Cyber: A year of living dangerously
19 Mar 2013
Connecting into a factory with a smart phone emerged top of an engineers’ wishlist for industrial networking, in a recent survey by cyber security expert Eric Byres. Based on such feedback, he predicts that 2013 will be the year that the mainstream control system vendors start promoting iOS apps, and iPhones/iPads start to be used for industrial applications.
“Tablets will start to make their way onto the shopfloor, further complicating plant security,” predicted Byres – a worrying development, particularly as he believes that most PLC and SCADA vendors will continue to ship controllers using insecure protocols in 2013.
“As with all industrial technologies, we won’t see a full invasion of i-devices on the plant floor in 2013, but the wall will be breached,” said Byres, who expects maintenance and support to be the first target applications.
“When your maintenance team is trying to repair that failed transmitter or troubleshoot that drive at 2am, it is very nice to be able to check the inventory system for spare parts or review the online manuals for troubleshooting advice,” he explained. “Being able to do that right where the problem is – rather than having to go back to the office – will be a powerful driver for allowing tablet devices on the plant floor.”
While this “won’t be pretty” from a security point of view, the IT expert believes industry will just have to get used to it. The development, he further suggested, could drive industry to deploy more holistic security strategies rather than the security band-aids so often seen now.
Meanwhile, following the Stuxnet, Flame and Shamoon attacks, plus others like Gauss that hit the energy industry in the Middle East, Byres predicts at least one major security event impacting industry in 2013 – in either Europe or North America.
The emergence of rival SCADA and ICS security standards is yet another issue creating a stir in the cyber world. Last year the security committees at ISA and IEC joined forces, resulting in the ratification of IEC/ISA 62443-2-1 – ‘Industrial automation and control systems security management system’.
This year, Byres expects to see more progress towards coherent international standards, as well as improved usability and consistency of these standards. A number of new or substantially improved documents will be released – for example, a completely rewritten 62443-02-01 may be available before December.
And, as almost anyone can call themselves a SCADA security expert, another significant development this year will be the release of certifications for SCADA/ICS security professionals. The best, said Byres, will be independent of both ICS/security vendors and the various training companies and will just focus on testing subject matter expertise.
Meanwhile, security consultancies like TUV are set to make a major push into the SCADA/process security markets, and the IEC safety standards will start to be re-evaluated in terms of security.
In the UK, meanwhile, efforts to protect the country against cyber crime are being hampered by skills shortages in the area of ICT and a lack of response by industry to the growing threat, the National Audit Office (NAO) has found.
Cybercrime is estimated to cost the UK – mainly its industry and national infrastructure – between £18 billion and £27 billion a year, said a new NAO report on the Government’s cyber security strategy.
The UK’s ‘Cyber Security Strategy’, published back in late 2011, set out how the Government planned to deliver a national cyber security programme through to 2015. This included committing £650 million of additional funding.
Addressing challenges to the strategy, the NAO cited government figures showing that the number of ICT and cyber security professionals in the UK had not increased in line with the growth of the internet.
There has also, it said, been a decade-long decline in ICT and computer science in schools and universities and a lack of younger people working in the area of cyber security.
“This shortage of ICT skills hampers the UK’s ability to protect itself in cyberspace and to promote the use of the internet both now and in the future,” the NAO commented.
Meanwhile, cyber security is still not well understood at board level in industry, where executives have difficulty assessing the impact of cyber security risks, said the report.
The NAO highlighted the need for partnerships between government and industry and within industry itself to reach a common understanding of risks and share the costs of protecting UK plc.
Elsewhere, management aspects of cyber security featured at a panel discussion at the November 2012 Honeywell Users Group EMEA meeting in Istanbul. Organised by Honeywell Process Solutions (HPS), the panel included Dimitris Moutzouris-Lygeros of Greece’s Motor Oil Hellas, Romano Karlovic of Croatia’s INA Rijeka, Mohamed Amine Kaddour Brahim of Algeria’s Sonatrach, Karl Huthmacher of Shell in Germany and Rick Kaun of HPS.
The discussion included the question of determining who should have responsibility for protecting production assets from cyber attacks. The consensus was that control systems and IT groups share a joint responsibility.
However, operational groups, who understand the relative importance of process availability and safety, must take the lead, while also tapping into the skills of IT personnel.
“It needs to be the joint responsibility of control engineers and IT,” said Sonatrach’s Brahim. “They need to work together to protect the IT network and the production assets.”
“The operations and production people must bear ultimate responsibility,” added Moutzouris-Lygeros of Motor Oil Hellas. “We are familiar with safety; cyber security is the same way.”
Likewise, Kaun said that a combination of skill sets was needed. The HPS man concurred that users with process and operational expertise should leverage the skill-sets of their company’s IT department instead of duplicating them.
While much of industry’s cyber security effort today is focused on identifying system vulnerabilities and fixing them, cyber security measures are often treated as one-off deployments. There is also a tendency for end users to rely almost solely on the capabilities of control system suppliers to identify and address cyber vulnerabilities, rather than develop a security culture within the organisation.
“Companies need policies that affirm secure practices, and the need to have repercussions,” Kaun said. These policies and practices should spell out, for example, how mobile devices, jump drives and USB ports are to be used.
At Shell, all USB devices are scanned to verify their security, said Huthmacher.
However, USB sticks get a ‘bad rap’, according to Kaun, who suggested that rather than just disabling all the USB ports in a facility, companies need to understand what the business needs are and develop processes to meet those needs as securely as possible.
Physical security, too, is increasingly intertwined with companies’ cyber-security thinking, according to Huthmacher.
“What if an employee opens a cabinet and switches off a firewall’s power?” asked Huthmacher.
Agreeing that there was a need for better communications between physical and cyber security functions, Kaun pointed to the possible emergence of regulations that require real-time response to any incidence of physical intrusion.
“At its most essential, cyber security is the end result of people, business processes and technology together working to make sure your process works in the way you expect it to,” concluded Kaun. “Security needs to be a culture. It’s not enough to think about it once in a while. It needs to be baked into everything you do.”