Security systems

Industrial Cybersecurity

The objective of cybersecurity is to analyse system vulnerabilities (hardware, software, procedures, human factors) in order to implement measures to limit them and bein a position to safeguard the continuity of core business functions to an acceptable extent.

There are no ideal or “one-size-fits-all” solutions. Each system has its own unique characteristics and risks that need to be analysed in order to implement suitable solutions whilst limiting the impacts on the core activity of the company.

Our target is to assess the cybersecurity of industrial control systems. Although specific to each facility, ICSs are in most cases made up of the following components:

• Programmable Logic Controllers (PLC);
• Distributed Control Systems (DCS);
• Safety Instrumented Systems (SIS);
• Sensors and actuators(intelligent or non-intelligent);
• Fieldbus;
• Supervisory control software: SCADA;
• Manufacturing execution system (MES);
• Engineering and maintenance software;
• Embedded systems.

ICSs currently make abundant use of information technologies, but they were not designed to deal with threats that the latter present.

There are now numerous examples of published ICS vulnerabilities (for example, concerning Modbus and OPC protocols).This is why they need to be included in general assessment on the security of company information systems.

Securing a system entails costs that are often difficult to calculate. Nevertheless, this securing process will protect company investments and production. This is why it is important to define the right objectives and adapt these to requirements.

As the General Security Guidelines (French acronym “RGS”) indicates, it is built upon four pillars that are essential for the good functioning of ICSs:

• Availability: within a context of high productivity, any degradation in availability results directly in financial losses and dissatisfied customers (delivery delays, increased production costs, production down-time, etc.);
• Integrity: compliance in this regard certifies that the products and services provided meet customer or regulatory requirements. For Safety Instrumented Systems (SIS)that protect assets and individuals (for example, safety shutdown systems), this is imperative.Integrity concerns all ICS components, for example PLC programmes, data exchange and SCADA software databases;
• Confidentiality: this is sometimes minimised, but the divulging of a company’s information assets can have a very tangible impact on its profits and its future (loss of customers). ICSs contain sensitive parameters and data such a manufacturing formulae, quantities of substances used, system plans, maintenance plans, PLC programs and devices address lists. These can be exploited by competitors or malicious groups to direct targeted attacks or simply to collect data enabling company know-how to be copied;
• Traceability: this is a regulatory requirement in many activity sectors (e.g. food, transport and nuclear industries). Not being able to provide proof of the traceability of operations carried out, materials used and origin of materials, and non-compliance with regulatory requirements may result in legal action being taken against a company.

The Benefits from Digitalization are Great – Security Must Keep Pace

It is with growing concern that hackers are increasingly targeting operational technology (OT), essential for availability, production and safety of critical infrastructure. Attacks against OT have ballooned from 5% to 30% in the last few years. Energy companies make up a majority of these attacks – a spike driven by aging assets, outdated security practices and increased connectivity.
The attached provides a high-level overview of both the benefits and challenges from digitalization in the energy sector. This study covers topics such as:

• The new risk frontier in the energy sector and what the industry must do to prepare.
• The relationship between connectivity, transparency and insight.
• Why security analytics are an essential part of any organization.