The modern world is rapidly evolving into a digital knowledge-based ‘Industry 4.0’ economy, in a change as significant as the industrial revolution of the 18th Century. Automation, Artificial Intelligence and Machine Learning have increased productivity and optimized operations, as well as offering solutions to (but also creating) problems such as the skills gap.
As this process evolves, the introduction of cyber-physical systems, the adoption of cloud computing and cognitive/behavioral computing all introduce a new set of challenges that organizations are only now in the process of understanding and tackling. Throughout all this, a fundamental challenge remains about how these advances should be secured, where the resources to do this will come from, and which global standards might be needed to smooth its development.
A key driver for success in ‘Industry 4.0’ is Operational Technology (OT). This is a broad term referring to any computer system that controls or detects a physical or kinetic action. It can range from the computer system used to remotely control a substation circuit breaker through to the systems used to operate a complex autonomous motor vehicle.
With advances in OT come safety and cybersecurity issues. For too long, protecting the safety-critical systems within industries such as energy and utilities has been viewed as a physical security problem rather than one of cybersecurity. Organizations have hidden behind the myth of the OT air gap – believing that safety-critical systems kept behind physical barriers were safe from cyber threats – which has allowed complacency and under-investment to take hold.
In reality, even technology that is kept in a segmented network or completely stripped of an internet connection can still be a security liability – as demonstrated by the now infamous Stuxnet worm, reportedly introduced to a “secure” facility by USB stick.
Of course, cybersecurity standards have a big part to play and functional safety engineers are starting to realize that their systems can no longer be safe if they are not secure. There is a distinct challenge for safety engineers, who operate in a deterministic world, when they have to address cybersecurity issues that are inherently non-deterministic.
In other words, a system can be proven to be safe but never proven to be secure. There has been good work from the National Institute of Standards and Technology (NIST) with its cybersecurity framework, and from the International Electrotechnical Commission (IEC) with its development of the cybersecurity standard IEC 62443, which is starting to bring functional safety and cybersecurity together. However, we still have a way to go.
Global supply chains provide arguably one of the biggest challenges to OT cybersecurity and safety, as smaller suppliers have fewer resources and less time and money to secure their plants, processes and data. Threat actors will always go for the weakest link – so why attack a global manufacturer when you can compromise one of their tier three suppliers to gain access?
This new wave of OT cyber-attacks can be about the disruption of whole sectors, economies and political systems. If a sophisticated attack like the Triton malware of 2017, which attempted to interfere with a plant operator’s safety-critical system, were successful, it could represent a serious threat to the public and the environment. Thankfully, this malware failed because the safety system did what it was designed to do – fail safe.
Exploratory attacks on OT systems can act as proofs of concept for more sophisticated attacks, and with multiple threat actors known to be researching similar methods, it seems likely that the appearance and near-success of Triton will encourage further serious incidents.
In this context, it seems likely that tougher penalties, driven by a political imperative, could soon start to emerge. If companies managing safety-critical systems don’t invest in cybersecurity and ignore vulnerabilities, they could in the future be hit with big fines, or their executives could even face imprisonment.
In the meantime, organizations in these sectors must urgently assess the cybersecurity risk in their safety-critical systems, by conducting a combined engineering and business review of organizational OT cybersecurity using an appropriate framework. After that, they must develop and enforce a proportionate and measured remediation program, which takes into account the safety-critical aspects of some OT systems. This will involve educating every element of their workforce – from production staff to management, as well as IT and security professionals.
To mitigate the risks involved, organizations need to look beyond the limitations of today’s regulations and consider how they would cope in the aftermath of a serious attack.
Even though standards and regulations are still playing catch-up with the speed at which technology is advancing, the consequences of a security incident could be devastating – both for public safety and corporate accountability. Operating with safety and security in mind is always a safe bet, and then you will be ready for ‘Industry 4.0’.