Nowadays, cybersecurity in industrial, commercial and residential installations is a source of concern: cyber-threats and attacks increase day by day, and governmental institutions such as ICS-CERT and BSI report a drastic rise in IT security incidents.
Awareness of cybersecurity issues is mandatory to guarantee the availability of system functionalities, the confidentiality of data and protection of intellectual property, the integrity of the application function and components in use, and the authenticity of controllers and their data.
Cybersecurity is a process, not a product. Security improvements need to be continuously maintained and updated. For these reasons, security is not 100 per cent achievable.
Even when a system is designed with state-of-the-art security measures, its connections to the networks of suppliers, contractors and partners may still be vulnerable.
Mitigation of cybersecurity threats is a task that concerns all the parts and parties of an energy monitoring and building automation installation. Effort is required at different levels for:
- Ensuring physical access control to security-critical installations
- Providing additional processing power on devices (e.g. for encrypting data)
- Dedicating huge configuration effort on the part of system integrators and installers
- Planning and executing security training for system integrators and operators
- Training end-users to increase their awareness
Each company must find the right balance between its expected cybersecurity goals and the relevant investments and costs.
Therefore, manufacturers of data/control automation products have to provide system integrators, operators and end-users with appropriate means of protecting the critical parts of their products.
Carlo Gavazzi Universal Web Platform embeds several measures as described in “available onboard security measures.”
These measures do not and cannot replace the responsibility of the system integrator or operator for applying the security tasks, such as the identification of threats and the definition of the measures necessary to achieve the desired level of security.
The main purposes of an energy monitoring or building automation environment are to measure data, manage information and operate the necessary control tasks reliably.
However, many risks can compromise the security of parts of the environment.
The assets of an energy monitoring or building automation system are:
- Field devices (sensors, meters, actuators)
- Edge devices (gateways and controllers, responsible for connecting and controlling a subset of field devices, both among themselves and to the upper levels)
- Fog subsystems (in charge of data automation or control tasks over a specific area)
- Cloud subsystem (in charge of empowering data/control automation with the scalability provided by cloud resources)
Both single assets and systems can be compromised by cybersecurity issues at different levels.
The operational functions executed on the controller are the purpose of an energy monitoring or building automation environment. These functions are deployed to the Carlo Gavazzi Universal Web Platform through its programming software.
The Edge unit, also referred to as the Controller or Gateway, is the programmable intelligent device and the core of the system. The Edge unit locally executes the automated tasks for controlling actuators or automating data management.
It is the major target for security attacks, and protecting it and its communication interfaces is a priority for system integrators, operators and end-users. The environments of data/control automation systems have to be able to prevent intended or unintended faulty operations and thus the risk of harming assets.
Nevertheless, every system needs to be accessed during installation, commissioning, operation and maintenance. If the whole system is split into subsystems, access to each subsystem must be restricted to authorised personnel.
Even if cybersecurity is a global concern, there is not a universally-recognised standard. However, threat recognition and countermeasures are usually shared by different standards.
The worldwide accepted IEC 62443 standard defines five different levels of security:
- 0 (SL0): No protection required.
- 1 (SL1): Prevent the unauthorised disclosure of information via eavesdropping or casual exposure. Example: wrong set-up.
- 2 (SL2): Prevent the unauthorised disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation. Example: no security measures, hacker.
- 3 (SL3): Prevent the unauthorised disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, application-specific skills and moderate motivation. Example: moderate security measures, high-level hacker.
- 4 (SL4): Prevent the unauthorised disclosure of information to an entity actively searching for it using sophisticated means with extended resources, application-specific skills and high motivation. Example: Specific development, knowledge of the application, or corruption of insiders.
The operational functions of an industrial automation system can be damaged or interrupted in different ways. Security measures focus on intentional threats such as sabotage, vandalism or spying. Until now, however, unintentional malfunctions caused by faulty hardware, software, commissioning or service have often harmed the assets, and they must be taken into consideration while designing the system.
Any energy monitoring or building automation system is a component of a local or wide-area network, so security measures such as anti-virus protection, strong password policies, firewall protection, VPN tunnels for inter-network connections and careful management of removable storage devices should be in place, as for all standard PCs.
Besides, a well-defined user account management for accessing the system and its interconnecting networks is mandatory. Placing the gateway/controller in a protected environment is mandatory to avoid undesired access to the controller or its application.
A protected environment is achievable thanks to the following measures:
- Physical locking. Locked cabinets with no possibility of directly accessing the protected units.
- Managed LAN. The intranet network has well-defined user rights and no direct access from outside.
- VPN access. Internet access protected by a firewall and VPN tunnelling.
Moreover, the following additional practices are needed:
- Independence. Keep the trusted network as small as possible and independent from other networks.
- Fieldbus Protection. Use appropriate measures to protect the cross-communication of controllers and the communication between controllers and field devices via standard communication protocols (Fieldbus systems). Very often, these communications are not protected by additional measures, such as encryption. Open physical or data access to Fieldbus systems and their components is a serious security risk.
- Locking. Lock such networks and strictly separate them from commonly used access.
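One way to check an installation's permitted network flows against the measures listed above, as an added example that is not part of the original article or of Carlo Gavazzi's software. The zone names, the flow records and the fieldbus protocol names are assumptions made for illustration.

```python
# Added example: zone names, flow records and rule wording are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str         # source zone
    dst: str         # destination zone
    proto: str       # protocol carried by the flow
    encrypted: bool  # True if the flow is tunnelled or encrypted

# Zones loosely follow the article's assets: "field" devices, the "edge"
# unit, the managed "lan", the "vpn" gateway and the untrusted "internet".
FIELDBUS = {"modbus-rtu", "modbus-tcp", "bacnet"}  # assumed protocol names

def audit(flows):
    """Return (flow, reason) pairs for every flow that breaks a measure."""
    findings = []
    for f in flows:
        # Managed LAN / VPN access: nothing enters directly from outside.
        if f.src == "internet" and f.dst != "vpn":
            findings.append((f, "direct access from outside; must enter via VPN"))
        if f.src == "internet" and f.dst == "vpn" and not f.encrypted:
            findings.append((f, "VPN endpoint reached without tunnelling"))
        # Locking: only the edge unit may talk to field devices.
        if f.dst == "field" and f.src != "edge":
            findings.append((f, "field devices reachable from outside the edge unit"))
        # Fieldbus protection: fieldbus traffic stays between field and edge.
        if f.proto in FIELDBUS and {f.src, f.dst} - {"field", "edge"}:
            findings.append((f, "fieldbus protocol leaves the locked network"))
    return findings

# Constructed sample rule set, not taken from any real installation.
SAMPLE = [
    Flow("edge", "field", "modbus-rtu", False),   # allowed
    Flow("internet", "vpn", "ipsec", True),       # allowed
    Flow("vpn", "edge", "https", True),           # allowed
    Flow("internet", "edge", "https", True),      # direct exposure
    Flow("lan", "field", "modbus-tcp", False),    # bypasses the edge unit
    Flow("lan", "edge", "bacnet", False),         # fieldbus on the office LAN
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"{flow.src}->{flow.dst} [{flow.proto}]: {reason}")
```

The flow from the LAN straight to the field devices is reported twice, once for bypassing the edge unit and once for carrying a fieldbus protocol outside the locked network.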
Cybersecurity is a process, not a product. A large share of the reported security incidents is caused by faulty set-up or system operation. System integrators and end-users have a crucial role in security protection. Thus, both have to know the possible threats and the infrastructural measures necessary to avoid those threats.
In order to achieve this goal, it is advisable to attend special training given by security specialists. Several active parties and suppliers are involved in setting up and operating an energy monitoring or building automation system.
They are mainly the suppliers of software and hardware components, the system integrators or builders of the industrial control applications, and the operators. All of the mentioned parties have to make a certain effort in order to protect the application against attacks.
A system is only as secure as its weakest part. A lack of end-user training could compromise even the most secure installation. Nowadays, cyberthreats take many different shapes: criminal cyberattacks, malware, social engineering.
The vulnerabilities of products and systems, wrong behaviours of users, insufficient security policies and an increasing presence of hacking tools and unethical hackers are variables that have made it impossible to reach 100 per cent cybersecurity.
Cybersecurity is not only about devices: it is about people leveraging social networks and habits. For those reasons, when a company defines its approach to cybersecurity, the target is to find the right balance between the acceptable risks and the mandatory countermeasures.
Article by Alessio Costantini, International Product Manager – Carlo Gavazzi Controls.