With the development of the Industrial Internet of Things (IIoT) and cloud computing, the interconnection of industrial systems is increasingly important and cyber threats are multiplying. In this article, we will see why the cybersecurity of industrial control systems (ICS) requires a specific approach, different from that of traditional computer networks (IT). The particular risks of industrial systems, such as theft of confidential data (a minimal threat compared to a production stop), sabotage or denial of service of the industrial facility, will be developed through 3 attack scenarios in future articles. Stay connected!

1. WHAT IS AN INDUSTRIAL SYSTEM?

Industrial systems are different from traditional information systems: they control physical installations. These strategic systems ensure the operation of critical installations in various industrial fields:

  • energy: extraction and/or production of oil and gas, electricity distribution;
  • transport: road infrastructure, rail or air transport;
  • production: manufacturing plants, production units;
  • services: water management and distribution; security, air conditioning, heating…

Industrial systems are regulated by international standards emanating from:

  • cross-industry organizations (International Society of Automation (ISA), International Electrotechnical Commission (IEC)…);
  • industry-specific organizations (International Atomic Energy Agency for nuclear; European Committee for Electrotechnical Standardization for rail…).

2. INDUSTRIAL SYSTEMS: A 6-LEVEL TECHNICAL ARCHITECTURE

Industrial infrastructures are driven by industrial networks interconnected at various levels: programmable logic controllers (PLCs), monitoring and data acquisition stations (SCADA), digital control systems (DCS), sensors, actuators, calculators, etc.

6 interconnected levels
According to the ISA 95 standard, the architecture of an industrial network is organized into 6 levels:

  • Level 0 – Terrain: sensors, actuators, motor;
  • Level 1 – Process: automata, safety systems, controllers;
  • Level 2 – Supervision: SCADA stations;
  • Level 3 – Driving: factory driving, MES;
  • Levels 4 and 5 – Business: PC, office, messaging, intranet.

Industrial Network

We speak of an industrial control system (ICS) when at least 4 of the 5 following characteristics are met:

  • The network aims to control and supervise a physical process;
  • It is deployed in an environment requiring a specific material resistance (resistance to a temperature of 70 °C, DC power supply of 12 or 24 V, resistance to dust…);
  • It uses IEC standardized communication protocols or proprietary protocols managed by recognized manufacturers;
  • Its operation mainly relies on low-bandwidth “machine-to-machine” communication (10/100 Mbps for local networks and 512 kbits for remote networks);
  • The use of IT technologies (IETF and HTTP protocols for example) is reserved for management operations such as web administration, SNMP or ICMP monitoring.

3. SPECIFIC RISKS AND OBJECTIVES

3.1. Physical risks

3.1.1. Classic computer networks …

In the event of a cyber attack on an information system (IT), the risk is an attack on the confidentiality, integrity and availability of the data. The impact is mainly financial (extortion of bank details, distributed denial of service on web servers…).

3.1.2. … vs. industrial systems

Because industrial systems control physical infrastructure with operational technologies (OT), the risks in case of a cyber attack are more numerous and can have much more serious consequences:

  • jeopardize the operational safety of the controlled facilities;
  • call into question the physical integrity of the production tool;
  • affect the physical security of property and people.

Bodily and material consequences
During the Lodz streetcar attack in 2008, the takeover of switches by a teenager resulted in 4 derailments and 12 injuries. In addition to the human and material consequences, the criminal liability of the leader is also engaged.

3.2. Cybersecurity objectives adapted to the threats

Cybersecurity objectives differ according to the type of system to be protected:

  • On an information system (IT), the priorities are, in order: confidentiality, integrity and availability of data.
  • On an industrial system (IT + OT), the focus will be first on the availability of data, then on their integrity and only then on their confidentiality.

4. THE 4 SPECIFICITIES OF CYBERSECURITY OF INDUSTRIAL SYSTEMS

4.1. Specificity #1: Vectors of various threats

Malware can be introduced through infected USB keys and then move to the stations controlling industrial networks. The existence of remote diagnosis or remote maintenance devices requiring remote access to networks and the presence of workstations operated by third parties (subcontractors, external service providers) are also potentially dangerous loopholes for the industrial system.

4.2. Specificity #2: systems not designed to fight against malevolence

Initially, industrial systems were designed for transparency and ease of access to data. The concept of malice was not taken into account by the designers or the users. Today, even though the threat of cyber attacks is exacerbated by hyperconnection and the multiplication of gateways to the network, industrial operators have not improved security.

4.3. Specificity #3: proprietary and closed protocols

Industrial systems are built on protocols that allow the exchange of data between the different components of the network. But the protocols for modifying and sometimes reprogramming the control system are mostly proprietary and closed. For intellectual property reasons, industrial equipment manufacturers have not planned to open these protocols. It is therefore not possible to apply protection techniques such as protocol compliance checks to the messages that pass through the industrial network.

4.4. Specificity #4: events to contextualize

Industrial systems require contextualization of events for decision-making. For example, a stop command (“STOP” command) passed to a PLC cannot in itself be considered legitimate or malicious. For the protection to be operational and non-blocking, any order must be contextualized by a suitable cybersecurity solution in order to decide whether or not to trigger a protection operation.
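The following sketch is an added example, not code from the original article or from any vendor product. It shows the same “STOP” command being judged differently depending on its context. The asset names, maintenance window, command names other than STOP and the three rules are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str      # asset that sent the command
    dst: str      # PLC that received it
    command: str

# Constructed context: asset inventory (system map) and approved maintenance windows.
INVENTORY = {"eng-ws-01", "scada-01", "plc-07"}
MAINTENANCE = {"plc-07": (time(2, 0), time(4, 0))}
CONTROL_COMMANDS = {"STOP", "START", "PROGRAM"}  # commands that change process state

def build_baseline(events):
    """Flows seen during a learning period, as (src, dst, command) tuples."""
    return {(e.src, e.dst, e.command) for e in events}

def assess(event, baseline):
    """Return (verdict, reasons). Monitoring only: nothing is blocked."""
    reasons = []
    if event.src not in INVENTORY:
        reasons.append("source not in asset inventory")
    if event.command in CONTROL_COMMANDS:
        if (event.src, event.dst, event.command) not in baseline:
            reasons.append("flow never seen in baseline")
        # No declared window for the target means the command is always out of window.
        start, end = MAINTENANCE.get(event.dst, (time(0, 0), time(0, 0)))
        if not (start <= event.ts.time() < end):
            reasons.append("outside maintenance window")
    return ("alert" if reasons else "expected", reasons)

# Constructed learning-period traffic.
LEARNING = [
    Event(datetime(2024, 1, 10, 2, 30), "eng-ws-01", "plc-07", "STOP"),
    Event(datetime(2024, 1, 10, 9, 0), "scada-01", "plc-07", "READ"),
]
BASELINE = build_baseline(LEARNING)

if __name__ == "__main__":
    for ev in [
        Event(datetime(2024, 1, 17, 2, 45), "eng-ws-01", "plc-07", "STOP"),
        Event(datetime(2024, 1, 17, 14, 0), "eng-ws-01", "plc-07", "STOP"),
        Event(datetime(2024, 1, 17, 2, 45), "laptop-x", "plc-07", "STOP"),
    ]:
        print(ev.src, ev.ts.time(), ev.command, assess(ev, BASELINE))
```

The verdict only raises an alert and never drops the command, which keeps the check non-blocking for the controlled process.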

Given the specificity of industrial systems incorporating operational technologies (OT), it is not possible to protect them against cyber attacks in the same way as traditional information systems (IT). To avoid blocking the flow of information necessary for the proper functioning of the controlled infrastructure, all events must be inventoried and analyzed in their context, through monitoring and a complete mapping of the system. To defend against specific attack scenarios, such as data theft, sabotage or industrial denial of service, industrial systems must be protected specifically: this is what Sentryo proposes with its ICS Cybervision security platform. Discover our ebook to benefit from all the keys to understand and ensure the security of your industrial systems.