The risks associated with unsecured ICS and SCADA systems are unique as we shift from isolated, insecure, air-gapped systems, to a more interconnected and open infrastructure, which leaves systems exposed to various internal and external threat actors. The numerous security challenges linked to these systems must be overcome to prevent severe incidents at plants that could impact human life, assets, production, the environment and an asset owner’s reputation.
In order to combat these threats, businesses must consider the numerous security risks that are associated with their control systems including engineering workstations, historians, controllers and communication protocol vulnerabilities. Unfortunately, the security of these systems is often not addressed at the early phase of product lifecycle. Therefore, without considering security at the outset of product development, the reliability and safety of manufacturing and industrial facilities could be jeopardized. Moreover the cost of remediation activities becomes too high and complex once system is in production.
The draft of ISA 62443-4-1 (Security for industrial automation and control systems – Product Development Requirements) has been approved and submitted to the IEC for final confirmation. The standard defines the development process to ensure that security is built into the product design, which of course provides the required level of assurance and confidence for both suppliers and end users.
It is worth to mention that the standards applies to both hardware and software development processes, and its scope covers both new and existing products although some of the requirements will be hard to achieve considering the nature (insecure by design) of some of the control systems (e.g. legacy systems).
The ISA 62443-4-1 addresses various testing areas, for instance the Static Code Analysis (SOA) Section 8.2.1 (c) states that this testing shall be done if testing exists for that language and/or if the software has changed. The third-party software is also addressed in a separate section.
Section 9.4 covers vulnerability testing covers fuzz testing and network traffic load testing and capacity testing, attack surface analysis, and black box known vulnerability scanning. For software composition analysis on all binary executable, the following types of issues at a minimum:
- known vulnerabilities in the product software components,
- linking to vulnerable libraries,
- security rule violations, and
- compiler settings that may lead to vulnerabilities.
Industrial automation and control systems (IACS) security standards are emerging, and increasingly adopted by the industry.
Considering an ICS/SCADA vulnerability assessment? Applied Risk’s ICS/SCADA Security Assessment and Penetration Testing services could be the perspective — and the solution you need.
Securing the Industrial Internet of Things (IIoT) has become a vital business strategy for any industry utilising operational technology. Following the recent hack of Ukraine’s power grid, it is clear that industrial cyber-attacks are on the rise. The IIoT is very much at the core of mission-critical systems and the applications that operate within industrial environments. Considering most IIoT products use the same embedded technologies and protocols, the effect in the case of these technologies being compromised could be significant, leading to major security and safety incidents.
With the increasing utilisation of IIoT and Big Data within industrial facilities, it is safe to assume that this will lead to a substantial growth in the number of interconnected industrial control devices. In order to combat the risks this presents, a solid understanding of both business processes and the complexity of these environments is needed in order to ensure security. A proliferation of cybersecurity incidents is anticipated against ICS and SCADA systems, therefore investing in cybersecurity measures should not be seen as a burden, but as an enabler that will reduce the risk of downtime within a manufacturing plant, and prevent production loss or process upset. Continuous security assessments must be undertaken industry wide, and control systems staff must be provided with the security training and tools necessary to effectively protect critical environments against attack.
Going forward, IIoT security must be addressed at an early stage and not developed as a reaction to market trends. The proliferation of industrial cyber-attacks is inevitable; awareness, active monitoring and preparation will be crucial to mitigate the pending risks. Is your business prioritising the security of industrial assets?