Cyber security screening of products
More and more products are being produced for production lines and control systems with built-in software, thereby increasing their dependency on IT security. But how do we ensure that the products are adequately secure and will remain so for their entire lifetime?
Terms such as Internet-of-things (IoT) and Industry 4.0 have been used often in recent years, with great benefits being promised by the solutions. They range from fridges that can order groceries when they are about to run out, to systems used for monitoring production lines and goods transportation. There are many benefits to gain, both from a financial and societal point of view. All of these systems are ultimately required to have a reasonable level of reliability – in other words, that they function almost 100% of the time. Increasingly as more and more devices contain software, their function will also become increasingly dependent on IT security. But how do we ensure that the products are adequately secure and will remain so for their entire lifetime?
The shadow effect – IT versus OTAn increasing number of companies are being targeted by cryptolockers, ransomware, phishing attacks and worse. These kind of threats are increasing dramatically, but most large-scale companies are now learning to manage the tools and procedures, as well as the culture that needs to be propagated, to keep the company secure. The biggest challenge is that this deals primarily with IT systems, e-mails, servers, file sharing, employee registers, finance systems etc., that is IT in its original sense – Information Technology.
However, there is an equally large threat directly in the shadow of IT, and that is OT – Operation Technology. These are systems that sit in production lines, control systems of automobiles, signal systems for trains etc. It is the kind technology that most Danish companies include in their products to keep up with the competition and have business models that are based upon servitization. What would happen to your company if all of your products were locked out with one password, which neither you nor the customers knew and with the message that it would cost USD 1000 to obtain this password? Or worse, what if you were the subcontractor for a key customer, and their equipment stopped working because your component was locked? The fact is that most companies have enough on their plates in terms of IT and therefore tend to forget about OT.
Systems and componentsThe idea behind the vast majority of today’s cyber security strategies is 360-degree protection. That is to say that both access control and communication security is taken into consideration as well as incident management etc. on a system level. This is an effective strategy, but often results in a heavy workload in validating all the small components, which the system is built up on.
It is also worth remembering that many system builders do not have detailed knowledge of cyber security and don’t know what to look for on a component level. This is why it is important to have a reliable screening of cyber security for the products. It is also important that this screening has realistic ambitions in terms of what it will be used for. It does not need to have the same security level as for aeroplanes and nuclear power stations, but it is essential that botnet algorithms such as Petya and Wannacry do not have access just because it has not been patched.
Screening – risk analysis and processesThe first element in screening a product is to review the documentation for the product and its intended use. What will the product be used for, and where will it be placed? Is there a firewall for the product? Can it only be installed in specific ways? And is there limited physical access to the product? Once this has been clarified, it is time to make a risk analysis.
What is the risk of a given function being compromised, and what are the consequences if it is? These two values multiplied by each other then become the total risk score. Take for example a pump that pumps cooling water around in an engine and automatically turns off when the temperature goes below a limit value, and which can be activated via a GSM modem that requires a 4-digit password. There is then a fairly small consequence, but a fairly large risk, of this password being misused. Thus giving a total assessment of ‘middle’.
However, if there is no automatic stop function, and this is also controlled via the GSM modem, then the pump can stop too soon, thereby causing the engine to overheat, with serious consequences. Then there would be a high total assessment and a need for mitigation, i.e. to reduce the risk of this happening, for example with a stronger password. There is also a need for a monitoring process within the company of cyber insecurities in the product. If there is a security patch, then there must be a strategy for how this will be implemented into the product.
The testThe final step, and perhaps most interesting for the geeks, is the test. This will normally include 3-5 smaller tests and one analysis. The 5 most normal test types are:
Vulnerability testTo test after known vulnerabilities in software modules, which are used in the product on all the externally accessible interfaces.
Malware testIt is checked whether the product is infected with malware or backdoor viruses from day zero.
Malformed input testThe tester attempts to confuse the product by sending the product thousands of incorrectly formatted messages.
Encryption testAll critical data that is sent to and received from the product is encrypted and not sent as clear text.
Structured penetration testAttempts are made to circumvent the security precautions described in the documentation, such as avoiding have to enter a password.
The tests are intended as a validation that the initiatives, which are described in the documentation of the product, have also been implemented and provide the correct coverage. It is a not a 100% test (otherwise it would never end), but it is a spot check verification of the most obvious holes.
Hereafter, some things that are extremely difficult to catch by testing, for example if there is a piece of code that wishes to send confidential data home every 3 weeks. This type of error is much easier to detect by analysing the code, which is why the last step in the screening of a product is for a professional, specialised in the particular coding language used in the product, to perform a code review.