Why Industrial Automation Security Should Be a Renewed Focus
As industrial organizations grapple with COVID-19 fallout, automation has become an even hotter topic. Experts fear, however, that the acceleration of automation could drive unforeseen consequences for organizations that don’t focus on security.
“When it comes to automation and industrial control systems (ICS), there is no doubt haste makes more than waste,” said Dan Miklovic, an analyst at the Analyst Syndicate. “It leads to potentially catastrophic or deadly outcomes.”
Mission-critical systems in industrial facilities have traditionally relied on the close oversight of human workers because the senses were “usually the most effective way to ensure optimum uptime,” said Chris Catterton, director of solution engineering at ONE Tech. That is changing. Automated systems often exceed human capacity to spot machine problems. An automated system can detect when a torque value on a bolt is, for instance, a few pounds light, or hear a high-frequency bearing squeal undetectable to the human ear, Catterton said.
But being lax in terms of industrial automation security can be dangerous. Hobbyist electronics, for instance, may make automating industrial machinery simple, but such products can also provide cyberattackers with a familiar target, Miklovic said. “Plug-and-play automation solutions that are not built with security in the forefront can also open the door for a vast amount of vulnerabilities,” Catterton said.
Take Care With AI Deployments, Too
There’s also a risk that organizations will hastily deploy artificial intelligence (AI) as part of their automation initiative. With data science experts in short supply and many experienced industrial operators sidelined as a result of COVID-19 quarantines, there is a heightened danger of errors creeping into AI algorithms. There’s a risk that “the person trying to train the system lacks critical safety information,” Miklovic said.
Even in ideal conditions, developing software or AI algorithms inevitably introduces some error. One rule of thumb holds that there are one to 10 mistakes per 1,000 lines of software, as the book “The Fifth Domain” has observed. Even software for mission-critical space systems could have one to five errors per 1,000 lines of code.
With software often having millions or billions of lines of code, the need to prevent and correct bugs becomes critical. History provides examples that underscore the risk of cutting corners in industrial automation security. The Ariane 5 rocket disaster of 1996 is one such example. After software developers from the European Space Agency failed to adequately update code they borrowed from a predecessor rocket, the rocket exploded. Because the speed of the craft during the launch exceeded the bounds its software specified, the rocket self-destructed. “The cost of this software error was about $300 million,” said Johannes Bauer, Ph.D., principal security advisor at UL.
Another example of costly software shortcuts is the grounding of the Boeing 737 Max in 2019. After software development tasks were outsourced to $9-an-hour engineers, the plane killed 346 people in two accidents. An automated system relying on information from a sole sensor played a role in the crashes, according to the New York Times. The cost of grounding the 737 after the two accidents is $18 billion, according to Boeing estimates.
Discriminate When Allowing Remote Access
In addition to the risks of cutting corners with software-driven automation or AI workloads, the expansion of remote access in industrial environments is another danger. “Think about using Zoom [the videoconferencing application] to have shop floor personnel communicate with a shared expert resource to diagnose a problem,” Miklovic said. In such a case, a cybercriminal could steal trade secrets or product manufacturing information, he noted. The rush to enable remote operations can also prompt organizations to make control systems accessible via the public internet without appropriate security controls. The threat of doing so is “a concern for safety instrumented systems,” said Mark Carrigan, chief operating officer of PAS Global. “Such systems are the last line of defense for processes operating beyond their boundary conditions, and a known attack target for malicious actors.”
Remote operations also heighten the risk of phishing attempts using social engineering. Such an attack could “identify employees who are likely to have privileged access so their credentials can be exploited to gain access to control system environments through increasingly accessible remote gateways,” Carrigan said.
Evaluating Threats by Sector
The rush to deploy automation and remote access won’t be uniform across the industrial sector. “The most critical of critical infrastructure systems” tend to have established protocols in place, and are less likely to redefine core processes, said French Caldwell, co-founder of the Analyst Syndicate. Critical infrastructure facilities such as nuclear power plants, oil refineries and chemical plants are less likely to be affected by social-distancing work restrictions, given exemptions for such institutions.
Critical infrastructure organizations also tend to have regulatory requirements for cybersecurity. Energy utilities, for instance, must follow cybersecurity standards outlined by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation.
At the opposite end of the spectrum is industrial infrastructure such as heating, ventilation and air conditioning (HVAC), lighting and plant systems. Such systems have been “operated and monitored remotely for decades now,” Caldwell said.
Organizations in the middle of these two poles are more likely to increase automation and remote working infrastructure, according to Caldwell. “It’s in the very large middle group of systems where, no doubt, there is a pandemic-led increase already in remote ICS access,” he said.
The Final Word
Ultimately, each organization has to evaluate the risks and rewards of digitization and automation. The risk of moving too slowly can be a threat to an industrial company’s longevity just as much as rushing a deployment. “There are many different views on what to automate, how much to automate and when to automate,” said Nitin Kumar, chief executive officer of Appnomic. “Physical assets are increasingly going digital. Not having automation woven around these with an adequate digital process will create a very inefficient digital operating model.”
One thing is universal: Organizations must collaborate to solve these problems. Especially during the pandemic, engineers and IT leaders “need to team up to ensure that reliability and security are aligned to both the criticality of the systems and the security risks,” Caldwell said. After the pandemic subsides, organizations will have more time to review how they can expand automation and remote access of ICS systems to accommodate “both unexpected contingencies and to improve effectiveness and efficiency of day-to-day operations,” Caldwell said.
From a business standpoint, organizations should consider strategies to deploy automation to enhance resilience in the face of uncertainty. “There is a lack of clarity on the duration of the shutdown and the risks posed to the workforce even if the economy migrates to a semi-open posture,” Kumar said. But more certain is the likelihood shareholders will “continue to be demanding as the recovery mounts,” he added.
Technologies such as automation, AI and remote access can enable industrial organizations to do more with less. Those who aim to deploy them should do so cautiously. Despite the adage of security by design, many organizations find themselves in a sort of continual remediation mode. “Security should be a functional requirement from the outset,” said Sean Peasley, a partner at Deloitte.