The notion that ideas become reality especially applies to cybersecurity in critical national infrastructure. Security breaches can result in very real losses of water or energy; but ideas around cyber threats are obscured by misconceptions around the nature of such attacks and how to deal with them. Sean Robinson, service leader of automation specialist Novotek UK and Ireland, explains how a compact controller could negate these threats, and improve companies’ internal understanding of cyberattacks.
An annual report by Kaspersky Lab, The State of Industrial Cybersecurity 2018, revealed several interesting facts about how industrial cybersecurity is perceived by businesses and applied to Industrial Control Systems (ICS). The survey of 230 worldwide professionals reveals disconnections between what is feared by businesses, and what’s happening in reality.
For instance, 66 per cent of the surveyed businesses were most concerned about advanced persistent threats (APT), like data leaks and spying (59 per cent), because of their perceived potential impact. In reality, APT’s make up 16 per cent of cybersecurity incidents. Actually, conventional malware and virus outbreaks are becoming the greater problem. These attacks are not overly sophisticated and made up 64 per cent of cybersecurity incidents, last year.
Aside from misconceptions about the external threat landscape, disparities also exist within organisations. In relation to Kaspersky Lab’s survey, technology website tripwire.com cited a report by the SANS Institute. SANS found that, among nearly three-quarters of firms that were confident in their ability to secure their industrial internet of things (IIoT), there were more likely to be different internal perceptions about the effectiveness of their security measures. While leaders and department managers were more likely to have a “rosy outlook” of their security, operational technology departments had a more pessimistic view.
Such misconceptions would be even more of a concern within critical national infrastructures. Cyberattacks against water, energy or chemical supplies can have very real consequences for countries and their populations.
Upgrading control systems
From a hardware and systems perspective, more than half — 54 per cent — of the surveyed businesses identified integrating ICS with IT systems and Internet of Things (IoT) ecosystems as among the most pronounced challenges. This last statistic places a wider challenge faced by plant managers into a whole new context: specifically, how best to achieve space and cost savings by reducing the size and complexity of plant equipment.
Plant managers are turning to new systems to achieve greater levels of flexibility and profitability in their production. This coincides with older programmable automation controller (PAC) systems, like trusted Series 90-30 controllers, reaching the end of their operational lifespans. In many cases, these 90-30 systems have been relied upon as integral to plant operations for upwards of 25 years.
How can plant managers effectively upgrade their systems, while ensuring that cybersecurity measures keep up with the rate of technology adoption — and the external threat landscape? Fortunately, answers lie in smart hardware and its role in helping manufacturers enhance process flexibility and performance.
One solution lies in better control. The RSTi-EP CPE100 is a compact controller for PAC systems — specifically, to control the RX3i CPU from Emerson which has emerged as a popular and effective upgrade for 90-30 systems. In a nutshell, the RSTi-EP CPE100 leverages the power and flexibility of PAC systems in smaller applications.
The RSTi-EP CPE100, entire PAC systems can be programmed in stand-alone applications, or the system can be used as an auxiliary controller in larger process applications that use the RX3i. Not only does the system leverage the power and flexibility of PAC systems in smaller applications, there are also benefits in terms or cybersecurity — indeed, the RSTi CPE100 is secure by design.
With the system, companies can apply optimised security right from the very start. RSTi CPE100 incorporates technologies like Trusted Platform Modules and secure, trusted, and measured boot. It allows centralised configurations, so that encrypted firmware updates can be executed from a secure central location. Specifically, a suite of cybersecurity technologies can help prevent unauthorized updates. Meanwhile, built-in security protocols can protect against man-in-the-middle attack (MITM) — where the attacker secretly inters with communications between two parties — and denial-of-service (DoS) attacks.
Speaking of the “man-in-the-middle”, another key takeaway from Kaspersky Lab’s report is that, going forward, industrial companies must also pay more attention to employees’ understanding and awareness of cyber threats. Because the RSTi-EP CPE100 can streamline application development and integration, a further benefit of the system is that it simplifies training for operators and maintenance workers.
While cyberattacks on ICS computers are misunderstood by many within industry, it’s necessary to overcome these misconceptions while keeping up with the best cybersecurity measures. Novotek recommends that managers should pay attention to system security from the very beginning of their integration. The more critical the application, the more important it is that ideas surrounding cyberattacks accurately pre-empt the realities.