Opportunities and Key Solutions for Securing Cyber Physical Systems

Let us now look at some of the key security best-practices and technologies for securing Cyber Physical Systems. Looking at the modern threat landscape and the complex and distributed designs, all Cyber Physical Systems have to be built with security in mind, taking into account the needs of the digital economy. This means that components powering the Cyber Physical Systems, including the sensor network, embedded data acquisition and control systems, edge computing devices, communication network, data centre/ cloud infrastructure, CPS/IoT software platform and applications, have to be secured continuously for dealing with the complex and changing threat landscape. Let us take a look at some of the opportunities and key practices in the area of product security, secure development methodology and secure monitoring and operations of a Cyber Physical System.

Securing the CPS Components and Solutions

It is a well-known fact that security is only as strong as its weakest link. It is important to ensure that all of the components that make up a Cyber Physical System are designed with the appropriate security features, using an holistic approach starting from ОТ to IT technologies. Since CPS is designed with a distributed computing paradigm with many embedded systems, it is important to ensure that all the installed firmware and software components are compliant with customer policies and approved security baselines, while being free from any kind of malware. Let us look at some key security features that are important in the context of Cyber Physical Systems.

14.3.2.1.1 Hardware Root of Trust in Cyber Physical Systems

One of the mandatory requirements for a secure CPS design is the presence of malware-free/uncompromised firmware and software. One way of implementing this in critical embedded systems is using the hardware root of trust feature that allows the verification of the integrity and authenticity of the firmware and software of all key system components inside a device. As part of this feature, all embedded systems should be designed with a hardware root of trust module that verifies the digital signature of all the components inside adevice and ensures that a device boots up only with valid firmware and software. A properly implemented hardware root of trust in a silicon chip inside the embedded system can also be used to verify supply chain integrity and any compromise of the software stack at the supply chain or during transit.

14.3.2.1.2 Secure CPS Cryptographic Module Design

CPS systems will have multiple communication modules over different hardware bus architectures, that includes wired and wireless protocols. To ensure high levels of security, it is recommended that all critical communication with and controls of the device are carried out using secure communication protocols, that can guarantee confidentiality and integrity at all times. It is highly recommended that key communication between entities outside the trust boundary should support mutual authentication using certificate-based validation or other industry-accepted methods, and that all commands and data should be sent over a communication channel providing strong encryption and integrity verification. For devices with low power requirements, elliptic curve cryptography (ECC) with key strength of 256 bits and higher is a good recommended practice. For internal communications within a data centre or between two internal devices, use of Advanced Encryption Standard (AES) with a key size of 128 or greater and operating in Cipher Block Chaining (CBC) or Galios Counter mode (GCM) is considered a secure option. All communications external to a network and across trust boundaries should use secure protocols. Data from the ОТ to IT boundary should be sent over secure protocols like HTTPS, using TLS1.2 or greater, and all systems should support Transport Layer Security (TLS) 1.2 protocol and above, with weaker protocols/cryptographic algorithms disabled by default.

14.3.2.1.3 Trusted Computing and Attestation Solutions for Cyber Physical Systems

The Trusted Computing Group (TCG) has defined multiple specifications to verify trusted computing systems and to securely attest all computing devices, IoT systems and edge gateways. The use of Trusted Platform Module (TPM) as a hardware root of trust enabler allows measurement of the code and configuration of all the components within an embedded system or any infrastructure device, like server, storage and networking equipment. The measurements from the device can be retrieved by a centralized remote attestation server, using a secure communication channel, and the measurements can be verified using whitelisted repositories of approved versions of software and configurations. This attestation solution, using a hardware device, such as TPM, will help to detect the integrity of the software running on the device, along with any unapproved and unauthorized devices.

14.3.2.1.4 Key Product Security Features

Products used in critical CPS deployments should support strong authentication features, allowing the password length and complexity to be configured, based on the required level of security. The embedded end points should support installation of different types of certificates, which can be used for authentication, identification and secure connection to remote devices. It is also important to ensure that the products are designed with no back doors or hidden accounts/keys, as motivated attackers can easily reverse-engineer the code base to get all the secrets embedded in the product. The keys used in encryption should be protected in a trusted store like Trusted Platform Module (TPM) and the device should have protection from common Denial of Service (DoS) attacks, using secure implementation and handling of invalid input and excessive resource consumption.

All embedded systems used in a typical Cyber Physical System design have to support secure firmware/software update mechanisms. As part of this feature, the products should support updates to a newer and more secure version of the software and also ensure that only authentic and non-compro- mised firmware/software can be flashed to the system. This validation can be performed using digitally signed firmware/software components and the module responsible for firmware/software update should ensure digital signature validation before a firmware/software update action is initiated on the device.

Secure Development Methodology for Hardware and Software Powering the CPS

To ensure a secure implementation of Cyber Physical Systems, it is very important to design with built-in security, using the right methodology and development practices to ensure that the product meets the required security assurance level. All component vendors should understand the key standards and regulations during the requirement phase and ensure compliance during the development and testing phase. For example, product development teams should be aware of newer regulations, such as the Californian law that prohibits standard default passwords for IoT devices. The UK government is also mandating some basic security practices for all Internet- connected devices and a proposal to use security labels on the device that are compliant with the new regulations.

Another key practice that is important during any product development is the use of threat-modelling practice during the design phase. Threat modelling starts with a well-defined security architecture capturing all the key CPS components, applications, the users, the key data flows and the data stores that are part of the physical and cyber system. Using known attack patterns on key assets, a detailed analysis and review of the architecture is carried out to proactively identify design flaws and to mitigate the important issues, taking into account emerging risks and threat landscape. There are multiple threat modelling methodologies, with the most popular being the Microsoft methodology called STRIDE. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of privilege. Performing a threat model for any CPS involves capturing all the IT and ОТ components, interfaces and key assets that could be attractive to cyber criminals. The threat model is then used to identify threats and vulnerabilities across the IT and ОТ landscape and the potential impact.

A typical threat modelling exercise will involve assessing the threats on all key IT components, including edge computing, communication network, etc., and the interconnections between the IT components and the physical systems, compromising control systems, sensor and actuator networks, and distributed embedded systems. During a CPS threat modeling exercise, it is important to assess the impact of a malfunctioning or compromised sensor, spoofed or tampered sensor data or a compromised edge computing system that can abnormally control the key actuators required for proper functioning of the Cyber Physical System. It is also important to look at the impact due to compromised applications and corrupted data stores used for analytics and deriving insights. Based on the criticality of the identified issues, appropriate mitigations, that include strengthening the confidentiality integrity, availability, authorization and non-repudiation of the system, needs to be added to the design and verified during the test phase. More details on the Microsoft threat modelling methodology can be found using the link https://www.microsoft.com/en-us/security engineering/sdl/threat modeling.

During the validation phase, it is important to ensure that the product undergoes vulnerability scanning to detect all well-known vulnerabilities in the system. It is highly recommended that all critical and high-level vulnerabilities are fixed before the release of the product. For products that have management access points connected directly to the Internet (e.g. edge computing devices, IoT gateways), it is highly recommended for the device to undergo penetration testing to detect unknown vulnerabilities that can compromise the system and devices connected to the same network. Along with the penetration testing of the individual components that make up the CPS system, it is also highly recommended to perform penetration testing of the complete Cyber Physical System solution stack during the commissioning phase to discover potential weaknesses in the configuration of firewalls, network infrastructure and host-based technical controls. A detailed list of important secure development practices is documented as part of the open Software Assurance Maturity Model (SAMM). The details of open SAMM can be found at https://www.opensamm.org/

Secure by Default and Advanced Physical Security Features

Secure by Default is an important attribute for critical Cyber Physical System components as many products generally get commissioned with minimal configuration and human effort on a factory floor. The Cyber Physical System should be secured by default at the time of shipping from the factory, with all weak protocols and insecure services turned off or disabled completely.

To handle the environment where the edge computers may be installed, on factory floors with little physical security, it is recommended that all key edge computing devices are installed with physical intrusion sensors to detect events like chassis opening actions aimed at stealing or compromising the platform. It is a recommended design that these intrusion sensors should operate using a local battery source to support intrusion detection even when the external power is switched off completely. Such advanced security controls within the device, along with CCTV cameras and realtime video analytics, can help in providing optimal security for computing devices installed in harsh environments like factory floors and smart grid generation stations. It is also highly recommended that modern CPS components should have a way to securely alert centralized management stations when a security anomaly is detected in the environment.

CPS Secure Operations

Once the appropriate set of secure products is identified and assembled to create a CPS solution, one of the main challenges is to securely operate the Cyber Physical System 24/7 while meeting all applicable compliance requirements. To meet the needs of the future, the CPS Security operations has to be adaptive, automated and analytics-ready, while meeting the business needs of agility, reliability and availability. Here are a few important considerations for securing the Cyber Physical System operations.

14.3.2.4.1 End-Point Protection

With the complexity of Cyber Physical Systems, including the interconnection between physical and cyber systems, it is important to look at security holistically, considering the potential threat landscape. With the distributed nature of Cyber Physical Systems, the network-centric security controls for perimeter security, with firewall, intrusion detection/prevention systems, etc. will no longer be sufficient, when considering either external or insider threats. With modern attackers being highly motivated and resourceful, it is important to look at security beyond the network layer, using end-point and unified security products and solutions. It is very important to install a next-generation end-point protection solution that includes host-based intrusion detection system and/or host firewalls to prevent and detect unauthorized access at the endpoints. It is also important that all critical systems used in Cyber Physical Solutions run the latest version of antimalware programmes, with the virus signatures being updated regularly to deal with newly discovered vulnerabilities. A combination of the latest antimalware, host-based intrusion detection systems and firewalls on edge computing systems, cloud systems and all embedded systems that perform critical operations, will ensure a good level of protection from many advanced persistent threats.

14.3.2.4.2 Segmentation and Network Isolation

Since IoT and CPS security is evolving and the business is always in a race to release the next innovative feature/service in this highly competitive world, sometimes there is a good chance that the Cyber Physical System deployment may contain devices with non-optimal security features. Some examples of the non-optimal features include the configuration capability to turn off weak protocols/ports, lack of features to update self-signed certificates and the lack of provision to set password complexity or enable two- factor authentication. In some cases, the design of the device may make the firmware/software update process very cumbersome or the vendor patch update policies may not meet the required security timelines. In such cases, with a mix of multiple devices, network segmentation and the compart- mentalization of secure devices from devices with non-optimal security features, using properly configured firewalls, is going to be a key security operations practice for all Cyber Physical Systems. Depending on the nature of the device, available product security features and certifications and the risk caused by connecting an unsecured device to the Internet, the network has to be partitioned into different isolated areas, with insecure devices partitioned in a separate logical network behind a well-configured firewall. It is also a highly recommended best practice to separate the IT and ОТ network, using proper technical controls and firewall policies and mandated multifactor authentication for all administrator-level access to critical resources.

14.3.2.4.3 Hardening Cyber Physical Systems

For protection against cyber criminals and nation state-sponsored attacks, all Cyber Physical Systems should be hardened, based on the identified risks, while balancing usability, performance and flexibility. Hardening of a Cyber Physical System involves selecting the right set of technical controls for protecting the key physical assets, processes and data required for the proper operation of the solution. It is highly recommended that a security baseline is identified for all components that are part of the ОТ and IT stack, and the systems are configured according to the defined baselines. Some of the best practices followed during security hardening and baseline creation are the use of strong identification and authentication procedures. The solutions and operations should be built with the principle of least privilege, using proper access controls that limit the users to performing the operations required for their job level/role. It is also important to secure the data at rest and transit by maintaining the confidentiality, integrity and non-repudiation at all points of time, using data encryption, digital signature/hash of files, authorization and audit logging procedures. It is also recommended that all systems are installed with the latest security patches and the Cyber Physical Systems are audited for compliance with defined policies and applicable regulations before commissioning the solution.

With the constant threat of newer types of attacks that do not follow a well- defined pattern, analytics is increasingly becoming a key driver for mission- critical Cyber Physical Systems. It is also important to protect the data and to limit exposure to ransomware types of attacks that have taken many industries by surprise in the past few years. So, Cyber Physical Systems must comply with standard IT security practices, like ensuring regular backup on multiple media, while also ensuring that the design is fault tolerant, highly available and, in some cases, disaster recovery ready.

14.3.2.4.4 Proactive Vulnerability Management

With increased risk of zero-day attacks and with increasing numbers of breaches happening as a result of security patches missing on critical systems, proactive vulnerability assessment and remediation is a key operational practice for any Cyber Physical System. With proliferation of open-source products and operating systems, like Linux, in both enterprise and ОТ devices, it is very important to have a proactive vulnerability management practice which allows discovery of newly discovered vulnerabilities and assessment of their potential impact. The recommended practice is to have automated solutions for monitoring new vulnerabilities and to ensure timely triaging of these issues, based on the criticality of the vulnerability and associated risks. The National Vulnerability Database (NVD) is a good source of information on newly discovered vulnerabilities, and there are many proprietary tools, from companies like Synopsis (Blackduck tool), Flexera (Code insight software), etc., that can help in managing open-source component discovery and vulnerability management in a simple and automated way.

14.3.2.4.5 Al-Based Security Monitoring System

With the threat landscape and attack pattern becoming very complicated, signature-based detection mechanisms found in traditional anti-malware solutions may not be adequate for the modern systems. It is important to look at Al-based security analytics solutions, with user and entity behaviour analytic capabilities to detect anomalies in the environment, device or data communication layers. For IT systems, Security Incident and Event Management (SIEM), with capabilities to correlate logs from different sources, should be considered as part of the overall solution. It is also highly recommended to turn on security alert capabilities from all embedded systems and IT computing devices. A well-documented security incident management process and procedure and an Al-based automation and recommendation solution that limits false positives should be used for managing all potential security incidents from a Cyber Physical System.

14.3.2.4.6 Periodic Assessment and Audit of Cyber Physical Systems

Cyber Physical Systems are much more complicated than traditional IT systems and the operations of these interconnected IT and ОТ technologies can be prone to manual errors. It is very important to continuously assess that the configuration of network segmentation, assets and network security controls are in accordance with approved baselines and ensure compliance with key security requirements. To detect unauthorized devices that may have been added without proper approval or inserted deliberately by cyber criminals, it is important to periodically discover all the elements in the network and match them with a whitelisted/approved set of asset register or asset inventory database. Along with the periodic monitoring of security controls and newly added assets, it is also highly recommended to periodically perform penetration testing of the Cyber Physical System, taking into consideration the IT and ОТ technology usage, emerging threats and vulnerability landscape.

Emerging Technologies and Opportunities for Securing Cyber Physical Systems

CPS security will continue to evolve as the Industry 4.0 vision starts gaining more traction. There are many emerging technologies that open up new challenges/opportunities in the area of Cyber Physical System security. Here are a few of the main emerging technologies that can have an impact on CPS security and solution design in the near future.

Quantum Computing Safe CPS design

With Industry 4.0 gaining a lot of attention and momentum, CPS will become mainstream, with multiple deployments expected in the coming years. At the same time, there are lots of new technology trends that can have an impact on the security of CPS systems. Quantum computing advances can impact the security of IT and ОТ systems and, if the developments stay at the same pace, many existing encryption algorithms will become easily compromised, leading to potential compromise of the security of Cyber Physical Systems. With this trend in mind, it is advisable for modern Cyber Physical Systems to be designed with cryptographic agility, allowing the configuration of cryptographic cipher key size (e.g., key size of 3072 and above for RSA algorithms) and cipher algorithms to handle the advances in quantum computing without major changes to the product. It is highly recommended that important data at rest is protected by strong encryption algorithms and strong key sizes. Please see references for more information on quantum computing and impact on security.

Blockchain for Supply Chain and Identity Management

Blockchain is a new technology that has promise to solve many problems in the area of identity management and supply chain security. Because of its distributed nature, Blockchain can be a good option for enhancing supply chain security of Cyber Physical Systems by tracking the components during transit across all supply chain phases. There is lot of interesting work taking place in the industry in the area of Blockchain, and many research papers are available on the Internet. It is important to look at the maturity of the Blockchain-based solutions and to leverage this to secure Cyber Physical System implementations, especially around identity management and secure supply chain.

Advanced Security Hardware Accelerators

With increasing adoption of CPS and IOT technologies, it is important for the industry to look at hardware-based accelerators and security co-processors for cryptographic functions and advanced security features. Hardware- based accelerators have the advantage of low power consumption and increased security but come with a disadvantage of difficulty in upgrading, especially if a new vulnerability is found. There is also a need to look at new energy-efficient cryptographic algorithms that can be run on battery-operated backed-up devices, while requiring very little maintenance. The area of advanced security hardware accelerators that are tailored to the needs of CPS could be a good research area for the future.

Advanced Security Analytics for Cyber Physical Systems

The Cyber Physical System design is very complicated due to the interconnection between physical electromechanical machines and IT infrastructure. The CPS threat landscape is complex, with the impact of an attack being significantly greater when compared with a similar attack in the cyber space, with Stuxnet being a good example. This complex threat landscape and attack patterns create new opportunities for research activities around near real-time security analytics and advanced machine learning algorithms, that have the potential to detect newer attack patterns and anomalies with a very high levels of accuracy.

Industry-Specific Reference Threat Models and Threat Intelligence

CPS is an evolving area and the reference architecture and implementation varies from industry to industry. It is a big opportunity for researchers and standard bodies to create reference threat models, identifying top-ten threats and associated mitigations along similar lines to the Open Web Application Security Project (OWASP) Top 10 for web applications and OWASP Top 10 for IoT devices. This body of work should ideally be made available to all key stakeholders and can be created with the help of researchers, threat intelligence and key industry security experts. A widely and easily understood threat landscape, attack vectors and mitigation information can help system integrators, service providers and operators to secure Cyber Physical Systems, using standard implementations of technical controls and secure product design, which, in turn, can help the Industry in securing the critical infrastructure.

Converged Edge Computing

With IT systems being increasingly used in the edge (e.g. manufacturing floors), there is an opportunity to look at new system designs and solutions to standardize and modernize the Cyber Physical Systems. There is a new line of infrastructure products/solutions, like Hewlett Packard Enterprise's Converged Edge computing hardware that converges ОТ functionality, such as data acquisition and control, with traditional IT capability. These systems are designed for the harsh environments found on typical factory floors and can run unmodified versions of complex enterprise applications while supporting both wired and wireless connectivity. These new systems, with general-purpose x86 and ARM processor, also support multiple Input/ Output modules to interface directly with sensor and actuator devices. The benefit of this convergence results in greater security, higher performance and lower operating expenditure, through lower space and energy requirements. Such types of modern infrastructure design can help in simplifying the Cyber Physical System solution stack, thereby helping the overall security.

 
Source
< Prev   CONTENTS   Source   Next >