The term Industry 4.0 was first used at the Hannover Fair a few years ago. The name is a reference to the latest industrial strategy which has been termed the fourth industrial revolution. It entails the computerization of manufacturing via the use of cyber-physical systems connected with each other through the Internet of Things. This strategy can significantly enhance the efficiency of manufacturing, but it also brings new potential dangers threatening industrial companies with considerable losses. That is why Kaspersky Lab has developed a new solution to provide industrial cybersecurity – Kaspersky Industrial CyberSecurity.
Currently, the production at 24 of the top 30 companies from the Fortune Global 500 is based on automated process control systems (PCS). Economists estimate the industrial automation market is now worth about $60 billion a year. It goes without saying that the widespread use of these technologies has not gone unnoticed by cybercriminals – the cost of cyber-penetration is immeasurably smaller than that of a physical attack, while the damage can be far more serious. According to a report by the US organization ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team), in 2014 there were 238 PCS-related cyber incidents, 8 of which resulted in damage exceeding $1 million. And these are only the documented cases – most companies prefer to conceal such incidents as well as the extent of the losses. Recently, cybersecurity experts have witnessed a number of direct attacks on ICS/SCADA systems, with very real damage inflicted.
There is no longer any doubt that automated process control systems need to be protected. The industrial security systems market is still in its infancy, but is developing fast. It is currently estimated at $2.2 billion, while demonstrating annual growth of 13%. If Industry 4.0 continues to develop at its current rate, growth in the security solutions market for industrial systems is inevitable over the next few years.
Kaspersky Lab’s decision to start developing solutions for industrial cybersecurity was not spontaneous. First, we gained an understanding of the problem and realized we had our own views on how best to address it. We already had a wealth of experience in the Enterprise sector, including protection of systems in industrial processes. And it was clear that there was an obvious need for such a solution.
Businesses are becoming increasingly serious about the risks of cyber incidents. Two years ago they ranked cyber risks 18th in a rating of threats jeopardizing their business; today those risks are ranked 5th. The only things deemed more damaging are the loss of key suppliers, natural disasters, changes in legislation, and fires.
Threats to industrial systems
What are we planning to protect industrial systems from? Our experts see three main risks:
Unintentional infection of an industrial network
In theory, industrial information networks should not be connected to office networks, and should definitely not have direct access to the Internet. However, practice shows that not all employees understand the importance of isolation. Sometimes, without intending to cause any harm, staff will connect infected removable drives to industrial computers or access the Internet to update software on the server. As a result, malware manages to penetrate the industrial network.
Fraudulent activity by employees
It’s not unusual for people who are professionally versed in industrial systems to try and use that knowledge to trick their employer. For instance, gauges or sensors can be adjusted to hide the fact that several dozen liters of a petroleum product remain at the bottom of a storage tank after being drained. These kinds of activities can cause serious harm to a business.
Finally, there are targeted actions that are intended to cause damage. The reasons may vary from competition to extortion. For example, a hacker penetrated the network of a South Korean nuclear power plant and began to extort money via Twitter. More recently there have been many more high-profile attacks.
Our solution to the problem
Industrial systems are basically made up of three components:
- industrial networks
- industrial endpoints (e.g., SCADA computers)
If you want your industrial system to be reliable, all its components need to be protected. If any elements are not protected properly, experienced cybercriminals may find a vulnerability and exploit it.
Our solution is capable of protecting all three components. Kaspersky Industrial CyberSecurity can analyze not only events related exclusively to information systems (connection of new devices, suspicious connections between different elements of SCADA systems), but also information at the process level. For example, it can monitor illogical or untimely commands sent to the controllers, and distinguish standard commands from potentially dangerous ones (e.g., identify a command issued to the industrial controller to open a disconnector at a power station). In other words, it can perform complete monitoring of the technological process.
Kaspersky Industrial CyberSecurity is not just an adaptation of existing Kaspersky Lab products for the needs of industrial systems. Yes, part of it is an upgraded version of products designed to protect servers (in particular, SCADA), but this only accounts for 30% of the solution. The system for industrial controller protection and the industrial network monitor have been developed from scratch.
At the development phase we put together a team of industrial implementation experts that can adapt the solution to meet the specific needs of a customer, analyze the infrastructure risks and assist with implementation.
Within the framework of Kaspersky Industrial CyberSecurity we also offer training to instruct customer employees on how to respond to threats, the types of threats they may face, and what they can do to minimize the risks. The training sessions include the basics of industrial safety, social engineering-based attacks on industrial networks, as well as the Kaspersky Industrial Protection Simulation game giving a graphic insight into combating cyber-attacks and ensuring continuity of business processes.
The advantages of our approach
You may ask: “What is so good about your approach?” After all, some industrial equipment manufacturers develop their own security systems that are quite effective. However, these manufacturers are focused on physical and functional safety while they lack experience in the field of cybersecurity. Furthermore, manufacturers often use equipment produced by different vendors, and their systems are not always compatible with each other. Kaspersky Industrial CyberSecurity, meanwhile, allows the entire technological network to be analyzed as a single unit.
More important is the fact that our solution does not require any changes to the technological process. Kaspersky Industrial CyberSecurity operates in passive mode. It can also be deployed quickly in an operational environment and immediately starts analyzing what is happening on the network.
Before unveiling the solution we conducted several pilot deployments. Take the pilot project at Taneco, for example: during the first month our system detected an attempt to access the company’s industrial network from an external device, and two attempts to tamper with sensors.
At the current time, our solution continues to successfully protect those customers who participated in the pilot program. More information about the solution and our approach is available here.