Secure knowledge for better cyber security

An annual report by Kaspersky Lab, The State of Industrial Cyber security 2018, revealed several interesting facts about how industrial cyber security is perceived by businesses and applied to Industrial Control Systems (ICS). The survey of 230 worldwide professionals reveals disconnections between what is feared by businesses, and what’s happening in reality.

For instance, 66% of the surveyed businesses were most concerned about advanced persistent threats (APT), like data leaks and spying (59%), because of their perceived potential impact. In reality, APT’s make up 16% of cyber security incidents. Actually, conventional malware and virus outbreaks are becoming the greater problem. These attacks are not overly sophisticated and made up 64% of cyber security incidents, last year.

Aside from misconceptions about the external threat landscape, disparities also exist within organisations. In relation to Kaspersky Lab’s survey, technology website tripwire.com cited a report by the SANS Institute. SANS found that, among nearly three-quarters of firms that were confident in their ability to secure their industrial internet of things (IIoT), there were more likely to be different internal perceptions about the effectiveness of their security measures. While leaders and department managers were more likely to have a ‘rosy outlook’ of their security, operational technology departments had a more pessimistic view.

Such misconceptions would be even more of a concern within critical national infrastructures. Cyber attacks against water, energy or chemical supplies can have very real consequences for countries and their populations.

Upgrading control systems

From a hardware and systems perspective, more than half - 54% - of the surveyed businesses identified integrating ICS with IT systems and Internet of Things (IoT) ecosystems as among the most pronounced challenges. This last statistic places a wider challenge faced by plant managers into a whole new context: specifically, how best to achieve space and cost savings by reducing the size and complexity of plant equipment.

Plant managers are turning to new systems to achieve greater levels of flexibility and profitability in their production. This coincides with older programmable automation controller (PAC) systems, like trusted Series 90-30 controllers, reaching the end of their operational lifespans. In many cases, these 90-30 systems have been relied upon as integral to plant operations for upwards of 25 years.

How can plant managers effectively upgrade their systems, while ensuring that cyber security measures keep up with the rate of technology adoption - and the external threat landscape? Fortunately, answers lie in smart hardware and its role in helping manufacturers enhance process flexibility and performance.

Centralised security

One solution lies in better control. The RSTi-EP CPE100 is a compact controller for PAC systems — specifically, to control the RX3i CPU from Emerson which has emerged as a popular and effective upgrade for 90-30 systems. In a nutshell, the RSTi-EP CPE100 leverages the power and flexibility of PAC systems in smaller applications.

The RSTi-EP CPE100, entire PAC systems can be programmed in stand-alone applications, or the system can be used as an auxiliary controller in larger process applications that use the RX3i. Not only does the system leverage the power and flexibility of PAC systems in smaller applications, there are also benefits in terms or cyber security - indeed, the RSTi CPE100 is secure by design.

With the system, companies can apply optimised security right from the very start. RSTi CPE100 incorporates technologies like Trusted Platform Modules and secure, trusted, and measured boot. It allows centralised configurations, so that encrypted firmware updates can be executed from a secure central location. Specifically, a suite of cyber security technologies can help prevent unauthorised updates. Meanwhile, built-in security protocols can protect against man-in-the-middle attack (MITM) — where the attacker secretly inters with communications between two parties — and denial-of-service (DoS) attacks.

Speaking of the ‘man-in-the-middle’, another key takeaway from Kaspersky Lab’s report is that, going forward, industrial companies must also pay more attention to employees’ understanding and awareness of cyber threats. Because the RSTi-EP CPE100 can streamline application development and integration, a further benefit of the system is that it simplifies training for operators and maintenance workers.

While cyber attacks on ICS computers are misunderstood by many within industry, it’s necessary to overcome these misconceptions while keeping up with the best cyber security measures. Novotek recommends that managers should pay attention to system security from the very beginning of their integration. The more critical the application, the more important it is that ideas surrounding cyber attacks accurately pre-empt the realities.