“Today, ICS does not protect either the air gap or proprietary protocols” - an interview with Vladimir Karantaev

The public is regularly disturbed by reports of cyber attacks on industrial enterprises in different countries. Russian regulators require the protection of facilities critical to the functioning of the economy.



We are publishing an interview with Vladimir Karantaev, head of the CIGRE working group on cyber security (Implementation of Security Operations Centers in Electric Power Industry as Part of Situational Awareness System) and head of ICS cyber security at Rostelecom Solar, about trends in attacks on ICS segments, architectural problems in the security of the industrial Internet of Things, the Digital Economy program, and the steps needed to protect industrial enterprises from cyber threats.







- Usually, a conversation with a specialist in the field of information security begins with “scary stories” that excite the imagination of ordinary people. Tell us about your attitude to the most striking events of this kind related to industrial enterprises.



- Yes, the press likes to discuss high-profile stories of cyberattacks. Probably the first time people started talking about targeted cyber attacks aimed at industrial facilities was in connection with the Stuxnet virus. It is still often cited as an example, although more than 10 years have passed since the incident, and several books have been written about it. Among the more recent cases are the Industroyer malware, which led to massive blackouts in Ukraine at the end of 2015, and Triton, discovered at a petrochemical plant in Saudi Arabia in the summer of 2017.



I see a certain trend behind these events. According to various estimates, no more than 5 types of specialized malicious software were developed specifically for attacks on automated process control systems, of which only 3 were aimed directly at disrupting the process. And then Triton appeared: an attack whose ultimate goal is physical consequences for the functioning of hazardous production facilities (OPO), i.e. the triggering of so-called HSE risks, the assessment of which has in recent years become part of management practice at hazardous production facilities. This case is fundamentally different from what came before. In my opinion, Triton has taken ICS cyber security threats to the next stage of development.



The Triton virus was focused on a specific type of automated system: emergency shutdown protection (PAZ), which is the “last line of defense” for the safe operation of a hazardous production facility. Today, PAZ systems support remote configuration from workstations over the network, and this is what the attack relied on. Its ultimate goal was to replace the legitimate process of configuring the PAZ controller with the ability to adjust its settings. This was facilitated, in particular, by the fact that neither the configuration software nor the network protocol provided any security measures. This is despite the fact that cyber security measures were described at the level of regulatory and technical documentation back in 2013. Had the attack succeeded, it would most likely have led to physical consequences for the enterprise.



- Could the enterprise take protective measures?



- Yes, the enterprise that operated the PAZ controller could have taken certain measures: OS hardening on the engineering workstations running the engineering software, organizing and implementing identification and authentication measures, and monitoring the critical systems and processes of such workstations using a SOC. The peculiarity is that, for unknown reasons, the hardware key of the PAZ controller was in a position that allowed programming and configuration. It was possible and necessary to apply organizational measures regulating the use of such a mode during operation.



It is worth noting that the system manufacturer can take a much wider range of measures: for example, implement and use a trusted operating system and a secure protocol, provide mechanisms for identifying and authenticating access subjects and objects both at the level of people and at the level of processes, provide trust during configuration, etc.



Schneider Electric, whose controller was operating in the affected plant, took up the corresponding modifications of its products. However, this is not a quick matter, and it is bad that we see action taken only after a precedent, because the consequences of even one successful attack can be catastrophic. We need to think about preventive measures in response to threats and risks.



- Does anyone in the world think proactively?



- Serious processes are underway to create the industrial technologies of the future: the Industry 4.0 initiative in Germany, which, according to its authors, is supposed to help the world move to a new technological order. The American Industrial Internet of Things (IIoT) initiative is based on a similar idea but covers more sectors of the economy. National programs of this kind have appeared in China and Japan.



Obviously, any country that considers itself a serious player on the world stage should respond to such challenges and form its own national agenda. In our country, it has taken the form of the Digital Economy state program.



- Do you think that our Digital Economy is a project on the scale of IIoT in the USA?



- This is true. In fact, over the past 7–8 years we have been observing how the global strategic struggle for technological leadership is intensifying in the international space, a struggle that will determine the dominant concepts and approaches for the next 30–50 years. The result of this struggle comes down, in fact, to the transformation of business models, which in turn are based on a specific set of technologies. In our Russian documents they were called end-to-end technologies.



Actually, the foundation of the digital economy is a certain stack of technologies, including those that increase the efficiency of industrial enterprises in different industries through automation (or digitalization). At the moment, the basis of this automation is automated process control systems, the implementation of which began in the Soviet Union in the 1970s. Then the first programmable logic controllers appeared, which gave a serious incentive to the development of industry in developed countries. And today we are approaching the milestone beyond which the next stage of global rapid growth begins, and its basis is likely to be a set of technologies called the Industrial Internet or Industrial Internet of Things.



- So this is not about the public Internet?



- IoT generally covers two areas: the user (or consumer) Internet of Things, in which various wearable and plug-in devices appear, for medical purposes, fitness, etc., and the industrial IIoT, a set of technologies that will increase the efficiency of enterprises now and in the near future. We are talking about the latter: the technologies that should lead to increased efficiency in the functioning of specific enterprises, industries, and the national economy as a whole. The parameters of this efficiency will be determined by a set of technologies (the International Telecommunication Union calls them infocommunication technologies) that will be used to organize the interaction of elements or objects within an infrastructure or between different infrastructures.



- The task is large-scale. How is it progressing in terms of industrial automation technologies compared to, say, IIoT?



- As for IIoT, the Industrial Internet Consortium (IIC) is engaged in developing the concept. Its goal is to help accelerate the digital transformation of enterprises and national economies, in particular by promoting best practices. They create documents of a doctrinal level, and the first documents of the white paper class are appearing, that is, technical documents explaining specific technologies for specialists such as developers of application systems. Since cybersecurity is a key topic for industrial systems, the relevant technologies should be seen as cross-cutting, permeating all processes and levels. In this vein, new approaches to the security of industrial Internet systems are being developed.



- How is the work on industrial automation technologies of the future progressing in Russian structures?



- There are special working groups, which include, among others, Rostelecom Solar experts, that form the agenda for the development of these technologies, in particular on the cybersecurity of cyber-physical systems and industrial Internet systems. There is a common understanding that the object of protection today is the processes of interaction between elements, both within the enterprise, for example at the ICS level, and between enterprises, for example within vertically integrated holdings or even between holdings. This, in turn, implies the transformation of business models.



It is extremely important here that such transformations require a very deep integration of technological and business processes between enterprises of the same industry or even of different industries. This will allow enterprises to quickly create and market new products that are more personalized from the point of view of the target audience. This means that the technologies already widely used in modern enterprises today will become even more widespread. In other words, it will be a set of various telecommunication protocols: from low-level protocols to protocols for interaction between the automated or robotic systems that make up the cyber-physical systems themselves. And, in addition, there will be a variety of information technologies, a combination of system-wide and application software. There is a risk in this.



- The risk of making a mistake with the choice of technology?



- Since the industrial Internet is a combination of information and communication technologies that penetrate the entire system from top to bottom, from an intelligent sensor to a system that controls the technological process, issues a specific task or generates a forecast, the topic of cybersecurity is cross-cutting. In this sense, security methods should be present in the development of new technologies from the start, already at the level of forming requirements. They should be applied both to the system as a whole and to the technologies on which the system is implemented.



Naturally, in different industries these systems have and will have their own specifics. In the electric power industry, for example, even the term “industrial Internet” has not taken root; they talk about Smart Grid technologies or an active adaptive network, although the task is generally the same: from an intelligent sensor, for example a current or voltage transformer, up to the same top-level system. The same is true in oil and gas: from an intelligent pressure or level sensor and other sensors to a decision support system. Cybersecurity is a set of end-to-end technologies and methods that should ensure the sustainable functioning of cyber-physical systems.



However, it seems to me that this serious component of the development of future technologies was practically not reflected in the Digital Economy program, and in fact we are talking about the security of industrial systems. This direction is allocated to a separate group, but it is necessary, absolutely necessary, that the topic of cybersecurity be present in every working group, in every vertical where cross-cutting technologies are discussed. We always advocate for this and hope that we will be heard.



- Why is it not enough to deal with security issues as a separate, so to speak purely professional, team?



- The fact is that we are talking about a very complex multi-level data exchange system. As I said, it is necessary to formulate technical cybersecurity requirements both for the whole system and for its elements. But that is not all. We must formulate cybersecurity requirements that are based on an adequate threat model and intruder model for the elements and the systems. It is clear that these tasks can be performed with the right quality only by working within thematic groups on an ongoing basis. The development of a comprehensive IIoT cybersecurity proposal is possible through established ecosystem partnerships.



If these specific features are not laid down even at the stage of forming the roadmap of the Digital Economy, then the corresponding work will not be performed. And if we do not formulate the basic requirements for the elements of the system and for the Digital Economy system as a whole, then there will be no requirements for the technologies that should appear: microprocessor protection technologies, secure protocols, protection of custom ASIC chips and other chips, systems-on-chip, etc.



- What is the main cyber threat today for industrial control systems? Targeted attacks like Triton?



- Statistics show that today ICS are quite strongly integrated with top-level systems (SCADA dispatch systems or MES shop-floor control systems), supporting intensive two-way data exchange, while the level of protection measures, both organizational and technical, at the ICS level is often quite low.



And here is what is important: speaking in terms of the five levels of enterprise systems, at the upper levels at least some security work has been done in recent years, but at the lower levels nothing has been done at all. In such a situation, the integration of levels clearly leads to increased risks. The threat to the continuous operation of a plant is not only targeted attacks, but also any other computer incidents, including massive non-specific cyber attacks such as WannaCry and Petya. Cases of industrial enterprises being infected with these viruses have been noted: initially, the attack was most likely not aimed at ICS, but it ended up in the infrastructure by accident.



Indeed, enterprises often have no control of information flows, nor are current security updates applied. There are no established processes for responding to this situation. If a mass WannaCry attack has begun somewhere at the level of corporate systems, it can easily move to the level of industrial control systems and will “live” in that structure. Relatively speaking, malware that implements a denial-of-service attack during mass infection of an automated process control system may well have an effect on the process itself. Unfortunately, not all enterprises are aware of this risk. They often reassure themselves with the thought: "As a target of a targeted attack, I am of no interest to anyone, which means I have no problems with the cyber security of production." But this is not so.



The main problem today, in my opinion, is that the industrial Internet of the future, understood as a combination of technologies, has a serious vulnerability from the outset: the modern telecommunication protocols, software and hardware of different levels used to create critical systems are not protected from computer attacks from the very beginning.



- Is this a problem for all industries?



- All of them. Today, the tendency to unify and use technologies from the IT world in industrial control systems is clearly manifested: switching equipment, the telecommunication protocol stack. Take, for example, electricity. Digital substations use protocols based on the TCP/IP stack. And the fact that TCP/IP is inherently vulnerable to computer attacks is known to any novice information security specialist. In all sectors, general-purpose operating systems are widely used, which have a huge number of regularly identified vulnerabilities, and the specifics of operation in industrial enterprises do not allow them to be closed quickly. The same applies to embedded operating systems. Supervisory control SCADA systems operate at the upper levels of industrial control systems, and these are in fact ordinary workstations and servers running general-purpose operating systems.



- Can you evaluate the volume of implementation of new technologies?



- Take the electric power industry: a digital transformation program has already been announced in the industry. And in our country at the moment there are only five digital substations. Five! But in 10 years, hundreds of thousands must be created. This is not a figure of speech, this is reality, a real new “GOELRO plan”. If these typical solutions of the future are not carefully designed from the point of view of cybersecurity, they will certainly appear, but in what form?



Therefore, I am sure that if we do not formulate system requirements for cybersecurity at the current stage, this will become a limiting factor for the emergence of effective security technologies in the technologies of future systems and will pose a systemic risk that they will be vulnerable to computer attacks from the very beginning. And this despite the fact that such systems are intended to function in the future in systemically important sectors of the economy: energy, the oil and gas sector, metallurgy, agriculture, where even an ordinary grain combine is already turning into a "CNC machine", a "thing" of the industrial Internet.



- What is the state of the industrial enterprises that have to go through a digital transformation towards the cyber-physical systems of the future?



- Their current state, from the point of view of production automation in different industries, is extremely heterogeneous. The legacy of the post-Soviet period makes itself felt. Although that was 30 years ago, these decades have passed for each industry, to put it mildly, in different ways. Some, to the best of their ability and economic situation, have developed within the country. Some were even able, one way or another, to modernize their fixed assets and technological processes. Among the, let’s say, “catching-up” industries there are also those for whom the issues of cybersecurity in industrial control systems are not relevant at all. “We have no microprocessor devices to be wary of. We have a spring relay. The only threat is obsolescence and Petrovich with a screwdriver, who tightened this spring incorrectly,” can be heard from them.