As we noted in August 2018, industrial control system (ICS) security has become more complicated since the introduction of the web. Organizations are now bringing together the logical and physical resources of both information technology (IT) and operational technology (OT). This creates various ICS securitychallenges, including how each team must learn from and work with the other in the interest of preserving the organization’s security as a whole.
But ICS security is always changing. Whatever challenges there are today won’t be the challenges of tomorrow. That begs the question: what will have the greatest impact on ICS security in the next 5-10 years?
We asked a number of security experts to find out. Here’s what they had to say.
GARY DIFAZIO | STRATEGIC MARKETING DIRECTOR, TRIPWIRE
I think that there will continue to be events impacting many different kinds of industrial environments no matter what the vertical. These incidents will consist of either collateral damage from IT-based malware or ransomware or will be specifically targeted against industrial control systems. These events will negatively affect productivity and quality and also have the potential for physical damage.
While malware is a risk, nation-state cyber warfare activities will also be more prevalent. This will be the new battlefield. Automation vendors will be pressured to create automation systems that are secure by design, and as plant or line upgrades happen overtime, the next generation systems will be more cybersecurity aware to thwart malicious behavior. Cybersecurity capabilities will become part of control systems’ DNA.
NICK SHAW | SENIOR SYSTEM ENGINEER, TRIPWIRE
The amount of legacy systems using serial connections being migrated to Ethernet-based networks will increase significantly. IT technologies will continue to permeate industrial control systems, thus opening OT assets up to threats that the IT side of the shop is familiar with. Indeed, the OT folks have just got a taste of these threats over the last few years given the significant amount of malware being developed each day.
Organizations need to shift focus and put a bigger emphasis to protect the OT environment from these threats. Today’s mindset at different levels of the organization is that “IT is in charge of security.” The controls engineer or maintenance technician doesn’t think that security is part of their role. But that’s not necessarily the case. Training and education focused on industrial cybersecurity need to improve within these organizations. An emphasis on digital security in the OT environment especially needs to take place. Everyone has a role to play in a robust cybersecurity strategy, and they need to be armed with the knowledge to control what they can control as part of that strategy.
KRISTEN POULOS | GM OF INDUSTRIAL, TRIPWIRE
It’s such a fast-moving industry, even knowing what’s going to happen in the next 5-10 months can sometimes be challenging! But in all seriousness, the themes of IT/OT convergence and automation will continue to substantiate the need for organizations to have a top-to-bottom cybersecurity plan. This means budget consolidation (likely to IT teams) and vendor consolidation. Certainly, a significant industry cyber event could turn any prediction upside down, but our mission as a security community is to provide the solutions to prevent that from happening.
LANE THAMES | SENIOR SECURITY RESEARCHER, TRIPWIRE
I have been working in various capacities in areas related to the industrial internet, with a focus on cloud-based design and manufacture and Cyber Physical Systems (CPS) for almost a decade. For me, this work has been mostly a secondary research interest of mine, with cybersecurity being my primary interest. On more than one occasion, I’ve been “scolded” by old school OT engineers when I talk about connecting industrial systems (ICS, OT, etc.) to the cloud and how the controller will one day live in the cloud. Indeed, there are already portions of control systems that partially live in the cloud. They say that my ideas and the work my colleagues and I have performed are totally contradictory to cybersecurity for any industrial system. Unfortunately, these folks just don’t understand where the technology is going, and the trend will not change.
When I speak of the cloud for this case, I should be more exact and say the cloud and the fog. Fog computing is related to cloud computing, but it strives to bring the cloud closer to the edge where the industrial systems live. This resolves issues related to time-sensitive operations, for example. However, the near future will have industrial systems connected to the fog or the cloud and, more probably, both. The issue is that this will induce new cybersecurity challenges that traditional industrial systems have never encountered. This will be a time when ITOTSecOps will be a requirement for industrial systems. These systems must be developed using a security-first mindset where security is built-in at inception.
SCOTT KORNBLUE | FIELD APPLICATION ENGINEER, BELDEN
I see IT and OT networks becoming even more interconnected over the next 5-10 years. This will, in turn, create more IT-centric threats such as ransomware and specialized industrial protocol malware that’s even easier to develop and exploit on industrial networks. This will require even more endpoint level security strategies designed to safeguard the data flow from source to destination to create a level of trust throughout the entire network that must be maintained to ensure integrity within the critical industrial network operation processes. Within the next 5-10 years, I also see the prospect of these threats causing a regulatory reaction that will produce compliance strategies similar to NERC throughout all critical infrastructure industrial networks.
GALINA ANTOVA | CO-FOUNDER, CLAROTY
The main topic of conversation 5-10 years ago was as follows: “Are industrial networks really air-gapped?” I think we all know by now that this is not the case. Moreover, the increased connectivity (needed for productivity) is making this challenge even greater. As companies aggressively undertake their digital transformations, portions of the industrial process have already migrated to the cloud, and in the next 5-10 years, we can reasonably expect that most of the non-critical applications will be hosted in a cloud environment.
If this transition is done with the right security measures in place, then it could have huge positive impact on productivity. However, for entities that don’t invest enough time/resources into the cybersecurity angle, this cloud migration could become significant exposure.
PATRICK MILLER | MANAGING PARTNER, ARCHER ENERGY SOLUTIONS
In the next 5-10 years the biggest impact on industrial cybersecurity will be the unintended consequences of digital transformation. This change is good and necessary, but it comes with risk. As we introduce more and more digital endpoints, these will become data streams. There will be so many data streams that we won’t be able to hold or efficiently analyze all of that data on-premise. Further, we will use that data to drive decisions about the process or even the process itself. Eventually, probably through AI/ML, we will begin to allow the analytical data-products to become inputs back into the process.
In other words, process generates data, that data leaves the process network and goes anywhere/everywhere (e.g. cloud, fog, lake, on-premise, off-premise), gets analyzed, repurposed and fed back into the process. All of this introduces new risks to the process data and associated systems outside the control/process networks in ways we are just now beginning to consider.
GREG HALE | EDITOR/FOUNDER, ISSSOURCE
A quick and easy answer to what will have the biggest impact on cybersecurity in the coming decade is two-fold: artificial intelligence and big data analytics.
Given the fact that these developments will have a major impact in the coming years, I am convinced a secure environment in 5-10 years will come down to how AI and analytics all play into a resilient and holistic security plan that encompasses the entirety of security, which includes cyber and physical.
With the Industrial Internet of Things (IIoT) becoming more pervasive in the manufacturing enterprise moving forward, security experts must have a plan that understands and knows what all the networks should look like and how they should behave. At the same time, all security plans need to be resilient enough to withstand any kind of assault coming its way.
The current network monitoring technology that gives manufacturers asset inventory and network visibility is a great start toward that overarching security program. However, with organizations rushing and becoming more reliant on the digital environment, having that overarching security understanding becomes even more vital. If an attack occurs in 10 years like what happened twice in Ukraine or with Norsk Hydro, companies need to have a back-up plant that will enable them to go manual, if need be, to stop an attack.
JUSTIN SHERMAN | CYBERSECURITY POLICY FELLOW, NEW AMERICA
In the next 5-10 years, industrial systems are going to become increasingly connected to the internet as the Internet of Things becomes more and more essential to industrial operations and as those systems are also hooked into 5G cellular networks, which are promising much lower communication delays between devices. Internet of Things device security is usually terribly weak right out of the box, so this will be a serious challenge for industrial systems to manage when IoT devices are deployed at scale.
Add to this the fact that increased connectivity means more actors can attempt to break into systems—and that more sophisticated actors can have potential visibility into systems—and the cybersecurity challenges from this growing connectivity are exacerbated even further. It’ll also impact not just those managing and securing industrial systems but also those on the public policy side of things as well given that many industrial systems, if manipulated in a certain way, could have physical impacts on human life.
PACO GARCIA | DIRECTOR OF CYBER SECURITY & NETWORKING DIGITAL PLANT LINE OF BUSINESS, SCHNEIDER ELECTRIC
We are surrounded by disruption in every level, but probably the most impactful in our process will be cybersecurity as a transversal topic in all the plant activities. At the industrial level, we are used to defining product lifecycles up to 20 years, but this is going to be disrupted by cybersecurity at the level of products. There are therefore some key points that affect the design of products:
- Hardware support for cryptography services, including secure storage, secure boot, TPM, dedicated CPUs for encrypted communications. We are already designing these products, but any change in the current standards will directly affect the products as well as their ability to be in the industrial market for the next 10 years.
- The use of embedded switches in industrial devices is a common practice in industry to reduce cost and space. In consequence, the classical automation device has a dual role of being part of the network infrastructure and also an automation device. In five years, this situation will be a challenge for automation vendors because of TSN and cybersecurity. With TSN, the ownership of the network will be in most of the cases taken by IT. There are two possible paths for the automation vendors in this scenario:
- get the right skills and resources at the same level of an IT company, and
- be disruptive at level of products and migrate to an ethernet strategy of removing the embedded switches by migrating to a pure endpoints strategy.
- At the level of cybersecurity, there is a similar challenge if automation vendors keep with the strategy of embedded switches. In five years, we think that every ethernet infrastructure device will have
- embedded sensors for passive network monitoring,
- SDN capabilities to support network automation, and
- 62443 Security level 4 or similar.
- Last but not least, the introduction of PKI in industrial plants is going to have a huge impact in all industrial process. PKI is 90% process and 10% technology. The industry is missing today all the needed process for securely provisioning certificates for devices/humans/services as well as all the process related to the management and maintenance of the certificates. The role of security admin doesn’t exist today in the industry except for some big customers that are already mature in cybersecurity. Something as simple as replacing a device will be a challenge when security based on PKI is put in place.
The enforcement of more stringent regulatory requirements with regards to cyber security for industrial control system environments is driving organisations into required change. While the intent of these regulatory requirements is to reduce risk and increase cyber security maturity it should be seen as an implementation journey.
LARRY VANDENAWEELE | INDUSTRIAL SECURITY PROFESSIONAL
Network segmentation is a change that is very often required by organisations. Introducing network segmentation and segregation to implement defence in depth across the OT network environment. The practical implementation of such activity is timely and requires additional resources for successful completion. Additionally, the financial investment of large change projects tends to result in multi-year projects and sub-projects. However, it remains an avenue that provides a more layered form of protection and allows organisation to increase visibility.
From a threat landscape viewpoint, I would assume that cyber-attacks will remain present, targeting critical infrastructure and automation control systems leveraging critical infrastructure. Attacks resulting in cascading effects across multiple sectors due to interdependencies may increase (e.g. attacks targeting supply chain across multiple organisations).
Overall, organisations will be required by some sort of regulating body to introduce, implement and refine their cyber security maturity. The implementation of security and remedation controls will take time. Legacy equipment that remains operational due to business challenges remain to form a risk. Micro segmentation and segregation of such systems can reduce attack paths. Allowing organisations to utilise security features available in new control system equipment should be a priority. Linking legacy and current equipment often result in incompatibility of security features which leads to security controls not being used.