieved security level” (SL-A, where “achieved” denotes the protection of an asset or zone). However, this does not mean that all zones must have the same security level. For this reason, it is necessary to have the flexibility to allow lower or even customizable levels of security (Figure 1).
1. List of objective functionalities to be audited. Courtesy: Moxa
The security level required for an asset or zone and the decision whether or not to apply specific security settings to an existing process is determined by asset owners. Owners can measure and understand the applicability and impact of each configuration to the system.
It is essential to highlight that the implementation of these functionalities in a production system, even if recommended by the standard, must be evaluated through an appropriate risk assessment that includes its impact on current system operation. The result is that no implementation is performed automatically without users’ consent.
Compared to the decision-making process, the configuration process tends to be simpler, but as mentioned earlier, this process has other difficulties, such as the repeatability and complexity of certain types of configurations that can lead to human error. The configuration process mentioned in this article is defined as the implementation of the technical policies and does not require any decision-making processes, only the execution tasks.
The list available in Annex B of IEC 62443-3-3 is the basis for the security verification system. It allows users to compare without subjectivity whether the audited equipment is correctly configured or not.
By conducting a network scan and comparing current settings with desired ones, deliberate or unintentional acts that compromise cybersecurity settings are resolved, ensuring uniform security within the zone. As zone security is defined by its weakest link, it is therefore of the utmost importance that all equipment in the same zone has the same protections.
Additionally, this feature assists an automatic system audit, where even if users have made mistakes, a new audit can be performed quickly to find vulnerabilities. In this respect, the “pillar of the process” is critical, as it determines the duration of time that system audits should be performed. It is important to mention that any verification or changes made to production systems should be evaluated and tested prior to implementation.
Using Images Rather Than Lists. One of the most efficient ways to support the security checking process without compromising users’ judgment is to use graphical representations rather than lists to identify equipment on networks. It has been acknowledged for a long time that the human brain processes images and words differently, and that despite having many similar cognitive processes, images and words end up having different processing times. In short, images are processed faster and are easier to recognize by the human brain. Therefore, using graphical representations helps quicken the identification of the security settings of each device, as shown in Figure 2.
2. Graphical architecture with color system security status. Courtesy: Moxa
Using Colors. The second point to be considered is color differentiation to highlight different levels of security. The human brain can easily recognize different color tones, which means that different colors can be used to offer users a quick identification of the security status of each device and inform them of possible actions that have to be taken. Due to the importance of this, a color palette should be selected that ensures that color-blind people can differentiate between the colors.
When the security verification system scans and finds a mismatch between the settings recommended by the standard and the current ones deployed, users must decide how to proceed. If a mismatch is found, it is likely to be due to one of two reasons.
In the first scenario, users identify which suggestions can be implemented and authorize the system to perform the update, assuming the equipment is capable of performing it (Figure 3). In the second scenario, a mismatch is noted but the equipment does not have the required features and capabilities. Here, a risk assessment should be performed to decide whether the system can remain with these vulnerabilities or whether there are measures to counteract them. Regardless of the scenario, it is important that, where possible, users implement the minimum security functionalities required by the standard so that the zone to which the equipment belongs is secure.
3. Checkboxes indicate which features are available/enabled. Courtesy: Moxa
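The comparison described above, from the scan result to the two mismatch scenarios and the zone's weakest-link security level, can be written down concisely. The following Python is an added example, not code from the article or from Moxa's product: the feature names, the per-level baselines, the colour-blind-safe status palette (Okabe-Ito values) and the two-device inventory are all constructed for illustration, and the real auditable list would be drawn from Annex B of IEC 62443-3-3 by the asset owner.

```python
from dataclasses import dataclass

# Hypothetical per-level baselines (constructed for this example). Each level is
# cumulative: SL-2 requires everything SL-1 does plus its own features.
BASELINE = {
    1: {"password_policy", "mgmt_https_only"},
    2: {"password_policy", "mgmt_https_only", "account_lockout",
        "event_logging", "telnet_disabled"},
    3: {"password_policy", "mgmt_https_only", "account_lockout",
        "event_logging", "telnet_disabled", "syslog_remote", "port_security"},
}

# Status colours chosen from the Okabe-Ito palette so that colour-blind users
# can still tell them apart (an assumption of this example, not the article's).
STATUS_COLOR = {"ok": "#009E73", "fixable": "#E69F00", "unsupported": "#D55E00"}


@dataclass
class Device:
    name: str
    zone: str
    supported: set   # features the firmware can provide
    enabled: set     # features currently switched on, as read by the scan


@dataclass(frozen=True)
class Finding:
    device: str
    feature: str
    status: str      # "ok" | "fixable" | "unsupported"


def audit_device(dev: Device, target_sl: int) -> list[Finding]:
    """Compare the scanned settings against the baseline for target_sl."""
    findings = []
    for feature in sorted(BASELINE[target_sl]):
        if feature in dev.enabled:
            status = "ok"
        elif feature in dev.supported:
            status = "fixable"      # scenario 1: the owner may authorise the update
        else:
            status = "unsupported"  # scenario 2: device lacks it; needs a risk assessment
        findings.append(Finding(dev.name, feature, status))
    return findings


def achieved_level(dev: Device) -> int:
    """Highest SL whose full baseline is enabled on the device (0 if none)."""
    level = 0
    for sl in sorted(BASELINE):
        if BASELINE[sl] <= dev.enabled:
            level = sl
    return level


def zone_achieved_level(devices, zone: str) -> int:
    """A zone's SL-A is that of its weakest member."""
    levels = [achieved_level(d) for d in devices if d.zone == zone]
    return min(levels) if levels else 0


def apply_authorized(dev: Device, findings, approved) -> list[str]:
    """Enable only the fixable features the owner explicitly approved.
    Nothing changes without consent, and unsupported features are never forced."""
    changed = []
    for f in findings:
        if f.device == dev.name and f.status == "fixable" and f.feature in approved:
            dev.enabled.add(f.feature)
            changed.append(f.feature)
    return changed


def summarize(findings) -> dict[str, int]:
    """Count findings per status, the figures a colour-coded overview would show."""
    counts = {"ok": 0, "fixable": 0, "unsupported": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def sample_devices() -> list[Device]:
    """Constructed inventory standing in for the result of a network scan."""
    sl2 = set(BASELINE[2])
    return [
        Device("sw-01", "turbine-zone", supported=sl2 | {"syslog_remote"},
               enabled=set(sl2)),
        Device("rtu-07", "turbine-zone",
               supported={"password_policy", "mgmt_https_only", "event_logging"},
               enabled={"password_policy", "mgmt_https_only"}),
    ]


if __name__ == "__main__":
    devices = sample_devices()
    for dev in devices:
        for f in audit_device(dev, target_sl=2):
            print(f"{f.device:8} {f.feature:18} {f.status:12} {STATUS_COLOR[f.status]}")
    print("turbine-zone SL-A:", zone_achieved_level(devices, "turbine-zone"))
```

In the sample inventory the switch already meets SL-2, while the RTU supports event logging but has it disabled (fixable) and cannot offer account lockout or disable Telnet at all (unsupported). The zone therefore reports SL-A 1 until the RTU is either upgraded or compensated for, which is exactly the weakest-link rule the article describes.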
Maintaining a Secure System
This article has shown that systematic and automatic methods are more reliable than repetitive manual processes when performing cybersecurity settings. Because this is such a sensitive and important issue for industry, it is essential that all existing cybersecurity features are implemented correctly.
A security verification system should not be seen as the sole resource for ensuring appropriate cybersecurity implementation, as cybersecurity is complex and requires a multifocal approach. However, a security verification system can assist those responsible for implementing cybersecurity by helping them to implement the requirements recommended by the standard objectively. This approach aims to avoid the problems that occur when there is too much reliance on humans performing the security settings.
—Felipe Sabino Costa is an industrial cybersecurity expert for Moxa’s Latin American region.