Today, the term Cybersecurity is everywhere, both in our professional and personal lives. Cybersecurity pervades everything, from how we interact with banking institutions to how social media is managed at the family level. Recall, for example, the privacy clauses that we are required to accept every so often in order to keep using the most popular instant messaging applications.
Terms such as phishing, malware and ransomware have become commonplace for all of us, and news broadcasts on television usually pick up stories involving attacks by more or less organised groups that seek to extract economic or strategic gain from their malicious incursions.
In an increasingly connected industry, there are a number of concrete, scalable and context-specific cybersecurity solutions.
Not as common, however, is focusing on the unique features of this type of malicious activity when its target is industrial plants. Currently, the internal processes of any installation that may be deemed relevant for controlling a critical resource or service, such as a gas pipeline, a water treatment plant, a traffic control centre or a power plant, are highly automated. Their management relies not only on conventional network elements such as servers, routers, firewalls and distributed control stations, but also on systems that are more specific to production environments, such as PLCs, SCADA systems or robots.
These elements are connected via widely used industrial communication buses such as ModBus or ProfiBus, buses that, from approximately the start of the current century, stopped being isolated systems in the industrial plants where they are deployed, and became compatible with Ethernet protocols, which also made them prone to being accessed from the outside. The special vulnerability of these installations becomes apparent when, in addition to the value of the data being managed, the danger posed to people by a malfunction of their physical assets is introduced into the equation. Of course, there are different degrees for categorising this malfunction, and causing the power or traffic lights to go out temporarily in a city is not the same as using a city’s water supply network to distribute a dangerously high level of chlorine, or causing a serious cooling problem in a nuclear power plant.
These complex industrial facilities are very costly infrastructures that usually take several years to build and go into operation, and are designed to provide a service to the population for several decades in order to make the investment profitable. A problem has arisen over the last few years in the wake of the exponential growth in attacks by groups that organise themselves online. These attacks target facilities that were initially designed and set up to respond to physical attacks with perimeter fences, closed-circuit TV or armed personnel, facilities that overnight had to be able to respond to logical attacks as well.
Thus, the industry’s main problem is how to repurpose systems that were not conceived during their development many years ago to withstand sophisticated attacks that can endanger not only the industrial property or business reputation of an organisation, but the integrity of services that are essential to the population.
In response to these threats, several specific tools have emerged for industrial environments, developed by both public institutions and private companies. This specificity derives from the difficulty of applying the same strategies used in conventional IT data networks, as well as from the difficulty of keeping these tools updated to fight known threats. This is because, on the one hand, it is impossible to stop the industrial processes of these critical infrastructures on a recurring basis to apply updates, and, on the other hand, it is also difficult to incorporate new, updated code into hardware components that are highly limited by their age.
Another common strategy to prevent, or at least mitigate, unwanted access in conventional networks is to segment the data network logically and physically by using complex architectures, so that entry into a certain device or service from the outside does not give malicious users unfettered access to the entire network being attacked. It is more complicated to apply these same segmentation techniques in an industrial network, where every controller, sensor and actuator has to operate in coordination in closed-loop structures with continuous feedback from process outputs.
Taking all these considerations into account, the cybersecurity sector has been working hard over the past few years to offer industry increasingly advanced solutions that are tailored to its specific needs. One example is monitoring probes that are deployed virtually in industrial communication networks to monitor activity in the plant without slowing down or blocking the readings received, or the setpoints commanded to the physical elements that form part of the network. These probes are able to detect different types of anomalies in real time while hardly interfering with operations, warning almost immediately as soon as an industrial control system (ICS) is found to be operating outside normal parameters.
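As an added illustration (not code from the article or from any product it mentions), the following is a minimal passive Modbus/TCP inspector of the kind such a probe would run: it parses frames, flags write commands from hosts not in the plant baseline, and flags setpoints outside their engineering range. The allowed-writer address, the register range and the sample frames are constructed assumptions.

```python
import struct

# Modbus/TCP function codes that change controller state (writes),
# as defined in the public Modbus application protocol specification.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical plant baseline (constructed for this example): the only host
# allowed to write, and the acceptable range of a dosing setpoint held in
# holding register address 0.
ALLOWED_WRITERS = {"10.0.0.5"}          # the SCADA/HMI server
SETPOINT_RANGES = {0: (0, 400)}         # register address -> (min, max)

def parse_modbus_tcp(src: str, payload: bytes) -> tuple:
    """Parse MBAP header + PDU into (src, unit_id, function, data)."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("not Modbus protocol id 0")
    if length != len(payload) - 6:       # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return src, unit, payload[7], payload[8:]

def inspect(frame: tuple) -> list:
    """Return anomaly descriptions for one frame (empty list if normal)."""
    src, _unit, function, data = frame
    alerts = []
    if function in WRITE_FUNCTIONS:
        if src not in ALLOWED_WRITERS:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[function]} from unauthorised host")
        if function == 6 and len(data) == 4:   # Write Single Register
            addr, value = struct.unpack(">HH", data)
            lo, hi = SETPOINT_RANGES.get(addr, (0, 0xFFFF))
            if not lo <= value <= hi:
                alerts.append(f"{src}: setpoint {value} for register {addr} outside [{lo}, {hi}]")
    return alerts

# Constructed sample traffic: a read, an in-range write from the HMI,
# and an out-of-range write from an unknown host.
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000001")),   # read 1 register
    ("10.0.0.5", bytes.fromhex("0002000000060106000000C8")),   # write 200: normal
    ("10.0.0.77", bytes.fromhex("0003000000060106000003E8")),  # write 1000
]

def run(samples=SAMPLE) -> list:
    """Inspect every frame and collect alerts; malformed frames are reported too."""
    out = []
    for src, raw in samples:
        try:
            out.extend(inspect(parse_modbus_tcp(src, raw)))
        except ValueError as exc:
            out.append(f"{src}: malformed frame ({exc})")
    return out
```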
This is of such concern that the consequences of this type of attack on critical facilities are being addressed by the IEC (International Electrotechnical Commission), which has developed a specific standard called IEC-62443 that includes a series of recommendations to address, through a holistic approach, industrial protection throughout the entire life cycle of the processes, from the initial risk audit to the start of operations. The NIST (National Institute of Standards and Technology) in the US recently published a draft for dealing with ransomware attacks that specifically incorporates several references to the specificity of the ICS.
Fully in keeping with these international initiatives, but focused on Spain, the CCN (National Cryptological Centre) has launched its SAT-ICS service to detect in real time any threats and incidents involving traffic in industrial control and monitoring networks.