Trends in the industry, improvements in cybersecurity

Posted date 12/07/2018
Autor
INCIBE (INCIBE)

Behind the industrial environments there is a wide range of manufacturers that supply devices and provide support. For this reason, they play a vital role when it comes to improving the cybersecurity of many processes, as their devices are involved in them. On occasions, these devices cannot be altered at all, thus it is very important that they come with an incorporated layer of security. Thanks to this layer of security some not very complex attacks, or those with few technical requirements, can be avoided. This, additionally, provides the manufacturer with an added value, which may attract future clients.

To illustrate this with an example, the PLCs, end products that control industrial processes, should operate in such a way that they can adhere to regulatory obligations, such as SEVESO III which forces industries to follow certain steps in order to offer an adequate level of security, all whilst maintaining their mission of control. Many manufacturers have modified their devices, including two internal, independent processors, or using distinct communication systems, so as to adhere to the previously mentioned regulation, carrying out the integration between security and functionality without losing autonomous operational capacity, of both safety and security, in such a way that if one part is compromised, the other is not affected.

As well as adhering to regulations, many manufacturers are incorporating measures into their devices that satisfy demands with regards to standards such as IEC 6206(up to SIL 3), EN ISO 13849 (up to PL e) etc. A great deal of these standards are related to the characteristics of physical safety that devices have depending on the sector in which they are deployed.

Leaving the improvements incorporated by manufacturers with regards the compulsory and recommended standards and regulations to one side, there are improvements that are only related to cybersecurity, and from this moment onwards, this article will be focused on these.

IMPROVEMENTS

Some of the improvements that industrial manufacturers are incorporating in order to improve their devices and provide their clients with a more complete service in terms of cybersecurity can be divided into 4 large groups:

Tendencias industria ciberseguridad

  • Communications
    • Use of certificates in order to encrypt communications between the client and the server, when web operations are carried out. Until now a large amount of industrial devices only supported the HTTP protocol in their web application communications. That is why some manufacturers are now taking measures in this regard and are incorporating the secure option of this protocol (HTTPS).
    • Support for secure versions of industrial protocols and others, that are used by the devices, such as DNP3 secure, WirelessHART, Zigbee, OPC UA, SNMP v3, etc. The support for protocols that incorporate authentication and authorisation with the aim of restricting the non-legitimate access to devices is already being implemented.
    • Use of encryption for simple operations. Firmware updates or the loading of strategies to devices are sent encrypted in order to prevent manipulations from possible attackers and thus prevent the attacker from interpreting the information that is being exchanged in a trivial way. Others choose the firmware option, in a way that any modification will not be accepted by the device. Thanks to the incorporation of these security mechanisms, manufacturers help their clients to ensure that the integrity of the files is not compromised.
    • Incorporation of tests to obtain certifications, such as the certificación Achilles, that enables the communications stack of the protocols to be tested. The Achilles tool has the capacities to analyse protocols supported in different layers of the OSI. Some manufacturers are carrying out tests with this tool on the main TCP communications that their devices have, such as Modbus/TCP, HTTP, etc. for example. Achilles is not a novelty however, the certification is, which is started to be carried out by manufacturers in order to give clients more security.
  • Operative System
    • Use of hardening guides in order to undertake secure configurations in the services and processes that are carried out within the system. Until now applications have been installed directly on the SO base, without any application or port control. Now, large manufacturers provide hardening guides for devices in which the industrial plant applications are installed.
    • Parametrization of tailored operative systems in order to prevent carrying out unnecessary services or processes that increase the device's surface exposure. The integration of BusyBox and SandBox is becoming general in final devices.
    • Use of whitelists of processes in order to prevent possible malicious files or the correct creation of sub-processes of non-controlled processes. Up until now the incorporation of solutions removed from the process were rare and scarce.
  • Applications
    • Development of applications using good practice guides in order to prevent attacks and basic errors, such as buffer overflows and different types of injections, etc. In the case of web applications, the incorporation of advanced filters in order to improve the processing of input data. Thanks to these advanced filters, attacks such as XSS and SQL injections are prevented.
    • Incorporation of a role-based access control (RBAC) which enables for the control of the permissions that each user has depending on the role assigned within the application. With this measure, manufacturers aim to provide their clients with an adequate control of authorisations, which will prevent access being given to resources that were originally defined as non-authorised accesses.
    • Creation of a security activity register (log) in order to have a trace to analyse should an attack occur, or to detect abnormal behaviour in the affected device. In this case, many companies are taking advantage of the capacities that devices have to send activity registers to their SIEMs and to be able to centralise said registers. With this management, companies can parametrize the strong correlation motors in order to detect the problems within the control systems, such as incorrect access, attempts at attack, etc.
  • Hardware

    Numeración estándar de pines de las tarjetas SD

    • Support for external storage (SD cards), where the device's information is stored, with a special type of format that can only be read from the device or from a specific software provided by the manufacturer. Furthermore, there are cards that work with a different voltage, specifically designed for industrial devices, thus, if an internal person tries to read an industrial SD card in another device, there is the possibility that the card may get damaged due to the different voltage (normally between 2.7 V and 3.6 V, but it could be 5 V so that it cannot be used in another device); or they have connection pins in a different order to the standard, which can cause a failure when connecting it in a conventional device.
    • Incorporation of mechanisms to prevent the manipulation of devices. In this case, some manufacturers have opted for mechanisms known as anti-tampering, in order to prevent openings and for an attacker to be able to make modifications in boards, or the epoxy resin in order to prevent direct readings of signals in the pins of a chip.

      Other additional prevention mechanisms that some manufacturers are incorporating in their devices to avoid readings in the debug ports (JTAG, SPI, I2C, UART, etc.) are:

      • ITo include functionality changes in the pins, making them different to the standard.
      • To have a draft of the firmware in the case of detecting tension in a specific pin, which would imply the devices unavailability, as it would be unusable without firmware. However, it should be noted that this type of action is often carried out in laboratories, not in manufacturing equipment.

All the security measures that can be included directly by manufacturers in order to raise the security level will be seen well by clients, although it will be them that must pressure manufacturers so that they continue making the effort to add them. With the arrival of industry 4.0 and the IIoT, a great deal of devices are being incorporated into industrial environments and the role that manufacturers play when it comes to providing their devices with cybersecurity capacities is essential.