Industrial operations are increasingly becoming the target of cybersecurity attacks. There are new devices adding network connectivity as they migrate from traditional fieldbuses and standalone operation. Additional connections are being created between the IT and OT space and machine builders increasingly offer analytics if their machine can be connected to the cloud. International standards for cybersecurity, known as ISA/IEC 62443, are being updated and expanded, including requirements for end users, system integrators, and device manufacturers. These standards require defense in depth strategies to reduce the risk of attacks that cause harm considering the additional connectivity.
As you advance the cybersecurity of your operations, you need more capability at deeper levels of the defense in depth strategy. Have you performed cybersecurity assessments, minimized your attack surface with cybersecurity essentials, and implemented best network segmentation practices? If you're ahead of all these, you're on the right track!
Even once you have strong security policies and protections, adding security at each layer improves your resilience against attacks. For example, how will you protect your process if a malicious actor has access behind your firewall? You may be susceptible to various attacks that need additional measures to mitigate.
What Do You Mean, a Firewall Isn’t Enough?
A malicious actor could create an unauthorized connection to hardware in your system by pretending to be another kind of device. This has been demonstrated recently in industrial automation, with an impostor computer improperly configuring devices and injecting code based on insecure identification credentials.
Another attack type that's possible without communication integrity is the man-in-the-middle attack and a variant of that—the replay attack. During these attacks, someone would intercept and modify data between two devices, sometimes after collecting data that can be used to mimic normal operation. That could mask abnormal behavior that can cause equipment damage or endanger human safety.
Cybercriminals could also gain proprietary information by snooping on the network traffic between industrial devices. Whether those are secret recipes going from the MES to the PLCs, analytic data that could be used to steal manufacturing best practices, or production volume information that could be used to short stocks, data transmitted without confidentiality could be used for harm.
Every Layer of Defense Helps, So Get to the Devices
To bolster security at the device level and reduce the risk of those attacks, ISA/IEC 62443-3-3 and ISA/IEC 62443-4-2 include common minimum requirements for device identity, integrity and authenticity of communications, and options for confidentially transmitting data. Three of the requirements in the standard (SR 1.2, SR 3.1, SR 4.1) are almost impossible to implement at a system level without the right hardware and firmware at the device level. If you want to use devices from multiple vendors that meet those system requirements, standards and conformance testing are needed.
The CIP Security™ protocol is an open standard from ODVA, which helps solve important communication requirements that device vendors using industrial Ethernet cannot solve themselves. This standard is the only standard designed for securing communications between PLCs and devices. The CIP Security protocol provides mechanisms for validating device identity, device authentication, data integrity, and data confidentiality. All three of the functional requirements and their requirement enhancements can be met using CIP Security.
Table 1: Matching requirements from ISA/IEC 62443 with the capabilities of the CIP Security Confidentiality Profile
ISA/IEC 62443 |
Description of Requirement |
Capability |
|
-3-3 |
-4-2 |
||
SR 1.2 |
CR 1.2 |
Software process and device identification and authentication |
SL-C 4 |
SR 3.1 |
CR 3.1 |
Communication integrity and authenticity |
SL-C 4 |
SR 4.1 |
CR 4.1 |
Information confidentiality (in transit) |
SL-C 4 |
To help meet the requirements of ISA/IEC 62443, the CIP Security profile puts together best practices and top-notch technologies that have been proven across multiple industries. Identification is established using digital certificates following the X.509 standard and authentication can also be established with pre-shared keys for simplifying small installations. The integrity of the industrial communication traffic is ensured with the TLS hashed message authentication code (HMAC), which helps optimize the traffic for very low latency when confidentiality is not required. In those cases where confidentiality is required, TLS and DTLS encryption protocols are used for TCP and UDP packets, respectively. In addition to these three specific requirements, CIP Security also sets a framework for asset owner to provision a root of trust within devices (ISA/IEC 62443-4-2 CR 3.13).
Additional enhancements are planned for CIP Security to solve other challenging requirements within ISA/IEC 62443, but you should not wait for a greenfield plant to make improvements to your cybersecurity posture. The capabilities available today bring security to the device level, so start considering when and how you will add more layers to your defense in depth!
A version of this post can also be found on the Rockwell Automation blog. It appears on the ISAGCA blog with adjustments made by the author.