This article focuses on Industrial IoT. Most asset owners in manufacturing are facing the challenge how to deal with legacy system and how to adapt the ICS security principles to modernised environment. I introduce three sessions from S4x23.
New Adventures In Legacy System Modernization
Speaker: Marianne Bellotti
Marianne Bellotti has worked as a software engineer for over 15 years. Every organisation she worked for, including the U.S. government and private companies faced problems of legacy systems, whether the size is large or small, and the age of the organisation is young or old. She has written a new book, Kill It with Fire, focusing on legacy system modernisation based on her extensive experience. As one of the keynotes at S4x23, she presented the essence to the audience.
Bellotti said first that we should start with the realisation that legacy technologies are successful technologies. Legacy technologies remain because they are usable and important. They are the foundation for other systems therefore it has a significant impact when they are changed. But people believe in some myths of modernisation.
First, the technology is regarded as old. It doesn't matter if the technology is new or old.
For example, Python is older than Java, and LISP is older than COBOL. What really matters is whether it is still being developed, can provide security patches, and be integrated into modern protocols. We should beware of Shiny Object Syndrome, that new attractive words make us overlook existing values.
Second is rip and replace legacy systems. This is one of the riskiest migration plans. We need to see how easy it is to roll back the old system if the new technology doesn't work as expected. The purpose of modernisation is to add new value. But rewrites consume a lot of time and money to give organisations what they already have. It also includes engineering and operations retraining/onboarding. New values should start small and accumulate gradually, based on Minimum Valuable Product (MVP) rules.
Third is the migration to COTS, SaaS, and the cloud. COTS and SaaS are good options when you have a common problem that many other companies hack. On the other hand, the more you customise COTS, the less stable it becomes. Managed infrastructure is best when you can do it without economies of scale.
However, be careful with putting everything in one stack and vendor lock-in. Low/no code is great if you're dealing with an internal service with a limited number of users, but it generates a lot of "junk code" that slows down performance and contain vulnerabilities.
She said technology is about people. Technology is to solve problems by people, for people, not the purpose itself. Problems caused by ignoring operations cannot be solved by replacing technology.
It is important that organisation’s leaders understand operational excellence and know the resources required to meet the performance goals of the system. In that case, modernisation is the best strategy for improving in the right way, rather than just replacing "old" technology with "new" technology. We should set goals based on evaluating and monitoring existing systems, define problems, and make investment decisions on where to spend money and time.
Similar organisations may have different problems. As organisations grow, their maturity and strategies change. The tradeoffs in an organisation change all the time. Remember, there are many trade-offs in technology, and improving one characteristic degrades another important one. Teams that can identify value versus investment trade-offs excel at modernisation to avoid unnecessary re-write and migration.
Challenges Of Using IEC62443 For IIoT
Ryan Dsouza, AWS, Principal Industrial IoT Security Solution Architect
IEC62443 is a series of Industrial Automation Control System (IACS) security standards, consisting of a total of 12 documents in four categories: general, policies and procedures, systems, and components. Since 2002, the committee has started deliberating on ICS security, and IEC62443 has been referred to in many industries.
Dsouza, a solutions architect at AWS with over 25 years of digital platform and IIOT experience, discussed the future of OT security through the establishment of a new certification programme of IEC 62443.
The Purdue model that is also referred to in IEC62443 hierarchised IACS into multiple layers at the management level and the field control level, but the integration of IT and OT has progressed with modern technologies such as cloud and OPU UA. Shop floor connectivity is already flexible, and in the near future, hybrid use of edge and cloud will allow any component to connect to any other.
IEC62443 has presented segmentation according to function using the concept of zones that group assets with specific functions and conduits that communicate between them, but IIoT provides new functions and communication paths. In addition, IEC62443 assumes the roles of asset owners, product suppliers, and service providers (integrators and maintenance), but cloud providers are not specified. It is necessary to adapt the concept of zones and conduits to systems involving IIoT and to define the role of cloud providers. Cloud providers are product suppliers, maintenance service providers and system integrators.
For asset owners to use IIoT and increase their competitiveness, we are working to establish a certification system for IIoT components and IIoT systems based on IEC62443. The former is already available, and the latter is in progress.
The IIoT Components Security Assurance Certification covers IIoT devices and the IIoT gateways used in IACS. The application of the 62443 principles to the IIoT environment becomes clear (Extension of 4-1: Product development lifecycle, 4-2: Technical requirement for IACS component). For example, internal zones using compartmentalisation, software update control, remote administration, authentication methods, resilience of components against DoS, etc.
IIoT system certification includes IIoT components and cloud services (Extension of 2-4: Requirement for IACS service provider, 3-3: System requirement and security levels, 4-1: Product development lifecycle). 62443 risk assessment process and zone/conduit model applied to IIoT use cases and applied to cloud-based functions that may impact physical entities.
IEC62443 can also be used for future IACS, but a new interpretation of the concept is needed to get the most out of the IIoT. We must deliver new guidance, certification programmes and training soon to help asset owners grow with the IIoT.
The Purdue Model in a Private LTE/5G World
Abdullah Yousif, Georgia Pacific, Systems Engineer
Georgia-Pacific is one of the world's leading makers of tissue, pulp, packaging and building products and plays a leading role in industrial IoT within the parent company Koch industries group. Yousif has engaged with the 5G use cases that Koch Industries is implementing across its companies and demonstrated their security challenges and how they implement best practises into cellular infrastructure in his session.
He said the traditional Purdue model has collapsed. Because cellular networks are inherently flat, the Purdue model does not extend to cellular, which means there is no context-based segmentation. The company has already implemented AGVs, sensors, cameras, and mobile devices as use cases for private cellular networks and will use AR/VR in the future. Their security concern was the complex requirements of the device ecosystem.
Considering their diverse business, the future connectivity will span multiple communication layers such as Wi-Fi, cellular, satellite, etc. They started from understanding the value props, advantages and key gaps in a use case compared to existing or alternatives. They had defined performance and security as necessary to continue to deliver business value.
Private LTE/5G networks provide new attack surfaces and make gaps in the security of existing networks.
The overlapping technical domains of enterprise networks, cellular networks and IoT devices will create new risks. He supposed the following attacks; MQTT Hijack, IP Attack, Signal Storm, Cloud Lateral Movement, GTP Attack, APN Attack, Handover Attack, DNS Hijack.
Based on the analyses, they implemented segmentation for cellular networks in five steps. 1) Device profiling, 2) Group by context, 3) Define policies per group, 4) Policy implementation via PCRF (Policy and Charging Rules Function), 5) Monitoring.
In most cases, security is considered after integration of a private cellular network, but security should be considered earlier, he said.
In IIoT security, it is essential to understand the universal concept of standards and principles and adapt them to changes in the environment and individual organisations. Solving problems occurred with integration of new technology should be approached from the three perspectives of people, process and technology. Trend Micro had published a technical report to explore a new cybersecurity strategy with analysis of benefit and risk of IIoT based on our experience in contributing to IIoT security projects. Download it here.