Embedded PLC Security Is Happening

From 2001, the advent of ICS security, until 2019, PLC security was a "bump-in-the-line": you placed a Tofino or other industrial security solution in the network path to secure network communication to and from the PLC.

This was widely understood to be a sub-optimal and temporary solution that would only be deployed in the most critical systems run by highly security-conscious asset owners. It is much better to have authentication, other protection controls, and detection integrated in the PLC. Better in terms of upfront and lifecycle costs, ease of deployment, and the potential security controls.

Did I say temporary? Maybe semi-permanent?

We are finally seeing security controls integrated into PLCs.

It began with offerings that wrap ICS protocols in TLS. Rockwell Automation released CIP Security and Schneider Electric released Modbus/TCP Security in their PLCs. More ICS protocols and vendors are taking this approach. It finally addresses the lack of authentication / insecure by design / access = compromise problem in PLCs and other Level 1 devices. Now we need to see asset owners use this feature.

Earlier this month Mitsubishi Electric and Nozomi Networks took embedded PLC Security to the next level by integrating a module that has access to the backplane data in the PLC in an offering called Arc Embedded. It extends Nozomi's sensor down to the PLC level.

The current features of Arc Embedded are only slightly better than what is available by monitoring network traffic and querying the PLC in the same manner as an engineering workstation or HMI would. In the briefing I thought claims of Level 0 - 1 east/west visibility and a couple of other areas were overstated.

Perhaps the biggest benefit of the current offering is the unsolicited response / report by exception approach when a potential security issue arises rather than waiting for periodic polling. This approach provides more timely security events and alerts with less network traffic.
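A small model of the polling versus report-by-exception trade-off described above, added here as an illustration; it is not Nozomi or Mitsubishi code. The event times, the 10-second poll, the 60-second heartbeat and the frame counts per exchange are constructed assumptions.

```python
# Added illustration: periodic polling vs. report by exception for PLC
# security events. All numbers below are constructed, not measured.
from dataclasses import dataclass
from statistics import mean


@dataclass
class Result:
    messages: int    # frames on the wire during the window
    latencies: list  # seconds between each event and the monitor learning of it


def simulate_polling(event_times, window_s, poll_interval_s):
    """Monitor polls every poll_interval_s; each poll is a request plus a reply."""
    polls = range(poll_interval_s, window_s + 1, poll_interval_s)
    latencies = []
    for t in event_times:
        seen = next((p for p in polls if p >= t), None)
        if seen is not None:  # an event after the last poll is not seen in the window
            latencies.append(seen - t)
    return Result(messages=2 * len(polls), latencies=latencies)


def simulate_report_by_exception(event_times, window_s, heartbeat_s):
    """On-PLC module pushes a report per event (report plus acknowledgement).

    A one-way heartbeat is modelled too, so a silent module can be told apart
    from a quiet process; that is an assumption of this sketch.
    """
    heartbeats = len(range(heartbeat_s, window_s + 1, heartbeat_s))
    in_window = [t for t in event_times if t <= window_s]
    return Result(messages=2 * len(in_window) + heartbeats,
                  latencies=[0 for _ in in_window])  # network delay ignored


# Constructed sample: four security events (seconds into a one-hour window).
EVENTS = [125, 1803, 1804, 3010]
WINDOW_S = 3600

if __name__ == "__main__":
    polled = simulate_polling(EVENTS, WINDOW_S, poll_interval_s=10)
    pushed = simulate_report_by_exception(EVENTS, WINDOW_S, heartbeat_s=60)
    for name, r in (("polling", polled), ("report by exception", pushed)):
        print(f"{name}: {r.messages} frames, worst delay {max(r.latencies)} s, "
              f"mean delay {mean(r.latencies):.1f} s")
```

Shortening the poll interval reduces the delay only by adding frames, while the report-by-exception cost is set by the event rate and the heartbeat.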

The most exciting part of Arc Embedded is you have security code with access to the PLC backplane. It's the beginning of PLC Endpoint Detection and Response (EDR). We've had bleeding edge research sessions at S4 on evaluating PLC logic and program changes for attack code and preventing it from loading. Let your imagination run wild with what security controls you could implement with this backplane access.

Sure there will be challenges with false positives, processing power, and latency. Arc Embedded architecture is finally at a place where a PLC vendor (Mitsubishi) could begin to tackle these challenges.

Arc Embedded is available in Mitsubishi Electric’s MELSEC iQ-R family of PLCs. The C intelligent function module is required, as Arc Embedded is a software solution running on that module. It can be purchased directly from Mitsubishi Electric, which is another type of integration.

I'll be watching for similar offerings from PLC competitors. This could be additional Arc Embedded integrations, other OT detection vendor solutions, or possibly a Rockwell Automation, Siemens, or ICS vendor doing it themselves.

Gordon Powell

OT Cyber Security Principal Consultant at Jacobs Engineering (BIAF)

3 months

Remember Bedrock?

Reply

Well, it is an option. If you don't do this then you end up with protocol-specific gateways which artificially map/filter traffic. Bypass the gateway and there is NO security - that's pretty much the NORM in industry. I've been working on CAN Bus, where the protocol folks have been creating a complex Android-based bluetooth per-point security filter yet the physical CANBus still has NO security. One could argue rightly that if an attacker has physical access to the wire, they can do a lot of damage regardless of per-node security.

Reply
Peter Rus

Foreseeing the unhackable future/ founder of operational zero trust 2012 /Third Party Risk Management specialist/CISO/ Supply Chain Protection (NIS2, DORA) | Strategic Planner | Tech Innovator/

3 months

So isn’t it all about secure access from the engineering station so the uploads or logic can be modified for efficiency purposes. Then you are already in unless you want this done from a not onsite spot which is highly non advisable. The question is how secure is it after quantum computers take over? And how do you take care of the 30 billion connectivity of IIoT. Trust the cloud and their security? You have seen where that led to with CrowdStrike, or the complexity that different vendors bring upon you with these non secure by design devices that can handle encryption due to their limited processing power. #time4achange #tripled

Reply
Jeremy Pollard

Automation veteran with Allen Bradley / Rockwell expertise (Legacy included)

3 months

Bedrock Automation had security built in.. I believe that they are defunct.. confirmation?? If true, what that showed is that security wasn't that important.. and vendors will not invest in intrinsic security items unless it means more users/business/market share.. full stop... there has to be a business case for it..... and affordable to boot:)

John S Rinaldi

Director of Creating WoW!

3 months

I'm no fan. One, it makes end devices more expensive. Manufacturers will buy the cheaper less secure valve over the more costly one that encrypts the 8 discrete points. Two, factory floor messages are consistent. Using a Dynics ICS Defender to white list all the messages out of a work cell is simpler and less expensive. Three, it will take forty years before a manufacturer can buy every device in the work cell with encrypted communications. Four, this makes everything more complicated for the manufacturer at a time when labor, especially skilled labor, is harder to come by. Train a guy up on understanding and configuring cybersecure devices and he'll be out the door with a 50% raise at the next place. I have about 6 more but that's enough for now. John
