© Fotolia / rangizzz

27.01.2016

SECURITY: A MOVING TARGET

Finding the gap in the defense is the goal of the offense. The quarterback and his players run, pass and move down the field to finally enter the end zone of the opposing team: Touchdown! Hackers use a strategy similar to that of a football team in attacking the opposing side. And in the end, they, too, often win.

By Katrin Pudenz

Hackers detect the gap and sneak their way into a company’s or plant’s software system. In consequence, the company loses reputation, money, knowledge, security and safety. This is why VDMA and Steffen Zimmermann, VDMA Informatics, Managing Director Product and Know-how Protection, push hard for cyber security. Zimmermann pleads for a stronger focus on security.

“Currently, if we discover deficits in security, we usually apply a patch,” he explains. “Just like putting a Band-Aid on a bleeding wound.” And this needs to be changed. “Greater focus must be placed on security.” Zimmermann points to the European Machinery Directive: This directive specifies the must-haves for machines in the production process and commissioning period, but there are no further specifications concerning the everyday operation under realistic conditions. “At first, machines and plants are secure. But after being put into service, the security level drops continuously. The reason: there is no further development of security. The attackers sharpen their skills constantly. And if they find any new gaps, they will attack.”

An infiltrating worm

What happens when malware strikes is best exemplified by the well-known example of Stuxnet, a malicious computer worm. Stuxnet apparently was a cyber weapon intended to sabotage Iran’s nuclear program. Stuxnet targets programmable logic controllers (PLCs). These controllers allow the automation of electromechanical processes. For example, controllers used to control machinery on factory assembly lines or even centrifuges for separating nuclear material. Stuxnet targets machines using the Microsoft Windows operating system and networks and then seeks out Siemens Step7 software. This malicious computer worm reportedly compromised Iranian PLCs by collecting information on industrial systems and causing the fast-spinning centrifuges to collapse.

Hackers collect information

“This is an example for what hackers are able to do,” explains Steffen Zimmermann. They can access a system and do whatever they aim on doing; hackers need to collect as much information on the specific product or system as possible. Often the products or systems are unknown territory, so-called black boxes, to the hacker. So for them, it is essential to obtain detailed information on the interfaces, for example, which software is being used and how to enter the system, and/or how to attack it. The security gap might be an employer or they might find their way via an unsecured Internet connection. “Most of the attacks are carried out through the Internet,” the VDMA cyber security expert explains. According to a study on product piracy, information searches are conducted via reverse engineering (72 percent), misappropriation of know-how (42 percent), disclosure statements (18 percent), industrial espionage (15 percent), robbery, theft and extortion (1 percent). Reverse engineering, or back engineering, is the process of extracting knowledge or design information and reproducing it or other products or ideas based on the extracted information. If reverse engineering is used to crack software or remove a copy protection, it is being used in a harmful way. Creating a cheap copy could be the goal of a competitor.

Targets and protection goals

Hackers have specific targets such as classified information. In turn, security specialists have targets they want to protect from attackers: i.e. specific software, a method, production process, formula and, of course, the reliability of a developer, system or company. If product designers want their products to be safe and secure, they always need to evaluate what an attacker could possibly want and what the motivation for the attack could be. “If the reason involves counterfeiting or plagiarizing merchandise, the motivation obviously is profit maximization,” Zimmermann points out. “If the goal is to sabotage a system, the reason for the attack is to discredit the company.” Therefore, products need to be trustworthy, upright, reliable, and authentic.

“An attack can be,” as Zimmermann cites ICS-Cert, “unauthorized access and exploitation of Internet facing ICS/Supervisory Control and Data Acquisition (SCADA) devices, an exploitation of zero-day vulnerabilities in control systems devices and software, malware infections within air-gapped control system networks, SQL injection via exploitation of web application vulnerabilities, network scanning and probing, lateral movement between network zones, targeted spear-phishing campaigns, and strategic web site compromises (a.k.a. watering hole attacks).” This all sounds quite cryptic and theoretical, admits the VDMA-expert. But in the end, all these different kinds of attacks lead to considerable harm, destruction and, ultimately, a loss of money.

How to protect successfully?

Today, we are still living in a largely non-digitized industrial world, Zimmermann emphasizes, even if this is somehow hard to believe. But with the upcoming age of Industrie 4.0, everything will be digitized and connected: humans and machines, machines and machines, machines and humans, humans and humans. Therefore, we will soon no longer need security for business processes only; we will also need security for manufacturing processes and products. And the users need to be sensitized.

Think security

“In the mechanical engineering business, engineers design and build features demanded by customers. Security in plants, machines etc. is generally neglected since there is no real demand for it,” the expert explains. But security needs to be integrated into the infrastructure of every machine, every plant, and every single product. “This is what we are fighting for, and this is what the German and European governments are working on,” says Zimmermann. The German parliament passed a new IT-security law, but this law can only provide a framework for persuading companies to deal with security and establish appropriate structures. Zimmermann amends, “We need to make sure that laws do not restrict innovations. Industrie 4.0 production is designed to be secure; now we need to make sure that the products will be as well.” This is what the IUNO project – a project VDMA supports – is working on: researchers plan to demonstrate, by means of specific use cases, how to minimize the points of attack. For instance, they want to investigate how to safeguard the production process against cyber threats.

How to safeguard products and machines

“To ensure this, security by design is not only the trend, it is the solution,” Steffen Zimmermann emphasizes. “In the long term, we need to accomplish security by design and security as a function. Security by design means that we need to examine the entire process: from the design up to the end of the products’ life cycle. Security needs to be implemented right from the beginning.”

Dr. Eric Maiser, head of the VDMA Competence Center Future Business, adds another method for security by design to the list: “Hardware encryption is another important aspect of viable security concepts. The difference between software and hardware security can be illustrated by how you secure the front door of your house against unwanted entry: Somebody rings and you ask for a password. If the password is correct, you let him in. That is the software-type of entry. The hardware part is to have a lock on the door and the person who wants to enter needs a physical key. Although you can fake both, it is a lot easier and less expensive to obtain the password than duplicate the key. Combining both methods is more effective than just upgrading one of them. Having neither a password nor a lock nor a door is not very wise – still, this is exactly the status of a tremendous number of applications.”

Hardware security systems

Hardware encryption is an electronic variation to mechanical locks when it comes to controlling data streams. This is done by so-called gateway systems that need to be certified. Comparable to drilling the mechanical lock open or to duplicate the key, one would need to physically manipulate the encryption chip to achieve unauthorized access. “Of course, the effort for hardware security systems and their certification has to be justified and adopted to the respective situation. It does not make sense to have a security chip in every single part of the ‘Internet of Things’, for example a toaster or refrigerator,” Maiser says. “However, critical infrastructures such as utilities, factories or machines require the best security you can possibly get. And that includes providing hardware and software security at the same time.”

If this is not possible because a hardware gateway is blocking the entrance, the hacker will have to physically enter the factory. And this is an option most hackers hardly will choose. Hardware security gateways are already in place, for example, in credit card terminals and smart meters. Official and trusted certification bodies, standards and chip and electronic equipment makers play a big role here. Cyber security is a particularly vital part of Industrie 4.0. “Technical solutions are available so there is no need to be afraid of implementing Industrie 4.0. We believe there is even new business behind this for the machine manufacturers, plus a new way to fight counterfeit machines and parts. VDMA’s role is making the companies aware of all aspects of this and bringing all relevant parties together,” Maiser points out.

Adopted software and hardware security

The bottom line is that the machinery and production equipment industry needs global legislation on cyber security, secure identities and automated product-machine communication, physical identities for products, parts and human beings as well as embedded security and know-how-protection, Zimmermann demands. “And maybe we should think about CE security guidelines for machines and factories, cars and critical products.”

Everything must be considered: Adopted software and hardware security is the kind of security we need for the future, Zimmermann and Maiser emphasize in complete agreement. “This is what we need for self-driving cars as well as for Industrie 4.0 in production.”

Further Information

ICS-Cert - Industrial Control Systems Cyber Emergency Response Team

 

© VDMA
Contact
Steffen Zimmermann, VDMA Informatics, Managing Director Product and Know-how Protection.