Information security in manufacturing
Information security in manufacturing has its own nuances, which stem from the specifics of the enterprise's automated control systems (ACS) and from the way production processes run. Configuring the information security system demands extra care, since any error can lead not only to a malfunction but also to an accident. The requirements for an ACS are always stricter than those for conventional information systems.
Features of information security in production
The term "information security" refers to the state of data protection against three main risks: loss of confidentiality, modification, and loss of availability. For a manufacturing enterprise, however, this triad changes, because in the production process information is not an asset but a management tool. The risks change accordingly: information flows must keep the production process continuous and trouble-free. This leads to a special approach to organizing the information security system in production.
The main features of information security in production are:
- a large number of information consumers of various types, both users and devices; information is transmitted through many channels and in many formats;
- in addition to computers and infrastructure elements, production units become objects of management. These can be CNC machines, power plant life support systems, and drilling rigs. They are often not static but in motion;
- the system is always distributed, its units can be difficult to access, information is transmitted over many communication channels, and Ethernet connections are becoming more common.
The way industrial information networks operate gives rise to particular threats aimed at them.
Types of threats
Information security threats in manufacturing have their own character. Attackers, among whom hacker groups associated with foreign governments and terrorist groups have recently emerged, are interested in creating instability. The most direct way for them to do so is to intrude into the enterprise's information networks and interrupt production processes. According to Kaspersky Lab, more than 46% of industrial control systems (ICS) at Russian enterprises have been attacked in the last year.
The large number of network connections makes it easier to manage remote and moving objects, but it also creates additional risks. Siemens, one of the world's largest companies developing manufacturing facilities, has proposed a comprehensive classification of industrial information security threats:
- unauthorized use of remote access to the process of managing a production facility. ACS communication channels usually do not have sufficient protection;
- hacker attacks directed through corporate (office) information networks. There are connections between the ACS control channels and the office information system that intruders can use;
- attacks on standard components of the ICS control network infrastructure. Operating systems, application servers and databases have vulnerabilities that developers do not always fix in a timely manner and that are well known to hackers. If such components are present in the ICS architecture, they can be used for an attack;
- DDoS attacks. Massive distributed denial-of-service attacks are often used to break network connections and disrupt ICS operations;
- human error, deliberate sabotage and damage to control system components. If the attacker has access to the ICS, the risks in this situation are serious and unpredictable;
- introduction of viruses and other malicious programs via removable media by persons authorized to maintain equipment, often employees of service organizations. An example of this risk being realized was the mass infection of ICS, including Iran's nuclear infrastructure, by the Stuxnet virus;
- reading, writing and changing messages in ACS networks. ICS components support network communication using unsecured plain-text messages. This makes it possible to read these messages and make unauthorized changes to them without difficulty;
- unauthorized access to resources. If the ACS has weak identification and authentication, third parties can gain access to resources;
- attacks on network components that spread to industrial infrastructure objects;
- technical malfunctions, accidents, natural disasters.
The list of threats is broad; not all of them are specific to information security in production, and some are general in nature.
Features of ACS
An automated enterprise control system, which is most often attacked in order to suspend production or to interfere with its operation and cause an accident, manages processes and physical objects, whereas conventional administrative systems manage information.
This creates differences that affect the organization of the security process:
- unlike a conventional information system (IS), the ACS is a real-time system. Response time is always critical; data loss or delays in data transmission are unacceptable. Timely response in emergency situations is essential. Access control systems must not interfere with the normal operator-equipment interface;
- interruptions in operation are unacceptable for an ACS; rebooting is not used as a way to solve problems, and technical work is planned in advance and carried out only when duplicate solutions have been launched;
- when managing risks for an ACS, attention is focused on physical processes rather than on information objects, as it is for an IS. The safety of people and equipment and reliability take precedence over confidentiality and data integrity. Information security focuses on the continuity of the information exchange process and on maintaining its integrity. The main things a specialist developing a protection mechanism must take into account are compliance with regulators' requirements for hazardous production facilities and critical information infrastructure facilities, and prevention of harm to the company's employees, its property, and the environment;
- for ICS, specialized rather than publicly available operating systems are more often used. They lack most of the vulnerabilities known to hackers, but they also contain no built-in security modules. Specialized control algorithms are used, and all changes are carefully implemented by the software suppliers, which takes a long time because the changes must be certified;
- the system resources of the ACS are limited: they are intended strictly for managing industrial facilities, and there is no spare capacity for deploying additional computing power or security modules;
- communications within the ACS are based on specialized protocols using special types of media that are not used in office information systems. Laying communication networks and keeping them secure requires special engineering competencies;
- operation and support of the ACS are carried out only by its developers;
- all ACS are certified and licensed, and the same applies to all updates.
These differences give rise to different approaches to information security. Implementing any protection strategy may be impossible without involving the system's software vendor. The cost of upgrading to improve security can be very high: licensing and certifying the changes alone can take up to 10% of the total cost of an implementation project.
Implementation of an information security system in production
Analyzing the features of the ACS makes clear how complex it is to implement an integrated information security system in production. Constantly changing attack types call for modern components, relevant to current threats, in the security system, but there may be no place for them in the architecture of long-standing ICS that are more than several years old. The security system implemented for the automated control system must comply with the requirements of ISA 99 / IEC 62443, the main standard for security in industrial automation systems. It must provide comprehensive protection of the system from:
- physical attacks;
- unauthorized access by employees and third parties;
- hacker attacks.
What determines the success of the defense
When developing your own information security system for production, keep in mind that its successful deployment depends on the following factors:
- monitoring of the communication interfaces between office and industrial networks and of the channels for remote access to services via the Internet, with firewalls installed;
- creation of so-called demilitarized zones (DMZ), which are used to exchange information with adjacent networks and keep external users from gaining direct access to the ACS;
- creation of secure network segments for individual protected production sectors, which reduces risks and increases the level of information security;
- use of VPN protocols and encryption for data transmission;
- protection of communication stations with authentication algorithms.
These components can be implemented in any industrial system. How easy the implementation will be depends on the complexity of the ICS architecture and its age.
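The segmentation and DMZ factors listed above can be checked mechanically against a firewall rule set. The following is an added example, not part of the original article: it flags permit rules that open a path into the ACS from anywhere other than the DMZ. The zone names, address ranges and the one-line rule format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed zone plan (constructed for this example, not taken from the article).
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "acs": ipaddress.ip_network("10.30.0.0/16"),
}
# Conduits the policy permits, as (source zone, destination zone).
ALLOWED_CONDUITS = {("office", "dmz"), ("dmz", "acs"), ("acs", "dmz")}

# Constructed sample rule set, one rule per line: action src dst proto/port.
SAMPLE_RULES = """\
permit 10.10.5.0/24 10.20.0.10/32 tcp/443
permit 10.20.0.10/32 10.30.1.0/24 tcp/4840
permit 10.10.7.22/32 10.30.1.15/32 tcp/502
permit 0.0.0.0/0 10.30.0.0/16 tcp/3389
deny 0.0.0.0/0 0.0.0.0/0 any
"""

def zones_touched(net):
    """Zones a CIDR overlaps; space outside the plan counts as 'external'."""
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit

def audit(rules_text):
    """Return (line_no, rule, src_zone, dst_zone) for permits outside the conduits."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4 or parts[0] != "permit":
            continue  # deny rules and malformed lines open no path
        src = ipaddress.ip_network(parts[1])
        dst = ipaddress.ip_network(parts[2])
        for s in sorted(zones_touched(src)):
            for d in sorted(zones_touched(dst)):
                # Traffic inside one zone is out of scope; cross-zone traffic
                # must match an allowed conduit.
                if s != d and (s, d) not in ALLOWED_CONDUITS:
                    findings.append((n, line, s, d))
    return findings

if __name__ == "__main__":
    for n, rule, s, d in audit(SAMPLE_RULES):
        print(f"line {n}: {s} -> {d} bypasses the DMZ: {rule}")
```

A wide source range such as 0.0.0.0/0 is reported once per zone it covers, so a single overly broad rule shows up as several separate conduit violations.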
But protecting the automated control system alone does not solve the problem of information security. In addition to protecting production processes from failures, downtime and accidents, information security specialists must also protect confidential information in the information systems of the central control office. This information may include:
- production plans and strategies;
- know-how and production secrets;
- software solutions implemented for the production or protection of information;
- management reporting and other financial information.
The work to protect these information objects is standard and significantly less complicated than ensuring the information security of an automated control system, but it should not be neglected. Stolen trade secrets are costly, so to protect the office part of the control system it is advisable to use a DLP system that completely closes the information perimeter against leaks. The choice of security software will also depend on whether the facility belongs to KII (critical information infrastructure facilities) and whether the regulator's requirements must be taken into account.