In today’s digital world, security management is a wide-ranging topic that embraces many activities related to controlling and protecting access to system and network resources.
Nowadays, office networks are primarily concerned with data security, while the major concern for industrial automation networks is uptime. Industrial control systems (ICS) security was considerably simpler before the web. Organisations were predominantly concerned with physically protecting their systems behind gates. But once the Internet appeared, connectivity-enabled attacks, with no physical access needed, became increasingly possible.
Companies are accordingly dedicating resources to protecting their ICS assets against intentional or accidental security threats. Defending these systems is now part of industrial safety programs. The ICS networks and supervisory control and data acquisition (SCADA) systems that run today’s modern society are a collection of devices designed to work together as a unified and homogeneous system.
In particular, the integration of automation, communications and networking in industrial environments is today an integral part of what is called the Internet of Things (IoT). Information technology (IT) includes any use of computers, storage, networking devices and other physical devices, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data. Operational technology (OT), traditionally associated with manufacturing and industrial environments, includes ICS such as supervisory control and data acquisition systems.
When IT and OT systems work in harmony together, new efficiencies are discovered. Systems can be remotely monitored and managed, and organisations can obtain the same security benefits from administrative IT systems. Still, ICS security has plenty of challenges. Several of them owe their existence to the constant convergence of IT and OT. OT’s upgrading through IT integration brings with it some security issues. Many operational technology systems were never designed for remote accessibility and, consequently, the risks of connectivity were not considered. Therefore, the vulnerabilities can leave organisations and critical infrastructure at risk of industrial espionage and sabotage.
In the UK, the most well-known act regarding cybercrime is the Computer Misuse Act 1990, which brings in three offences:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
This act has been amended twice, in 2006 and 2015, introducing:
• 3ZA. Unauthorised acts causing, or creating risk of, serious damage.
• 3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.
Each of these offences carries a different potential prison sentence. Offences 1 and 3A have a potential sentence of 2 years imprisonment, offence 2 carries five years imprisonment, and offence 3 carries 10 years. Offence 3ZA is the most serious crime covered by this Act and has a maximum sentence of life.
Questions which arise from this:
1. Automation is, again, an important subject discussed in software protection. How can massive leakage of sensitive information be prevented when all devices are interconnected?
2. The smarter the devices, the smarter the attacks that are possible. Will cyber-attacks ever stop?
3. It is quite common to see hackers targeting nation states other than the one where they live. Given that the UK has extradition relations with over 100 territories around the world, is the risk of extradition stopping British cyber criminals from attacking overseas?
Useful vocab for further discussion
1. IT: Short for Information Technology. The study or use of systems (especially computers and telecommunications) for storing, retrieving, and sending information.
2. OT: Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
3. Network: A number of interconnected computers, machines, or operations.
4. The Internet of Things: The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
5. Hacker: A computer hacker is any skilled computer expert that uses their technical knowledge to overcome a problem.
6. Vulnerable: Susceptible to physical or emotional attack or harm.
7. Theft: The action or crime of stealing.
8. Sabotage: Deliberately destroy, damage, or obstruct (something), especially for political or military advantage.
9. Espionage: The practice of spying or of using spies, typically by governments to obtain political and military information.
10. Software: The programs and other operating information used by a computer.
11. Firmware: Permanent software programmed into a read-only memory.
12. Defence: A means of protecting something from attack.
Video for discussion
Watch the video above and then try to answer the questions below.
1. Who is Dr Lars Lippert?
2. How vulnerable are companies right now?
3. What does Dr Lippert mean by cyber-attacks?
4. How much do these attacks cost per year?
5. What is the focus of the attacks?
6. What is Industry 4.0?
7. What do the attack scenarios look like in Industry 4.0?
8. What steps does Lippert mention in order to fix a weak point?
9. What is the main goal of OT protection?
10. What is the primary objective of IT defence?
Benefits of IT/OT Convergence
1. Cost reduction: By applying similar technology, standards and governance principles for IT and OT, easy-to-convert synergies will be found in many organisations.
2. Risk reduction: IT/OT convergence means security issues can be jointly addressed by IT and OT, leading to an integrated approach that provides enhanced security against intrusions from outside the company and to central security governance throughout the company.
3. Enhanced performance: With the convergence of IT and OT, time and costs will be saved while allowing the smooth transition of newly-developed products into existing manufacturing operations.
4. Produce anywhere: IT/OT integration will provide better transparency with regard to costs and cost structures and therefore lead to site efficiencies. The company will become more flexible, allowing for manufacturing to shift between locations.
The challenges concerning IT/OT
1. Security Breaches. Access is often more limited, because greater access poses more cyber security risk and possible service interruption.
2. Limited Access. Connections to industrial automation networks can be limited to only those who categorically require access, and the level of access can be restricted based on each person’s requirements. With such narrowly regulated access, certain security measures can be implemented which would not be practical for an office network.
3. Size and Stability. Office networks, for example, tend to be very large when compared to industrial automation networks. A company is likely to have numerous PCs, tablets and smartphones in traditional IT applications connected via Ethernet, intranet and Wi-Fi networks.
4. Software Updates. An item connected as a peripheral device typically communicates via an industry standard protocol. Even if all components and networks are supplied by one vendor, any software change must be tested before it is implemented. When components and networks are supplied by different vendors, there is more reason for caution.
Potential debating topics
1. All data should be publicly available: this is the only possible way to stop data theft!
2. We must defend our right to privacy and make every reasonable effort to ensure the security of our private information.
3. Software protection companies must be stopped. Intuitive interface and automation will lead us to a disproportionate dependence on machines.
4. Software protection companies are our allies and should not be stopped. They carry out daily security checks to guarantee the complete safety of our online transactions.
5. Hackers are often different and misunderstood adolescents. They mean no harm. They should not be punished at all.
6. Cyber criminals are anti-social individuals who should receive the maximum applicable penalty!
Over recent decades, OT and IT were developed and managed with separate technology protocols, standards, governance models and organizational units. Nevertheless, over the last few years, OT has been progressively adopting IT-like technologies. Though many security vulnerabilities keep showing up, the convergence of IT and OT will bring clear and tangible advantages to companies all over the world.