In the past, it has been a given that control systems are isolated from the internet and information systems, instead operated in closed environments, making them safe. However, as systems become increasingly open due to developments in the Internet of Things (IoT), this mentality regarding control systems has become out of date. It might be more realistic to think of all control systems as having potential points of contact from attackers not shown in network diagrams. It is difficult to apply conventional information system countermeasures such as security patches to control systems which require high levels of availability.
Toshiba Digital Solutions has prepared innovative security measures which take the features and requirements of control systems into consideration to suppress damage from cyber-attacks.
"We're not connected to the internet, so we're fine." Sometimes customers that operate control systems say this when presented with security measure proposals. What they mean is that their control systems are isolated from the internet and information system networks.
However, with advances in the IoT, it is no longer reasonable to conclude that one's systems have a low risk of cyber-attacks because they are closed systems or specialized systems. It is said that the percentage of control systems connected to information systems or the internet has already reached 80% to 90%. Unique operating systems developed in-house are being replaced with universal operating systems such as Windows and Linux. Networks are also becoming more open, with the use of Transmission Control Protocol/Internet Protocol (TCP/IP) becoming commonplace. Even if systems are not directly connected to external networks, they can be indirectly connected to the outside world by connecting computers or USB flash drives permitted for maintenance work or brought in without being checked (Fig. 1).
Unfortunately, control systems are built, operated, and managed based on the assumption that they are closed environments, and in many cases no security measures are implemented on endpoints such as networks or control devices. In most cases, if a system is infected with malware, it is not even possible to detect this fact or to realize that the system has suffered a cyber-attack. Control systems generally must remain operational 24 hours a day, 365 days a year, making it difficult to apply security patches in a timely fashion in the same way as with information systems. This is because patches cannot be applied if there is potential for them to negatively affect systems, nor can systems be rebooted.
From a control system security standpoint, it is extremely dangerous to be unable to see the imminent security threats posed to one's plants or systems and to face difficulties implementing security measures, since both prevent concrete measures from being implemented rapidly.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a U.S.-based organization that gathers control system security incident information, has reported that the number of cyber-attacks on control systems is growing every year.
Since the cyber-attack in Australia that damaged sewage facilities 18 years ago, in 2000, numerous major incidents have been reported, such as an oil pipeline explosion and the crashing of nuclear fuel equipment. In many of these, networks and devices with low security measure levels were attacked, wreaking severe damage on entire facilities. The WannaCry ransomware, which became rampant worldwide, and the damage caused by the Mirai malware, which targeted IoT devices, are still fresh in people's memories. One auto plant was forced to shut down operations, and malware infections have been reported to have caused major damage in critical infrastructure facilities such as hospitals, fire departments, and rail lines. There have also been reports of a cyber-attack on the Pyeongchang Winter Olympics.
This situation has led to the accelerated development of security standards for control systems such as IEC62443. So how can we protect the control systems that attackers are starting to target?
Over the past years, Toshiba Digital Solutions has investigated appropriate security countermeasures with roughly 80 companies and over 300 customers, focusing on 13 sectors designated as critical infrastructure by the National center of Incident readiness and Strategy for Cybersecurity (NISC). These include the energy, rail, air, government and administrative service, medical, and financial sectors.
Unlike information systems, for which confidentiality is the highest priority, for control systems the highest priority is availability, as these systems have the potential to impact human life and the environment. Not only must they remain in constant operation 24 hours a day, 365 days a year, but they must also ensure integrity and confidentiality (Fig. 2).
We meet these exacting requests while introducing the latest security technologies, providing a lineup of solutions such as data diodes and intrusion detection, whitelist-based malware countermeasures, assessment services (Cyber Security Management System (CSMS)/Embedded Device Security Assurance (EDSA) certification) and certification acquisition consulting services (ISO 27001/ISO 15408). Let's look at two of these solutions that are good fits for the characteristics of control systems.
*ISO: International Organization for Standardization
How can closed control networks be safely connected to information networks? One measure for achieving this is the use of data diodes. Our solutions use Waterfall security gateways from Waterfall Security Solutions. They physically limit the flow of data in a single direction, so placing them between control systems and information systems makes it possible to restrict traffic, allowing data to flow from the control system to the information system but not vice versa. This innovative solution blocks 100% of cyber-attacks that target control systems via information networks. This makes it possible to create environments in which data can be sent from control systems, yet they can be protected from 100% of external attacks. Waterfalls can also be used in redundant designs, so they support unique configurations in which they are combined with our ClusterPerfect, integrated cluster software with an extensive track record of use. We already have a great deal of experience using it in critical infrastructure sectors such as power and gas, rail, petrochemicals, and water and sewage systems.
Customers have also expressed a desire to implement malware countermeasures but indicated concern about their potential impact on performance, and have expressed their wish to implement countermeasures without applying security patches. One way to meet these requests is to use whitelist-based measures which protect systems by limiting which files can be executed on them (Fig. 3).
For control systems, availability is the highest priority. This makes it difficult to shut down devices to perform maintenance, and limits the range of measures that can be applied to devices themselves. Blacklist-based measures detect malware by using lists of information about malware that has been discovered worldwide, but whitelist-based measures work by creating a list of permitted programs in advance and blocking the execution of all malware and any applications that are not on the list. Even if someone such as a maintenance worker brings in a USB flash drive that has malware on it, since the malware is not registered in the whitelist, it will automatically be prevented from running.
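The difference between the two approaches can be seen in a short added example, which is not code from Toshiba Digital Solutions or from any product named in this article. It assumes the whitelist identifies programs by SHA-256 hash; all file names, paths and contents are constructed samples.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_allowlist(baseline: dict) -> set:
    """Hash every program on the known-good system image (created in advance)."""
    return {sha256(content) for content in baseline.values()}

def blocklist_allows(content: bytes, known_bad: set) -> bool:
    # Blacklist logic: run anything that is not already known malware.
    return sha256(content) not in known_bad

def allowlist_allows(content: bytes, allowlist: set) -> bool:
    # Whitelist logic: run only what was registered in advance.
    return sha256(content) in allowlist

# Constructed sample data: programs installed on the control-system host.
BASELINE = {
    "hmi.exe": b"HMI operator console v1",
    "historian.exe": b"process historian v3",
}
# Constructed sample: the only malware signature the blacklist knows about.
KNOWN_BAD = {sha256(b"old worm sample")}

# Constructed execution attempts: (path, file content).
ATTEMPTS = [
    ("C:/app/hmi.exe", b"HMI operator console v1"),          # registered program
    ("E:/tool.exe", b"old worm sample"),                     # known malware on USB drive
    ("E:/update.exe", b"new unseen malware"),                # unknown malware on USB drive
    ("C:/app/hmi.exe", b"HMI operator console v1 + patch"),  # registered program, modified
]

def evaluate(attempts, allowlist, known_bad):
    """Return (path, blacklist verdict, whitelist verdict) for each attempt."""
    return [
        (path, blocklist_allows(c, known_bad), allowlist_allows(c, allowlist))
        for path, c in attempts
    ]

if __name__ == "__main__":
    for path, bl, wl in evaluate(ATTEMPTS, build_allowlist(BASELINE), KNOWN_BAD):
        print(f"{path:16} blacklist={'run' if bl else 'block':5} "
              f"whitelist={'run' if wl else 'block'}")
```

The unknown file on the USB drive passes the blacklist but is blocked by the whitelist. The last attempt shows the operational cost: a changed copy of a registered program is also blocked until the list is updated.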
However, there is a tremendous diversity of system environments, so creating a solution that uses whitelists effectively requires advanced deployment know-how. We use our rich deployment experience with a wide range of social infrastructure systems to identify the detailed structures of customer systems and the management methods best suited to them, and deploy solutions which are appropriately tailored so that their whitelists function effectively.
The threat of cyber-attacks is growing worldwide, making it vital to implement security measures for control systems. We will continue to investigate appropriate measures together with our customers, providing effective security solutions for use with diverse control systems.
* The corporate names, organization names, job titles and other names and titles appearing in this article are those as of May 2018. Corporate names, product names, and system names are the trademarks or registered trademarks of their respective companies.