Securing industrial information systems, where to start?


For several years, the globalization of the industrial market, rising customer requirements and the constant search for lower costs have greatly increased the complexity of industrial environments. Collaboration between security actors and information systems (IS) security actors is therefore more essential than ever to maintain and strengthen the competitiveness of companies. With this in mind, the IS can, depending on its flexibility and robustness, hinder or facilitate this collaboration.

At the same time, the security of critical infrastructures that use industrial control systems, and more particularly those of operators of vital importance, is now becoming an essential priority. This is all the more true given the emergence and growth of risks to industrial systems that began in the 2010s.

Originally designed to operate in isolation, these systems are now integrated into the company’s IS to meet productivity requirements. These developments lead the computerized control systems of installations to open up to external networks, which exposes them to new risks, all the more so as their sensitivity keeps growing. Added to this is the weakness of the technical components used in industrial control systems, which are generally poorly prepared for the challenges of the current cyberwar. As with other areas of cybersecurity, the first responses are organizational before being technological.

What is the difference between a traditional IS and an industrial IS?

In a company that operates industrial IS, the growing need to consolidate data and access it in real time from any point on the planet, together with the reduction in development and ownership costs, has precipitated the convergence of the fields of industrial computing and management IT.

Unlike the field of traditional IS where security patches are published by software designers and publishers themselves, the industrial field, mainly due to availability and operational safety constraints, does not allow the adoption of this same operating mode. This difference in treatment, in the face of vulnerabilities, is one of the main risk factors suffered by industrial control systems.

The main difference between the sensitivity of industrial IS and management IS is related to the prioritization of security requirements with respect to the type of data processed. Beyond the classic criteria of confidentiality, integrity and availability, there are also requirements related to physical security, the environment, health, dependency and regulation.

What are the different vulnerabilities of industrial IS?

The vulnerabilities of industrial IS are often linked to three areas. The first is the architecture and mapping of the IS: no inventory of the IS estate and equipment, no view of the technological generations and their intrinsic vulnerabilities, no risk analysis of the industrial IS, and no business continuity and recovery plan. The second is preventive technical measures: misuse of administrator accounts, unsecured remote management tools, file sharing on the network with full access when read-only access is sufficient, read or write access to configuration files via FTP or TFTP, and default passwords for service accounts, databases and console-mode access (programmable logic controllers, or PLCs, gateways, network equipment). The third is the durability of security: no removable media policy (blocking of USB ports), no backup of data, equipment configuration and source code, no corrective updates of operating systems, applications and firmware, and no mechanism for signing firmware.
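
Once an inventory exists, the three families of weaknesses above can be checked mechanically. The following Python audit is an added example, not code from the original article; the inventory records and field names are constructed assumptions, and a field missing from the inventory is reported as a finding rather than assumed safe, because an unknown is itself a mapping gap.

```python
INVENTORY = [  # constructed sample records; field names are assumptions
    {"name": "plc-line1", "firmware": None, "services": {"tftp": "rw"},
     "default_password": True, "usb_blocked": False,
     "config_backup": False, "firmware_signed": False},
    {"name": "hist-01", "firmware": "2019.3", "services": {"smb": "rw"},
     "needs_write": False, "default_password": False, "usb_blocked": True,
     "config_backup": True, "firmware_signed": True},
    {"name": "gw-02", "firmware": "4.1", "services": {"ftp": "ro"},
     "default_password": False, "usb_blocked": True,
     "config_backup": True, "firmware_signed": True},
]

def _svc(asset, proto):
    return asset.get("services", {}).get(proto)

# (category, finding, predicate); absent fields are reported, not assumed safe
CHECKS = [
    ("mapping", "firmware generation unknown",
     lambda a: not a.get("firmware")),
    ("preventive", "default password in use",
     lambda a: a.get("default_password", True)),
    ("preventive", "configuration writable over FTP/TFTP",
     lambda a: "rw" in (_svc(a, "ftp"), _svc(a, "tftp"))),
    ("preventive", "share grants write access where read-only suffices",
     lambda a: _svc(a, "smb") == "rw" and not a.get("needs_write", False)),
    ("durability", "USB ports not blocked",
     lambda a: not a.get("usb_blocked", False)),
    ("durability", "no backup of configuration",
     lambda a: not a.get("config_backup", False)),
    ("durability", "firmware not signed",
     lambda a: not a.get("firmware_signed", False)),
]

def audit(inventory):
    """Return {asset name: [(category, finding), ...]} for assets with findings."""
    report = {}
    for asset in inventory:
        hits = [(cat, msg) for cat, msg, pred in CHECKS if pred(asset)]
        if hits:
            report[asset["name"]] = hits
    return report

def by_category(report):
    """Count findings per category to show where remediation effort should go."""
    counts = {}
    for hits in report.values():
        for cat, _ in hits:
            counts[cat] = counts.get(cat, 0) + 1
    return counts
```
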

So how can these industrial IS be effectively secured?

Industrial systems today make extensive use of information technologies, even though they were not designed to deal with the threats these technologies introduce. There are many examples of published vulnerabilities in industrial systems (the Modbus and OPC protocols are good examples). This is why it is necessary to integrate them into the general thinking on the security of the company’s IS (security culture). Two strategies can then emerge for securing these environments.

First of all, security by design is a strategy for integrating cybersecurity into all company projects, whether in the specification, design, integration or test phase. It is not a question of making the approaches and processes more complex, but rather of integrating the challenges of cybersecurity into the various risk analysis methods that have historically been carried out, in particular those for safety, including FMECA (Failure Modes, Effects and Criticality Analysis) or HAZOP (risk and operating safety analysis). It also covers the integration of cybersecurity into purchasing (determination of legal clauses to be included in contracts, definition of the conditions of ownership of source codes and parameters).

Post-design security, by contrast, is a strategy for implementing security measures on old installations and systems and on the architecture and mapping of industrial systems (access management, or modification of read and write access to PLC configuration files, for example). It reinforces the security of default and obsolete equipment and optimizes the security of industrial systems.

Each installation has its own particularities and risks, which should be analyzed in order to deploy appropriate solutions while limiting the impact on the company’s business activity. Securing an installation generates costs, which are often difficult to estimate. So are the gains achieved. Nevertheless, this securing process protects the company’s investments and production. This is why it is all the more important to define your objectives and adapt them to your needs.

Be careful, however: over-securing can produce effects contrary to those sought and harm the expected industrial performance. Added to this is the difficulty industrial operators have in understanding the actual risk and quantifying it. The cultural gap between IS security practices on the one hand and industrial production practices on the other may create organizational difficulties when governance is being established. To overcome this, it is essential to develop real collaboration between these two parties, with the aim of bringing together thinking on cyber risk and responses to the security requirements of the two environments. The risk-based approach, which has proven its value in addressing the risks to traditional IS, has its place in turn in supporting industrial IS through their overhaul and opening up.




