SCADA networks in any factory or critical infrastructure application require protection against increasingly sophisticated and well-funded cyber threats. As emerging security standards such as IEC 62443 help marshal the industry’s response, effective protection calls for an end-to-end, lifecycle approach to device security, extending from the underlying hardware to top-level applications and back into the supply chain.
Introduction: Industrial networks at risk
Cyber attacks against industrial assets and infrastructures such as power grids aim to steal trade secrets, disrupt services, and damage economies. Tampering with industrial systems can also compromise safety and potentially cause injury or fatalities among workers or members of the public. Attackers can be lone wolves, terrorist or criminal organisations, or government-backed teams with a wide range of technical capabilities, funding resources, and motivations.
However they are funded and whatever their goals, it is clear that hackers’ capabilities and the funding available to them are increasing. Organisations running any type of industrial system can expect to be the subject of cyber-attacks and must take steps to protect themselves. This calls for a clear analysis of industrial networks and their vulnerabilities, and a whole-lifecycle approach to managing embedded control systems.
A modern industrial control system comprises both information technology (IT) and operational technology (OT) domains, which are interconnected. Security needs to be addressed from end to end, and can be analysed in terms of general security neighbourhoods as shown in figure 1.
Figure 1. Security neighbourhoods in the industrial network
With this diagram in mind, using the 2015 cyberattack on the Ukraine power infrastructure as an example reveals how both the IT and OT infrastructures need appropriate protection. The attack began with hackers sending phishing emails containing malware-infected attachments. Eventually, at least one of these was carelessly opened, allowing the hackers to harvest login details and passwords. Although firewalls separated the IT network from the power-control systems, the stolen credentials allowed the hackers to login remotely to the utility company’s SCADA systems.
Although the hackers gained entry by first attacking a weak point in the IT infrastructure, subsequently exploiting weaknesses on the OT side allowed the attackers to take control of devices on the network to maximise disruption. This included rewriting the firmware of controllers such as PLCs to prevent operators regaining control as soon as the blackouts began. Power was restored only after operators physically sent teams to each site to take over manual control, which took several hours to complete and added significantly to both the inconvenience and cost of the outage.
Clearly, vigilance, threat-awareness training for computer operators, and malware checking are essential to resist attacks aimed at the IT side of the network. However, protecting the embedded controllers on the OT side is equally important. An effective security policy must also recognise that IT and OT networks operate with different protocols, and must satisfy different user expectations in relation to the security triad of Confidentiality, Integrity, and Availability (CIA). The table compares typical high-level IT and OT operating modes and their prioritisation of system security protections.
Table 1. Comparison of OT and IT network characteristics
Security for life
The hardware and software technologies used by hackers are constantly evolving and becoming more powerful and sophisticated. The security stance of a system built with the best defences available at the time it is deployed will inevitably degrade with time.
A complete security solution based on a four-stage lifecycle (figure 2) helps minimise the vulnerabilities exposed by not only providing strong protection but also detecting unauthorised access, limiting the potential for damage, and facilitating recovery.
Figure 2. Four-stage security lifecycle
The first stage of the lifecycle is to “Protect” the system as strongly as possible given the knowledge the day a system is deployed. This should be based on a defence-in-depth strategy that provides several layers of protection in hardware and software. The defence in depth strategy must traverse not just boot-time software but also the runtime operations of a system.
The second stage is to assume that someday a system will be hacked and ensure it is possible to “Detect” when a system has been compromised using secure attestation and measurement technologies that monitor for any unintended or unauthorised changes to the system. In the Ukraine attack, and other exploits such as Stuxnet, the target systems had been compromised for many months: after gaining access to one part of the system, the hackers were then able to pivot into other parts of the system and increase the scale of their attack.
When a system is detected to be compromised in an industrial asset – where uptime and safety are of the highest priority – it is important to have “resilience” in the system to allow for a system to fall-back to a safe mode or reduced range of operation while alerting the operators and maintainers to the fact that it has been compromised.
Finally, it is important to view the security lifecycle as a closed loop where fielded devices are able to communicate back details of the attacks and compromises they are experiencing by which to ‘remediate’ fielded systems with security patches and to improve the security stance of fielded systems of similar configuration.
Protecting embedded devices
Effective security for OT infrastructures depends on providing a foundation by which to build secure solutions at the controller, control network, and I/O neighbourhoods. While various technologies may be used to secure the system in each of these neighbourhoods, the general security goals are the same in each case. Within these security neighbourhoods, maintaining the “chain-of-trust” (figure 3) throughout the operation of each digital system is essential.
Figure 3. The chain of trust in embedded devices begins with device hardware at the lowest level
Recognising that the system is only as strong as the weakest link in the chain of trust, Xilinx Zynq Ultrascale+ system on chips (SoC) provide features for establishing a strong security foundation at the hardware and boot-time software level. These include an immutable device identity and boot ROM, anti-tamper functions, integrated secure-key storage in eFuses, and bitstream authentication and encryption for secure hardware loading. The protected boot firmware then enforces a secure boot and execution of the first stage bootloader and will stop the process if it detects the integrity of the software was compromised indicating that tampering has occurred. At the higher levels, only an authenticated digitally signed OS image will be loaded.
Once a system is up and running communications with any other devices should be protected using authenticated communication channels, as well as encryption if protecting the data in-flight is deemed necessary. Xilinx FPGAs feature integrated hardware accelerators for industry-standard encryption algorithms such as RSA-SHA, and AES, to support secure, encrypted communications. Data exchanges with other ICs in the system, such as non-volatile memory (NVM) chips, can also be protected using device-unique keys that are unreadable to the user.
Finally, the system monitoring functions such as measured boot, measured application launches, and use of TPM (Trusted Platform Module) PCR extensions is supported. These links in the chain are all necessary to protect the operation and integrity of each of the devices in the end to end security architecture.
These interconnected layers of security features, from the underlying device hardware to the validated OS and application software not only protect the operational state of the device but also protect the intellectual property associated with the FPGA hardware design and the code running on the device. If this IP can be stolen, the consequences not only include potential loss of revenue for the device manufacturer, but the additional risk that devices can be cloned to launch further attacks.
Improving security best practice
While it is true that hackers present an increasingly skilled and well-funded threat, security specialists also are gaining greater understanding of the methods used to launch attacks, and the most effective responses. Evidence for this includes the publication of the international industrial control system security standard IEC 62443, and the work of organisations such as the Trusted Computing Group (TCG) and the Industrial Internet Consortium’s (IIC) Industrial Internet Security Framework (IISF), to establish best security practices for embedded systems.
Xilinx has helped to author IEC 62443, and is an active member of the TCG and IIC. Important security functions supported in FPGA silicon and design tools (figure 4) enable users to create industrial control platforms that are compliant to IEC 62443-4-2 and help accelerate their time to market. In addition, new mechanisms are being introduced to enable customer keys and unique device identifiers to be installed securely, within the supply chain.
Figure 4. Services, tools, and silicon features, together, enable end products to satisfy IEC 62443
Today’s industrial control systems are extremely likely to be subjected to cyber-attacks. The power and sophistication of these attacks will only increase in the future. An effective security policy should not only ensure strong protection but also encompass detection, resilience and remediation within a four-stage lifecycle. Strong hardware authentication features, as well as features supporting secure boot, software measurement, and encryption hold the keys to minimising the attack surfaces offered by Operational Technology (OT) devices.
The adage “knowledge is power” holds true in cyber security. OT-equipment developers should take the time to understand cyber threats and the development of industry best practices, and how to use the protection features that are already built into the latest SoC devices.
Editor’s note: Xilinx has put together a webinar alongside Avnet, Infineon and Mocana which provides an overview of security threats and examines countermeasures leveraging IIC and TCG guidelines and key elements of IEC 62443. You can find out more about it here.
Interested in hearing industry leaders discuss subjects like this? Attend the IoT Tech Expo World Series events with upcoming shows in Silicon Valley, London, and Amsterdam.