Cyber-securing an industrial system is a vitally important task... but a complex one. It raises issues of business continuity, team involvement and modelling, and shared best practice.
In our 2021 Industrial Cyber Security Barometer, more than half of respondents (51%) claimed to have experienced at least one cyberattack on their operational network. And in more than a quarter of these cases (27%), these cyberattacks had caused a halt or disruption in production. This emphasises the need to invest in cybersecurity to minimise industrial attack surfaces. However, deploying cybersecurity solutions at an industrial site is not a smooth process, and raises concerns such as latency, unavailability and compliance failures. How can such risks be avoided to ensure these crucial operations run smoothly?
Industrial implementation: vitally important, but complex
Production has to come first, no matter what. For manufacturers, one of the main challenges is to ensure business continuity, as Vincent Nicaise, Head of Partnerships and Industrial Ecosystem at Stormshield, explains. “If you’re working in a factory that runs 24/7, halting everything to integrate new equipment is complicated.” Complicated, but “eminently feasible” for experienced teams, in Nicaise’s expert opinion. “First of all, you have to schedule the deployment, sometimes a few months in advance. Most importantly, you require the support and involvement of stakeholders such as business teams, plant managers and operations managers to handle implementation.”
Another difficulty inherent in OT is that it involves systems that are sometimes several decades old and have passed through the hands of several maintenance companies. “We don’t necessarily have a precise historical record of changes, which means that we don’t have complete and seamless control over the system”, Nicaise warns. Here again, he stresses that it is imperative to “comprehensively plan the work in advance,” and above all to involve the business teams in the process to ensure control over the deployment: the CISO team, and integrators, who “are familiar with the issues and the network”. “The difficulties arise more from changes to the infrastructure than from the solution itself,” confirms Pierre Vidard, project manager for Maisons-Laffitte-based industrial solutions company Actemium. “Whether it’s a firewall, a network or monitoring of PLCs, the challenge is to have zero impact on existing systems and installations. Depending on the infrastructure, poor execution may result in temporary loss of visibility or production.” This makes deploying cybersecurity solutions in industry a real challenge, which requires real mastery over the different stages.
Mapping the OT network: an essential step
Before starting work, the provider in charge of the deployment will first need to carry out an audit. This is an essential step, identifying areas where there is a lack of protection on the site and the extent to which this risk may affect the safety of the network. “This involves analysing PC configurations, checking the OSs in use, looking for configuration problems or accessible files containing passwords, and paying particular attention to workstations with administrator rights, etc.,” Vidard explains. He believes that this vitally important information-gathering stage also includes mapping the network. “We use tools to capture networks and map flows between equipment, identify them and analyse whether they are legitimate and – when working in France – in line with ANSSI recommendations.”
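The flow-mapping step Vidard describes, sketched as an added example that is not part of the original article or of any tool the interviewees use: captured flows are aggregated into a map, each endpoint is matched against an asset inventory, and every flow outside an expected baseline is listed for review. The addresses, inventory, zone names and baseline are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: flow records as exported from a passive capture
# (src, dst, protocol, destination port). Not data from the article.
CAPTURE = """src,dst,proto,dport
10.10.1.20,10.10.2.5,tcp,502
10.10.1.20,10.10.2.5,tcp,502
10.10.1.21,10.10.2.5,tcp,102
10.10.3.7,10.10.2.5,tcp,502
10.10.1.20,10.10.2.5,tcp,23
10.10.9.99,10.10.1.20,tcp,3389
"""

# Hypothetical asset inventory: address -> (name, zone).
ASSETS = {
    "10.10.1.20": ("scada-server", "supervision"),
    "10.10.1.21": ("eng-workstation", "supervision"),
    "10.10.2.5": ("plc-line1", "control"),
    "10.10.3.7": ("office-pc", "it"),
}

# Hypothetical baseline of expected flows between zones.
ALLOWED = {
    ("supervision", "control", "tcp", 502),  # Modbus/TCP
    ("supervision", "control", "tcp", 102),  # ISO-TSAP (S7)
}

def map_flows(capture_text):
    """Aggregate records into a flow map: (src, dst, proto, dport) -> count."""
    flows = Counter()
    for row in csv.DictReader(io.StringIO(capture_text)):
        flows[(row["src"], row["dst"], row["proto"], int(row["dport"]))] += 1
    return flows

def review_flows(flows, assets=ASSETS, allowed=ALLOWED):
    """Return (flow, reason) for every flow that needs an explanation."""
    findings = []
    for flow in sorted(flows):
        src, dst, proto, dport = flow
        unknown = [ip for ip in (src, dst) if ip not in assets]
        if unknown:
            findings.append((flow, "unidentified equipment: " + ", ".join(unknown)))
        elif (assets[src][1], assets[dst][1], proto, dport) not in allowed:
            findings.append((flow, f"{assets[src][1]} -> {assets[dst][1]} not in baseline"))
    return findings

if __name__ == "__main__":
    for flow, reason in review_flows(map_flows(CAPTURE)):
        print(flow, reason)
```

On the constructed capture this reports three flows: Telnet from supervision to the PLC, Modbus from an office PC to the PLC, and a connection from an address missing from the inventory.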
To ensure the best possible deployment in the field, the experts then turn to pre-production testing. This involves producing a kind of mock-up that is as close as possible to reality, with various tests carried out on it to validate functions. The model is a physical one, Pierre Vidard explains, because “the majority of industrial switches can’t be opened in a virtual interface using a configuration file. You need to have the hardware.” That constraint makes some modelling complicated, Vidard acknowledges, “because we don’t necessarily have the option of obtaining the same equipment the client uses.” But that doesn’t make the technique any less effective. “There can always be surprises during commissioning, but this eliminates at least 90% of the problems that can occur,” Vidard says.
Finally, deployment will need to be gradual. “In cases where several factories are involved, we can choose the most representative one – the one where there is the most buy-in – so that it can serve as a Proof of Concept,” suggests Vincent Nicaise. “This enables us to work on a security project and establish a model that can be duplicated across all plants.” Explained in those terms, deploying a cyber security solution is entirely possible – but is the industry ready?
Cybersecurity and Industry 4.0 issues
This depends mainly on the maturity of the sector. In France, Opérateurs d’importance vitale – from the water, energy, oil and gas, nuclear sectors, etc. – are not only well aware of the risks, but also have a legal obligation to put safeguards in place. The manufacturing industry, on the other hand, still lags behind. “They consider the IT risks but not the OT risks,” says Vincent Nicaise.
Pierre Vidard agrees with this observation. “One of the biggest challenges is to convince customers of the benefit of implementing the solutions in their own industrial environments. Many talk about ‘cyber’ in response to an attack, but they don’t know what that means. And then they go no further, because they have received too high a quote, or their priorities have changed. Factory owners can’t easily free up budgets without anticipated production gains. But they need to be aware of the effects of halted production, and therefore the financial impact of an attack.”
Industry 4.0 could change the perception of the impact of cybersecurity on OT with the implementation of smart objects throughout the production chain. “The aim is to improve the production tool and predict maintenance work, but the multitude of additional components involved also introduces a larger attack surface,” admits Nicaise. “There are more and more potential weaknesses.” And the main one is the cloud, that essential component of Industry 4.0, because it provides computing power and storage for large volumes of data, decentralising information. To ensure availability, “we need to secure data flows,” says Nicaise.
“The problem is that questions over cybersecurity often arise once the network has been opened up,” says Pierre Vidard. “However, this process is taking place on a system that is historically autonomous and isolated, and therefore features no firewalls or anti-virus systems, is not partitioned, and operates with administrator accounts. When exposed to the outside world, the systems are not robust enough.” Despite all that, awareness seems to be moving in the right direction, although skills within the plants themselves remain disparate, Vidard says. “These issues are becoming increasingly democratised. Some customers want to take control of their systems and train internally to increase their skills. Other clients do not have these skills, and nor are they likely to obtain them. They have employees who are able to understand the basic theoretical principles and use external companies. Others have almost none of this.”
In all cases, cybersecurity experts are able to work on a case-by-case basis depending on the teams’ experience and maturity, and provide support for organisational structures to ensure smooth technical deployment.