Cyber security-by-design

Organizations should build cyber resilience from the beginning, rather than only looking at security after implementation

This year’s IEC General Meeting is taking place in China, a country with a long tradition of putting up buildings that can withstand earthquakes. Centuries ago the Chinese realized that the best way to protect cities in an active seismic area is to start thinking about safety and security during the design phase. A good example from more recent times is the world’s second tallest building, the Shanghai Tower. The 632-metre structure (2 073 ft) was designed with a reinforced foundation and a system of counterweights and shock absorbers to prevent excessive swaying during earthquakes and high winds.  

Shanghai, the venue of this year’s IEC General Meeting, is home to the world’s second tallest building. (Photo: Baycrest, via Wikipedia)

It makes sense to focus resources on preventing fires rather than waiting to fight blazes. That is why the concept of security-by-design has also taken hold in software and hardware development, where it means designing products and systems to be as free of vulnerabilities as possible and subjecting them to continuous testing throughout their life cycle. The thinking is that when trouble strikes, it is already too late to start. According to Deloitte executive Sean Peasley, “Security needs to become embedded into the DNA of operational programmes to enable organizations to have great products and have peace of mind.”

Changing focus

The quote comes from a report that urges organizations to start considering security threats during the initial design and development phase. Such an approach saves time and money. Firefighting may put out the blaze, says the report, but does not deal with the underlying causes.

Cyber security expert Moreno Carullo puts it even more succinctly. “We need to change our focus and shift from just looking for the bad guys to security-by-design.” Carullo is a co-founder of Nozomi Networks, which counts some of the world’s biggest utilities and petrochemical companies among its clients.

He is also a key member of a group of ICS operators, SCADA engineers, security specialists and networking engineers who develop a key cyber security standard, IEC 62351, on behalf of the IEC. (The IEC prepares and publishes international standards for all electrical, electronic and related technologies, collectively known as ‘electrotechnology’.) Regarded as leaders in the field of security, they work for some of the world’s biggest companies, including ABB, Siemens, Schneider Electric, General Electric and Enel.

It is the task of the IEC experts to identify industry best practices and the components needed to build a secure-by-design power system. These include encryption, multi-factor authentication and defined roles for every user (role-based access control), as well as pervasive monitoring of the system itself and intrusion detection.

The challenge for power stations and other critical infrastructure is that the integration of machines and devices with networked sensors and software has blurred the lines between the once separate domains of information technology (IT) and operational technology (OT). As more and more objects are connected, communicate and interact with each other, there has been a surge in the number of endpoints and potential ways for cyber criminals to gain access to networks and infrastructure systems.

IT vs. OT

The problem is that all too often cyber security programmes are led by an IT approach. It is a global issue, and the key is to understand the difference between IT and OT, two different but complementary technologies. The primary focus of IT is data and its ability to flow freely and securely. IT is fluid, with many moving parts and gateways, which makes it more exposed and presents a large surface to a greater variety of constantly evolving attacks. Defending it means safeguarding every layer and continuously identifying and correcting weaknesses to keep data flowing.

OT systems are designed for specific actions, such as ensuring that a generator is switched on or off, or that an overflow valve opens when a chemical tank is full. The primary focus of OT is the safe and reliable control of what in the past were usually closed systems. Everything in OT is geared to physically moving and controlling devices and processes so that they keep working as intended: availability and physical safety come first, with efficiency close behind. A control that is routine in IT, such as rebooting a host to apply a patch, can be unacceptable in OT if it interrupts a running process.

Pervasive and continuous monitoring

“One of the most critical parts of securing industrial systems is understanding the unique protocols used in ICS environments for retrieving information from field equipment and for sending control commands,” says Carullo.

“They rarely incorporate any security measures, including security against errors, equipment failure or deliberate sabotage. The standard puts forward a series of effective solutions to create secure communication channels inside critical infrastructure networks.”

Nozomi Networks, Carullo’s company, demonstrated at the recent Black Hat USA conference how attacks can be detected in real time using IEC 62351, the IEC standard for securing power system communications, whose network and system management (NSM) data objects support the monitoring of industrial networks. The standard provides solutions for the remote monitoring of the health and condition of intelligent electronic devices (IEDs), remote terminal units (RTUs), distributed energy resources (DER) systems and other systems that are important to power system operations.

Properly implemented, IEC 62351 monitoring lets operators detect quickly when a device stops responding or reports an abnormal state, including a power supply failure caused by a cyber attack, rather than discovering it only once the process is affected. The code components included in the standard are also available as a machine-readable file.
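Carullo’s point above, that field protocols carry no security measures of their own, and the real-time detection the Nozomi demonstration describes can both be seen in a few lines of code. The following is an added example, not code from the original article, from Nozomi Networks or from IEC 62351: it parses Modbus/TCP, chosen because it is the most widely deployed ICS protocol and its framing is simple, and runs a baseline-then-alert monitor over constructed traffic. The IP addresses, unit id, register addresses and timeout are assumptions, and the monitor is a simplified stand-in for the network and system management approach of IEC 62351, not an implementation of it.

```python
"""Added example: passive monitoring of Modbus/TCP traffic with a learned baseline.

Modbus/TCP is used here because it is the most widely deployed ICS protocol and its
framing is simple. This is a teaching example, not an IEC 62351 implementation.
"""
import struct

# Modbus/TCP frame: 7-byte MBAP header, then the PDU (function code + data).
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (always 0), length, unit id

FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  5: "Write Single Coil", 6: "Write Single Register"}
WRITE_FUNCTIONS = {5, 6}


def build_request(tid, unit, function, address, word):
    """Build a request for the single-address functions above (16-bit address + 16-bit word)."""
    pdu = struct.pack(">BHH", function, address, word)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu  # length counts unit id + PDU


def build_read_response(tid, unit, value):
    """Build a Read Holding Registers response carrying one 16-bit register value."""
    pdu = struct.pack(">BBH", 3, 2, value)  # function, byte count, register value
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Return (unit id, function code, data bytes) from a Modbus/TCP frame.

    Nothing in the frame identifies or authenticates the sender: the header carries
    only a transaction counter, a protocol id and a length. Anything that can reach
    the outstation's TCP port can issue any function code, writes included.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {proto}")
    if length != len(frame) - 6:  # length = unit id + everything after the header
        raise ValueError("MBAP length field does not match frame size")
    function = frame[MBAP.size]
    if function not in FUNCTION_NAMES:
        raise ValueError(f"unsupported or exception function code {function:#x}")
    return unit, function, frame[MBAP.size + 1:]


class PassiveMonitor:
    """Learn who talks to which outstation with which function codes, then alert on anything new."""

    def __init__(self, heartbeat_timeout):
        self.allowed = set()       # (master ip, unit id, function code) seen while learning
        self.last_response = {}    # unit id -> time of the last response frame seen
        self.timeout = heartbeat_timeout

    def learn(self, master, frame):
        unit, function, _ = parse_frame(frame)
        self.allowed.add((master, unit, function))

    def check_request(self, master, frame):
        """Return an alert string for a request outside the baseline, or None if it is expected."""
        unit, function, data = parse_frame(frame)
        if (master, unit, function) in self.allowed:
            return None
        address = struct.unpack_from(">H", data)[0] if len(data) >= 2 else None
        kind = "WRITE" if function in WRITE_FUNCTIONS else "read"
        return (f"unexpected {kind} {FUNCTION_NAMES[function]} from {master} "
                f"to unit {unit} at address {address}")

    def note_response(self, frame, now):
        unit, _, _ = parse_frame(frame)
        self.last_response[unit] = now

    def silent_units(self, now):
        """Outstations that have stopped answering: power loss, a cut link, or sabotage."""
        return sorted(u for u, t in self.last_response.items() if now - t > self.timeout)


def run_scenario():
    """Constructed traffic: a legitimate master, then a rogue write, then a silent outstation."""
    master, rogue, rtu = "10.0.0.5", "10.0.0.77", 1     # assumed addresses and unit id
    mon = PassiveMonitor(heartbeat_timeout=10.0)
    # Learning window: the SCADA master polls registers and toggles one known coil.
    mon.learn(master, build_request(1, rtu, 3, 0x0000, 10))
    mon.learn(master, build_request(2, rtu, 5, 0x0002, 0xFF00))
    alerts = []
    # Normal operation: a poll within the baseline and the outstation's answer at t=1s.
    alerts.append(mon.check_request(master, build_request(3, rtu, 3, 0x0000, 10)))
    mon.note_response(build_read_response(3, rtu, 42), now=1.0)
    # A host never seen before clears the same coil. The protocol cannot refuse it;
    # the monitor can at least raise the alarm as the frame crosses the wire.
    alerts.append(mon.check_request(rogue, build_request(1, rtu, 5, 0x0002, 0x0000)))
    # No response from the outstation after that: at t=20s it is flagged as silent.
    return [a for a in alerts if a], mon.silent_units(now=20.0)


if __name__ == "__main__":
    found_alerts, silent = run_scenario()
    print("\n".join(found_alerts))
    print("silent outstations:", silent)
```

The detector relies on two observations a passive tap can make without touching the outstations: a (master, unit id, function code) combination that never appeared during the learning window, and an outstation that has stopped answering polls. Neither requires the protocol to carry any security field, which is why monitoring is the compensating control when the protocol itself cannot be changed; the learning window must of course be captured during known-good operation, or an attacker already present would be baked into the baseline.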

Security-by-design can enhance the protection of new power stations and reduce the need for costly upgrades and enhancements during their operating life. It is, of course, also true that security-by-design cannot fully protect a plant from rapidly evolving cyber attacks, which may exploit previously unknown vulnerabilities. This is why IEC 62351 also incorporates tools for pervasive and continuous monitoring.