The increasing connectivity of intelligent industrial devices presents a tremendous opportunity to transform industry. The opportunity, however, brings potential new vulnerability. Building ICS cyber security into control systems at birth can provide the deep protection that must accompany the advance of the Industrial Internet of Things.
By Albert Rooyakkers, Founder, CTO, VP Engineering, Bedrock Automation
Instrumentation and Control System (ICS) vendors have been delivering Industrial Internet of Things (IIoT) solutions since mid-1990s. But now, as the tentacles of Moore’s law, software and communication standards spawn more powerful, more connected – and potentially more vulnerable devices, it is time to reexamine the fundamental assumptions about protecting this modern technology and the data that courses through it.
Legacy ICS systems, such as DCS, PLC, and SCADA systems, were engineered using electronic technologies and tools from as far back as the 1970s and 1980s. These ICS systems are now vulnerable to rogue actors and nations armed with cyber weapons orders of magnitude more sophisticated than the traditional ICSs they target. Typical legacy systems expose pins, connectors, communication ports, circuit boards and a host of back door operating system, communication and application vulnerabilities. Cyber-attack vectors of legacy platforms involve message flooding, eavesdropping, message spoofing, message alteration, message replay, malformed messages, server profiling, session hijacking, rogue servers, module counterfeiting and compromised user credentials. They intend to achieve remote control of the system or process, steal intellectual property or both
The best alternative and most modern approach to ICS cyber security is ensuring that it is designed in. This requires layering strong authentication of the ICS hardware, firmware, software, communications and applications that comprise ICS computation, designing out most attack vectors and their consequences. Following are some of the fundamental cyber building blocks of a secure by design ICS.
Secure by Design: The basics
Legacy ICS system modules are often left with multiple communication ports including serial RS232, RS422, RS485 and/or multiple USB and Ethernet ports for debugging, diagnostic and interconnection purposes. Most of these ports provide potential access to system resources and cyber-attack. A modern ICS design, fundamentally, should eliminate all but the essential network ports and then secure and authenticate all devices and networks that connect to it.
Pins and interconnections
ICS backplane and module pins provide another simple means for a host of cyber attacks including snooping and inserting communication traffic via these pins. Replacing the ICS backplane and module pins with a pinless electromagnetic interconnection, which is keyed and protected against snooping and insertion of unintended data packets, is an effective way to counter a frontal assault through pinned interconnections. (Figure 1)
Figure 1. The pin-less electromagnetic backplane of the Bedrock™ industrial control system has a parallel architecture that supports ultra-fast scan times regardless of I/O count. The removal of I/O pins improves reliability and increases cyber security while forming a galvanic isolation barrier for every I/O channel.
ICS module and backplane pins serve as power and communication terminals that route, receive and radiate DC to RF energy. Every pin is an antenna susceptible to RFI bursts from handheld radios; and EMI from motors, variable frequency drives and other electrical equipment. In addition, most ICS system modules are constructed of vented plastic. These factors make systems so susceptible to RFI that even a handheld radio can distort and disrupt communication and computation. From crude “RFI bombs” to complex EMP weapons, electromagnetic radiation is an ICS cyber vulnerability. A pinless backplane and sealed all-metal modules counter this threat without expensive, complex secondary containment.
Module counterfeiting is widespread. Rogue actors, companies and nations incorporate malware into counterfeit hardware modules. It is virtually impossible detect a fake from a real factory module. Bolted-on cyber protection cannot defend against this, but deeply embedded module hardware, firmware and software authentication built upon very strong encryption can identify and reject even sophisticated fakes instantly, disallowing the counterfeit module from booting compromising software.
Security begins with the modular components of the system. The first requirement is a secure boot. No unauthorized party should be able to tamper with the software while the processor is starting up – protection that cannot be just bolted-on. A secure boot starts with an initial phase loaded from on chip-masked ROM, so it must be built into the microprocessor silicon. Numerical crypto keys that authenticate, decrypt, load and start additional levels of encrypted software would be stored in this secure memory. A secure ICS must be able to start up and decay in a secure state. Intentional or unintentional power cycling must not degrade the level of cyber protection and cyber security. Secure boot of every system-wide microprocessor is essential to meet this requirement.
ICS modules must be designed for a service life of many years, often decades. Because of Moore’s Law, the strength of encryption methods degrades over time, so a modern secure ICS design must use the strongest encryption available today.
There are two basic methods for encryption: symmetric encryption, also known as secret key encryption, and asymmetric encryption, also known as public key encryption. Symmetric encryption requires that both parties share a secret key that can be compromised on even the most tightly coupled networks, while asymmetric encryption uses a public key and a private (or secret) key pair. The public key can be shared and accessed without compromising the private key and message. The private key provides the means to create digital signatures, which can only be verified with the associated public key. Digital signatures then provide the means by which other entities can verify the integrity and authenticity of data sent with a particular private key.
A secure ICS uses a combination of the two methods, depending on many factors. Importantly every individual system module and digital component requires private key(s). Security depends upon keeping the private keys secret. This can only be achieved if the key protection is deeply embedded and built into the hardware and digital component technology. All this imposes further requirements on the processor silicon. It must not only support a secure method to store private keys but also be able to perform the required encryption and decryption calculations. Hardware mathematical acceleration is required to ensure that built-in security does not degrade the primary objective of an ICS to perform real-time process control and monitoring.
High quality random numbers are fundamental to modern cryptography. They are used in real time to generate symmetric keys or as an initialization vector for an authentication protocol. An example is a nonce, an arbitrary single use number used in authentication to prevent the reuse of older communications, a vulnerability known as a replay attack. There are two types of random number generators: pseudo random and true random. Pseudo random numbers (PRNG) are mathematically generated in software while true random numbers (TRNG), also called entropy engines, are hardware based and far less vulnerable to discovery. The strength of the system security can be directly correlated to the quality of the randomness of the numbers. A secure ICS should be built with every microprocessor having its own advanced hardware based TRNG.
Operating systems and cyber security
One of the more important technology selections in a secure-by-design system is the operating system. A general purpose operating system (OS) manages a computer’s basic functions and provides services to other applications running on the computer. An RTOS (real time operating system) provides more deterministic event driven scheduling of computer resources. An ICS will use an RTOS in the control, I/O and network computers and a general purpose OS in the workstation application computers. (Figure 2)
Figure 2. Layered and embedded security is outlined by this array of the cyber technologies that are combined in Bedrock system modules. With these cyber tools, deep authentication of the module components, hardware, firmware, operating system and applications occur.
Operating system cyber vulnerabilities are many and can wreak havoc on system security because they directly affect all aspects of the hardware computing engines. While Windows™ and Linux dominate the OS market, there are actually more than 50 commercially available RTOSs and choosing the right one will have a significant impact on the cyber strength of control, I/O and network computing. The operating system must have the inherent architecture to support integrated and validated middleware, secure communication stacks, network security protocols and embedded encryption libraries for safety and security applications.
In Bedrock Automation’s patented OSA™ secure architecture, for example, backplane power paths are parallel, redundant and channel independent for every slot versus a typical ICS serial multi-drop power bus. Each OSA™ power path to each slot is individually monitored and controlled by the Secure Power Module and Controller. A user can shut off the power to a single slot if required and the system does it automatically if the slot is empty.
One metric test that can help determine if the OS is robust enough for intrinsic cyber security protection is Evaluation Assurance Level (EAL1 through EAL7). EAL is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard of security testing in effect since 1999. An increasing assurance level denotes increased assurance requirements required to achieve Common Criteria certification and to provide higher confidence that the system’s security features are reliably implemented.
Achieving a modern secure by design automation platform is a complex challenge but when properly designed and executed, the resulting system cyber security is not only more effective but can be much simpler for users and easier to implement than the bolted-on status quo at significantly lower security lifecycle costs…and when simplicity reigns, security wins.
About the author
Albert Rooyakkers has more than 30 years of process control and electronics experience. Before founding Bedrock Automation he directed business and application development teams for Maxim Integrated Products, including serving as Japan country manager. He has also served in product and business development capacities for Invensys (now part of Schneider Electric). Albert holds more than 50 patents in electronics, automation systems and cyber security, with an additional 30 pending.