With the introduction of the Industrial Internet, Industry 4.0 and Made in China 2025 strategies at home and abroad, the integration of Information Technology (IT) and Operational Technology (OT) has become an inevitable trend. Under this trend, industrial automation control systems are gradually transforming from closed, isolated systems into open, interconnected ones, and industrial automation production is beginning to integrate horizontally and vertically across all network levels.
However, as industrial control systems become more open, their security vulnerabilities and defects are more easily exploited by viruses. Industrial control systems are also used in electric power, water conservancy, metallurgy, petrochemicals, nuclear energy, transportation, pharmaceuticals and large-scale manufacturing, so a successful attack brings enormous losses. In fact, intrusions into industrial control systems in the electric power, water conservancy, energy, manufacturing and other sectors have already occurred one after another.
For example, in 2008 the urban railway system in Lodz, Poland was maliciously attacked, causing 4 carriages to leave the track; in 2010 the “Stuxnet” virus attacked Iran’s nuclear facilities; and in 2016 Ukraine’s power grid was attacked by hackers, causing widespread power outages.
[Figure: Industrial Control System Security National and Local Joint Engineering Laboratory and 360 Threat Intelligence Center mapping]
According to the latest statistical report of the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), 492 security vulnerabilities in critical infrastructure were recorded in the US in 2016, involving critical infrastructure such as the water supply, energy and oil industries.
According to statistics from China’s National Information Security Vulnerability Sharing Platform (CNVD), from January 2000 to December 2017 a total of 101,734 information security vulnerabilities were recorded, of which 1,437 were industrial control system vulnerabilities. In 2017 alone there were 4,798 new information security vulnerabilities and 351 new industrial control system vulnerabilities, both significant increases over the same period of the previous year.
Unlike IT information systems, industrial control system security has its own particularities. For example, malicious code cannot be scanned for and removed in the usual way. Because of compatibility problems between industrial control software and anti-virus software, anti-virus software is usually not installed on operator stations (HMIs). Even where an anti-virus product is present, its signature-database-based detection mechanism has limitations in the industrial control field: the requirements of network isolation and system stability mean that the virus database always lags behind new viruses. As a result, large-scale virus outbreaks, especially of new viruses, occur in industrial control systems every year.
Besides external attacks, the other side of the problem is the weak security construction of industrial systems themselves. Much industrial control equipment lacks security design: the control protocols, control platforms and control software used by CNC machine tool systems, PLCs, motion controllers and similar devices often did not consider integrity or identity verification from the start. They face security challenges such as missing input validation; lax permission, authorization and access control; improper authentication; insufficient configuration maintenance; lax credential management; and outdated encryption algorithms. For example, the operating system used by a domestic CNC system may be tailored from a particular Linux version. Once the kernel, file system and external services are stable they are no longer modified and may remain in use for many years, in some cases more than ten. The vulnerabilities exposed in that kernel, file system and those services over the years are never patched, so the security risks persist for a long time.
To sum up, industrial networks mainly face the following security issues:
1. Industrial cybersecurity threats are growing, with vulnerabilities of many types
Statistics on the new vulnerabilities recorded on the ICS-CERT and CNVD vulnerability platforms in 2017 show that information security incidents involving industrial control systems increased significantly, the proportion of high-risk vulnerabilities rose, and the destructive power of attacks continued to grow, posing a major threat to the protection of critical infrastructure.
2. The network structure changes rapidly, and current industrial control technology has hidden dangers
1) Industrial control systems are expanding rapidly in scale, are rarely upgraded, and are vulnerable to virus attack and infection;
2) Systems generally lack monitoring means and cannot detect unknown devices; there is a lack of system auditing when server operations are performed;
3) Key operations are performed without log records; industrial control equipment has many loopholes, and RTU/PLC security risks are prominent;
4) Opening external interfaces to an industrial control system introduces security risks; the network structure changes rapidly, and the information security technology of the original IP data network falls far short of the security requirements of industrial control systems.
3. The network boundary is not clear enough, so local security problems easily spread to the entire system
In industrial control systems there is no unified planning of the security requirements of each component in the network, access to core business systems is poorly controlled, and there is no clear access control between the connected systems, so the networks can communicate with each other freely. Protection is easy to apply at the boundary but difficult to apply inside the system.
4. Industrial control security standards need improvement, and security companies do not pay enough attention
There is no doubt that the security of industrial control systems is an important part of the security of a country’s critical information infrastructure. To promote the healthy development of industrial control network security, the National and Local Joint Engineering Laboratory for Industrial Control System Security (a public research platform for industrial control security technology that is open to outside parties, established with the approval of the National Development and Reform Commission and built by 360 Enterprise Security Group) makes the following recommendations:
1. Establish a dynamic security model based on the network security sliding scale
The sliding scale model comprises five categories: Architecture, Passive Defense, Active Defense, Threat Intelligence, and Offense. The five categories form a continuum and effectively express the concept of progressive defense.
Architecture security: fully consider security protection during system planning, construction and maintenance;
Passive defense: systems added to the architecture that provide continuous threat defense or threat insight without human intervention, such as industrial security gateways/firewalls, industrial host protection and industrial auditing;
Active defense: the process by which analysts monitor, respond to, learn from (experience) and apply knowledge (understanding) of threats inside the defended network;
Threat intelligence: the process of collecting data, turning that data into information, and processing the information into assessments that fill known knowledge gaps;
Offensive countermeasures: direct actions taken against attackers outside friendly networks (under domestic cybersecurity law, an enterprise’s countermeasures against attackers are mainly pursued through legal means). Only by layering and evolving through the levels above can offensive countermeasures finally be reached and the overall security of the Industrial Internet maintained.
2. From a security operations perspective, establish an enterprise industrial security operations center
As IT and OT converge, IT technology is widely used in the OT field, and the risks faced by IT have entered the OT network as well. Industrial enterprises must therefore identify risk entry points from both perspectives, list the relevant risks, and carry out integrated planning.
The Industrial Security Operations Center (IISOC) performs fast, automated correlation analysis of industrial control system communication data and security logs using threat intelligence and local big-data technology, discovers anomalies in and threats to the industrial control system in time, and uses visualization to present these threats, the overall security posture and abnormalities to users. Closed-loop management of security risks is achieved through the automatic issuing, tracking and management of alarms and responses. Threat intelligence, threat detection, deep packet analysis, industrial big-data correlation analysis, visual display and closed-loop response together form an integrated protection system centered on industrial security operations. The purpose of security operations is to solve the problem of “security defense islands” created as more and more security products are deployed in the network.
3. Set up a security management team that integrates IT and OT
Set up an integrated IT and OT information security management team to operate the entire industrial control system securely. Give the team the necessary guidance, establish appropriate security policy management and response and recovery mechanisms for each specific scenario, and respond to security threats in a timely manner. To deploy industrial cybersecurity projects successfully, enterprises need to focus on talent that masters both information technology (IT) and operational technology (OT). Procure security services and threat intelligence, train the security management team regularly, and establish a unified security plan for IT and OT, so that team members handle security incidents according to unified standards as far as possible.
4. Improve protection capabilities at the technical level
Terminal level: for CNC and other old equipment, deploy lightweight whitelist (system process) protection; for production equipment with adequate performance, deploy unified terminal anti-virus software such as 360 Tianqing, with unified management and control (host protection).
Network level: partition horizontally and layer vertically, effectively separating the office network, industrial control network and production network; deploy security gateways at the network boundary and apply the principle of least privilege, opening only the necessary ports for fine-grained access control.
Monitoring level: inventory the assets, manage them centrally and uniformly, and maintain them carefully; deploy an industrial security operations center to continuously monitor and visualize the company’s network security status.
Recoverability (backup level): for CNC and other old equipment, have the industrial control manufacturer perform system backups regularly; for office and production computers with adequate performance, perform system and data backups regularly in-house.
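The network-level and monitoring-level measures above (zone partitioning, least-privilege ports at the gateway, an asset inventory, and correlation of communication records in the operations center) can be tied together in one check. The following is an added example, not code from the original article or from 360: it correlates constructed flow records against a zone inventory and a least-privilege port policy and emits the alerts an operations center would review; all hosts, zones and ports are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")  # one observed connection record

# Constructed asset inventory: every known host is assigned to exactly one zone
# (horizontal partitioning of office, control and production networks).
INVENTORY = {
    "10.10.0.7": "office",
    "10.20.0.5": "control",      # operator station (HMI)
    "10.20.0.6": "control",      # engineering workstation
    "10.30.0.10": "production",  # PLC
}

# Least-privilege gateway policy: (src_zone, dst_zone) -> the only ports opened between
# those zones. Any pair not listed is denied, so the office network has no path to production.
POLICY = {
    ("control", "production"): {502},  # Modbus/TCP polling from HMIs to PLCs
    ("office", "control"): {443},      # office users may reach control-zone reporting only
}

def check_flow(flow, inventory=INVENTORY, policy=POLICY):
    """Return alert strings for one flow; an empty list means the flow is permitted."""
    alerts = []
    src_zone = inventory.get(flow.src)
    dst_zone = inventory.get(flow.dst)
    for host, zone in ((flow.src, src_zone), (flow.dst, dst_zone)):
        if zone is None:
            alerts.append(f"unknown-asset {host}")  # device missing from the inventory
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return alerts  # unknown hosts already alerted; intra-zone traffic is outside the gateway policy
    allowed_ports = policy.get((src_zone, dst_zone))
    if allowed_ports is None:
        alerts.append(f"zone-violation {src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.port}")
    elif flow.port not in allowed_ports:
        alerts.append(f"port-violation {src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.port}")
    return alerts

def check_flows(flows, inventory=INVENTORY, policy=POLICY):
    """Correlate a batch of flow records against the policy; returns all alerts in order."""
    return [a for f in flows for a in check_flow(f, inventory, policy)]

# Constructed flow records, as a gateway log or passive network monitor might export them.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.30.0.10", 502),   # HMI polling the PLC: permitted
    Flow("10.10.0.7", "10.30.0.10", 502),   # office host talking straight to the PLC: zone violation
    Flow("10.20.0.6", "10.30.0.10", 22),    # SSH from engineering into production: port violation
    Flow("10.30.0.99", "10.30.0.10", 502),  # source not in the inventory: unknown asset
]
```

Running `check_flows(SAMPLE_FLOWS)` yields three alerts (the zone violation, the port violation and the unknown asset) and none for the permitted HMI poll.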