
Stormshield - Cyber security for industrial systems in the age of Industry 4.0
Industry 4.0 is flourishing. But how can we ensure overall security in a field that increasingly combines industrial systems, the Internet of Things, the cloud and Big Data? Spoiler: It's not all about sensors.
You've probably heard the story of the internet-connected coffee machine that led to ransomware being smuggled into a petrochemical industrial company. This story highlights the challenge of protecting an increasingly connected Industry 4.0 - namely securing an ever-expanding attack surface. The gradual introduction of smart sensors and/or cloud connections creates new connections with the outside world. These in turn are potential security vulnerabilities in industry, a sector that is already the target of cyber attacks to a significant degree.
Operational technology: a multi-layered environment
In practice, industrial systems consist of physical machines within a factory (motors, pumps, valves and sensors) managed by control systems (PLCs and SCADA applications) and IT systems (for data analysis). "What we now call [Industry] 4.0 is a concept based on the digitalisation of industry, with the aim of achieving continuous improvement," emphasises Thierry Hernandez, Stormshield Account Manager and OT Security Specialist. This concept is based on several factors, including changes in tools and resources (robotics, AGVs, augmented reality software and many more) and technologies (telecommunication protocols, sensors and networked objects to supply data). All of these are interconnected in a factory today. The end purpose is to feed data into a cloud or edge computing system that hosts solutions with extensive computational capabilities based on state-of-the-art algorithms. The main purpose is to provide operational excellence through energy efficiency, time savings, reduced material consumption or predictive maintenance.
"Put simply, production is organised in four layers," explains Thierry Hernandez. "The first layer consists of the PLCs, which control all the actuators and valves. The second layer is the SCADA (the monitoring and acquisition software based on the data supplied to ensure smooth operation). The third layer is the management with the MES, which handles all production tracking and planning processes. Finally, the fourth layer is the ERP system, which issues the production orders, among other things". These software packages make it possible to control all the company's processes and are thus an important factor that should not be ignored as part of the overall cyber protection strategy.
How can industrial cyber security be designed?
Cyber security for industrial systems already has to contend with a certain amount of "legacy". And that can be precisely the problem. "In France, an industrial system has an average life expectancy of about 15 years. That is the average age of production machinery. For trains and metro systems, this life expectancy goes up to 30 or 40 years. And if we look at even more critical systems like the nuclear sector, power plants have a life expectancy of 60 years. Of course, these systems, some of which are very old, are vulnerable," adds Jean-Christophe Mathieu, Head of Cybersecurity at Orange Cyberdefense.
"Historically, this infrastructure has often been introduced haphazardly. In other words, it has been designed and automated as needed, with people wiring things the way they wanted," explains Stéphane Prévost, Product Marketing Manager at Stormshield. "As a result, all these automated systems were installed in a 'flat' network. To secure them today, it is necessary to segment them." IT system segmentation has therefore emerged as a way to isolate and protect the most sensitive assets from the others. The result is that cyber threats are contained and performance is optimised for the different devices. At a time when more and more sensors, machines and production processes in factories are becoming interconnected, segmentation provides an essential bulwark for Industry 4.0.
Why is an "OT-first" approach important?
These "4.0" issues are no longer managed solely by a factory's operational staff. "We still find that in far too many companies, the IT and OT teams do not communicate effectively with each other. There are still significant cultural differences and petty squabbles. However, it is impossible to achieve an overall approach to security if people don't talk to each other, let alone work together," Jean-Christophe Mathieu points out.
For IT operations, this means adapting their cyber approach to include OT challenges. "The OT people have the main obsession to keep everything running. Therefore, it is important to find the right balance between protection systems and the need to ensure production and business continuity," explains Thierry Hernandez. This means that a firewall should only be used if it does not interfere with anything in the factory.
In other words, IT protection must not be at the expense of production. "Security must be provided in a way that ensures the availability of the system," emphasises Stéphane Prévost. This key requirement has led to a new approach, including the emergence of industrial cyber security, which is well on its way to becoming a discipline in its own right, with increasingly specialised service providers, including Stormshield, able to propose transparent solutions for existing systems. "This transparency must be present during the integration phase, but also later on when any hardware failures occur, so as not to affect production," adds Stéphane Prévost. "Stormshield's industrial firewall solutions all come with several guarantees to underpin operational security, such as bypass and safe mode features or redundant power supplies."
How do you deal with cloud and edge computing?
Data feedback is a key component of Industry 4.0. "It is important to ensure the perfect integrity of the information coming from the sensors and to quickly forward this data to the ERP system and the cloud," explains Thierry Hernandez. "Protecting the lower layer of the operational network is an important objective, allowing this information to be secured at source before being used further up."
"Edge computing, including everything related to computing energy consumption, is brought back to a point as close as possible to the operations network, which is directly connected to the cloud infrastructure," adds Stéphane Prévost. "This leads to further interconnectedness and makes the operational system more vulnerable to cyber threats."
Industry 4.0 must therefore have a comprehensive overview of its security. This involves identifying and mapping sensitive assets, then segmentation (or even micro-segmentation for the IIoT) to isolate each part from the others and prevent the spread of an attack. But according to Jean-Christophe Mathieu, this requires everything to work in a highly organised way. "We need to know who does what, when and how, accompanied by full traceability to prevent anyone from accessing the system. Or, if someone is accessing it, to know exactly who it is and what they are doing there."
The security solutions used in factories need to be able to track this. "At Stormshield, we go so far as to check the messages that the command and control system sends to the machines," explains Stéphane Prévost. "When an engineering workstation transmits a change of setting to a PLC, it is necessary to check that it is the right workstation with the right person and that the command sent is authorised." This message control function can also verify that the values sent to the PLCs are fully compliant with the operational process. "We can determine if a value exceeds a certain level, in a way that is likely to compromise or destroy a piece of equipment, or even pose a threat to the entire production system."
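The message check described above, sketched as an added example that is not Stormshield's code or part of the original article. It assumes Modbus/TCP as the protocol (the article names none), that the operator identity is supplied by the firewall's own authentication, and a constructed policy: the addresses, user name, register 40 and its bounds are hypothetical.

```python
import struct
from dataclasses import dataclass

WRITE_SINGLE_REGISTER = 0x06  # Modbus function code

@dataclass(frozen=True)
class Rule:
    station: str   # engineering workstation allowed to write
    user: str      # operator authenticated on that workstation
    unit_id: int   # Modbus unit id of the PLC
    register: int  # register the rule covers
    low: int       # lowest value the process tolerates
    high: int      # highest value the process tolerates

# Constructed policy: one setpoint register with process-safe bounds.
POLICY = [Rule("10.20.1.15", "eng-alice", 1, 40, 0, 1500)]

def build_frame(unit_id, register, value, function=WRITE_SINGLE_REGISTER):
    """Build a constructed Modbus/TCP request: 7-byte MBAP header + 5-byte PDU."""
    return struct.pack(">HHHBBHH", 1, 0, 6, unit_id, function, register, value)

def parse_write(frame):
    """Return (unit_id, function, register, value); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("truncated header")
    _tid, proto, length, unit_id, function = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("inconsistent MBAP header")
    if function != WRITE_SINGLE_REGISTER:
        return unit_id, function, None, None
    if len(frame) != 12:
        raise ValueError("wrong size for write-single-register")
    register, value = struct.unpack(">HH", frame[8:12])
    return unit_id, function, register, value

def check(src_ip, user, frame):
    """Default-deny decision for one command: returns (allowed, reason)."""
    try:
        unit_id, function, register, value = parse_write(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if function != WRITE_SINGLE_REGISTER:
        return False, f"function 0x{function:02x} not authorised"
    for r in POLICY:
        if (r.station, r.user, r.unit_id, r.register) == (src_ip, user, unit_id, register):
            if r.low <= value <= r.high:
                return True, "ok"
            return False, f"value {value} outside {r.low}..{r.high}"
    return False, "no rule for this workstation, user and register"
```

Only the write path is modelled; every other function code is denied, and the reason string is what would go into the traceability log.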
Industry: a prime target for hackers
As is so often the case in cybersecurity, standards provide important guidance on the use of 'safety nets'. In the case of industrial systems, the IEC 62443 standard is the reference in this area. Each sector proceeds according to its own specific characteristics, especially in industries classified as CRITIS (Critical Infrastructures), which require very high levels of security.
Despite these standards, industrial systems nevertheless remain vulnerable, mainly because physical devices (PLCs, controllers, regulators, etc.) are used for very different purposes and play a central role in many systems. For example, we find the same types of PLCs for managing a building (heating, ventilation, air conditioning) and in a production line for making cars. As soon as a vulnerability is discovered in one of these widely used devices, all these systems must be considered at risk. "We find a lot of analogies between the different industries," notes Thierry Hernandez. "A cosmetics company can be compared to a pharmaceutical company because the IT infrastructure used can be similar. But the level of security depends on governance."
And these threats are very real. In addition to data theft and industrial espionage, PLCs are now among the hackers' targets, threatening the production system with a major ransomware event. This also poses the risk of operational disruptions or production shutdowns. "Regardless of the consequences of a malicious act or an internal error, the greatest danger comes from a production standstill. The economic costs are enormous," adds Thierry Hernandez. For example, shipping company AP Moller-Maersk puts the cost of the cyber attacks it suffered in 2017 at $300 million.
Attacks can target supply chains that are becoming increasingly complex, extensive and interconnected. For example, a sensor that is "reconfigured" by a cyber criminal can cause a valve to open further than it should. In the case of a water tower, this could cause the entire area to flood.
As we have seen, IIoT solutions and industrial systems are ill-prepared to operate in a networked environment, making them more vulnerable to cyber-attacks. The information that these connected elements collect and share should not interact directly with the core system. "If it does, it must be sufficiently filtered to ensure that it only gets out and not into the heart of the system," warns Jean-Christophe Mathieu. "It is important to ensure that the core of the system is isolated from the rest."
Original blog article by Khobeib Ben Boubaker, Head of Industrial Security Business Line, Stormshield
Abridgements and other corrections: Simon Schmischke