Fraunhofer IEM

Dr. Markus Fockel | Inka Krischke

Step by step to information security

The number of cyberattacks is increasing and, according to the BSI, ransomware attacks in particular are a current threat to companies in all sectors. For companies, the question is no longer whether they will be attacked, but only when. What can effective protection look like?

How do I identify threats and suitable security measures in my systems? Fraunhofer IEM answers this question together with companies from the automation industry.

© Fraunhofer IEM

The Pipedream malware (also known as Incontroller) discovered in April 2022 was specially tailored to automation technology and specific vulnerabilities in certain control systems. It uses the widespread Modbus and OPC UA communication protocols as well as the Codesys development and runtime environment. It allows attackers to read, modify and delete data, which means it could also be used for ransomware attacks in the OT network. A frightening scenario.

Threats for industrial control systems

The list of the top 10 threats to industrial control systems updated by the BSI in May 2022 includes attacks on cloud components that are connected to OT. They are used for data analytics or digital twins, for example. Control systems that are directly connected to the internet are also still among the top 10 threats. The threat from removable storage media and devices that are connected directly to the OT for maintenance purposes, such as USB sticks, notebooks and tablets, remains in first place. Infection with malware via the internet, for example via manipulated websites or email attachments, has risen to second place. Malware such as Pipedream could be smuggled into the OT via office IT systems.

A new addition to the top 10 is the threat posed by vulnerabilities in the supply chain. For example, if there is an exploitable vulnerability in a software library that is used in a manufacturer's PLC, all machines that use this PLC - and therefore all systems that contain such machines - are vulnerable. The threat does not only apply to control manufacturers; machine manufacturers can also introduce vulnerabilities and malware such as Pipedream into OT systems. This would potentially affect all of the machine manufacturer's customer systems.
Pipedream can also change PLC programs - if such an attack goes unnoticed, the manufacturing process could be influenced, for example to increase machine wear (just as Stuxnet even destroyed centrifuges) or reduce the quality of manufactured products.
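
The supply-chain propagation described above (library, then PLC, then machine, then plant system) can be checked mechanically once a component inventory exists. The following sketch is an added example, not part of the original article or any Fraunhofer IEM tool; the inventory, the advisory and all component names and versions are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory (all names and versions are hypothetical):
# each product maps to the (name, version) components it directly contains.
INVENTORY = {
    ("plc-a-firmware", "2.1"): [("libcomm", "1.4.2"), ("rtos", "5.0")],
    ("plc-b-firmware", "1.0"): [("libcomm", "1.6.0")],
    ("press", "rev3"): [("plc-a-firmware", "2.1")],
    ("mill", "rev1"): [("plc-b-firmware", "1.0")],
    ("plant-line-1", "site"): [("press", "rev3"), ("mill", "rev1")],
    ("plant-line-2", "site"): [("mill", "rev1")],
}

# Constructed advisory: every libcomm release before 1.5.0 is vulnerable.
ADVISORY = {"component": "libcomm", "fixed_in": "1.5.0"}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def affected_items(inventory, advisory):
    """Map each transitively affected item to the chain that makes it vulnerable."""
    used_by = defaultdict(set)  # reverse edges: component -> direct users
    for item, parts in inventory.items():
        for part in parts:
            used_by[part].add(item)
    fixed = parse_version(advisory["fixed_in"])
    seeds = [c for c in used_by
             if c[0] == advisory["component"] and parse_version(c[1]) < fixed]
    chains = {}
    queue = deque((seed, [seed]) for seed in seeds)
    while queue:  # breadth-first walk up the containment graph
        node, chain = queue.popleft()
        for user in sorted(used_by.get(node, ())):
            if user not in chains:
                chains[user] = chain + [user]
                queue.append((user, chains[user]))
    return chains


if __name__ == "__main__":
    for item, chain in affected_items(INVENTORY, ADVISORY).items():
        print(item, "<-", " <- ".join(f"{n} {v}" for n, v in reversed(chain[:-1])))
```

Each returned chain records why an item is affected, which is the traceability an incident response team needs when deciding which customers require a security update.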

There is no such thing as 100% security

A look at the top 10 threats shows the diversity of current vulnerabilities: Attackers find their way into companies via cloud services, IT systems and directly via OT devices. What's more, growing networking in the sense of the IIoT is leading to more and more new attack paths. It is therefore not enough to simply insert a firewall between the IT and OT networks - companies should also invest in a defense-in-depth strategy. First of all, this means accepting that there will be a successful attack on an OT system at some point. However, by installing several staggered security measures, companies isolate the attack as well as possible and keep damage away from other OT systems. In this way, business-critical processes and safety-critical subsystems continue to run even during an attack.

Security right from the start

The use of defense-in-depth measures is also required by IT security standards such as IEC 62443. This standard is specifically tailored to automation technology and places requirements on secure systems, machines and components. Setting up a defense-in-depth strategy is just one of the measures required: the standard also places requirements on component manufacturers, machine builders/integrators and system operators and their processes - after all, how can a product be secure if it is created by processes that do not include security measures?

Retrofitting security mechanisms (such as after a penetration test) can be very costly or even impossible. As a result, the focus is increasingly shifting to product development with the guiding principle of security by design. In all phases of development, i.e. from the very beginning, companies should implement security measures and build protection mechanisms into their systems in the sense of defense in depth.

Must-haves for the development of secure systems

But what are the must-haves for security by design? Threat analyses, defense-in-depth security concepts, incident response processes and security training are absolutely essential. Here is an overview:

In contrast to penetration tests, which check systems that have already been developed for undetected vulnerabilities, threat analyses are used to identify threats or potential attacks at an early stage and proactively plan countermeasures into the development process. The results of the threat analysis are therefore the basis for designing an effective security concept in accordance with the defense-in-depth approach.

It is also necessary to be organizationally prepared for an emergency. To this end, an incident response team should be established, which has the emergency plan ready and is therefore the first point of contact for reporting vulnerabilities and attacks. The team also monitors security events outside the company: it promptly checks whether the company's own products and systems are affected when new vulnerabilities become known - particularly in the (software) supply chain - and coordinates the provision of corresponding security updates.

Last but not least, security training is also part of security-by-design implementation. Managers and developers are sensitized to the topic of security and learn how to apply security measures themselves. To ensure lasting learning success, training should not only be based on the very abstract requirements of the standards and potential implementation measures. Tailored training courses are the most profitable: Which measures are actually implemented in the company and how do you apply them?

Numerous Fraunhofer IEM projects with industrial companies show this: Not only should the training be geared to the individual situation of the company, but the corresponding methods must also be tailored and integrated into the existing processes.

A practical example - KEB Automation

Of course, security by design cannot be fully integrated into a company's own processes and projects overnight. In order to proceed step by step, it is advisable to first determine the current situation: Which measures are already being taken, even though they may not have been explicitly defined as security process steps? Are there established processes that can be used as a guide to facilitate the introduction? With KEB Automation, a manufacturer of system solutions in the fields of control & automation, drive technology, motors and gearboxes as well as brakes and clutches, the Fraunhofer IEM has done just that. At KEB, customer inquiries about the security features of the systems are constantly increasing. The aim of a joint project was therefore to examine the current status of KEB's development processes with regard to the requirements of IEC 62443 and, on this basis, to derive and prioritize further activities for implementing the security standard. The company already offers safety products. The development of such systems is subject to strict standard requirements and requires correspondingly mature processes. The Fraunhofer Institute therefore took this area as a basis and analyzed the current KEB development processes in the form of interviews with managers and safety experts. The effort required to adapt to the requirements of IEC 62443 was systematically estimated. Fraunhofer IEM then developed a list of prioritized recommendations for successful implementation of IEC 62443 and the above-mentioned must-haves. These included, for example, organizational measures and the integration of a threat analysis method into the existing development process and its tool chain.

Phoenix Contact relies on threat analysis

There are many methods for threat analysis. In order to comply with IEC 62443, a systematic and repeatable method is required that can be integrated into the company's existing processes and tools. With Phoenix Contact, Fraunhofer IEM has developed a corresponding method and integrated it into the company's tool chain. The automatic tool integration facilitates traceability so that the analysis results can be reused for the design of the security concept and impact analyses are easier when new threats become known. This threat analysis method and Phoenix Contact's entire development process have been certified in accordance with IEC 62443.

Quo vadis security - an outlook

The aim of an ongoing internal Fraunhofer research project is the interdisciplinary development of an integrated tool-supported method that allows engineers to recognize potential dangers and threats to a system in the early phases of its development so that suitable countermeasures can be taken at an early stage. The early integrated safety and security risk analysis is intended to reduce development time and risk. The planned tool support also makes it easier to implement the requirements prescribed by safety and security standards. By evaluating the tool prototype with selected industrial partners, this research project is directly geared towards real needs.

The author: heads the "Requirements Analysis & Design" group in the "Secure IoT Systems" department at Fraunhofer IEM in Paderborn.

The increasing number of ransomware attacks and new malware such as Pipedream clearly show that it is time to take action. Anyone who fails to take security into account is acting negligently. This can also lead to personal liability in the event of damage caused by attacks within the meaning of the Product Liability Act and the duty of care of board members and managing directors. Security by design should be in the best interests of every automation company. The four must-haves - threat analyses, defense-in-depth security concepts, incident response processes and security training - should be among the first steps in the implementation process.
