New requirements and concepts for securing critical infrastructure against cyber-attacks

Authors: Prof. Dr. Matthias Hartmann, Dr. Bastian Halecker

Conceptually, smart ecosystems are the logical consequence of linking innovation, information and communication technologies (ICT), and geographical realities such as smart cities. Smart ecosystems have been driven by the extensive growth of mobile Internet, smartphone applications, social software, and open-source hardware. The combination of hardware and software technologies with the interconnection of things (i.e., infrastructure objects via the Internet) results in smart ecosystems. When physical objects are installed with sensors, assigned an IP address, and receive instructions from information processed via the Internet, they become “cyberized” and can be called cyber-physical systems (CPS). CPS are the technological basis of the Internet of Things (IoT) or, in an industrial context, the Industrial Internet of Things (IIoT), which are also known as Industry 4.0.
Driven by increasing digitization, the cross-linking of CPS within ecosystems via permanent connection with the Internet raises cyber security issues that have become critical in the infrastructure of smart ecosystems. Furthermore, regular shifts, such as EU programmes for critical infrastructure protection or Germany’s first draft of a new security law, require the security of critical infrastructure such as energy, water, communication, transportation, government agencies and emergency systems, particularly against cyber-attacks. Again, the increasing connectivity and interdependencies between critical infrastructure elements increases the complexity of managing critical infrastructure, raising the risk of cyber security threats. Initiatives should prevent infrastructure “black-outs” and ensure social and economic welfare within smart ecosystems. To properly secure critical infrastructure and withstand cyber-attacks, infrastructure providers need to measure the systems and their standard controls. Assessment can help providers obtain a clearer view of infrastructure performance and ascertain response to vulnerabilities and should be one of the main parts of any plan or programme for infrastructure protection.

Recent security issues can be categorized into two incident types:
The two categories are independent for the most part but are increasingly becoming intertwined, mainly due to the rapidly increasing interconnection of things (i.e., CPS within infrastructure). Thus, both categories are facing similar increases in cyber security issues.

Currently, the main challenge is that both incident categories are managed by two different types of experts within companies.
The first expert group is existing IT security teams. These teams have a good understanding of how to secure IT applications and IT infrastructure, but are facing increasing cyber-attacks and growing regulatory pressure. In addition, it has become increasingly difficult for these teams to oversee all activities and grasp the systems consequences of security incidents and activities due to the almost universal interconnectivity of IT devices. The other expert group is manufacturing and infrastructure engineers. These engineers have good insights on how to secure machines and buildings from architectural, construction, and work safety perspectives but lack knowledge of cyber security issues. However, with increasing connectivity through IIoT or Industry 4.0, the IT and electrical communications disciplines are merging. Accordingly, two main challenges have arisen: 1) the need for proper security of electrical communications infrastructure for production sites and infrastructure buildings and 2) appropriate security of the connection between conventional (electrical) communication and information technology.

There are several established concepts (i.e., standards) in regard to systematic viewing and structured assessment of current situations and prioritisation of security activities. The following frameworks or regulations can be used as guidance for IT management when securing IT infrastructure:

Although many frameworks or regulations exist, none specifically address the scenario of multiple independent systems within smart ecosystems.

Industrial control systems utilise different classes of automation systems, primarily process control systems (PCS), distributed control systems (DCS), and SCADA systems. These main systems used in critical infrastructure are increasingly becoming the targets of cyber-attacks due to their increasing connection to corporate networks and thus the Internet. The critical nature of these systems makes them attractive for attacks from cyberspace. Security incidents in the critical infrastructure field have increased 66% annually since 2009 [8]. These systems are a valuable and, in many cases, easily accessible target for those who want to cause disruption to physical systems and infrastructure. As described above, infrastructure providers, especially management, were previously rarely involved in information security issues because Internet-based activities (i.e., interconnection) were not yet a comprehensive part of their operations environment. Furthermore, the interdependencies that exist among different infrastructures are pervasive and tackling all of them is difficult. Technical personnel on the shop floor have to be aware of Internet technologies and related security risks. Personnel are still the weakest link in security. Due to different education roadmaps, office personnel and Internet experts do not always understand the needs of computer numerical controlled (CNC) machines and vice versa.
The first use of e-manufacturing (i.e., use of the Internet in manufacturing) was the remote maintenance of machines. Later, these remote control systems were disconnected from the Internet to avoid cyber-attacks on shop-floor control systems. Automation systems administrators must deal with many security deficiencies due to the increasing pervasion of complex, modern ICT in control systems. The Stuxnet worm that struck an Iranian nuclear facility in 2010 is an example of how office software can be used to infiltrate the industrial control systems. Other examples of incidents in critical infrastructure are:
Current data from SCADA Strangelove indicates that about 150,000 industry control and automation systems, mainly from the United States and Germany, are online and a huge number of these can easily be hacked. Additional unsecured industry systems can easily be identified via the Shodan search engine. Repository of Industrial Security Incidents (RISI), an online database of cyber security incidents, provides an even more comprehensive view on incidents that have occurred in critical infrastructure.
As more objects within critical infrastructure become cyberized and automation systems are connected to the Internet, all infrastructure is under constant threat. This raises the question of how to secure smart production, smart building, transportation infrastructure, and the smart grid.

The described challenges in terms of security issues and cyber-attacks on infrastructure in smart ecosystems are becoming a reality. Based on profound insights gathered in this paper and considering the main frameworks and regulations for cyber security, the following five stages can be used to secure critical infrastructure in smart ecosystems:
Stage 1: Remain in control of communication systems used in electrical, hydraulic and pneumatic connections and ensure they are not connected to IT systems.
Stage 2: Use electrical, hydraulic, and pneumatic systems and IT that are not IP-based to control operations and encapsulate the entire system.
Stage 3: Migrate electrical, hydraulic, and pneumatic systems into IT systems that are not IP-based.
Stage 4: Use IP-based IT to control operations through a single point of contact (SPOC) that is under strict surveillance.
Stage 5: Use CPS on an IP-basis and control the operations with security information and event management (SIEM).
The trend will progress consecutively from Stage 1 to Stage 5. The question is how fast industrial development will reach Stage 5. Management of critical infrastructure must obtain more know-how about IP-based technologies and change their systems in the direction of controlling CPS.
SIEM is an essential prerequisite for a networked and open society. With freedom comes moderate surveillance of the information flow. The standards already accepted within road traffic control and building monitoring should be employed as a clear prerequisite for information management within smart ecosystems. SIEM plans will be based on ISO 27044, and a draft of the plans already exists. ISO 27035 provides suggestions for implementing SIEM, which is the technical basis for information control. SIEM can also be derived from SANS Institute’s critical security controls for effective cyber defence, which are highly recommended for controlling CPS-based industrial infrastructure in smart ecosystems.

Prof. Dr. Matthias Hartmann teaches production and logistics, information management and innovation/technology management. He finished his doctorate on business evaluation of high-tech companies and consulted service companies for many years. Prior to his appointment he worked for the global management consulting firm A.T. Kearney.

Dr. Bastian Halecker is the CEO of Nestim – A company that match entrepreneurs, managers and ecosystems to create innovations at the core of the digital age.

[1] A. M. Townsend, Smart cities: Big data, civic hackers, and the quest for a new utopia.
[2] M. Hartmann and B. Halecker, “Management of Innovation in the Industrial Internet of Things,” Budapest, 2015.
[3] W. Miron and K. Muita, “Cybersecurity Capability Maturity Models for Providers of Critical Infrastructure,” Technology Innovation Management Review, vol. 4, no. 10, pp. 33–39, http://timreview.ca/article/837, 2014.
[4] J. M. Yusta, G. J. Correa, and R. Lacal-Arántegui, “Methodologies and applications for critical infrastructure protection: State-of-the-art,” Energy Policy, vol. 39, no. 10, pp. 6100–6119, 2011.
[5] S. Lass and D. Fuhr, “IT-Sicherheit in der Fabrik,” Productivity Management, vol. 18, no. 2, pp. 29–32, 2013.
[6] E. D. Knapp and J. T. Langill, Industrial network security: Securing critical infrastructure networks for Smart Grid, SCADA and other industrial control systems, 2014.
[7] B. Miller and D. Rowe, “A survey SCADA of and critical infrastructure incidents,” in the 1st Annual conference, 2012, p. 51.
[8] V. Bourne, “Critical Infrastructure Readiness Report: Holding the line against cyberthreats,” The Aspen Institute; Intel Security, 2015.
[9] D. Kotarski, “Fabriksicherheit für die Industrie 4.0,” Productivity Management, vol. 19, no. 3, pp. 25–27, 2014.
[10] BSI, “Industrial Control System Security – Top 10 Bedrohungen und Gegenmaßnahmen,” 2014.
[11] M. Hartmann, O. Kracker, F. Behr, and B.-U. Bluschke, “Zukunftspotentiale des E-Manufacturing: Empirische Marktstudie,” HTW Berlin, 2003.