Whatever the business sector, there are human and environmental risks but also business risks such as production shutdown and the inability to deliver on time.
Didier Appell, Head of OT/IoT cybersecurity, Capgemini
The advice below draws on a little less than a decade of support to industrial companies in different sectors that wanted to raise the security and monitoring level of their factories and production centres (electricity, gas, water, etc.), work through which we have acquired significant experience in end-to-end services (Define/Protect/Defend).
For a decade or so (helped by the awareness raised by Stuxnet), industrial companies have been concerned about cyber risk, and Capgemini has been supporting them with those challenges.
Before going into the details of the security approach followed with these companies, it is worth remembering that a cybersecurity project in an industrial environment requires people with dual skills, « business » (industrial production, energy, transport, etc.) and « cyber », in order to propose recommendations and solutions that respect the regulatory and normative framework for industrial information system security (ANSSI/NIS, IEC 62443, IEC 62351, ISO 270xx, NIST 800 series, etc.) and that are adapted to the business context:
– Compliance with safety requirements,
– Compliance with operational constraints,
– Compliance with technological constraints (heterogeneity, obsolescence, real-time performance, limited resources, network bandwidth).
The 5 key steps of a factory security program and important points to remember
1 – Have a clear vision of what the company wants to protect
It is essential to perform an asset inventory of the industrial network in order to understand the diversity of the equipment and to set up protections that cover as much of it as possible.
However, it is not enough to map the equipment physically (type, network location, etc.); a functional mapping is also needed to understand which equipment contributes to which production function. The « zones and conduits » concept of IEC 62443 is the recommended way to do this: assets are grouped into zones by function and security requirement, and the only permitted communication paths between zones are the declared conduits. This allows a better reaction in case of an attack, because it becomes possible to immediately identify which function is impacted and to adapt the remediation action accordingly.
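As an added illustration (not part of the original article and not Capgemini's tooling), the following Python sketch models a small plant as IEC 62443 zones and conduits over constructed sample data; every asset name, RFC 1918 address, zone name and conduit is an assumption. It maps a host to the production functions that depend on it, checks whether an observed flow between two hosts is covered by a declared conduit (intra-zone traffic is allowed, inter-zone traffic only through a conduit), and computes which zones an attacker could pivot to from a compromised host's zone. That is exactly the information an analyst needs in step 5 before a remediation plan is drawn up.

```python
"""Zones-and-conduits model of a plant network (constructed sample data, not a real site)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    kind: str               # PLC, HMI, historian, engineering workstation, ...
    zone: str               # IEC 62443 zone the asset belongs to
    functions: frozenset    # production functions this asset contributes to


@dataclass(frozen=True)
class Conduit:
    """A declared, allowed communication path from one zone to another."""
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int


class PlantModel:
    def __init__(self, assets, conduits):
        self.by_ip = {a.ip: a for a in assets}
        self.conduits = list(conduits)

    def impacted_functions(self, ip):
        """Physical-to-functional mapping: which production functions depend on this host."""
        asset = self.by_ip.get(ip)
        return set(asset.functions) if asset else set()

    def assets_for_function(self, function):
        """Reverse mapping: every asset whose loss would affect a given function."""
        return sorted(a.name for a in self.by_ip.values() if function in a.functions)

    def is_flow_permitted(self, src_ip, dst_ip, protocol, dst_port):
        """Intra-zone traffic is allowed; inter-zone traffic only through a declared conduit."""
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return False    # unknown host = inventory gap; never silently allow it
        if src.zone == dst.zone:
            return True
        return any(c.src_zone == src.zone and c.dst_zone == dst.zone
                   and c.protocol == protocol and c.dst_port == dst_port
                   for c in self.conduits)

    def reachable_zones(self, zone):
        """Zones an attacker could pivot to from `zone` using only declared conduits (BFS)."""
        seen, queue = {zone}, deque([zone])
        while queue:
            cur = queue.popleft()
            for c in self.conduits:
                if c.src_zone == cur and c.dst_zone not in seen:
                    seen.add(c.dst_zone)
                    queue.append(c.dst_zone)
        return seen - {zone}

    def triage_flow(self, src_ip, dst_ip, protocol, dst_port):
        """What the analyst needs before touching anything: verdict, functions at stake, pivot scope."""
        src = self.by_ip.get(src_ip)
        return {
            "permitted": self.is_flow_permitted(src_ip, dst_ip, protocol, dst_port),
            "functions_at_risk": sorted(self.impacted_functions(dst_ip)),
            "zones_reachable_from_source": sorted(self.reachable_zones(src.zone)) if src else [],
        }


def build_sample_model():
    """Constructed example plant: two PLCs on a bottling line, an HMI, a historian, an engineering host."""
    assets = [
        Asset("PLC-A1", "10.10.1.10", "PLC", "zone-L1-line-A", frozenset({"bottling-line-A"})),
        Asset("PLC-A2", "10.10.1.11", "PLC", "zone-L1-line-A", frozenset({"bottling-line-A", "palletizing"})),
        Asset("HMI-1", "10.10.2.20", "HMI", "zone-L2-supervision", frozenset({"bottling-line-A"})),
        Asset("HIST-1", "10.10.2.30", "historian", "zone-L2-supervision", frozenset({"production-reporting"})),
        Asset("ENG-WS", "10.10.3.40", "engineering workstation", "zone-L3-site-ops", frozenset({"engineering"})),
    ]
    conduits = [
        Conduit("zone-L2-supervision", "zone-L1-line-A", "modbus/tcp", 502),   # HMI polls the PLCs
        Conduit("zone-L3-site-ops", "zone-L2-supervision", "opc-ua", 4840),    # site ops reads the historian
    ]
    return PlantModel(assets, conduits)


if __name__ == "__main__":
    model = build_sample_model()
    # An engineering host talking Modbus straight to a line PLC: no such conduit is declared.
    print(model.triage_flow("10.10.3.40", "10.10.1.10", "modbus/tcp", 502))
```

The verdict alone is not a remediation plan: the output tells the analyst which production function the target PLC serves and which zones the source could reach, and the decision to isolate or stop anything is left to the people who know the line, as step 5 requires.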
2 – Only protect what is necessary
In other words, optimize security spending. A risk analysis based on attack scenarios specific to factories makes it possible to quickly separate the risks we accept from those we want to reduce (risks to human life are never acceptable, whereas the risk of reputational damage may or may not be acceptable depending on the company's market positioning).
To do this, the people who work in the factory must be involved in the scenario analysis through dedicated working sessions. Beyond a more precise risk assessment, this approach raises awareness among operational staff and brings them on board with the program, because they come away convinced that the risk is real and that something must be done.
3 – Design a realistic, efficient and progressive roadmap
Trying to secure everything everywhere at the same time does not work! Only a progressive approach can succeed, one that takes into account the factory's business stakes (a production shutdown can be costly in terms of penalties for late delivery and can damage the company's image).
For example, it is possible to start by deploying protections that do not change the architecture of the production line:
– EPP/EDR on endpoints
– USB device control
– Passive detection and asset management tools fed from a mirror (SPAN) port
– Operator awareness training
Then, where necessary, the architecture can be changed with:
– Network isolation and segmentation
– Finer-grained management of access rights and privileges, including the many remote accesses to the industrial information system used for operations and maintenance
– Obsolescence management, through version updates (e.g. of PLC firmware) or « virtual patching » (e.g. for old operating systems that can no longer be patched, where an upstream firewall or IPS blocks the exploit traffic instead)
It is also useful to classify factories into two or three categories by level of criticality and to deploy a given type of protection only to the categories that need it. The highest criticality would apply, for example, to factories producing the company's flagship product that also carry environmental risks (Seveso-classified sites, for example) and/or human risks because operators perform dangerous operations.
4 – Test a solution before deploying it to all the factories
Prototyping the solution in a pilot factory gives a detailed understanding of it and better prepares its deployment. It is important not only to test the solution's functionality but also to ensure that it does not degrade safety, operator efficiency or, of course, system performance. A second point to check during this test step is that the solution is easy to install and « patchable » with as much automation as possible, so that deployment procedures can be written that minimize the impact on production.
5 – Detect and react to attacks without « breaking everything »
The challenge here is to have teams that know and understand how the production chain and the industrial equipment and networks work, so that they can analyze events in detail and, above all, build a remediation plan that minimizes the impact on production and avoids damaging critical industrial equipment.
To do this, it is important to have a cybersecurity representative within the factory, drawn from the operational teams, who knows the factory very well and can help analyse alerts and, above all, contribute to building the remediation plan. It is not up to the SOC to decide to stop a machine on the production chain or within the system's command-and-control chain!