We were very grateful for the opportunity to sit down with Nigel Stanley, Practice Director of Cyber Security for TÜV Rheinland and OpenSky, to talk about cyber security risks for industrial control systems and Internet of Things (IoT) devices. Machine-to-machine connections are growing exponentially, and as communication becomes easier, so does the exposure to attack. At the same time, more manufacturers of medical devices want their products to benefit from features that connect to the internet. Additionally, we are seeing increasing links between industrial or operational technology and traditional office information technology, making cyber security at this interface a critical part of functional safety. Mr. Stanley generously took the time to give us some insight into these issues.
What is so interesting about security of electromechanical systems that are computer enabled and have internetworking capabilities today?
What is interesting is that if you compromise an electromechanical system such as an engineering system or a processing plant, it can have a physical or kinetic effect. Traditional hackers and traditional information security have been about securing data. Data itself is invisible; as such it doesn't have any tangible impact in terms of physical effect. In contrast, the compromise of industrial control systems absolutely can have a physical, kinetic effect. So, if you imagine critical national infrastructures such as the electrical power grid, by subverting the security of that system you can have a physical effect because you can theoretically turn off electrical power. The need to secure these systems is now paramount because they are increasingly being connected to the internet. We see hackers paying a lot of attention to such systems, so we as cyber security professionals need to be working harder to protect those systems.
What kind of protections can one put in place?
There are a number of issues here. The first issue is that we need to understand the risk facing the system. Whenever we do client work, we look at the electrotechnical system to understand what the cyber risk is to that system. We observe the system architecture, its business objective, the way the system is constructed, how it's used, and how it's connected. Once we have understood these things we can assess the system risk based on our understanding of likely threats. If the system is connected to the internet, there is a potential for that system to be compromised through the internet. If the system is not connected to the internet (it's got what we call an air gap), then it may be possible for a technician to insert malware using a USB stick. But every system is different, and it is very important for organizations that run these systems to go through a risk assessment process, so that they can then put in place the necessary controls, be they technical controls or policy-based controls.
What are the risks of such an increase in machine-to-machine connections, from 500 million now to 3.2 billion in 2020?
As machines start to communicate, we find that the communication mechanism is often reused or replicated in other systems, so insecurities in one connection can be carried into other systems down the chain. We often find that, due to the nature of the machines being connected, the software or the process doesn't have much capacity in terms of memory or processing power for additional security controls. So, if there is a choice between a feature or adding more security, in my experience the new feature will always be added. That means we are finding machine-to-machine connections with poor authentication, which is how one machine authenticates to another machine, and we are seeing reuse of software code containing errors propagated across multiple systems. As the world of IoT devices starts to gain momentum, we become more reliant on these machine-to-machine connections. Security issues and the associated risk explode exponentially as more systems connect, compounding the problem as the network grows.
You talk about "data exchange directly from the Supervisory Control and Data Acquisition (SCADA) network to the office world". What cyber security risks present themselves in this context?
A SCADA system controls things like processing plants, perhaps a power grid, or maybe a water processing plant. Increasingly we are seeing those systems starting to connect to traditional office information technology. So, if I am an accountant working in a processing company, I might decide that I want to see the most up-to-date processing information, for example how many units of a chemical are being produced in real time. To achieve that, some companies are putting in place a connection between the SCADA system, or an industrial control system, and normal office IT systems. We then see data flowing from the industrial control system into an accounts system, or maybe into an enterprise resource planning (ERP) manufacturing control system. That is OK if the flow of data is unidirectional, in other words, if the data flows just from the industrial system to the accounts system. Of course, we still need to secure it and to manage it, but because the data only flows in one direction, it's normally OK. The problem comes when we start to have bi-directional data flows from the industrial system to the office IT system and back again. The accountant will say, we wish to send data to the industrial control system, maybe to increase some production value. This is crazy, and hopefully no production manager would allow unqualified staff to interfere with a production or control system, but anything is possible. In addition, more up-to-date control system networks are using the same Ethernet and wireless IP technology used by office IT, introducing the potential for additional security risks. The understandable driver for this is cost saving, as putting in place one network to control your industrial system and your office IT could save money, but the security risks need to be understood. Luckily, we have a way of dealing with this risk by the use of technical controls and good network planning.
Does that mean that essentially you are opening another gateway or access point?
Correct. It is another way of introducing risk into your systems. Normally the industrial control system, the SCADA system, is isolated, and as soon as you start to connect it to other systems you increase cyber risk.
How do corporate IT and industrial IT differ?
Traditional corporate IT is email, file sharing, office productivity tools, online meetings and conferencing, which is quite well understood, and there are security measures in place to address many of the associated risks. Operational technology (OT), or industrial IT, is a very different world because the networks are often quite old. They may have been installed 30 years ago and use what we call serial-based networking technology. These networks do not use Transmission Control Protocol and Internet Protocol (TCP/IP), but often a very basic, unsecured serial-based protocol. There is typically very poor security in OT; for example, we often don't see passwords being used, and if they are there they are often very basic and stuck on a sticky note by the side of the engineering or technical workstation. OT systems are very rarely patched or updated. In office IT, we are patching and updating almost every day. Patching and updating a processing plant is a very risky thing to do because it may impact availability, so often they are not patched or updated for many years. The two are very different forms of IT.
Why is availability normally a major risk in terms of industrial IT?
If there is an interruption in the operation of a processing plant, millions of euros or millions of dollars could be lost per hour, because the product is not being produced in that time. So, availability is a big issue. Almost all decisions taken at a plant or process installation will be in the context of availability.
What safety measures should be applied to industrial IT?
Functional safety is very important. That is a way of understanding the safety posture of a processing plant and then ensuring that it is as safe as possible. We undertake safety reviews within TÜV Rheinland using various safety standards, including one called IEC 61508. Safety standards increasingly ask: how can a plant be safe if it is not secure? How can we have a safe processing plant if we are allowing malware and viruses to enter the plant? So, we are now starting to see that industrial operational technology safety standards are requiring cyber security to be considered as well. At TÜV Rheinland and OpenSky we are leading the way for our clients by bringing together functional safety, and the internationally recognized standards behind functional safety such as IEC 61508, with cyber security standards such as IEC 62443.
The next question changes direction a bit: Why have hackers taken an interest in medical devices entering the IoT?
Increasingly, we see medical devices that are enabled with wireless connectivity. For example, I am currently working on a project for a medical device; it is a continuous glucose monitoring device. It measures the amount of sugar in the blood for someone who has diabetes. It connects with a smartphone and therefore is connected to the internet. Other devices could be an X-ray machine, or an infusion pump, and so on and so forth. Medical device manufacturers want to take advantage of the internet in the same way an industrial control system manufacturer does. Hackers have seen this and they find it quite interesting. Why hack boring data when you can hack a physical, kinetic device? It's cool, it's exciting, it's interesting and it's a new challenge. Hackers are very innovative and they see this as a new playground. Some hackers are also interested in the data that is contained on these devices, for example sensitive medical data and the results of medical tests. If a hacker can get hold of the medical data for a senior politician, they may have the opportunity to blackmail that politician, or even manipulate or change the results. So that is why hackers tend to take a lot of interest in medical devices.
How can manufacturers of IoT medical devices make their products safer?
As for manufacturers of any device that connects to the internet, they need to conduct a risk and safety assessment. They need to understand what risks exist. Does the device connect to a wireless network? What passwords does it use? What about the code that runs on the hardware, or the firmware: how well written is it? Once a risk assessment has been conducted, they need to implement proportional controls to address that risk or safety concern. For example, if there is a hard-coded password in the code, then that needs to be removed, so a proportionate control would be a review of the software code and removal of hard-coded passwords. If the device is using a wireless network, we need to understand why and then put a control in place, such as encrypting the data across the wireless network.
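The code review Mr. Stanley describes, finding hard-coded passwords and keys in a device's firmware or configuration, is usually started with an automated scan before a human reads the hits. The following is an editor-added example and is not part of the interview or any TÜV Rheinland or OpenSky tooling. It combines two common heuristics: a quoted literal assigned to a credential-like key name, and any long string literal whose Shannon entropy is high enough to look like a key or token. The sample configuration it scans is constructed for this example and does not come from any real product.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: an excerpt of a hypothetical device configuration
# file shipped inside firmware. Not taken from any real product.
SAMPLE_CONFIG = """\
WIFI_SSID = "clinic-net"
WIFI_PSK = "hunter2"
admin_password = "ChangeMe123!"
api_token = "sk_live_9f8a7b6c5d4e3f2a1b0c"
password = os.environ["DEVICE_PASSWORD"]
log_level = "debug"
serial_number = "SN-000142"
"""

# Heuristic 1: a quoted literal assigned to a key whose name suggests a credential.
# The lazy prefix lets the credential word appear anywhere inside the key name.
SECRET_KEY_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z0-9_]*?(pass(word|wd)?|pwd|psk|secret|token|api[_-]?key)[A-Za-z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)

# Heuristic 2: any quoted literal of 16+ characters is checked for high entropy,
# regardless of the key name, to catch keys hidden behind innocuous names.
STRING_LITERAL_RE = re.compile(r'["\']([^"\']{16,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


@dataclass
class Finding:
    line_no: int
    key: Optional[str]
    value: str
    reasons: List[str]


def scan_for_hardcoded_secrets(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return one Finding per line that looks like it embeds a credential.

    Lines that read the secret at runtime (e.g. from the environment) carry no
    quoted literal after the key and are therefore not reported.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reasons: List[str] = []
        key: Optional[str] = None
        value: Optional[str] = None

        m = SECRET_KEY_RE.search(line)
        if m:
            key, value = m.group("key"), m.group("value")
            reasons.append(f"literal assigned to credential-like key {key!r}")

        lit = STRING_LITERAL_RE.search(line)
        if lit:
            entropy = shannon_entropy(lit.group(1))
            if entropy >= entropy_threshold:
                value = value or lit.group(1)
                reasons.append(f"high-entropy literal ({entropy:.2f} bits/char)")

        if reasons and value is not None:
            findings.append(Finding(line_no, key, value, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_for_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key or '<unnamed>'} = {f.value!r}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the scan reports lines 2, 3 and 4 (the Wi-Fi PSK, the admin password, and the API token, the last one on both heuristics) and leaves the `os.environ` line alone, which is the shape of the fix the interview recommends: the credential is supplied at runtime instead of being baked into the image. In practice the threshold and key-name list are tuned per code base, and every hit still goes to a reviewer.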
What does the General Data Protection Regulation seek to regulate? How does this affect industrial IT?
The General Data Protection Regulation (GDPR) is an EU-wide regulation that will be enforced as of May 2018. It is very focused on the protection of personal data and sensitive information, and how that information is processed. So, if you think about a typical industrial system or OT system, it does not use personal data. If I am operating a processing plant I am very unlikely to be using much or any personal data. But if I have a medical device I will be using personal and sensitive data. One of the big considerations around that is how do I secure the medical device so that I don't have any data breaches, and how do I manage data transfers. We do a lot of work with US-based medical device manufacturers that want to take data from the EU to the United States. That transfer must be conducted in a particular way with regard to various regulations, to ensure that when the data arrives in the United States it is protected at the same level it is within the EU. The GDPR creates an EU-wide regulation that replaces individual country data protection laws. And because data protection is paramount, it has some very significant fines if people are subjected to a data breach or organisations fail to comply with GDPR requirements. So now there is this stick for people who fail to adhere to GDPR; it is a really big deal to the world of information security.
What about IEC 62443-4-2 Foundational Requirements/Technical Security Requirements?
IEC 62443 provides a good security standard for operational technology, and we are adopting this as our preferred standard in this area. It is a very good start in helping organizations understand the security risks they might face and how to mitigate those risks. It has four security levels that organizations can achieve based on the controls they have in place: security level one includes putting in place basic measures to control their security, all the way up to security level four, which is a super secure posture. We are using IEC 62443 as part of our security risk assessment and evaluation standard set.
As more devices connect to the internet and more networks are shared, for example between corporate IT and OT, ensuring cyber security means taking a structured and professional approach. For manufacturers of IoT medical devices as well as process plant managers and systems integrators, cyber security is paramount for the prosperity of their businesses and the safety of their assets. The implementation of international standards and strictly enforced EU legislation are significant steps on the path to increased cyber security, both in functional safety and in IoT medical devices. Once again, many thanks to Nigel Stanley for making time in his schedule to speak with us.