Industrial Information Security: Challenges and Strategies

Currently, with the deepening integration of the two industrial sectors in our country and the acceleration of intelligent manufacturing, emerging technologies represented by 5G, industrial internet, artificial intelligence, big data, cloud computing, and edge computing are rapidly penetrating and integrating into the industrial production field. While this brings about a transformation in the industrial production system and operational models, injecting strong momentum into industrial production development, it also poses new challenges to industrial information security, leading to a continuous rise in industrial information security risks, frequent occurrences of industrial information security incidents, and an increasingly severe industrial information security situation.

「 1. The Significance and Connotation of Industrial Information Security

Industrial information security is the general term for information security in the industrial sector. Yin Libo, director of the National Industrial Information Security Development Research Center, pointed out in the article “Deeply Grasping the Connotation, Characteristics, and Focus of Industrial Information Security in the New Era” that “the essence of industrial information security is to ensure that the processes for completing industrial production tasks are not tampered with or destroyed, to achieve a normal production process and complete the established production goals, and to ensure that the flow of elements in the production execution process is not monitored or stolen; the goal of industrial information security protection is to ensure that the communication networks and internet services required for industrial enterprises’ production are uninterrupted, that industrial production equipment, control systems, and information systems operate reliably and normally, and that the data throughout is not damaged, altered, or leaked due to accidental or malicious reasons, thus ensuring the continuity of industrial production and business operations.

Industrial Information Security: Challenges and Strategies

Figure 1 Industrial Information Security Concept Relationship Diagram (Source: Industrial Information Security Industry Development Alliance “Industrial Information Security Standardization White Paper (2019 Edition)” )

「 2. Types of Industrial Information Security

Industrial information security involves various aspects of the industrial sector, generally including industrial control system security, industrial internet security, industrial big data security, industrial cloud security, industrial e-commerce security, and critical information infrastructure security.

1) Industrial Control System Security

Industrial control systems (ICS) are a collective term for various types of control systems, including those used in industrial production such as data acquisition and monitoring control systems (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and remote terminal units (RTU). Traditional ICS systems emerged before the internet, using dedicated hardware, software, and communication protocols, designed primarily to ensure high availability and business continuity, lacking effective security defense measures and almost never considering the communication security issues necessary for interconnectivity. As industrial enterprises push for digital transformation and intelligent manufacturing, and the large-scale use of new technologies and applications like cloud computing, big data, and the internet of things, ICS systems are transitioning from closed and independent to open, from standalone to interconnected, and from automation to intelligence, bringing security risks related to devices, networks, control, and data.

2) Industrial Internet Security

The industrial internet is an ecosystem formed by the comprehensive and deep integration of the new generation of information technology (IT) and traditional industrial operational technology (OT). It is a key information infrastructure for the development of industrial intelligence and has been explicitly included in the “new infrastructure” scope by the National Development and Reform Commission. The industrial internet connects industrial systems with the internet, breaking the relatively closed and trusted manufacturing environment of traditional industries, intertwining cybersecurity and industrial safety risks, and bringing various security issues and challenges including device access security, network communication security, platform service security, application security, and control and data security.

Industrial Information Security: Challenges and Strategies

Figure 2 Industrial Internet Security System (Source: Industrial Internet Industry Alliance “Compilation of Typical Security Solutions for Industrial Internet (V1.0)” )

3) Industrial Big Data Security

Industrial big data refers to the total data generated and used throughout the lifecycle of products and services in the industrial sector, including data generated and used by industrial enterprises in research and design, production and manufacturing, operational management, and maintenance services, as well as data on industrial internet platforms. In recent years, the application of industrial big data in China has made significant progress, with data-driven new models and new business formats continuously emerging in areas such as demand analysis, process optimization, and energy management. However, this also comes with new security risks, such as storage risks, privacy breaches, APT attacks, platform vulnerabilities, and data leaks. Furthermore, countries are increasingly emphasizing data and privacy protection, successively enacting data security-related regulations, such as the EU’s General Data Protection Regulation (GDPR), and China has officially released and implemented “Data Security Protection Level 2.0”, which also poses data compliance issues for industrial big data.

4) Industrial Cloud Security

Industrial cloud, along with the industrial internet, industrial internet platforms, and industrial apps, is part of the infrastructure for intelligent manufacturing. In recent years, as cloud computing has entered a popular phase, more and more industrial enterprises have begun to adopt cloud computing models to deploy information systems, making industrial cloud a trend. Industrial clouds connect to production systems, bringing efficiency improvements and cost reductions to industrial enterprises, but due to the immense value of the critical business systems they carry, the security risks of industrial clouds are increasingly prominent.

5) Industrial E-commerce Security

Industrial e-commerce refers to the process in which industrial enterprises conduct transactions, exchanges, and deliveries of goods, services, resources, capabilities, and information among themselves and with upstream and downstream enterprises, customers, and partners using information technology. Its essence is to reshape business processes using information technology and network resources. Currently, as many industrial enterprises actively explore innovative transaction methods, business models, organizational forms, and management systems relying on industrial e-commerce, regions such as Guangdong, Shanghai, and Hubei are also actively promoting the intensive, networked, and branded transformation of regional industrial clusters based on industrial e-commerce. However, with the rapid rise of industrial e-commerce, they also face a series of information security risks such as data being tampered with, lost, or destroyed, false transactions, and system failures.

6) Critical Information Infrastructure Security

According to the definition by the International Telecommunication Union, national critical information infrastructure refers to the information systems that support the physical national critical information infrastructure. In recent years, new technologies represented by 5G, cloud computing, big data, the internet of things, and industrial internet have been rapidly applied, with more traditional energy, electricity, transportation infrastructure, and bidding platforms connected to the internet, becoming an organic part of pervasive critical information infrastructure. These critical information infrastructures are the nerve center of economic and social operations, the top priority of cybersecurity, and potential targets for focused attacks; therefore, effective measures must be taken to ensure security protection.

「 3. The Situation and Challenges of Industrial Information Security

Compared with traditional network security, industrial information security is significantly different. The target value of industrial systems is much higher, and the complexity of their security systems far exceeds that of traditional IT network systems. In terms of guaranteeing target objects and security demands, it has its own particularities, often integrating multiple security requirements, including information security, functional safety, and production safety, with a greater focus on maintaining the reliability and stability of the production operation process. Furthermore, the sources of risk are more diverse, and the consequences of security incidents are more severe, potentially leading to equipment failures, system paralysis, production stoppages, and even safety accidents that could cause environmental pollution and casualties. Currently, with the accelerated development of industrial digitization, networking, intelligence, and service orientation, the overall situation and challenges faced by industrial information security are becoming increasingly severe.

1) Lack of Relevant Standards for Industrial Information Security

In recent years, although our country has successively released and implemented a number of foundational security standards for industrial control systems, filling the gap in industrial control system security standards, there are still gaps in industrial information security standards. For instance, the standardization work for industrial internet security is still in its infancy, with standards for network security, data security, and platform security of the industrial internet still under development. The Ministry of Industry and Information Technology recently issued the “Guiding Opinions on the Development of Industrial Big Data”, proposing various requirements such as accelerating data aggregation, promoting data sharing, deepening data applications, improving data governance, strengthening data security, promoting industrial development, and enhancing organizational guarantees, but the related standards for industrial big data still need improvement. Moreover, there has not yet been a formally released framework standard for industrial information security systems, making it difficult to effectively guide the information security construction of industrial enterprises.

2) Insufficient Attention to Information Security

Industrial enterprises generally exhibit a tendency to prioritize development over security, lacking sufficient attention to industrial information security, which often remains superficial and merely rhetorical, lacking effective information security management mechanisms and response measures, with insufficient investment in funds and personnel, resulting in industrial information security protection capabilities lagging behind industrial development capabilities.

3) IT and OT Managed by Different Departments, Difficult to Achieve Effective Collaboration

In many industrial enterprises, IT and OT devices and systems are typically managed by different departments, operating independently and causing significant differences in the security skills and motivations of IT and OT personnel. IT personnel are enthusiastic about software innovation and the power and processes of programming, but lack enthusiasm for how to apply these in the factory workshop; while OT personnel have engineering or manufacturing backgrounds and tend to be pragmatic in maintaining machine operations. This also leads to difficulties in achieving effective collaboration in industrial information security protection between IT and OT departments in the context of the accelerated integration of IT and OT systems.

4) Lack of Security Talent and Limited Security Skills

On one hand, there is a severe shortage of professionals who understand both information security and the industrial system environment, which restricts the enhancement of information security awareness and protection technologies. On the other hand, since industrial control devices must ensure 7×24 hours of high availability, they often do not allow for frequent debugging; even in the event of equipment failures or security incidents, recovery must occur in a very short time. Many industrial control systems have inherent flaws in their design, commonly featuring security vulnerabilities, and control protocols and software often lack security functions such as authentication, authorization, and encryption, thus increasing the difficulties in industrial information security protection.

5) Complex Involved Parties, Difficult to Define Security Protection and Supervision Responsibilities

For example, industrial internet business and data circulate between multiple levels, including the device layer, data acquisition layer, basic network layer, IaaS layer, industrial internet platform layer, and industrial application layer, involving multiple parties such as industrial enterprises, equipment suppliers, basic telecom operators, IaaS network service providers, industrial internet platform operators, and industrial application providers, making security responsibilities difficult to define. Furthermore, at the regulatory level, since the industrial internet involves numerous industries including manufacturing, energy, and water services, covering equipment safety, control safety, network safety, platform safety, and data safety, in this integrated state, regulatory functions for safety management and coordination are dispersed among various industry主管部门, lacking a regulatory system with clear responsibilities and powers.

6) Frequent Large-scale, High-Intensity Industrial Information Security Incidents, Industrial Sector Becomes a Major Target for Cyber Attacks

According to statistics from the National Cybersecurity Center, there were 17 publicly reported ransomware attacks in the industrial sector from 2017 to 2018, with the manufacturing industry being the primary target. According to the “2018 Data Breach Investigations Report”, there were as many as 536 data breach incidents in the global manufacturing sector, ranking sixth in the industry, with 375 incidents involving large enterprises, ranking first in the industry. As the value density of industrial enterprises increases and their reliance on networks grows, they will increasingly become the “ideal targets” for ransomware attackers. Table 1 lists the top ten industrial information security incidents from 2018 to 2019.

Table 1 Top Ten Industrial Information Security Incidents from 2018 to 2019

Industrial Information Security: Challenges and Strategies

Source: National Cybersecurity Center “2019 Industrial Information Security Situation Outlook Report”

「 4. Protection Technologies and Strategies for Industrial Information Security

In the face of the increasingly severe industrial information security situation, on one hand, the state should accelerate the formulation of relevant industrial information security policies and standards for industrial internet, industrial big data, and industrial cloud, constructing a regulatory system with clear responsibilities and sound systems; on the other hand, manufacturers of industrial control devices and systems, as well as providers of industrial cloud platforms, industrial big data platforms, and industrial internet products and platforms, should enhance the security and protective capabilities of their products and platform services; at the same time, industrial enterprises should also enhance their awareness and capabilities for information security protection, shifting from passive defense to active defense, establishing effective security management and response mechanisms. When necessary, they can also collaborate with professional industrial information security service providers to jointly build a solid defense against industrial information security.

Currently, the protective strategies against threats and risks to industrial information security mainly include:

(1) Security Risk and Vulnerability Assessment. That is, identifying and defining security risks and formulating security strategies, including evaluating and formulating security strategies and plans, security risk, compliance, and vulnerability assessments, and security governance policies and requirements. Most industrial security service providers offer such services. For example, IBM provides security intelligence operations and consulting services that can help promptly identify critical attack scenarios that may threaten OT devices, ensuring the security of the OT framework, improving its cybersecurity maturity, while establishing rapid detection and response plans and procedures for OT security incidents, and meeting various industrial control standards and industry norms.

(2) Network Segmentation and Boundary Isolation. That is, achieving external important information flow and access control through physical isolation of internal and external application areas and access control based on trusted processing units. For example, to effectively achieve boundary security protection between the internal network and the external network, and between the industrial control network and other networks, one or more boundary security devices are generally deployed at each network boundary, including industrial firewalls, industrial network gateways, unidirectional isolation devices, or enterprise-customized boundary security protection gateways.

(3) Device Security Hardening. That is, hardening devices and establishing mechanisms for discovering and updating vulnerabilities in devices and operating systems to ensure timely identification of relevant security vulnerabilities and patch upgrades. If necessary, hardware-based trusted computing and verification technologies can be used to support the secure boot of devices and the confidentiality and integrity protection of data transmission.

(4) Industrial Host Protection. The industrial hosts in the industrial field mainly include engineering stations, operator stations, servers, storage, and other host devices of industrial control systems, responsible for the workflow and process management, status monitoring, operational data collection, and important information storage of industrial control systems, serving as the command center of the entire industrial control system, and thus are often the main risk points in the industrial network. Threats such as virus intrusions and human errors mainly enter the industrial system through host devices. The protection mainly adopts “application whitelisting” technology, reinforcing industrial hosts through whitelisting software, establishing a security “whitelist” baseline for industrial hosts, ensuring that trusted programs and processes are allowed, while known and unknown malicious programs are blocked, protecting industrial hosts from virus or attacks targeting security vulnerabilities.

(5) Control Security and Protection. Generally, it starts from control protocols, control software, and control functions, strengthening technologies such as authentication, authorization, protocol encryption, protocol filtering, and malicious tampering, and ensuring robustness testing of control protocols, software security testing, and hardening before use.

(6) Data Security Protection. Generally, various protective measures can be taken in a coordinated manner, including data encryption, access control, identity authentication, data desensitization, and business data isolation, covering the entire lifecycle of data collection, transmission, storage, processing, desensitization, and destruction.

(7) Situation Awareness. That is, a comprehensive analysis and decision-making process for collecting, analyzing, predicting, and responding to security data across industrial production and office networks; using big data analysis, machine learning, and other technologies to analyze and model security behaviors, predict, respond to, and trace threats and attacks, and visualize the overall security state to provide data support for security decision-making in enterprise security operation systems.

(8) Defense in Depth. The concept in security management refers to creating multiple layers of overlapping security protection systems to form multiple lines of defense, ensuring that even if one defense line fails, others can compensate or correct it. Currently, deploying defense in depth is also a practical method for the industrial sector to respond to security threats, and many industrial information security service providers offer defense-in-depth solutions. For example, Siemens’ defense-in-depth solution provides comprehensive protection from factory security to network security, and then to system integrity. Factory security focuses on the physical protection of automation systems and information security management, with security services including processes and guidelines for implementing comprehensive factory protection; network security refers to secure communication within industrial networks, primarily aimed at achieving continuous and secure communication through professional planning, design, and implementation of efficient network structures; system integrity emphasizes comprehensive protection against unauthorized configuration changes and unauthorized network access at the control layer through integrated information security functions.

Source: Smart Manufacturing Garden

Recommended Reading

[Benefits]

Over 70 research institutes and universities are using it! This research tool has become popular.

Industrial Information Security: Challenges and Strategies

[Hot Topics]

Celebrating the 100th Anniversary of the Founding of the Communist Party of China – Academician Messages

Industrial Information Security: Challenges and Strategies

[Hot Topics]

2021 Academy of Engineering Academician Election Enters the Second Round of Review Candidate List

Industrial Information Security: Challenges and Strategies

Industrial Information Security: Challenges and Strategies

Leave a Comment