As internet connection speeds improve around the world and devices continue to enter the market in nearly every sector at an exponential rate, it is unsurprising that much of our critical infrastructure is now taking advantage of connectivity through what is known as the Industrial Internet of Things (IIoT) or Industry 4.0. IIoT is a general term used to describe the integration of hardware and software with internet connectivity to support critical infrastructure. The industrial control systems (ICS) are what enable processes and systems to take full advantage of the IIoT; while they help to drive technology communication between automation and improve the accessibility of data, they also expose these systems to the potential for cyber issues. And the threats can come from many places – via the ICS that is managing an industrial process or via the electronic physical security safeguarding the facilities in which the ICS is housed.
The importance of critical infrastructure makes the ICS in these sectors prime targets for bad actors seeking unauthorized system access. Damage from cyber events varies but can lead to exposed proprietary and/or confidential information, data theft, loss of system control, terror activity, catastrophic shutdown and safety issues and/or ransom situations (e.g. “Pay X amount, and we will restore access to the system.”).
Many of the conversations surrounding ICS weaknesses in our connected world revolve around software vulnerabilities and implementations into the actual ICS. Today’s industries must remain diligent in the effort to manage risk, prevent bad actors from accessing critical systems and ensure that all necessary personnel have continued access to all systems and facilities. Diligence requires a constant effort from companies, as the technology used to launch these attacks is constantly evolving, but there are precautionary steps that can be taken to secure both digital systems and physical facilities.
Safeguarding ICS Software
When considering the ICS itself, the software that manages the system embedded in the products presents a primary vulnerability. It is common for companies to use third-party software as components of an ICS to help reduce development timelines and decrease costs. While this is a convenient approach, this decision increases the risk of exposure to attack due to the open availability of the software. To help mitigate these risks, companies must:
- Establish Security Specifications: All vendors and software should meet predetermined, internal security specifications. To save time, these specifications should accompany every request for proposal (RFP) and vendor agreement.
- Embrace Due Diligence: Regularly evaluate all new suppliers and software against these internal security specifications. Trusting a reliable third party to complete these evaluations offers the peace of mind associated with an independent third party and frees internal resources. Regardless of whether these evaluations are internal or external, they should be conducted regularly to help ensure compliance. It can also be helpful to select a platform that has been certified by a trusted third party. For example, the UL Cybersecurity Assurance Program (UL CAP) uses the new UL 2900-2-2 to evaluate software vulnerabilities specifically related to ICS.
- Commit to Scheduled Testing: Validation testing using a non-production environment should be completed when the product is acquired and throughout its use where possible. Small test beds of representations of the production environment allow for an opportunity to validate new software updates and configurations and detect vulnerabilities.
- Stay Current with Updates: Up-to-date software can provide the best defense against a cyberattack. Remaining current with software updates and patch releases helps keep things running safely while also keeping security measures up to speed with the evolution of technology. In the absence of deploying fixes, understanding and tracking known vulnerabilities can help mitigate or plan for potential weaknesses until an availability for deployment of updates can occur.
Maintaining Building Security and Functionality
Facility protection for ICS systems is just as vulnerable to attack, and access to these facility protection systems by a bad actor can have broad and damaging impacts. Because these electronic physical security systems are Internet of Things (IoT) systems, they are just as threatened by cybersecurity challenges as the ICS systems they are protecting.
For example, in April 2017, hackers triggered all 156 emergency notification alarms in Dallas, TX, creating panic and confusion for residents. With so many systems connected to the IoT, nearly every connected device becomes a potential access point. Technologies such as access control systems (e.g. card readers that grant facility access), banking and general alarm receiving equipment and surveillance cameras are all vulnerable.
The security, performance and financial risks affecting these products and services in both the public and private sectors are helping to drive the need for better preventative measures. Again, third-party verification under a program like UL CAP can help offer peace of mind, as it provides testable cybersecurity criteria to help assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness in physical security systems. UL’s newest cybersecurity standard, UL 2900-2-3, was developed specifically for electronic physical security systems; it provides the industry with guidance and added support while demonstrating to consumers and companies alike that products are designed with security in mind.
Though it remains impossible to anticipate every cyberattack, due diligence and complete software evaluations for every piece of connected equipment can help mitigate risks and keep companies and people prepared.
About the Author
Ken Modeste is the cybersecurity lead, principal technical advisor and subject matter expert for UL’s Cybersecurity Assurance Program. He helped develop UL’s series of cybersecurity standards that tests network-connectable devices for known vulnerabilities and software security. A key developer of the cybersecurity strategy for UL, Ken is responsible for strategically identifying long-term growth opportunities that align with UL’s mission to address public safety. He is responsible for creating the laboratory, hiring and training all personnel and developing programs and services to support UL’s client’s security needs. Ken has a proven track record in leading large diverse teams delivering commercial enterprise software in rapid environments with major business financial commitments. His leadership and analytical skills have helped develop and execute long-term software strategies. Previous to his engagement at UL, Ken served for 12 years as an engineering manager with GE. He began his career as a software engineer for GTech Corporation, after completing a Bachelor of Science degree.