NATO agency offers details on securing industrial automation and control systems in critical energy infrastructure

The NATO Energy Security Center of Excellence (NATO ENSEC COE) released a guide last week that provides an analysis of technology-based threats, both intentional and unintentional, to the safety, reliability, resilience, and performance of critical energy infrastructure. 

Based on studies and site visits to operators of critical energy infrastructure from 2011 to 2021, the guide offers advice on how to implement a digitalized solution when ‘analogue based operators’ decide to modernize their control systems. The guide scans industrial systems that monitor and control the physical processes in critical energy infrastructure and discovered that they are not uniform as there are operations that are more digitalized while others are older, more analogue, or manually controlled.

The guide also looks into the criminally motivated cyber-attacks, like the ransomware attack on a major fuel pipeline in the Eastern United States last May, which forced operators to shut down an 8000 km long pipeline. The incident has initiated a review in the U.S. and in other countries of the cybersecurity of control system architectures used in industrial operations. 

The recommendations in the guide are applicable to any asset owner that relies on industrial automation and control systems (IACS) for the control and monitoring of a physical process. “We need to employ comprehensive cybersecurity measures to protect our IACS in the hope that as asset owners we do not wake up one day with news that our critical systems and operations are compromised and cannot be trusted,” Vytautas Butrimas, wrote in the guide. Butrimas is an industrial cybersecurity subject matter expert for the NATO ENSEC COE, co-chairman at the International Society for Automation (ISA) 99 MLM Work Group 13, and co-moderator of the SCADASEC list.

Industrial systems were designed with an emphasis on safety and reliability with little regard for cybersecurity, Butrimas said.“However, this design approach introduced serious vulnerabilities that if exploited by a cyber-attack could result in serious physical harm in terms of injured personnel, damage to property and to the environment,” he added.

“While the work of hardening Office/Enterprise IT cybersecurity has developed into a level of maturity over two decades, developing measures for reducing the cyber risks to critical industrial operations have only just begun,” Butrimas said. “Furthermore, the task is made difficult in that IT data-centric cybersecurity measures tend to dominate solutions that do not fully apply to industrial environments where protection of a physical process is the priority,” he added.

The guide extensively covers IACS operator considerations with initial self-awareness questions, while analyzing how identified assets can be protected from identified threats. It also lists tools available in the cybersecurity program toolbox, such as asset management system, standards, documentation, evaluating and improving the level of maturity in industrial cybersecurity, secure coding practices for programmable logic controllers (PLCs), patching and updating software and firmware, and industrial cybersecurity operations center (ICOC).

It also looks into the introduction of Industry 4.0 or industrial Internet of Things (IIoT) that brings in newer challenges, as they integrate manufacturing with business functions. Many sensors are added to collect data on the machine-to-machine activity for data analysis. It is argued that the results of this analyzed data can be applied to improve efficiency, save on costs, and remain competitive. 

“This is thought to be achieved through a focus on detecting serviced faults before they can negatively impact customers, provide critical data to support management’s decision making and drive predictive analysis and machine learning capability approaching artificial intelligence to support operations,” Butrimas said. “To connect all this activity together will be a network that will even include wireless communications,” he added. 

He also pointed out that some have questioned the claims behind all the benefits proposed by supporters of Industry 4.0. For example, it is difficult to understand how much the implementation of Industry 4.0 technologies in an industrial enterprise will cost, in addition to how well the issues of trust in sensors be handled. 

Another important factor that will influence the success of those working to enhance energy security and resilience of critical energy and other sectors of infrastructure is climate change, Butrimas said. 

Risks to national security interests may escalate as the physical impacts increase and geopolitical tensions rise on how to respond to the problem, according to Butrimas. “New research on the cost-effectiveness of proposals to address climate change goals is required in order to develop effective plans and successful implementations of solutions. Solutions, which are likely to be heavily reliant on new and advanced technologies applied to increasingly complex and dynamic systems, which, together with powerful added functionality, will come with exploitable vulnerabilities,” he added.

In addition to the NATO guide, a public interest researcher called upon the Department of Energy (DOE) in December last year to ensure that mandatory measures address the risks and vulnerabilities in the critical electric infrastructure sector. 

The researcher, Michael Mabee, called upon the DOE to ensure that mandatory standards address the risks and vulnerabilities presented by the import and installation of equipment or systems originating from adversaries of the U.S., including the People’s Republic of China. These standards must apply to the entire critical electric infrastructure, including generation, transmission, and distribution.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.