OT/ICS and cyber security 101

Hello, I trust you are doing well and in good health. Many thanks to all who gave feedback to make my writing better.

So far we have covered the following topics in the 5G domain on your blog http://cybersecinfinity.in/:

  1. Role of API and security issues in 5G – http://cybersecinfinity.in/index.php/2020/11/02/5g-service-based-security-architecture/
  2. Authentication of subscriber, home network and serving network in 5G – http://cybersecinfinity.in/index.php/2020/11/19/5g-aka-authentication-process-3gpp-33501/
  3. Chain of trust / digital trust issues in 5G – http://cybersecinfinity.in/index.php/2020/12/30/security-issues-and-chain-of-trust-in-5g/

In this article we shall talk about the role of the key actors in the cyber security of operational technology (OT) / industrial control systems (ICS).

Relationship between OT/ICS/SCADA/DCS

I started my career working in a paper manufacturing plant; my role was to kick-start automation and implement distributed control systems (DCS) and SCADA (supervisory control and data acquisition) systems. The plant at that time had little automation and huge manpower requirements. A few years back I happened to visit the same plant, and I was surprised to see awesome automation: a whole range of SCADA/DCS systems had taken over. The complex wiring and the traditional approach to telemetry had all gone away. Thanks to narrowband Internet of Things (NB-IoT), M2M (depending on the use case) and 5G, which made fast and reliable wireless connectivity really possible.

Sticking to our agenda of looking at the various dimensions, let us see the role of the following actors:

  1. OT/ICS field instrument OEM
  2. Plant operations
  3. Connectivity provider (ISP)

Role of OT/ICS instrument OEM in cyber security

In this tough, competitive world it makes sense to have the lightest possible OS and simple, low-cost firmware and hardware, but the bad guys out there are watching every layer and component and trying to put bugs right into the firmware.

OEMs really need to work this out bottom-up. All layers of your hardware components, whether they use standard protocols like MQTT, Zigbee and Z-Wave or any proprietary protocol, need to be secured, and do keep additional compute headroom for security processing (low-cost OT chips really did not have the compute for security processing).

At a minimum, it is worth looking at the aspects below for the small chips used in OT/ICS:

  1. Hardware security
  2. Device software and OS security
  3. Interface security
  4. Identity (the AAA)
  5. Cryptography, and of course with that comes the daunting task of key management

Secure boot process

We will focus a bit on hardware security, for things like:

Importance of the secure boot process: it is really important to use secure boot, as we do not want another party to load an operating system or a different bootloader onto your hardware.

That is why it is important that the product’s processor system has an irrevocable secure boot process. Stick to the basics and always run the secure boot process by default.

Hardware devices have a debug interface, and it needs to be protected. Communication over it should be open only to authorized and authenticated entities.

The microprocessor should not allow the firmware to be read out of the product’s non-volatile memory; encrypt the firmware to prevent this.

The hardware should be tamper proof and should immediately send a log if the integrity of the hardware or of the secure boot process is compromised.

Role of plant operations in cyber security

The plant operations team needs to maintain an inventory of all its assets. Maintaining a database of the field assets and keeping it refreshed and up to date is challenging.

Physical security is one of the most important tasks when it comes to OT/ICS security.

Plant operations need to focus on:

Configuration parameters of these devices should be open for configuration only to an authorized set of users.

Very important in today’s context is for plant operations to keep their OT/ICS software up to date and to have a process that sustains this. The one point to be sure of is that the upgraded software is digitally signed.

Role of an ISP in cyber security

An ISP plays a pivotal role: it sits at a vantage point, sees the entire traffic and makes the two ends meet (the OT/ICS sensors and their respective application in the cloud or on the plant premises).

ISPs need to determine how secure their infrastructure is for providing that service, and this should cover all aspects: the radio should be secure; their sites should be physically secure; traffic that lands from the radio to the core over their transport network should be secure from MITM attacks internally and from MITM over the air over the “A” interface; and finally the core used to authenticate and authorize the subscriber should be capable of uniquely identifying each device and ensuring that impersonation of each tiny device out there in the field is not possible.

Here, out of the many security controls that play a pivotal role in securing the ISP radio, transport and core network, I would like to focus on SSL pinning. The concept is not new, but it is important to protect with strong fundamentals where you have a risk of impersonation. An SSL connection tells the client to make an encrypted connection with any identity matching that remote host. Pinning goes one step further and tells the client a specific identity it should accept when making a secure connection.

SSL pinning

Let’s see an example in the case of OT/ICS. Whatever the certificate issuer, a well-known third party or an internal CA for exampleplant.com, it is possible to pin an identity. When a device tries to connect, it receives the pinned information. On any further connection the device would take action (the device should be compute-wise capable of doing so), uniquely distinguish the identity and stop the connection if we tried to get the client to use a different identity.
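The behaviour described above, as an added example that is not code from the original post: a device-side pin store that remembers the identity seen on the first connection and refuses a different identity on later ones, with normal CA validation kept in place underneath. The host name `gateway.exampleplant.com`, the names `PinStore` and `handshake_pinned`, and the choice of pinning the SHA-256 of the whole certificate are assumptions; the sample certificate bytes are constructed.

```python
import base64
import hashlib
import socket
import ssl

def pin_of(der_cert: bytes) -> str:
    """Pin = base64(SHA-256(DER-encoded certificate)), written as 'sha256/...'."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

class PinStore:
    """Per-host accepted pins; a host may hold several (current + backup)."""

    def __init__(self, preloaded=None):
        self.pins = {host: set(p) for host, p in (preloaded or {}).items()}

    def check(self, host: str, der_cert: bytes) -> str:
        seen = pin_of(der_cert)
        known = self.pins.get(host)
        if known is None:
            # First contact: remember the identity (trust on first use).
            self.pins[host] = {seen}
            return "pinned"
        # Later contacts: only an already-pinned identity is accepted,
        # and a mismatch never overwrites the stored pins.
        return "ok" if seen in known else "mismatch"

def handshake_pinned(host, port, store, timeout=5.0):
    """CA and hostname validation first, then the pin check on the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            verdict = store.check(host, tls.getpeercert(binary_form=True))
            if verdict == "mismatch":
                raise ssl.SSLError(f"pin mismatch for {host}, connection dropped")
            return verdict

# Constructed stand-ins for DER certificate bytes (not real certificates).
HOST = "gateway.exampleplant.com"          # hypothetical host name
PLANT_CERT = b"constructed-der: plant gateway certificate"
OTHER_CERT = b"constructed-der: different identity, same host name"

def demo():
    store = PinStore()
    return [store.check(HOST, PLANT_CERT),   # first connection
            store.check(HOST, PLANT_CERT),   # same identity again
            store.check(HOST, OTHER_CERT)]   # different identity presented

if __name__ == "__main__":
    print(demo())
```

Passing `preloaded` pins at manufacture or provisioning time removes the first-connection window in which any CA-valid certificate would be accepted and remembered.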

All the actors have key roles to play for effective and sustainable cyber security for the OT/ICS critical infrastructure and applications.  

Thank you. Please share your valuable comments to make the blog better by your contribution.

References

I have consulted the beautifully written articles in the links below and would strongly recommend you read them for more detail and clarity about each topic.

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

https://www.iotsecurityfoundation.org/tag/iot-security-compliance-framework/

https://pages.nist.gov/800-63-3/sp800-63b.html

https://appid.iconectiv.com/appid/#/

About

I am a cyber security enthusiast and for the last 14 years have seen how cyber security and specifically telecommunications have evolved from hardware to private and now public clouds. I like to express my thoughts and experiences in this blog, get your views as readers and contributors to the blog, and touch base with people with similar interests. Happy reading!


11 thoughts on “OT/ICS and cyber security 101”

  1. Great article. Keep writing such kind of information on your blog. I’m really impressed by your blog. Hello there, You have performed an incredible job. I will definitely digg it and personally suggest to my friends.

    I’m sure they will be benefited from this website.

  2. Do you have a spam problem on this blog; I also am a blogger, and I was wondering your situation; we have created some nice practices and we are looking to trade solutions with others, be sure to shoot me an email if interested.

  3. My brother suggested I would possibly like this web site. He used to be entirely right. This publish truly made my day. You can’t consider just how a lot time I had spent for this information! Thank you!

  4. Thanks for every other fantastic article. The place else may anyone get that type of info in such an ideal way of writing?

    I’ve a presentation next week, and I am on the search for such information.

  5. First off I would like to say fantastic blog! I had a quick question in which I’d like to ask if you do not mind. I was interested to find out how you center yourself and clear your mind prior to writing. I have had trouble clearing my mind in getting my thoughts out there. I truly do enjoy writing however it just seems like the first 10 to 15 minutes are usually lost just trying to figure out how to begin. Any recommendations or tips? Many thanks!
