A secure industrial infrastructure for the connected age: Q&A with Doug Wylie, CISSP, Rockwell Automation

Securing Industry 4.0 networks demands a new approach to security that includes a rethink of current network arch

As connectivity trends continue to influence the industrial environment, ensuring the security of mission-critical networks, systems, and devices has become more critical than ever before. Doug Wylie, CISSP, Director of Product Security Risk Management at Rockwell Automation, Inc., explains the importance of comprehensive security for Critical Infrastructure (CI) entities and describes how industry cooperation can mitigate risk across industrial markets.

What are some of the trends Rockwell sees in security for Critical Infrastructure (CI) entities?

WYLIE: Many typical security conversations with our customers who serve Critical Infrastructure (CI) cover the gamut of people, processes, and technology. As an industrial product, systems, and services provider, we often find ourselves discussing how best to design and optimize manufacturing systems for a particular application. More and more, these same discussions also reach into Information Technology (IT) network designs and connectivity with enterprise systems and business operations.

We commonly encounter customers who are looking for creative ways and help to move information between their manufacturing and process systems, as well as upstream into their business systems. Sometimes these demands are driven by desires for greater visibility into production data from within the business office environment. Other times, it’s driven by necessity to address shortfalls in staffing, regulatory compliance, or a legitimate need for enabling remote access to a production environment to allow for managed services. All of these trends continue to lead to a connected enterprise that is quickly changing past perceptions that industrial control systems are boring, isolated, disconnected islands of automation. These very same trends are also leading to new challenges in these production systems in the way they are designed, operated and secured.

Today, industrial control system topologies look a lot like IT systems, just with different devices as the end-points. While industrial control devices may seem a little foreign to an IT type, the network designs do look familiar at a high level. The requirements for safe operation and high availability to ensure systems perform tirelessly are the immutable rule, but as control systems connect into the enterprise, there’s a growing appreciation for the new risks and threats that now reach down to a production environment or up into a business system.

There’s no question that, for some, just knowing where to start in the design and installation process of these new systems can be a challenge. We find it essential to work closely with our customers and help them consider the importance of establishing company policies and guidelines, along with employee security awareness programs. Strengthening physical security controls not only along network perimeters but also within the process and manufacturing system is a must. Safety in these systems relies directly on physical and cybersecurity controls, and also on non-technical controls including employee awareness, policies, guidelines, and ongoing vigilance. Bolstering the cybersecurity controls and visibility to these systems to ensure they are robust and resilient to attacks is crucial to adequately protect whatever needs to be protected – whether it’s protecting people, property, production, or information. It’s all of these foundations on which companies can build their industrial control systems as a part of a broader connected enterprise.

What are the security considerations for mission-critical systems looking to add connectivity?

WYLIE: Making sure people perform as a first line of defense is critical. They need to be trained to look for, and promptly report, unusual activities whenever something is out of the ordinary. Tens, if not hundreds, of thousands of dollars can be spent on technical controls that won’t matter in the least if people are not trained to follow good, sensible security practices and watch out for the unusual. Oftentimes, just someone’s gut feeling that something isn’t quite right can be a leading indicator that something may have changed in a mission-critical system, either by accident or perhaps even intentionally.

The foundation of Rockwell Automation’s security position relies on defense in depth and layered security (Figure 1), but it doesn’t stop there. It also focuses investments toward the industrial devices themselves, to improve their ability to be self-defending against attacks where possible. The nesting of multiple security strategies and non-technical and technical controls all complement one another. These lend to enhancing a system’s security posture in a way that is more likely to thwart many common attacks that might otherwise capitalize on a single weakness within a system.

Figure 1: A truly secure application is dependent upon multiple layers of protection, including physical and logical controls and structured processes and procedures.

In addition to the components and devices, when designing a network and applying technical security controls, it’s important to consider the need for flexibility in the system during all phases of its lifecycle. During design and installation, security configurations and access to the system are likely to be very different than during the operation and maintenance phase. Likewise, every system reaches a point where it will need to be migrated or decommissioned without compromising the security of what’s still important to protect. In mission-critical systems, precautions at all phases of the lifecycle must be carefully considered.

Are there other security considerations to account for when designing and operating industrial networks?

WYLIE: When designing and commissioning a network, we recommend customers look very carefully at a variety of controls to help mitigate risk. Some examples include the product appropriation process; following good design practices such as network segmentation and segregation; enabling only required networking and control services; and limiting communication paths both into and out of the network. In addition, customers should consider physical and logical access controls to the network; the features and capabilities available to the infrastructure that help improve uptime and availability; the integrity of the devices themselves; and the content stored within those devices. We also suggest they carefully plan for worst-case scenarios where assets such as hardware, software, programs and routines, recipes, and even usernames and passwords may be damaged or completely lost.

Additionally, having [the network] properly segmented is essential. A customer who wants intra-network or remote access into the control system similarly will want that access to be done in a responsible way (Figure 2). Layered security network designs that segment systems into zones connected by conduits can help isolate access, yet still enable it for those authorized. For instance, when an IT infrastructure needs to access a process or manufacturing system, the use of an industrial demilitarized zone (DMZ) helps protect and isolate while also allowing for selective information exchange.

Figure 2: The Converged Plantwide Ethernet (CPwE) Design and Installation Guide (DIG) published by Rockwell Automation and Cisco provides recommendations on secure industrial network design. The CPwE reference document and other secure remote access design recommendations are located at rockwellautomation.com/security.

An industrial DMZ offers the separation needed to help facilitate data exchange without directly exposing end-point devices in one system to another system. Although a DMZ may sound like a new concept to some, it is actually a well-tested solution deeply rooted in many IT enterprise networks as a way to separate business operations and enable remote Business-to-Business (B2B) communications. Segmentation techniques like the DMZ are widely used in IT systems, and we’re strong proponents of using many of these approaches in process and manufacturing systems.
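The zone-and-conduit segmentation and industrial DMZ described in this answer can be written down as a policy and checked mechanically. The Python below is an added example, not code from the interview, Rockwell Automation, or the CPwE guide; its zone names, conduit rules and services are constructed for illustration, and the check it performs (no path from the enterprise to production that skips the IDMZ) is the invariant the answer describes.

```python
# Zone-and-conduit policy check for a segmented industrial network (added
# example, not from the interview or the CPwE guide). Zones are joined only by
# explicit conduits and an industrial DMZ (IDMZ) brokers all Enterprise <->
# Manufacturing traffic. Zone names, conduits and services are constructed.
from collections import namedtuple

# (source zone, destination zone) -> permitted services. A zone pair absent
# from the table has no conduit at all.
CONDUITS = {
    ("Enterprise", "IDMZ"): {"https", "rdp-gateway"},
    ("IDMZ", "Enterprise"): {"https"},
    ("IDMZ", "Manufacturing"): {"opc-ua", "rdp"},
    ("Manufacturing", "IDMZ"): {"opc-ua"},
    ("Manufacturing", "Cell1"): {"cip", "ssh"},  # cell/area zone below
    ("Cell1", "Manufacturing"): {"cip"},
}
Flow = namedtuple("Flow", "src dst service")

def evaluate(flow, conduits=CONDUITS):
    """Decide a single zone-to-zone flow against the conduit table."""
    allowed = conduits.get((flow.src, flow.dst))
    if allowed is None:
        return f"DENY {flow.src}->{flow.dst}: no conduit between these zones"
    if flow.service not in allowed:
        return f"DENY {flow.src}->{flow.dst}: {flow.service} not on conduit"
    return f"ALLOW {flow.src}->{flow.dst}: {flow.service}"

def zone_paths(src, dst, conduits=CONDUITS):
    """All simple zone paths from src to dst over existing conduits (DFS)."""
    adj = {}
    for a, b in conduits:
        adj.setdefault(a, []).append(b)
    found = []
    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in adj.get(node, []):
            if nxt not in path:
                walk(nxt, path + [nxt])
    walk(src, [src])
    return found

def enforces_idmz(src, dst, idmz="IDMZ", conduits=CONDUITS):
    """Segmentation invariant: every src->dst path crosses the IDMZ, so no
    end-point in dst is directly exposed to src."""
    paths = zone_paths(src, dst, conduits)
    return bool(paths) and all(idmz in p for p in paths)

if __name__ == "__main__":
    print(evaluate(Flow("Enterprise", "Manufacturing", "opc-ua")))
    # A "temporary" direct remote-access rule silently breaks the invariant.
    leaky = {**CONDUITS, ("Enterprise", "Manufacturing"): {"rdp"}}
    print(enforces_idmz("Enterprise", "Manufacturing"),
          enforces_idmz("Enterprise", "Manufacturing", conduits=leaky))
```

Running the same invariant check against the conduit table exported from a real firewall or zone design is the practical use: a single added direct rule is enough to turn the result from True to False.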

What are some of the standards Rockwell employs to build more robust security into its offerings?

WYLIE: One specific global standard we follow and promote is the ISA/IEC 62443 standard. The 62443 standard points at many architectural elements such as good security design practices – what’s sometimes called good security hygiene. It incorporates forward-thinking concepts such as network separation and segmentation via the application of security “zones and conduits.” It recommends separation of IT from Operational Technology (OT) using techniques such as an industrial DMZ. It also characterizes good product design and performance criteria that help ensure both products and systems can be more resilient and sustain certain network events or attacks.

Looking more closely at products, we established our Security Development Lifecycle (SDL) many years ago as a means to identify and mitigate risks in our product design, development, test, and manufacturing processes. Our SDL features significant continuous improvement steps to ensure the process is always getting better and more capable at reducing and removing security risks. The process and our self-imposed security requirements meet and exceed the product provisions set forth in ISA/IEC 62443.

Other guidelines, not necessarily standards, that we find helpful include ISO 27001, which describes how to build and maintain an Information Security Management System (ISMS) – many of these practices are applicable to process and manufacturing networks; National Institute of Standards and Technology (NIST) guidelines like NIST 800-53 and 800-82, which also afford good practices and techniques to build a strong security posture in industrial control systems; and most recently, the Cybersecurity Framework (CSF), in whose development we actively participated, which resulted from Presidential Executive Order 13636 and attempts to bring a more uniform approach and terminology to assessing and addressing risk to US and international CI.

What role is Rockwell playing in the Cybersecurity Framework (CSF)?

WYLIE: If we look back to February 2013 with the issuance of US Presidential Executive Order 13636, and Presidential Policy Directive 21, it was clear that the White House wanted industry to establish a plan to address cyber risk to US national CI. Rockwell Automation took an active role during the Request for Information (RFI) stage by representing our perspective on industry trends. We also participated in all of the CSF development workshops – I had the opportunity to present to the general assembly at one of those workshops and also participate in a panel discussion that focused on industrial control security concerns (Figure 3).

Figure 3: The core of the Cybersecurity Framework (CSF) centers around five functions of cyber defense: Identify, Protect, Detect, Respond, and Recover.

We continue to maintain close ties with NIST, the Department of Homeland Security (DHS), and the White House in their efforts to move beyond the release of the CSF v1.0 Framework and towards an execution plan for how to encourage industry adoption of the voluntary guidelines. We were one of the very few industrial control companies who took active part in all aspects of crafting the Framework, and we plan to continue to help industry and our customers voluntarily adapt it into their security practices. It’s an ongoing effort but we’re quite pleased to be an active part in the process.

How will the CSF benefit CI entities?

WYLIE: There are a number of aspects that I know are going to be helpful, one of which is just bringing some common language or nomenclature to industry. If we think about the breadth of what the Framework is covering, it is a tool that is being applied across 16 CI sectors as defined in the US. This is a tall order to fill. Historically, these sectors have worked largely as silos, with their own types of approaches to assessing and mitigating cyber risk and remediating issues that would or could affect safe and reliable operation. The Framework brings some common language to these sectors, and it begins to identify relevant standards and guidelines that can be uniformly applied across all 16. What’s significant about this is that even though there are notable differences amongst the 16 sectors, there are also obvious ties and dependencies amongst them too.

For example, let’s consider power generation and distribution. A loss of available power due to a disruption in power generation or distribution can quickly affect most all of the 16 infrastructure sectors. Although it carries its own sector title as one of the 16, it is inextricably interwoven with all the sectors.

The Framework helps tie the sectors together by helping to characterize a consistent way for each to identify its risk, regardless of the particulars of the industry or application. It also allows these sectors to begin addressing risk in a uniform manner. So the language used to describe risk and how to mitigate across these sectors is really important. Having a common way of measuring and referring to these risks across sectors helps to connect silos in a more homogenous way. The Framework’s specific references to common guidelines and global standards are really important too because it helps both customers and companies conform to agreeable criteria specifically intended to reduce risk and enhance protection of CI.

What are some of the barriers the CSF faces?

WYLIE: As a voluntary Framework, perhaps the biggest hurdle to CSF adoption will be the industry’s clear understanding of what risk means to the mission-critical systems that are owned, operated, and maintained by the private sector. Building this understanding will take time and a clear perspective on the continually evolving risk and threat landscape that can affect, or may be actively targeting, CI. Information sharing from government to private industry will remain a heavily cited challenge, especially given a history that often criticizes the US Government for being overly protective and for withholding too much information from the private sector. These information sharing challenges are not new, but it seems everywhere you look there is new investment being made in an attempt to facilitate a better, more fluid information exchange.

My perspective is that there are many different avenues where information is already being made available, yet they may not be advertised or utilized well enough. Industry groups are now talking more openly about security concerns, network breaches, and specific methods that are known to help enhance protection. Standards bodies are evolving to give consideration to how security will fit into the next phase of enhancements to many of the existing standards they govern. Government outreach through groups like InfraGard (www.infragard.org) and the Industrial Control Systems Joint Working Group, or ICSJWG (ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG), offers still more vehicles to share information and discuss matters related to risk and how to enhance protection. The Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT (ics-cert.us-cert.gov), and the United States Computer Emergency Readiness Team, or US-CERT (www.us-cert.gov), have notification and subscription services to monitor industry events and communicate relevant information about risks, threats, and remediation recommendations. Even one’s local FBI and the Secret Service offer industry outreach programs.

Beyond information sharing, it is also extremely important we recognize all sizes of business – small, medium, and large. Larger businesses generally have a greater degree of capability to take action against cyber risks to their operations. They often have more resources and more established processes to facilitate the CSF process that spans the Identify, Protect, Detect, Respond, and Recover phases of the overall voluntary program. Small and medium companies may indeed have staff that are very competent and talented people, but may not necessarily have a level of financial resources necessary to be proactive to establish a cybersecurity program, let alone weather an outright attack against their systems.

There are complexity factors and high financial hurdles to overcome for any company, regardless of size, to adopt the Framework throughout their entire organization. Rockwell Automation built our company around partnership and working with small-, medium-, and large-sized companies. We recognize security challenges in control systems and we remain committed to helping all of our customers understand and take action against these risks. The reason this is so important is because CI is comprised of a broad and diverse community of suppliers, designers, installers, and maintainers of industrial control systems, in addition to the asset owners that carry the greatest responsibility for the operation and maintenance of these systems.

Doug Wylie, CISSP, is Director of Product Security Risk Management at Rockwell Automation, Inc.

Rockwell Automation, Inc. www.rockwellautomation.com

https://twitter.com/ROKAutomation https://www.linkedin.com/groups?trk=myg_ugrp_ovr&gid=2875364