IACS Security. PHOTO: Cybercrime Magazine.

Industrial Automation And Control Systems Under Cyberattack

It’s a rugged journey, but we must roll up our sleeves and extinguish the enemies

Eli Kirtman

Northport, N.Y. – Jun. 25, 2021

From Germany’s steel mill, Ukraine’s power grid, Saudi Arabia’s oil and gas facility, to electric utilities and critical infrastructure worldwide — adversaries are game for everything and they’re perfectly capable of wrecking industrial automation and control systems (IACS).

This year alone, more than 4,400 publicly disclosed Common Vulnerabilities and Exposures (CVE) were processed in the NIST National Vulnerability Database (NVD).

The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) are responding with rapid fire. Their evolving series of standards (IEC 62443) address security risks and mitigation of threats to the IACS ecosystem.

Security for Industrial Automation and Control Systems is the latest standard to harden cybersecurity technical requirements. It’s a tight leash on embedded devices, network components, host components and software applications that make up IACS.

It “specifies security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures,” according to ISA.

ISA/IEC standards are merely the foundation to obtaining multi-level certifications required to deliver products to the market. They’re even more stringent for Industrial Internet of Things (IIoT) exported abroad.

But these preemptive attempts to derail hostile threats also deliver a toll in-house.

Cybersecurity experts across the industry share the rugged journey through industrial control security and the demanding criteria for IEC certifications.

Enterprises struggle to merge security design, concepts of defense, and life cycle management into a solid product development framework.

Failing to document security configurations, updated management policies, and other pertinent information is a guaranteed deal-breaker.

But the major land mine to certification is failure to execute appropriate standards in security testing throughout the development lifecycle.

“Each organization has unique IIoT components that must meet specific levels of process maturity and product security requirements,” says Morgan Hung, CEO and general manager at Onward Security.

Hung and his crew have trekked this mess, guiding numerous vendors through the rough terrain to certification.

He encourages cybersecurity leaders and their teams to get intimately familiar with IEC process and security standards that are specifically relative to their IIoT product.

But knowing the playbook front-to-back isn’t enough to get devices out the door.

Integrating security into development processes is perhaps more than half the battle. It requires keen awareness and stealth execution of protocols to avoid common trip wires.

Notable complications include faulty software and firmware, using libraries management with known vulnerabilities, and failure to establish incident response and tracking mechanisms.

“Risk assessment is an indispensable part of industrial control security,” says Jacky Li, director of product development at Onward Security.

Li encourages manufacturers to deploy an automated AI security strategy to overcome these setbacks.

“Tying a comprehensive security management system to automatic vulnerability assessments improves visibility across design, development and testing stages.”

In other words, it enables R&D teams to simultaneously discover known and unknown risks in more than 120 test items that could otherwise fail ISA/IEC reviews.

Understanding the intricate details from a regulatory perspective will help enterprises fine-tune their game plan.

Only then can cybersecurity leaders build security design, concepts of defense, and product management into a framework that will deliver safe technology to customers.

Not an easy feat by any means, but we must play by the book and roll up our sleeves to beat the enemy.

Onward Archives

Eli Kirtman is a freelance writer based in Cincinnati, Ohio.

Sponsored by Onward Security

Onward Security is a leading brand in cybersecurity compliance solutions for the Internet of Things. It has been selected as Best Cybersecurity Company – Asia Gold Winner by Cyber Security Excellence Awards. In addition to possessing an international IoT cybersecurity testing lab, it develops automated security assessment products with AI and machine learning features. It has been dedicating to helping customers in IoT/IIoT equipment manufacturing, finance, telecom, and other industries for fast obtaining security certification and effectively managing risks and vulnerabilities of open source software to ensure cyber and product security.