Cybersecurity-centered systems and fundamentals
For modern industrial control systems (ICSs), cybersecurity involves technologies and user best practices. Four cybersecurity fundamentals are highlighted.
Industrial automation project designers have rightfully maintained a primary focus on delivering correct and reliable equipment functionality. However, now that most intelligent automation devices include wired or wireless connectivity, and end users are increasingly looking to obtain equipment data, the cybersecurity of these interfaces is becoming very important.
Even as programmable logic controllers (PLCs) and human-machine interfaces (HMIs) have become more capable, the cybersecurity features have not progressed at the same pace. Furthermore, improved cybersecurity is not just about PLC/HMI hardware and software, but it also requires changing the behavior of “wetware,” engineers and end users.
PLCs and HMIs will continue as mainstays of industrial control systems for the foreseeable future, even as they continue to evolve. Designers and end users need to look for cybersecurity-centric features in the automation platforms they choose, and work to encourage the appropriate cybersecurity-focused end-user behaviors.
Air gaps are not enough for cybersecurity
In the past, PLCs, HMIs, and other related devices relied on “cybersecurity by obscurity’’ along with cyber intruders being less prevalent than they are today (Figure 1). Classic automation devices used proprietary networks and protocols, and the digital plant floor was rarely connected to the outside world. This physical cybersecurity in the form of an “air gap” was commonplace and considered more than adequate.
As modern automation devices have gained wired Ethernet, Wi-Fi, and other forms of connectivity, some users believed these specialized systems would remain safe enough. History has proved otherwise, as cyber-attacks continue to grow in frequency and severity. Not all bad actors are seeking to carefully steal data or take over system control in a coordinated manner. Some want to disrupt operations or damage equipment through relatively crude attacks. In either case, these are threats to the safety of equipment and personnel and must be taken seriously.
The same trickle-down technology that enabled commercial Ethernet to be economically applied to industrial-grade devices has made it easy to interconnect production systems, business networks, cloud-based resources—and cyber criminals. Designers of localized automation often lacked full visibility into how vulnerable these systems were to outsiders.
Four cybersecurity fundamentals
There are several technologies required for modern PLCs to provide cybersecurity, and to encourage behavioral changes from users (Figure 2). Four key techniques are:
- End-to-end encryption.
- Username/password protection.
- Granular access control and port management.
- Activity auditing.
1. End-to-end encryption should be supported by any new PLCs being specified, and then applied to all Ethernet communications. This includes interactions between the PLC and the programming environment, other Ethernet-enabled devices on the network, and any external clients and embedded web servers. The programming software used to create code for the PLCs needs provisions so administrators can manage cybersecurity certificates when external access is required.
Unfortunately, encryption is processor-intensive, which prevents many legacy PLCs from adopting this capability. This pushes designers into selecting the newest generation of PLCs. If legacy PLCs can’t be avoided, they should be kept on isolated networks or behind a firewall.
2. Username and password protection is a feature that must be built into a PLC, and users should be strongly encouraged to set non-default values as they provision a PLC. During development time, many users find this additional step annoying, so they either disable password protection or leave the defaults in place, defeating the significant value this protection would offer. However, it is essential user mindsets be shifted toward securing PLCs in the same ways corporate PCs are secured today.
Even modern PLCs with username/password functionality may only allow these settings to be managed locally through the programming software. But in the future, PLCs will need to gain the ability to integrate with an authentication and management infrastructure, allowing more thorough management and traceability of user activity and access. Merging this standard IT-grade cybersecurity into operational technology (OT)-type products will improve industrial systems’ overall security posture.
Advanced username and password management can make other useful capabilities possible. For instance, the ability to create time-sensitive credentials means that system owners can assign specific levels and durations of access, so contractors can perform work in a controlled manner, and access for contractors will expire in a reasonable timeframe for completing the job.
3. Granular access control and port management involves the ability to configure which communication protocols are active, to re-assign ports for specific protocols, and to specify which IP addresses can access the PLC. While IT devices like office laptops may come and go, OT networks often consists of stable configurations with well-known communication needs.
This gives OT administrators the opportunity to obfuscate some of the known ports and protocols and limit access to a specific IP address range. By limiting access from only the known devices where it is necessary, designers can reduce the chances for a bad actor to discover and interfere with these devices.
Because the communication architecture of automation systems is relatively static compared to that of a business network, it is easier to take positive steps for assigning specific access where it is needed. Closing unused Ethernet ports and using less-common ports force bad actors to work harder to find an open door. It is best for unused ports to be turned off by default in the configuration software. This reduces the attack surface and removes the need for user action to protect the device. Instead, users must take action to add connectivity by making informed decisions.
4. Activity auditing has become necessary as a form of early detection, in the event that preventing cyber intrusions is not fully effective (Figure 3). One method of avoiding being a victim of a cybersecurity event is by reviewing logs of access activity and by attempting to discover unauthorized events, and then taking action to prevent unauthorized events from happening. Many bad actors will follow a “brute force” approach by using software tools that let them cycle through commonly used usernames and passwords. Traditional PLCs have little to no logging and auditing capabilities for this type of activity. However, modern PLCs are gaining auditing features so users can track the date/time and IP address of access attempts or actual access leading to changes.
Beefing up the PLC cybersecurity backbone
PLCs form the backbone of most manufacturing and critical infrastructure automation systems today and will continue playing a key role for some time. Legacy models were limited by the technologies available at the time, which often meant little or no cybersecurity provisions.
The operational environment today and the future demands any PLCs considered for new or retrofit work should be secure by design. Cybersecurity features should not be added as an afterthought. Fully-integrated cybersecurity should act as infrastructure to seamlessly merge OT with IT, allowing safe data flow from plant floor to the executive floor.
Progressive PLC manufacturers must perform due diligence to verify Ethernet-enabled PLCs are compliant with the latest cybersecurity standards and address any vulnerabilities. Well-designed and secure PLC hardware and software lessens some of the burden on end users while facilitating configuration and management of secure systems.
The right technologies can help nudge users in the proper direction for achieving secure and reliable systems.
Damon Purvis, PLC product manager, AutomationDirect. Edited by Chris Vavra, web content manager, CFE Media and Technology, email@example.com.