Protecting critical infrastructure: the role of a new cybersecurity standard
Electricity grids, water systems, hospitals and factories are essential to maintain our way of life and keep the economy running, so it’s vital they’re kept secure. This requires defenses – physical and electronic – and a new international standard helps organizations reduce the risk of exposure to cyberthreats.
You only need to turn the clock back a matter of decades to see a much simpler world – one in which industry and critical infrastructure were comprised of mechanical parts and only required physical security. Today, things look rather different. Companies tend to have ‘legacy’ or ‘modern’ mechanical systems. In the case of legacy systems, machinery is often custom-made and 10 or more years old. It forms the basis upon which developments are made, so it is often difficult to replace due to the investment required. In modern industrial systems, equipment tends to be more up-to-date.
In both cases, systems are often controlled electronically, even automatically, and they’re networked. One approach often used to protect critical infrastructure is separating it from the internet.
“Once you’re separated, it’s very hard for an attacker to manipulate what’s inside,” says Ronald Prins, Dutch cybersecurity expert and founder of Hunt & Hackett. “But that’s where the supply chain attack comes in.”
The way criminals gain access to networks that have been isolated for security, such as factories and water systems, is through hardware used within those networks. In a factory, for example, there may be cameras running. They have drivers and firmware updates you can download from the vendor’s website. Hackers can manipulate these and send a virus into the network. “So even if you're separated from the internet, you still need to be very careful,” Ronald says.
Exploiting weaknesses in cyber security
One of the big issues in cybersecurity is that industry and critical infrastructure are increasingly connected to the internet. In recent years, the operational technologies (OT) in use have taken a leap forward with the development of the industrial internet of things (IIoT), also known as Industry 4.0. Networked sensors, devices and software work with machines and humans to make processes more efficient and increase production.
For example, in the automotive industry, IIoT makes car production more precise through 3D printing of tools, and it helps humans and robots function together efficiently. In logistics, sensors keep track of stock and feed information back to ordering systems. And in agriculture, farmers can rely on sensors out in the fields to trigger irrigation and harvesting.
“One way or another – physically, through the internet or through humans – it’s all connected,” says Santosh Sharman, IoT security specialist at Kiwa. “In the end, these technologies are there to serve us. And they need information from us to do that perfectly.”
One way or another – physically, through the internet or through humans – it’s all connected.Santosh Sharman
Whatever level of automation has been applied to the system, there will be a human element, and this leaves organizations vulnerable to attacks, Santosh continues: “Security systems can become really complex and sophisticated, with layers upon layers upon layers of security. But there’s always a human in the loop, and humans make mistakes.”
One of our human limitations is the inability to remember endless numbers of randomly generated passwords. Instead, we tend to use something we can recall, and people often reuse the same or similar passwords. A cybercriminal on the dark web could buy, for example, your password to a social media site. If that is similar to the password you use to access your work system, the hacker has a chance of getting in.
Continuity, IP and data protection
The risks to businesses vary depending on who you’re talking to, according to Ronald Prins. Some people and departments are most concerned about the privacy of the data they have. Some are more worried about theft of intellectual property. For others, the biggest risk is business continuity, and therefore ransomware.
“I think actually, the answer should be to focus all three of them,” he adds. “Organizations can struggle to find a balance in making their organization secure, so they might be very good at one aspect but neglect the other two a little.”
For industry and critical infrastructure, ransomware is a major threat. The more familiar form of ransomware targeted the individual, demanding, say, €400 in Bitcoin for access to hijacked data. But far more common today is that cybercriminal organizations will target big companies that are likely to go bust without that access – and would therefore be willing to pay huge sums for it.
Once the criminals have made the ransom demands, the crime begins to resemble a business-to-business transaction. The company can usually negotiate with the hackers, and when they agree to pay, there might be guidance on how to use keys to the locks they have set up in the system, and even a helpdesk to troubleshoot.
A game of cat and mouse
While police advise not to pay the ransom (and therefore perpetuate the problem), private organizations tend to pay in order to protect their business. The criminals target specific systems and processes to make sure this happens. For example, Ronald says: “If your key process is sending out packages, they will try to break into the warehouse systems and actually stop the robots. Doing this to eCommerce companies around Christmas almost guarantees they will pay.”
“The groups who carry out the attacks are getting more and more professional, and they’re maturing faster on the attacker side than we are on the defender side,” Ronald adds. The problem? The traditional approach to cybersecurity is blacklists – blocking invaders we recognize as threatening. Armed with these lists, attackers will always be one step ahead. Instead, Ronald says, we need whitelists.
The groups who carry out the attacks are maturing faster on the attacker side than we are on the defender side.Ronald Prins
“It becomes a cat-and-mouse game between the attackers and the defenders. We need a different strategy, more like an immune system, which comes from a zero trust perspective: we don’t trust anything on a network unless it can prove its validity.”
IEC 62443: standard for industrial communication networks
So how do you protect an organization’s key processes and critical infrastructure? IEC 62443, the new global standards for the security of Industrial Control System (ICS) networks, help companies reduce their risk of failure and exposure to cyberthreats.
IEC 62443 approaches security from the company’s role in the industry. For example, it might be an operator, integrator (a service provider for integration and maintenance) or a manufacturer. The standards are laid out in four parts, and they assess companies on four levels of maturity and five levels of security.
The first part of the standard consists of glossaries, agreed upon definitions and similar content, while the second part covers policies and procedures a company should have in place to guarantee better resistance to cyberattacks. The two further levels cover processes, systems and the human element. These three are interlinked, Santosh Sharman says: “A cybersecurity process requires a human to run it, and that process is itself linked to the technology – physical and non-physical components. All this is laid out in the standards.”
The level of maturity refers to the stage a company has reached for each part of the standards. At Level 1, they are just getting started and have more of an ad-hoc approach, and at Level 4, they have a well-structured system of continuous improvement in place. The security levels refer to the company’s resistance against attackers, with level 0 being the lowest, and level 4 being extensive and sophisticated.
Kiwa has started working with the policies and procedures part of the standards in 2020. “At Kiwa, our job is to test if your system adheres to the requirements in this standard, depending on the role you have,” Santosh says. “First we identify the person in charge of policies and procedures, then we conduct an interview and from there on we determine the level the policies and procedures are.”
The future of cybersecurity
Technology continues to evolve exponentially, and while that will lead to more efficient and productive industrial processes, it will also bring greater cybersecurity risks. Santosh believes the new IEC 62443 will play a vital role.
“In the future, cybersecurity will be one of the most important aspects of business. I think these standards will become a regular layer for companies’ cybersecurity, just like ISO 27001 is for information security. Every company that takes itself seriously needs to have ISO 27001 certification, and I think that’s where IEC 62443 is headed.”
Ronald Prins supports the development of stronger regulation around cybersecurity. “I hope governments will regulate much more what’s happening on a cybersecurity level – that they will put more restrictions on these types of networks, and prescribe how you should make them secure.”
IEC 62443 will play a role, and Ronald also recommends working with an experienced partner. “This is not something you can do on your own,” he says. “You need a certified security partner who is there all the time. Don’t wait for your first breach to get the experience yourself.”