Integrating Analog Controls into IIoT Systems
As computing and networking gear in industrial environments become more sophisticated, so is the disparity between cutting-edge and decades-old equipment. This fact complicates the process of calculating cybersecurity risk. Roughly half of industrial organizations prioritize increasing visibility of connected control systems and configurations, according to the SANS 2019 State of OT/ICS Cybersecurity Survey. More than a third of respondents prioritized performing security assessments or audits of industrial control systems. Determining the optimal role of analog controls can be another challenge.
The Challenge of Calculating Risk
“Identifying processes and associated assets that are likely targets for cybersecurity threats is no easy task,” said Dan Miklovic, an analyst at the Analyst Syndicate. Not only does increasing environment complexity make gauging risk difficult, but also it makes mistakes more likely. Workers might inadvertently reboot “control systems remotely because they did not know that they logged into an operational system instead of a test environment,” Miklovic said.
While the threat of internal sabotage, whether on purpose or accidentally, should not be discounted, cyber-adversaries can cause a host of industrial security problems. “What might be targeted depends a lot on the motivation. If it is industrial espionage, the operational risks might be low in that those perpetrating the intrusion probably wish to remain hidden,” Miklovic said. “The long-term strategic loss, however, could result in loss of competitive advantage.”
Two of the most common motivators for threat actors are monetary gain and causing chaos for political gainor schadenfreude. In the case of ransomware, the motivators of monetary gain and disruption are united, as ransomware attacks such as NotPetya and WannaCry illustrate. Organizations hit with such ransomware, ranging from a multinational shipping firm to a food-and-beverage giant, have spent millions of dollars recovering from such attacks.
Such ransomware continues to be a problem in industrial environments, which often rely on common computers that are vulnerable to commodity ransomware, said Matt Watchinski, vice president at Cisco Talos. Attackers have little incentive to develop ransomware specific to industrial control systems. “If I was a bad guy, and I had 10,000 Windows boxes that are easy for me to understand, and then I have a factory and I didn’t really know how it worked, I am going with [the easy option],” Watchinski said. Still, it would be possible that attackers could interfere with access to industrial systems’ human-machine interface. “That would make a good ransomware target.”
An Occasionally Analog Solution to a Digital Problem
One strategy to reduce the risk of disruption in industrial environments — from ransomware or otherwise — is to deploy analog controls to regulate operational processes for critical industrial functions. Such systems, which have a long history, have the advantage of simplicity. “Since defects are a function of complexity, [simple systems] are less likely to be faulty,” said Bill Malik, vice president of infrastructure strategies at Trend Micro.
The use of analog controls for disaster recovery has a long history, said Aleksander Poniewierski, global IoT leader and partner at EY. “Look at nuclear plants in the 1960s and 1970s,” Poniewierski said. “Nuclear plants had redundancy everywhere and analog bridges between different systems. Everything was built based on security by design,” he said. “Such systems tended to be complicated and difficult to manage, but it is the only way you could [address risk] in a sensitive ecosystem.”
A growing number of organizations that have fallen prey to ransomware attacks are working on engineering production systems that support a shift from digital to manual mode. “A lot of the ransomware attacks that have hit industrial organizations have locked up machines that provide visibility,” said Dave Weinstein, chief security officer of Claroty. Organizations that have fallen prey to ransomware-driven shutdowns have a renewed appreciation for preserving continuity of operations, Weinstein said. “They’re asking: ‘How do we rely more on manual practices? How do we shift form digital into manual mode.’”
As industrial organizations deploy digital technologies to remain competitive in the future, they might sometimes involve reconsidering decades-old engineering practices.