Cyber Security: Its Importance and Impact on Industrial Control Systems
K Jayaprakash
Discipline Head (C & I)
Tata Consulting Engineers Ltd

In today's volatile, uncertain, complex, and ambiguous (VUCA) business world, cyber security is a mandate against digital threats. In this article the author provides a comprehensive account of ways to secure plant or Industrial Control Systems (PCS/ICS), including but not limited to Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), and Supervisory Control and Data Acquisition (SCADA) systems, while addressing their unique performance, safety, and reliability requirements.

Threats to electronic/digital data, whether modification, unauthorized disclosure, destruction, or transfer, and whether accidental or intentional, have been increasing at an alarming rate. Fortifying data against these threats is where cyber security plays a pivotal role in today's business world.

Three important concerns in this regard are:
  • Governance - to ensure proactive implementation of an appropriate operational technology (OT) security mission in a cost-effective manner, while managing evolving OT security risks.
  • Operations - to ensure a safe infrastructure setup by implementing appropriate security controls and a defence-in-depth design for the network infrastructure.
  • Infrastructure - to continuously monitor the system's performance to ensure consistency with the agreed security requirements, and to incorporate needed system modifications.
Security is a journey, not a destination. Organizations that embrace adequate and appropriate measures are better equipped to mitigate cyber security risk. Both business and technology need to be dynamic in order to respond to internal as well as external events, and it should be noted that risk factors change frequently. Cyber security programs should continuously look for new potential risks, and periodically review past decisions to determine whether new information affects their assessments and the actions being taken. Collaboration is necessary to truly cover all the bases in cyber security; engaging the OEMs and the service providers is essential. Organizations should therefore also seek guidance from their peers, third parties, experts, and authorities on their cyber journey.

Cyber Security Governance
A number of mandatory as well as voluntary standards, regulations, and guidance documents have been developed and well documented by corporations, associations, standards organizations, and regulatory bodies. Such work, for example compliance support, improves risk management and outlines recommended procedures related to cyber security. However, it is important to know which ones are mandatory and/or advisable for an organization; organizations should leverage this information to best fit their business model. To name a few frameworks/regulatory bodies:
  • Cyber Security Framework by the National Institute of Standards and Technology (NIST)
  • IEC 62443 series from the International Electrotechnical Commission (IEC)
  • Indian Computer Emergency Response Team (ICERT)
These provide guidance for improving and maintaining cyber security, and for taking proactive measures toward advanced implementation.

Cyber Security Information Sharing
Information sharing is one of the key activities that organizations should engage in to optimize their efforts in mitigating cyber security challenges. The aim of these connected organizations is to coordinate between government and industry across multiple sectors, allowing information, knowledge, and expertise to be shared. Organizations such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which instituted the Industrial Control Systems Joint Working Group (ICSJWG), and AISA (Australian Information Security Association) help members stay up to date with selected information relevant to their industry, as well as to the connected companies and agencies.

To achieve this objective, the following sections cover ways to secure plant or Industrial Control Systems (PCS/ICS), with mention of Distributed Control System (DCS), Programmable Logic Controller (PLC), and Supervisory Control and Data Acquisition (SCADA) systems. They also address their unique performance, safety requirements, and reliability.

Initially PCS were built as stand-alone systems and were not interconnected; therefore they had little in the way of security protections. The all-pervasive Internet protocols and associated networks have prompted PCS designs in which the control network(s) extend to corporate networks for higher-level supervision and monitoring. These design improvements often make the PCS potentially reachable by skilled and malicious adversaries over the Internet.

Even today PCS are not secure: they remain susceptible even after cyber security measures have been assessed. Hence cyber security needs to be treated as a process instead of a project. PCS generally undergo repeated testing, because most PCS are built from mass-produced hardware and customized open source software running on operating systems and third-party software available in the open market, and they inherit the exposures of those components. The repercussions of such weaknesses in the PCS domain are not obvious, but they become visible when a cyber security assessment is carried out.

IT security solutions are typically designed to address such security issues; however, additional precautions must be taken before introducing these solutions, which must be tailor-made for the PCS environment.

Before discussing how to establish a secure PCS, note that control systems such as DCS, SCADA, and PLC are used for controlling, monitoring, and protecting plants in industrial sectors. These sectors include power, oil and natural gas (ONG), transport, water, sewage, paper, chemicals, drugs, food and beverage, etc., and to some extent discrete manufacturing areas such as aerospace, automotive, consumer goods, etc.
  • PCS and DCS are used for mass production of components/systems in localized manufacturing sections and are monitored/controlled from a remote central location in a factory.
  • Geographically distributed assets use SCADA systems, which provide control as well as central data acquisition and supervisory control.
  • For sequential or binary regulatory control, as required for specific applications, PLCs are used.
The PCS and control system architecture help in identifying the threats and associated vulnerabilities of the control systems listed above, thus enabling recommendations for security countermeasures and associated risk mitigation.

A few reasons risk arises in PCS are:
  • Proprietary solutions have been replaced by cheaper Internet Protocol (IP) devices, which have increased the likelihood of cyber security incidents.
  • Connectivity to corporate business systems is promoted by using IT solutions with PCS designed for remote monitoring and control, implemented on available IT infrastructure such as industry-standard computers/laptops, standard network protocols for interfaces, and operating systems (OS). These are similar to typical IT systems. Such integrations support new IT capabilities, but they provide significantly less isolation between the PCS and outside systems than the stand-alone predecessor systems did. Hence, there is a greater need to protect these control systems.
The risk consequences in PCS
Even though the characteristics of the two are analogous, certain features of PCS differ from those of conventional information processing systems. The differences arise from the fact that logic execution in PCS directly affects the physical plant. Even though these characteristics are few in number, they impose significant risk to the health and safety of human beings, can cause serious environmental damage, and lead to issues such as production loss, compromise of proprietary information, etc. Cyber security programs for PCS are always a part of a comprehensive program covering safety and reliability at both the industrial site and the process plant, along with the enterprise-level cyber security program. This is predominantly so in the context of cyber security because safe and reliable modern plant operation is both critical and required.

A Few Implementations of Security Objectives in PCS
  • To restrict logical access to the PCS network and its network activity.
  • To restrict physical access to the PCS network and devices.
  • To protect individual PCS components from exploitation.
  • To restrict unauthorized data modification in the PCS.
  • To detect security incidents and events.
  • To maintain functionality during adverse conditions.
  • To restore the system after an incident.
  • To reduce the attack surface of the OT network.
  • To convert external connections into one-way connections for monitoring purposes.
No single methodology or technology can fully secure industrial automation and control systems. A defence-in-depth approach is required to protect the PCS assets. A balanced industrial network security framework must address both the technical and non-technical elements.

A successful security implementation method for a PCS is to collect all recommended industry practices and to engage in a proactive and collaborative management effort in alignment with expert control engineers from the OEM and the IT group.

Some special considerations for ICS security are listed below:


To improve cyber security, the PCS is partitioned into separate security domains to separate it from other IT networks, e.g. the corporate network. The purpose of network segmentation and segregation is to ensure that the organization can continue to operate effectively and to reduce unauthorized access to sensitive information.

Network segmentation and segregation are implemented at the gateways between domains. PCS environments consist of well-defined multiple domains, such as LAN networks and DMZs (demilitarized zones), as well as gateways to non-PCS and less trustworthy domains such as the Internet and the corporate LAN. Properly implemented, segmentation and segregation minimize both the methods of access and the level of access to highly sensitive information.

PCS Security Capabilities and Tools
Based on the network architecture and configuration, technologies and methods used to improve security capabilities include:

Data Diode
A data diode is a unidirectional gateway, unidirectional network, or deterministic one-way boundary device that allows data to travel in a single direction only, with guaranteed/validated information security, protecting critical digital control systems such as PCS from inbound cyber attacks. These devices are generally used in the defence sector, a high-security environment, where they serve as the interface between two or more networks of different security classifications. The technology is generally used to enforce one-way data flow between the critical digital control system and untrusted networks.

Encryption
Encryption maintains data confidentiality by encoding the data so that it can be decoded only by the intended recipient. Encryption products specifically designed for the intended PCS application are available in the market and are used.

Firewalls
A firewall is a commonly used technique and component for segregating networks and for isolating and protecting the PCS. Firewalls are implemented using readily available products, which corporates have traditionally focused on application-layer protocols and the Internet. Now a few of these are equipped to handle PCS protocols.
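The segmentation, data diode, and firewall sections above describe a policy rather than show one. The following added example (not code from the article) models that policy as zones and conduits: a PCS subnet, a DMZ, the corporate LAN, and the Internet, with a firewall rule per conduit and a diode conduit that never admits a return path. All subnets, ports, and rules are constructed for illustration; the audit function flags any rule that would let corporate or Internet hosts bypass the DMZ.

```python
"""Zone-and-conduit flow checker: an added example, not the article's code.
All subnets, ports and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed security domains; the longest prefix wins when classifying an address.
ZONES = {
    "pcs":       ip_network("10.10.0.0/24"),   # controllers, HMIs, engineering station
    "dmz":       ip_network("10.20.0.0/24"),   # historian replica, jump host
    "corporate": ip_network("10.30.0.0/16"),   # business LAN
    "internet":  ip_network("0.0.0.0/0"),      # everything else
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]      # TCP destination ports; empty set = any port
    kind: str = "firewall"         # "firewall" (stateful) or "diode" (one way, no replies)


# Constructed conduit policy; any flow not matched by a rule is denied.
POLICY: List[Rule] = [
    Rule("pcs", "dmz", frozenset({4000}), kind="diode"),   # historian data pushed out one way
    Rule("corporate", "dmz", frozenset({443})),            # business users read the DMZ replica
    Rule("dmz", "pcs", frozenset({3389})),                 # maintenance via DMZ jump host only
]


def zone_of(ip: str) -> str:
    """Classify an address into the most specific matching zone."""
    addr = ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def match_rule(src_ip: str, dst_ip: str, dst_port: int,
               policy: List[Rule] = POLICY) -> Optional[Rule]:
    """Return the first conduit rule that permits src -> dst:port, if any."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst and \
                (not rule.dst_ports or dst_port in rule.dst_ports):
            return rule
    return None


def check_flow(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Decide whether a new connection may cross the zone boundary."""
    rule = match_rule(src_ip, dst_ip, dst_port)
    if rule is None:
        return False, f"no conduit from {zone_of(src_ip)} to {zone_of(dst_ip)} on port {dst_port}"
    return True, f"{rule.kind} conduit {rule.src_zone}->{rule.dst_zone}"


def reply_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Whether return traffic for an allowed forward flow may pass.
    A stateful firewall admits replies on an established connection;
    a diode has no physical return path, so even acknowledgements are dropped."""
    rule = match_rule(src_ip, dst_ip, dst_port)
    return rule is not None and rule.kind != "diode"


def audit_policy(policy: List[Rule]) -> List[str]:
    """Flag rules that defeat segmentation: only the DMZ may initiate into the
    PCS, and the PCS never opens connections toward the Internet."""
    findings = []
    for r in policy:
        if r.dst_zone == "pcs" and r.src_zone != "dmz":
            findings.append(f"{r.src_zone}->pcs bypasses the DMZ")
        if r.src_zone == "pcs" and r.dst_zone == "internet":
            findings.append("pcs->internet direct outbound conduit")
    return findings


if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.20.0.10", 4000), ("10.30.1.7", "10.10.0.5", 502)]:
        print(flow, check_flow(*flow))
    print("audit:", audit_policy(POLICY) or "no findings")
```

The checker reports why a flow is denied (no conduit between those zones on that port), which is the question a reviewer asks of a proposed architecture. The `reply_allowed` distinction is what separates a diode from a firewall rule: both permit the historian push, but only the firewall would let anything come back.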

Intrusion Detection and Prevention
Well-known cyber attacks on networks and PCS components are detected by deploying plant intrusion detection systems (PIDS) and plant intrusion prevention systems (PIPS). A PIDS monitors the network traffic, using various detection techniques to compare portions of the traffic with previously known attack signatures.

On the host server, host intrusion detection software is installed and loaded with specific attack signatures to monitor ongoing events, along with the data needed to diagnose possible exploitation of these systems. PIPS products go further: they act automatically, detecting the exploitation and then attempting to stop it. Even though PIPS are commonplace in today's information security industry, they are very resource intensive. These systems automatically and rapidly reconfigure on any intrusion attempt, and the automated reaction is designed to prevent the intrusion or exploitation. However, the automated tool could be turned against the PCS by an adversary, who can trigger it to shut down a network or server segment and thereby affect PCS operation adversely.
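The two paragraphs above describe signature-based detection in the abstract. The following added example (not the article's code) runs three defender-side signatures over constructed flow records of the kind a PIDS sensor would produce: a Modbus write from a host outside the engineering allowlist, a port sweep against a controller, and a controller opening an outbound connection to an external address. The Modbus function codes are real (5, 6, 15, 16 are the write codes); the hosts, subnets, and records are constructed for illustration.

```python
"""Signature-based plant intrusion detection over constructed flow records.
Added example, not the article's code. Each record is a parsed connection
summary in the form: "<ts> <src> <dst> <dport> <detail...>"."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed allowlist: the only host permitted to write to controllers.
ENGINEERING_HOSTS = {"10.10.0.50"}
MODBUS_WRITE_FCS = {5, 6, 15, 16}          # real Modbus write function codes
PCS_NET = ip_network("10.10.0.0/24")       # constructed controller subnet
PRIVATE = ip_network("10.0.0.0/8")         # anything outside this is "external"

# Constructed sample records, not captured traffic.
SAMPLE_LINES = [
    "1000 10.10.0.50 10.10.0.10 502 modbus fc=16",   # engineering station write: expected
    "1005 10.30.4.8 10.10.0.10 502 modbus fc=6",     # corporate host writes a register
    "1010 10.30.4.8 10.10.0.10 22 tcp syn",
    "1011 10.30.4.8 10.10.0.10 23 tcp syn",
    "1012 10.30.4.8 10.10.0.10 80 tcp syn",
    "1013 10.30.4.8 10.10.0.10 443 tcp syn",
    "1014 10.30.4.8 10.10.0.10 4840 tcp syn",        # six distinct ports in ten seconds
    "1100 10.10.0.10 203.0.113.9 443 tcp syn",       # controller calls out to the Internet
    "1200 10.10.0.50 10.10.0.11 502 modbus fc=3",    # read holding registers: expected
]


@dataclass
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    detail: str


def parse_line(line: str) -> Event:
    ts, src, dst, dport, *rest = line.split()
    return Event(int(ts), src, dst, int(dport), " ".join(rest))


def modbus_fc(detail: str) -> Optional[int]:
    """Extract the Modbus function code from a 'fc=NN' token, if present."""
    for tok in detail.split():
        if tok.startswith("fc="):
            return int(tok[3:])
    return None


def sig_unauthorized_write(events: List[Event]) -> List[str]:
    """Signature 1: Modbus write function code from a host not on the allowlist."""
    return [f"unauthorized Modbus write fc={modbus_fc(e.detail)} from {e.src} to {e.dst}"
            for e in events
            if e.dport == 502 and modbus_fc(e.detail) in MODBUS_WRITE_FCS
            and e.src not in ENGINEERING_HOSTS]


def sig_port_sweep(events: List[Event], threshold: int = 5, window: int = 60) -> List[str]:
    """Signature 2: one source touching >= threshold distinct ports within a window."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append((e.ts, e.dport))
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):              # slide the window over each start
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append(f"port sweep: {src} touched {len(ports)} ports within {window}s")
                break                                   # one alert per source
    return alerts


def sig_pcs_outbound(events: List[Event]) -> List[str]:
    """Signature 3: a controller initiating a connection to a non-private address."""
    return [f"PCS host {e.src} initiated connection to external {e.dst}"
            for e in events
            if ip_address(e.src) in PCS_NET and ip_address(e.dst) not in PRIVATE]


def run_signatures(lines: List[str]) -> List[str]:
    """Parse records and return every alert raised by the signature set."""
    events = [parse_line(l) for l in lines if l.strip()]
    return sig_unauthorized_write(events) + sig_port_sweep(events) + sig_pcs_outbound(events)


if __name__ == "__main__":
    for alert in run_signatures(SAMPLE_LINES):
        print("ALERT:", alert)
```

The signatures only report; they do not block. That is deliberate, and it follows the caveat above: an automated prevention response that isolates a segment on every match is itself a lever an adversary can pull, so in a PCS the blocking decision is better left to an operator who can weigh it against plant safety.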

Antivirus/Malware Software
Antivirus software can be used on almost all PCS components. However, for PCS, special considerations must be taken into account in the selection, installation, configuration, operation, and maintenance procedures. PCS end users should always consult the PCS vendor before deploying antivirus software.

In brief, the steps to be followed are the ability to:
Identify - Organizational comprehensive security program and cyber security audit.

Protect - Harden all hardware and software configurations and apply permissions and security policies across the complete ICS environment.

Integrate - Update and patch management.

Follow - Network segmentation.

Detect - Continuous vulnerability assessment and remediation, intrusion detection and prevention, i.e. actively monitoring sources such as CERT, vendor and industry websites, etc.

Respond - Incident response program, i.e. to plan and to communicate.

Recover - Having real-time backup and restoration plans.

Comply - Conduct training programs and certifications.