
Talk 15 - Michael McGinley - Parting ways with Purdue? The Effect of Industry4.0 on ICS Security Arc

BSides Athens · 2021 · 16:00 · 1.4K views · Published 2021-06 · Available on YouTube
Category: Technical
Style: Talk
About this talk
Abstract: Industrial Control Systems (ICS) security has historically relied on network segmentation and segregation, in order to separate process control from vulnerable internet-facing networks using hierarchical zones separated by firewalls. Industry 4.0 and the Industrial Internet of Things (IIoT) rely on 'smart' control devices connecting directly to cloud networks, bypassing the logical hierarchy of reference architectures such as the Purdue Enterprise Reference Architecture. This talk will firstly deliver an overview of the necessity for security in ICS, looking at historic vulnerabilities and risks, which secure reference architectures aim to mitigate. I will also provide an introduction to the Purdue Model, explaining its history and significance to ICS implementations across various sectors. I will then examine the limitations in current ICS security standards in the context of Industry 4.0, and explore new solutions which address these issues, while also discussing their shortcomings. I will finally discuss the relevance of the Purdue Model going forward and attempt to identify areas in which it could be modified to better suit IIoT networks. It is hoped that this talk will provide ICS novices with a solid understanding of the security issues which face these systems, and that more experienced attendees will expand their knowledge of secure control system architectures, particularly those that involve newer technologies.

Bio: Michael McGinley is an Associate at PwC UK, having joined the firm as a graduate in September 2020. His work involves detection engineering and analysis, working as part of PwC's Managed Cyber Defence team to protect clients from new and existing threats to their infrastructure. Michael gained his Master's degree in Computing Science from the University of Glasgow in 2020, his research project focusing on Industrial Control Systems security training, working within the Glasgow Cyber Safety Lab.
Transcript [en]

Hello, my name is Michael McGinley and I'm a cyber security analyst at PwC UK. Today I'm going to be talking about the effect of Industry 4.0 on industrial control systems security architecture. Some of you may already be familiar with industrial control systems and what security for them looks like, but some of you may be entirely new to the concept. I hope that if you're an ICS novice this talk will give you a good overview of ICS and the challenges of securing them, and if you have some knowledge of ICS then you will learn something about what the future of ICS security holds. I'm going to explore the security issues in ICS and what makes them different from IT systems in this regard. We'll then look at architectures such as the Purdue model, shown on the right, and examine the proposed solutions to creating secure architecture for Industry 4.0 and Industrial Internet of Things technology. We'll look into the Purdue model in more detail and talk about the implications of applying the Purdue model to Industry 4.0 and Industrial Internet of Things networks.

So what are industrial control systems? Well, when people talk about industrial control systems they often use the terms OT, ICS and SCADA. They use them interchangeably, but they do have different meanings. Operational technology is simply the computer systems which are used to manage industrial operations. Industrial control systems are used to monitor and control industrial processes such as robotic arms, safety systems and valve controls. SCADA is the systems which allow operators to monitor the running processes and provide access to control functionality. Normally you would find SCADA software installed on machines within a control room monitoring an entire plant; in more modern systems you might find SCADA software distributed across much larger areas. Industrial control systems are not a new concept, but the trend that we have seen is that they become more complex and distributed across larger areas. Within ICS there are common devices you may find, such as programmable logic controllers, which are essentially industrial computers which take input from sensors, process the state and trigger output. You'll also find remote terminal units, which are similar to PLCs but their main purpose is the communication of process data to SCADA systems, with some control. You'll also find human machine interfaces, which allow operators to monitor the status of industrial operations and make changes. SCADA software will sometimes have HMI functionality but also the ability to reprogram PLCs; operators can monitor the status of multiple processes distributed across an entire plant or a large geographical area.

Moving on to Industry 4.0 and the Industrial Internet of Things. Industry 4.0, from this definition by Angela Merkel, is essentially the fusion of the online world and the world of industrial production. Industry 4.0 is all about processes becoming smarter. We now have smart factories which include devices such as IIoT sensors, often connected to cloud systems. These cyber-physical systems give us increased efficiency, predictive maintenance and a whole host of other benefits. Unfortunately, interconnectivity brings with it security challenges, as we have more opportunities for attacks. Security now needs to be a focus from the start rather than an afterthought, as it traditionally was with industrial control systems, in order to mitigate the risks that come from these new technologies and get manufacturers comfortable with them.

Now let's talk about the Purdue Enterprise Reference Architecture, sometimes called the Purdue model. This is a model for enterprise architecture. It segments the control system architecture into six levels, each of which has its own specific purpose. This helps isolate critical control zones from enterprise zones and therefore reduces the risk of attacks to ICS. Levels four and five are the highest levels and focus on enterprise technology and systems; common systems you might find here are web servers, mail servers and enterprise workstations. Between levels four and three is the demilitarized zone, which often resides between two firewalls. In level three you'll find manufacturing operations and systems such as historians, and also systems for monitoring overall plant performance. Level two is the control systems, which usually includes SCADA devices and HMIs. At level one we have the basic control level, where we have devices such as PLCs and RTUs, and then at level zero is the process itself, with sensors and actuators or anything else connected directly to the process.

There are a few common issues when it comes to securing operational technology. High availability is one of the greatest requirements of OT; this is because downtime can be extremely costly and sometimes dangerous in the case of safety-critical systems. There is also this reliance on legacy systems, where it's not uncommon to see Windows 7 or even older running within factory environments, and this is because it's not cost effective to upgrade these systems and doing so can create unpredictable environments. There are also vulnerabilities present in these legacy and commercial off-the-shelf systems. Furthermore, misconfiguration, particularly with firewalls, can allow systems within different zones to communicate, which should not normally be permitted. Many of the OT communications protocols, such as Modbus, are insecure and have no encryption. These were designed in a time when security wasn't really thought about, but now, as we have more interconnectivity, it's becoming a real issue using these older unsecured protocols. The demand for internet connectivity has also been accelerated by COVID-19, and because of this we have seen some poorly implemented configurations for remote access, which in OT environments can be very costly and also dangerous. And there's also this difference in security skill set between OT and IT, because you sometimes have two security departments who don't work together or don't understand each other's needs.

Looking at a case study of an ICS attack, let's look at the 2015 BlackEnergy attack on Ukraine's power grid. Now, this was a top-down attack where the attackers got access to the enterprise zone, stole VPN credentials and moved downwards to attack control zones, and this resulted in 225,000 customers being without power. Post-incident analysis showed the attack came from a spear phishing campaign where corporate workstations were infected with the BlackEnergy 3 malware. The attackers gained access to VPN credentials which allowed them to pivot to control networks; from there SCADA workstations and HMIs were compromised, as well as uninterruptible power supplies. And this follows this typical ICS attack flow, which normally flows down the way from the enterprise zones: the attackers gain access to the corporate or enterprise network, often through traditional methods such as spear phishing; they then extend their foothold in the corporate network and find devices which should give them access to the lower levels, and if they do gain access to the lower levels they disrupt the processes and often cause a lot of damage.

So how can the Purdue model fit into Industry 4.0 and Industrial Internet of Things environments? Well, there's this issue with segmentation: the Purdue model has a reliance on segmentation, but Industry 4.0 has a reliance on interconnectivity. Within Industrial Internet of Things environments we no longer have the hierarchical data flow. Devices further down the model become smarter and therefore more opportunities for attack are created. We don't have this logical separation of the control networks from the enterprise networks anymore, and this is because the data to increase efficiency can be gathered and processed at levels 1 and 0 and sent directly to the cloud, bypassing the logical hierarchy of the Purdue model. If we were to create some sort of system which sent data from the IoT devices through each of the layers of the Purdue model, this could actually result in increased overheads, and such an implementation could increase opportunities for exposure due to misconfiguration.

As the architectures now bypass the traditional hierarchical levels, is the Purdue model now outdated? I would argue the issue of OT and IoT converging isn't new, and as we have seen, most incidents seem to be as a result of misconfiguration or error rather than an issue with the underlying architecture. If we were to have this IoT edge gateway which connects across the entire enterprise environment, this gives us a critical component to secure, but if we were to move away from the Purdue model we may be presented with more concerns. The success of the model demonstrates the level of trust that enterprises have given to it, and many businesses may be reluctant to design their networks on new and untested architectures. If we were to move away from the model and the rigid segmentation there could be an even greater possibility for misconfiguration issues. Moving to Industry 4.0 and the Industrial Internet of Things will also take some time.

Experts have suggested that in the interim period we create this hybrid approach, creating an edge gateway layer within the Purdue model, and this is one method of adapting the Purdue architecture to modern systems. This is one of the most promising models, which retains the six-level approach from the Purdue model. We see the IoT platform situated at level three alongside traditional systems such as a data historian. Level five in this instance has been replaced by a cloud layer and includes external cloud services. The IoT platform provides information to the systems above as well as bi-directional communication with sensors and actuators below. In this model the firewalls are retained, but they're not shown here. This model was published in 2018, so it's fairly recent; we don't have any information about whether it's been implemented by enterprises. The documented features in Good Practices for Security of Internet of Things is perhaps more beneficial for modern systems than historic standards in this area such as the NIST 800-82 standard. I would recommend reading the ENISA good practice document if you're interested in further implementation specifics.

There are also some other good recommendations for IoT security beyond architecture. One of these is zero trust. As I mentioned with the Modbus protocol, OT security traditionally relied on a lack of encryption or authentication and implicit trust. Not only is this extremely outdated and unsafe, but in modern systems with multiple devices from many vendors it doesn't work. Therefore zero trust means that there is no trust by default and all devices should be hardened before implementation. Next generation firewalls can also provide us with enhanced logging and threat detection; connecting directly to cloud platforms, we can send logs to data lakes, use threat intel feeds and also use deep packet inspection. Asset management is another key area for securing ICS. Modern networks are complex and have thousands of connected devices within either enterprise or control zones; businesses must therefore ensure they have an up-to-date inventory, but it's not easy, and so various tools are available for modern asset management. Some of these are also integrated into security tools for integration of IoT and OT security alerts into security information and event monitoring or security orchestration and response. Palo Alto Networks' IoT Security, Azure Defender for IoT and the Dragos platform are all good tools available; some of these use anomalous traffic detection using machine learning alongside traditional signature-based alerts.

In conclusion, is it time to part ways with the Purdue model? Well, increasingly cyber attacks are having more physical effects and becoming more dangerous. Experts are warning that it's a matter of when rather than if a cyber attack kills someone. In the last year a German hospital was hit with a ransomware attack which indirectly resulted in an A&E patient's death, as the ambulance had to be diverted. While this is an indirect death, as we see more convergence between OT and IT, expect to see more attacks and possibly even direct deaths as a result of cyber security. But as we've seen from the attacks, it's not the architecture which creates security issues; it's the humans, in misconfiguration or having security as an afterthought, which has long been a common issue within ICS. That being said, having an up-to-date trusted architecture for administrators and designers to follow will help to ensure that systems are secure from the outset. Purdue is definitely still relevant in this area, considering that most industries will take some time to move beyond their current setups and integrate the Industrial Internet of Things. In the same breath, we know the traditional Purdue model isn't entirely applicable for modern systems due to its reliance on strict segmentation, and so architectures such as the ENISA model should be considered and tested, enabling businesses to stay protected and be prepared for Industry 4.0. Thank you very much for listening, and you can get in touch with me on LinkedIn or Twitter if you have any further questions.
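The segmentation rules the talk describes (traffic only between adjacent Purdue levels, a DMZ between levels 3 and 4, and, in the hybrid model, an IoT platform at level 3 acting as the single bridge to the cloud layer and to the sensors and actuators below) can be checked mechanically against an asset inventory and a list of observed flows, which is where the firewall misconfigurations the talk blames for most incidents show up. The script below is an added example written for this page, not code from the talk, from ENISA or from any of the products mentioned; the host names, levels and flows are constructed, and the policy encodes one reasonable reading of the hybrid model rather than a published specification.

```python
"""Purdue-level flow policy checker (added example; all data is constructed)."""
from typing import Union

Level = Union[int, str]  # 0-5, or the special zones "dmz" and "cloud"

# Constructed asset inventory: host name -> Purdue level / zone.
# "cloud" stands in for level 5, as in the hybrid model described in the talk.
LEVELS: dict = {
    "erp-server": 5, "mail-server": 4, "eng-workstation": 4,
    "historian-mirror": "dmz",
    "historian": 3, "iot-platform": 3,
    "scada-01": 2, "hmi-01": 2,
    "plc-01": 1, "rtu-01": 1,
    "valve-sensor": 0, "iiot-sensor-7": 0,
    "cloud-analytics": "cloud",
}

# Hybrid model assumption for this example: the IoT platform is the single
# component permitted to bridge the cloud and the field devices at levels 0/1.
GATEWAYS = {"iot-platform"}


def check_flow(src: str, dst: str):
    """Return None if the flow respects the zone policy, else a reason string."""
    a, b = LEVELS.get(src), LEVELS.get(dst)
    if a is None or b is None:
        return f"{src}->{dst}: asset missing from inventory (asset management gap)"
    if "cloud" in (a, b):
        # Only the gateway and the enterprise levels 4/5 may talk to cloud services.
        other_host = dst if a == "cloud" else src
        other = LEVELS[other_host]
        if other_host in GATEWAYS or other in (4, 5):
            return None
        return f"{src}->{dst}: level {other} asset reaches the cloud without passing the IoT gateway"
    if "dmz" in (a, b):
        other = b if a == "dmz" else a
        if other in (3, 4):
            return None
        return f"{src}->{dst}: DMZ may only exchange traffic with levels 3 and 4, not level {other}"
    # Both ends are numeric Purdue levels from here on.
    if {a, b} == {3, 4}:
        return f"{src}->{dst}: level 3/4 traffic must traverse the DMZ"
    if abs(a - b) <= 1:
        return None
    if (src in GATEWAYS or dst in GATEWAYS) and min(a, b) <= 1:
        return None  # hybrid model: the gateway talks directly to sensors/actuators
    return f"{src}->{dst}: levels {a} and {b} are not adjacent"


def audit(flows):
    """Run every (src, dst, protocol) flow through the policy; return the violations."""
    return [v for v in (check_flow(s, d) for s, d, _ in flows) if v is not None]


# Constructed flows, of the kind exported from firewall logs or a passive asset tool.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "modbus"),                # level 2 -> 1: allowed
    ("historian", "historian-mirror", "sql"),      # level 3 -> DMZ: allowed
    ("iot-platform", "cloud-analytics", "https"),  # gateway -> cloud: allowed
    ("iot-platform", "valve-sensor", "mqtt"),      # gateway -> level 0: allowed in hybrid model
    ("eng-workstation", "plc-01", "modbus"),       # level 4 -> 1: violation
    ("iiot-sensor-7", "cloud-analytics", "mqtt"),  # level 0 -> cloud: bypasses the gateway
    ("mail-server", "historian", "http"),          # level 4 -> 3: skips the DMZ
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

The unknown-asset case is reported as a violation on purpose: a flow involving a host that is not in the inventory is exactly the asset management gap the talk describes, and treating it as allowed would let an unmanaged IIoT device through unnoticed.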
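The talk's point that Modbus carries no authentication means the only compensating control is to watch which hosts issue write commands to PLCs, the kind of signature-style check the asset and monitoring tools it names perform. The detector below is an added example for this page, not code from the talk or from any vendor tool: it decodes the MBAP header and function code of Modbus/TCP requests and raises an alert when a state-changing function code arrives from a host outside a constructed allowlist of level-2 SCADA/HMI addresses. The frames, IP addresses and allowlist are constructed; the header layout and the write function codes are the standard Modbus/TCP ones.

```python
"""Modbus/TCP write-request detector (added example; all traffic is constructed)."""
import struct

# Function codes that change process state. Modbus has no authentication, so
# the only control available is *who* on the network may send these.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Constructed allowlist: the level-2 SCADA/HMI hosts that are permitted to write.
AUTHORISED_WRITERS = {"10.2.0.10", "10.2.0.11"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    data = payload[8:]
    # For the write functions the PDU data starts with the target address.
    address = None
    if function in WRITE_FUNCTIONS and len(data) >= 2:
        address = struct.unpack(">H", data[:2])[0]
    return {"tid": tid, "unit": unit, "function": function, "address": address}


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def detect_unauthorised_writes(records):
    """records: iterable of (src_ip, dst_ip, payload). Return a list of alert strings."""
    alerts = []
    for src, dst, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame ({err})")
            continue
        name = WRITE_FUNCTIONS.get(req["function"])
        if name and src not in AUTHORISED_WRITERS:
            alerts.append(f"{src}->{dst}: {name} (FC {req['function']}) to unit "
                          f"{req['unit']} address {req['address']} from non-authorised host")
    return alerts


# Constructed traffic: an HMI reading and writing normally, then an enterprise
# host (10.4.x, Purdue level 4) issuing writes it should never be able to send.
SAMPLE_TRAFFIC = [
    ("10.2.0.10", "10.1.0.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),        # read 10 registers
    ("10.2.0.10", "10.1.0.5", build_request(2, 1, 6, struct.pack(">HH", 100, 1500))),    # authorised write
    ("10.4.0.77", "10.1.0.5", build_request(3, 1, 5, struct.pack(">HH", 0, 0xFF00))),   # coil ON from level 4
    ("10.4.0.77", "10.1.0.5", build_request(4, 1, 16, struct.pack(">HHB", 200, 1, 2) + b"\x00\x00")),
    ("10.4.0.77", "10.1.0.5", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),     # protocol id != 0
]

if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_TRAFFIC):
        print("ALERT", alert)
```

Malformed frames are alerted on rather than dropped, since a protocol-id or length mismatch on a PLC port is itself worth a look; in a real deployment the allowlist would be driven from the asset inventory rather than hard-coded.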