When hackers hijacked the electrical systems of three major Ukrainian power distributors back in December 2015, more than 230,000 people were left without power for several hours.
The uncertainty caused by the attack lasted much longer, especially since employees in both engineering and IT teams alike were initially unclear about how the hackers managed to infiltrate the system. The scale and severity of this incident illustrated, yet again, how important it is for companies to secure their cyber systems at all levels.
Here, Martyn Williams, Managing Director of industrial software provider COPA-DATA UK, discusses the latest developments in industrial cyber security.
The rise of the Chief Information Security Officer (CISO) role in the last few years demonstrates increasing cyber security concerns at board level. Although this is good news for industry, cyber security goes beyond the IT department — and even the boardroom — as one of the four pillars of Industry 4.0, alongside data, connectivity and simulation.
So what should companies be doing to make cyber security central to their business?
Security standards
Industry standards such as IEC 62443 have been around for many years and define the procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). The standard applies to end users, systems integrators, manufacturers of control systems and security practitioners.
The IEC 62443 set of standards defines four levels of security, where the lowest prevents the unauthorised disclosure of information via eavesdropping or casual exposure. The highest security level defined by the standard inhibits unauthorised disclosure of information to an entity actively searching for it, using sophisticated means with extended resources, IACS-specific skills and high motivation.
The truth is that any organisation — no matter how small — could become a target for cyber attacks, so all companies should aim for the highest security level described in IEC 62443. To do so, a company needs to ensure it protects its hardware, software, storage and personnel against cyber attacks, intrusions and information leaks.
Security in every layer
As Software is the gateway for most cyber attacks, it is imperative that both enterprise and industrial control software have security features embedded throughout.
This multilayered approach to cyber defence not only protects the company and users from unwanted loss of data and unauthorised access, it also means that in the case of a system breach, the software can identify the issue quickly, quarantine it and alert the Chief Information Security Officer and other responsible parties instantaneously.
Useful software security features can range from user authentication and strong encryption technology, to more inconspicuous features, such as file signatures, which allow the system to recognise manipulated program files using hidden algorithms. A combination of these features ensures a higher level of protection for the entire system.
Risk analysis
With the rise of Industry 4.0, the importance of IEC 62443 is on the rise. Although the implementation of the standard is still in its early stages, more and more companies are looking at it to understand best practice and improve the security of their systems.
To cope with the IT security challenges of automation and control systems, technical service provider TUV NORD has developed a customisable Safety for Security (S4S) risk analysis tool, which helps companies identify network weaknesses and proposes adequate measures.
This new tool merges the worlds of functional safety and IT security, covering all the major fields of an application: critical infrastructure, automation technology as well as sensor-related components with interfaces to the internet. The approach highlights the importance of ensuring security at all levels within the organisation.
As Industry 4.0 continues to grow, cyber security will be necessary from chip to industrial device, cloud and infrastructure, with applications spreading from process plants to energy.
Similarly, as industrial software becomes more intelligent, cyber attacks become more complex. Because of this continuous race, it is important for companies to keep up to date with the latest cyber security developments. This shift also means that companies need to approach cyber security as a continuous improvement process rather than a one-off project.