industrial cyber security supply chain, as it is a more general problem about our outdated security mindset. "For years, we've thought that, if we only build perimeter walls that are strong enough, we'll be safe. Then again, 12-foot concrete barriers don't count for much, if they come with an unlocked door. Considering the herculean task of trying to police every device, let alone components within that device, organisations are thinking about defence in new ways. Zero Trust architecture is just one of them."

Knocking down the tired inside/outside dichotomy of traditional network security, Zero Trust does not automatically trust any device, system or user, states Gordon. "Any that want to gain access must be verified according to the resource they want to use or communicate with, leveraging factors like user and location to authenticate. Instead of one wall around the city, Zero Trust builds walls - and, perhaps more importantly, watchtowers - around each constituent building, further complicating an attacker's job, providing visibility and preventing the lateral movement that is so critical in the cyber kill chain."

This matters more when we realise how the perimeter is changing, he continues. "New ways of working, such as BYOD [Bring Your Own Device], are making the perimeter line on which older generations of security depended less and less clear. We can no longer say that a network perimeter ends at the office door, so it makes sense to employ strategies which accommodate these new realities."

Moreover, he points out, we are just now getting regulations that will force security into the design stage for many of these devices. "The UK government, for example, will finally make its 2018 IoT guidelines mandatory. While commendable, they won't necessarily secure those supply chains entirely and the insecure components that are already floating around the IIoT will continue to pose threats. It will never be good enough to have insecure components within a device; but it's almost impossible to make sure of. Trying to wish away that reality is another version of the security wall fallacy: 'If I can stop it from getting into my environment, I'll be safe'."

For the moment, IIoT users simply have to accept that there will always be a risk with these devices and start thinking about how they're going to respond, once that insecure component is already in their environment. "Until IoT users can rely on these complex supply chains, enterprises can look to concepts like Zero Trust to tackle these unfortunate realities within the supply chain," Gordon concludes.

Nigel Stanley, TÜV Rheinland: to build cybersecurity into the supply chain, it needs to be written into contracts with suppliers.
SECURITY MYTH

The number of cybersecurity-related incidents in industrial control networks has risen in every region in recent years, and there have been well publicised reports of sophisticated malware and threat actors disrupting safety instrumented control systems. On the back of this, says Nigel Stanley, CTO - Global OT and Industrial Cyber Security CoE at TÜV Rheinland Group, organisations operating industrial facilities have a responsibility to "monitor, detect and mitigate cybersecurity attacks in order to maintain the safety, integrity and availability of their site which, if compromised, may have a severe and detrimental impact on society".

HOW SAFE IS ‘SAFE’?

But this is no straightforward task, he concedes, given that safety-critical systems can contain thousands of hardware components and millions of lines of software code. "When it comes to securing individual components, there is no such thing as absolute security. In terms of cybersecurity, products cannot be proven to be secure, or measured against an industry accepted Safety Integrity Level (SIL). Therefore, if a manufacturer claims their product is 'cybersecure', this should be taken with a large pinch of salt.

"To satisfy cybersecurity concerns, the most astute manufacturers or operators tend to seek security assurance - for example, three levels down their supply chain. While a good idea on paper, in reality this is a complex and time-consuming process for all parties. A detailed questionnaire can confirm whether suppliers are compliant with cybersecurity guidelines, but this is never the full picture."

To really build cybersecurity into the supply chain, it needs to be written into contracts with suppliers, states Stanley. "Obliging software code or a piece of hardware to undergo official certification against an accepted standard - such as IEC 62443 - can be helpful. However, this still doesn't guarantee that a product is secure; just that it has met the requirements of a particular standard at a particular time."
32<br />
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk