North America | Europe | Asia • www.csagroup.org
A cyber-attack can compromise the safety function of a device (or control system) in one or more ways. The device could be jammed so it will not activate and perform its safety function when needed, creating a high-level risk condition. An attacker could hijack the device to make it appear to be functioning properly when it is not, disguising a serious vulnerability. A hijacked safety function can also be manipulated to trigger false positive alarms or inappropriately engage the safety function (e.g. close and open valves, turn lights on and off and activate sirens). If the manipulation seriously abuses the system it can damage equipment and potentially endanger lives. Even if the compromised device or system can still perform its safety function, it could be rendered inaccessible or raise false alarms that require service attention.

To mitigate these risks, the Functional Safety Design Lifecycle and the testing and certification of critical functional safety features must be extended to also encompass evaluation of security features. To achieve fully integrated network security, each individual IoT and IIoT device or control system must be designed within the framework of a Security Development Life Cycle and tested and evaluated against accepted and applicable cybersecurity standards.
The Emerging Internet of Things – Advantages and Vulnerabilities
Commercial and residential building systems, as well as industrial control systems, increasingly include online capabilities to enable operators and service providers to remotely monitor, control, and analyze system safety, security and performance.
PROTECTING CONNECTED DEVICES AGAINST CYBER ATTACK
INCREASING THE SECURITY OF INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS
By Matt Jakuc, Product Group Manager, Cybersecurity Technical Lead, CSA Group
The rise of cyber related attacks on Internet of Things (IoT) and the Industrial Internet of Things (IIoT) infrastructure has made it increasingly
vital to have cybersecurity protocols in place to support functional safety and safety-related solutions in commercial or residential buildings
and industrial processes. As building and process automation increasingly involves linking equipment together in an open network architecture,
the safety and security risks created by Internet connectivity should be a foremost concern of stakeholders such as product design professionals,
building managers, owners and system integrators.
Functional safety verification is essential in equipment that responds to operator inputs because an automated, safety-related device or control
system that responds incorrectly may create a hazard. A cyber-attack on the integrity of a controller can jeopardize the functional safety of a
device or control system in an open network architecture.
The creation of intelligent buildings and industrial processes utilizing open network architecture is driven by the concept of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), which sees manufacturing utilizing IoT technologies for quality control, sustainability and overall process improvements, with a multitude of individual devices and control systems supporting overall system connectivity.

The advantages of fully integrated online or cloud-based systems to operators and other stakeholders are significant:
• System performance can be monitored continuously.
• System operation can be more easily controlled to optimize efficiency and cost-savings.
• Preventive diagnostics can be performed to predict failures and improve scheduled maintenance routines.
• Faults can be immediately detected so root causes can be identified and addressed quickly, minimizing disruption or potential damage to the system.
• Robust system data can be compiled and analyzed to identify opportunities for future system and operational improvements.
The market for connected devices for Industrial Automation Control Systems (IACS), as well as commercial and residential Building Control Systems (BCS), is expanding rapidly. Data compiled by IHS Markit and reported by the Continental Automated Buildings Association (CABA) predicts that, by the year 2025, there will be approximately 70 billion IoT-connected devices, with an estimated 18 billion devices shipped per year.[1]

This rapid growth, and the clear advantages and opportunities of intelligent buildings, is not without significant security and safety risks and vulnerabilities that must be addressed.
An October 2016 Distributed Denial of Service (DDoS) attack in the U.S. dramatically demonstrated the impact of a malicious attack on unsecured Internet-connected devices. In this extreme case, vulnerable household IoT devices were infected with malicious code, or malware, and assembled into what is known as a “botnet”. Hackers coordinated those devices to send an overwhelming volume of traffic to servers operated by an important Domain Name System (DNS) provider, disrupting much of America’s Internet and legitimate traffic to many of the most popular Web sites. While unprecedented in its scale and overall impact on U.S. Internet infrastructure, the October attack illustrates the potential vulnerability of intelligent building and automated industrial control systems based on IoT devices.
Assuring Functional Safety and Security
The adoption of open networks and IoT devices increases vulnerability to cyber-attack, underscoring the importance of assuring the full integrity of functional safety across a networked building or industrial process system. To achieve this goal, extensions of the Functional Safety Design Life Cycle and Functional Safety Testing & Certification must be considered for each connected device. This can include the implementation of a Security Development Life Cycle and potentially the addition of a Cybersecurity Product Evaluation. The goal is to establish a level of confidence in the security features of the IoT device through an established and reliable quality assurance process.
[1] CABA Intelligent Buildings and the Impact of IoT, Key Trends in IoT and Commercial Building Technology Markets; IHS Markit for the Continental Automated Buildings Association; © Continental Automated Buildings Association, 2016.
While operators and the service providers who support them must be concerned about a host of negative consequences of cyber-attack, including…
• Breach of data security
• Interrupted operations
• Loss of revenue
• Unplanned recovery expense
• Liability or legal action for negligence
• Tarnished reputation
…a cybersecurity breach poses no greater threat than the loss of functional safety, which can place workers, residents and communities at risk of injury or even death, while also threatening property and the environment.
Vulnerabilities Are Widespread
The potential for cybersecurity attack exists across a wide range of devices currently used in intelligent building and industrial control systems. By exploiting the vulnerability of an unsecure controller or other device, attackers could take control of all connected equipment on a network. The potential risk can be magnified if the initial breach exposes weaknesses in equipment that was not designed to operate in an open network environment.
Design Weaknesses May be Exposed
A simulated cyber-attack on an electrical power generator connected to a substation dramatically demonstrated the risk created when appropriate security measures are not incorporated in an original equipment design. Although conducted in 2007, the results of the simulation continue to be a point of reference in industry and governmental discussions of power industry security needs.

During the simulation, which was conducted by the Idaho National Laboratory, researchers targeted a vulnerable programmable device to gain access to and control of protective relays on the generator. Because the equipment design did not include measures to prevent the relays from being abused, the researchers were able to open and close the breakers rapidly and out of sync, creating extreme torque conditions. The generator bounced and vibrated violently, eventually throwing parts up to 80 feet before it was destroyed.[2] In an actual attack, serious injury to operators, or even death, could have occurred.
Improper Implementation Can Undermine Secure Technology
Even when the technology used in a product is inherently secure, failure to implement suitable security measures during the product design process can leave connected equipment and networks vulnerable to attack. Wireless protocols widely used in intelligent building and smart home devices are one example, affecting millions of devices worldwide.

Researchers in 2015 and 2016 reported finding security flaws in many building automation devices using the Z-Wave and ZigBee wireless protocols, which are incorporated in the designs of smart door locks, alarms, detectors, light bulbs and lighting controls, motion sensors, switches, HVAC systems, valve actuators and other IoT devices. While the protocols themselves are secure, investigation revealed the product manufacturers did not always utilize secure encryption keys when they were implemented in product designs, leaving devices vulnerable to attack.[3], [4]

In one case involving the Z-Wave protocol, compact fluorescent light (CFL) bulbs without encryption were damaged by attackers who cycled them off and on using specific timings. The resulting thermal stress destroyed the bulbs within hours. Loss of facility lighting or another networked system can disrupt building operations and compromise security and safety. A similar attack on a connected thermostat under cold winter conditions could cause building water pipes to freeze and burst, resulting in significant damage, disruption and property loss.
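Both the Aurora generator test and the CFL cycling attack above succeed because the equipment executes every command it receives, however fast the commands arrive. One design measure a Security Development Life Cycle would call for is an interlock in the device firmware that bounds how quickly an actuator can be cycled, independent of what the (possibly hijacked) controller requests. The following is an added example in C, not CSA Group's code or any vendor's; the limit values, type names and the command-cycling scenario are hypothetical and constructed for illustration.

```c
/* Added example, not CSA Group's code: a firmware-side interlock that refuses actuator
 * commands arriving faster than the equipment tolerates. All limits are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_DWELL_MS     2000u  /* shortest time the actuator must hold one state */
#define WINDOW_MS       60000u  /* sliding window for the toggle budget           */
#define MAX_TOGGLES_WIN     6u  /* state changes permitted per window             */

typedef enum { CMD_OK, CMD_NOOP, CMD_REJECT_DWELL, CMD_REJECT_RATE } cmd_result_t;

typedef struct {
    bool     state;                     /* current actuator state             */
    uint32_t last_change_ms;            /* time of the last accepted change   */
    uint32_t changes[MAX_TOGGLES_WIN];  /* ring of accepted change timestamps */
    uint32_t n_changes;                 /* total accepted changes             */
    uint32_t rejected;                  /* counter surfaced to monitoring     */
} actuator_t;

void actuator_init(actuator_t *a, bool initial, uint32_t now_ms)
{   /* back-date the last change so the first legitimate command is not dwell-blocked */
    *a = (actuator_t){ .state = initial, .last_change_ms = now_ms - MIN_DWELL_MS };
}

/* Accepted changes whose timestamp falls inside the current sliding window. */
static uint32_t changes_in_window(const actuator_t *a, uint32_t now_ms)
{
    uint32_t stored = a->n_changes < MAX_TOGGLES_WIN ? a->n_changes : MAX_TOGGLES_WIN;
    uint32_t in_window = 0;
    for (uint32_t i = 0; i < stored; i++)
        if (now_ms - a->changes[i] < WINDOW_MS) in_window++;
    return in_window;
}

/* Apply a requested state. A command that would cycle the hardware faster than the
 * dwell or window limits allow is rejected and counted, never executed. */
cmd_result_t actuator_command(actuator_t *a, bool requested, uint32_t now_ms)
{
    if (requested == a->state) return CMD_NOOP;
    if (now_ms - a->last_change_ms < MIN_DWELL_MS) { a->rejected++; return CMD_REJECT_DWELL; }
    if (changes_in_window(a, now_ms) >= MAX_TOGGLES_WIN) { a->rejected++; return CMD_REJECT_RATE; }
    a->changes[a->n_changes++ % MAX_TOGGLES_WIN] = now_ms;
    a->state = requested;
    a->last_change_ms = now_ms;
    return CMD_OK;
}

/* Constructed scenario: a controller requests a toggle every period_ms for
 * duration_ms. Returns how many toggles the interlock actually let through. */
uint32_t run_cycling_scenario(uint32_t period_ms, uint32_t duration_ms)
{
    actuator_t a;
    uint32_t accepted = 0;
    actuator_init(&a, false, 0);
    for (uint32_t t = 0; t < duration_ms; t += period_ms)
        if (actuator_command(&a, !a.state, t) == CMD_OK) accepted++;
    return accepted;
}

int main(void)
{
    printf("toggle every 200 ms for 60 s: %u executed\n", (unsigned)run_cycling_scenario(200, 60000));
    printf("toggle every 30 s for 60 s:   %u executed\n", (unsigned)run_cycling_scenario(30000, 60000));
    return 0;
}
```

The rejected counter is what a Cybersecurity Evaluation would expect to see reported to the monitoring system, since a burst of refused commands is itself evidence that a controller has been compromised.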
These examples demonstrate the importance of implementing a Security Development Life Cycle to support the design of secure IoT devices from the beginning of the product development process, similar to the Functional Safety Design Life Cycle. They also reinforce the importance of verifying the implementation of effective security through Cybersecurity Evaluation, conducted as part of Functional Safety Testing and Certification. By making security an integral part of the design process and conducting the appropriate testing to verify that proper security measures have been implemented, manufacturers and their customers can be confident that devices support the ultimate goal of fully integrated security and safety across the entire intelligent building or industrial control network.
Supply Chain Mandates
Stakeholders in the intelligent business supply chain who are key to driving business forward, including system OEMs, Tier 1 suppliers, system integrators, contractors and other downstream participants, are increasingly demanding evidence of a Security Development Life Cycle and rigorous cybersecurity evaluation. All supply chain participants are expected to take measures to ensure that devices and systems support the security requirements of end users or their service partners.

[2] Aurora Generator Test, Wikipedia. Retrieved January 17, 2017.
[3] ShmooCon 2016: Z-Wave Protocol Hacked with SDR, Hackaday, January 16, 2016. Retrieved January 17, 2017.
[4] Researchers exploit ZigBee security flaws that compromise security of smart homes, Network World, August 11, 2015. Retrieved January 16, 2017.
The impact of these mandates is widespread, spanning diverse industry supply chains including HVAC, fire control, access control, lighting, industrial controls, IT/AV, and more. However, requirements within these vertical supply chains are based on the overarching technology-horizontal requirements defined within the IEC 62443 Series cybersecurity standards.

Supply chain mandates may include requirements that products be suitable for use in “SIL-rated” systems. SIL refers to the Safety Integrity Level that is assigned during functional safety evaluation to confirm the requirements of the IEC 61508 standard are met. IEC 61508 is the international standard for safety-related systems associated with electrical, electronic and software-based technologies. Similarly, supply chain requirements may include achieving a specific security level defined in the IEC 62443 Series cybersecurity standards. The close relationship between cybersecurity and functional safety evaluations is further described below.
IEC 62443 Cybersecurity Standards
IEC 62443 Series cybersecurity standards were developed as technology-horizontal control system standards with broad industry applicability. This series of standards covers component technical requirements, system technical requirements, product supplier development lifecycle practices, integrator practices, and onsite end user management and operation of a cybersecurity program. While not deliberately industry-specific, the IEC 62443 Series standards reflected the initial input of Industrial Automation Control Systems (IACS) participants in the standards development process. However, the standards are also accepted as technically applicable to building control systems and could be used to assess cybersecurity in intelligent building systems.

The IEC 62443 Series includes:
• IEC 62443-4-2 Security for industrial automation and control systems – Technical security requirements for IACS components
• IEC 62443-3-3 Security for industrial automation and control systems – System security requirements and security levels
• IEC 62443-4-1 Security for industrial automation and control systems – Product development requirements

At the end of 2016, only the IEC 62443-3-3 standard pertaining to control system security requirements and security levels had been approved and published by IEC. Standards for technical security requirements for components (IEC 62443-4-2) and product development requirements (IEC 62443-4-1) are expected to be approved and published in 2017.
Cybersecurity Evaluation
CSA Group offers cybersecurity analysis and testing as part of the Functional Safety Testing and Certification of IoT and IIoT products and systems. The Cybersecurity Evaluation process provided by CSA Group includes the rigorous analysis and testing called for under the IEC 62443 Series standards and other cybersecurity frameworks required by supply chains and end use customers.

An Extension of Functional Safety Evaluation:
Cybersecurity analysis and testing should be performed by qualified third party testing organizations as part of the overall product functional safety evaluation, which helps assure that an automated, safety-related device or system operates correctly in response to its inputs, protecting operators and/or property and the environment from any hazard.
For example, a sensor that measures the temperature of electric motor windings and de-energizes the motor before it overheats provides functional safety. In contrast, insulation material that helps protect the motor and its surroundings against the same overheating does not provide functional safety because it does not respond to inputs.[5]

IEC 61508 is the international standard for safety related systems associated with electrical, electronic and software-based technologies. The principles of the standard can also be extended to assess mechanical elements if they are used in the safety function.

The IEC 61508 standard defines requirements for determining the level of risk using Risk/Process Hazard Analysis (PHA) and identifying the relative level of risk reduction required: the Safety Integrity Level (SIL). It also describes the lifecycle process for ensuring that systems are designed, validated, verified, operated and maintained to perform a specific function or functions and assure that risk is kept at an acceptable level.
Cybersecurity Evaluation parallels the Functional Safety Testing and Certification process, using specific security frameworks and the IEC 62443 Series and other applicable standards. The evaluation process first identifies and assesses applicable risks and the necessary SILs. The effectiveness of security measures is then evaluated, taking into account any related design considerations. The overall Cybersecurity Evaluation includes assessment of the security of the product development process as well as the implementation of security measures in the product itself.

[5] The adequacy of insulation or other product design elements should be evaluated for conformance with the requirements of the applicable industry standards for safety or performance during the product testing and certification process.
Analysis and Testing
The Cybersecurity Evaluation process typically includes the following analyses and tests:

Gap Analysis and Risk Assessment
Analyses of the supplier’s Information Security Management System (ISMS) and Security Development Lifecycle (SDLC) are performed to identify strengths and weaknesses and to recommend any procedural and policy changes that should be addressed in order to support a secure SDLC process and demonstrate supplier due diligence in mitigating security risk. This analysis and the resulting recommendations are designed to identify and address security threats early in the product life cycle, before devices enter production.

Vulnerability Identification Testing (VIT)
The objective of VIT is to ensure that connected devices are free from known vulnerabilities. Security weaknesses are defined and detected, and the effectiveness of proposed countermeasures is forecast so that actual effectiveness can be evaluated upon implementation. Vulnerabilities are analyzed to determine their impact on applicable functional safety requirements, which are established as part of the overall Functional Safety Testing and Certification process.

Penetration Testing
Penetration testing evaluates the security of a connected system by attempting to exploit potential vulnerabilities. This internal testing of the system, network or software helps identify security weaknesses so they can be fixed before being exposed to an actual attack. Effective penetration tests are designed to simulate an attack involving a specific objective. The test findings reveal how security was breached so appropriate preventive countermeasures can be adopted.

Communication Robustness Testing (CRT)
CRT evaluates product resilience when subjected to network stress testing, identifying network-based security vulnerabilities. The test provides a measure of the extent to which network-based protocols can defend themselves against incorrectly formed messages and inappropriate sequences of messages used to attack the system. CRT identifies the presence of common programming errors and known denial of service vulnerabilities specifically for networking protocols, which impact the robustness of embedded devices that use those protocols.
Conclusion
The widespread adoption of IoT technology in networked infrastructure has increased the potential for cyber-attacks that can compromise safety-related devices and control systems. Around the world, cybersecurity breaches are increasingly occurring and, contrary to popular belief, they cannot be solely attributed to savvy hackers or aggressive cyber-attack strategies. Insufficient knowledge of reliable mitigation processes, including the critical role of functional safety testing and evaluation of security features, is equally responsible. Products and systems used in intelligent residential and commercial buildings, as well as automated industrial processes, that are designed and evaluated to ensure they meet the strict requirements of both functional safety and cybersecurity standards can help to mitigate these risks. Ensuring that devices and components are suitable for SIL-rated systems is now commonplace for participants across diverse supply chains. By integrating the CSA Group Cybersecurity Evaluation with Functional Safety Evaluation into the certification process, device and system controller suppliers can potentially out-pace rapidly expanding cybersecurity threats and help provide assurance to key stakeholders that their products provide a higher level of resilience to cyber-attacks.
About CSA Group
CSA Group is a global testing and certification service provider offering widely recognized and accepted CSA certification marks that appear on billions of products around the world. CSA Group is accredited by international technical authorities, including the U.S. Occupational Safety and Health Administration (OSHA) as an NRTL, the Standards Council of Canada (SCC), the United Kingdom Accreditation Service (UKAS), and more.

CSA Group is a world leader in providing Cybersecurity Evaluation along with Functional Safety Testing and Certification, including evaluation services for products for the intelligent building, industrial automation, HVAC, lighting, electrical, IT/AV, plumbing, safety and security, and other industries. The CSA Certified™ advantage – helping manufacturers get the market access they need for over 95 years. Contact CSA Group to obtain more information about our global Cybersecurity Evaluation and Functional Safety Testing and Certification services.
ADDRESSING CYBERSECURITY RISK IN THE DESIGN OF CONNECTED DEVICES FOR INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS
Contact Us
1.866.797.4272
www.csagroup.org