Rethinking Cybersecurity for Industrial Control Systems
How Edge-Native Applications Increase Safety, Security, and Agility
It's a precarious time for cybersecurity in industrial and critical infrastructure environments. While cyber threats are relentless and constantly evolving, the industrial control systems that operate the instrumentation and equipment in these environments are dated, vulnerable to exploitation, and traditionally difficult to modernize – but edge computing applications offer a new way forward.
Growing threats facing the industrial edge
An industrial control system (ICS) is a complex system that typically includes microcontroller units (MCUs), programmable logic controllers (PLCs), instrumentation, communications and networks, and software used to monitor and control industrial processes. The ICS is the brains and nervous system that control and automate industrial processes in critical infrastructure such as chemical plants, oil pipelines, and power generation facilities, and these systems are increasingly being targeted with cyberattacks.
According to a June 2021 fact sheet published by the Cybersecurity and Infrastructure Security Agency (CISA), "ransomware attacks targeting critical infrastructure have demonstrated the rising threat to operational technology (OT) assets and control systems." Petrochemical plants, water treatment facilities, and even nuclear power plants have been targeted in recent years.
While it's true that all networks and data systems – not just ICS and OT – are facing increased threats and impacts from cybercrime, there are two distinctions that make the threat to these systems particularly dire: MCUs and their lack of agility, and the possibility of immediate, life-and-death impacts when breaches occur.
Challenges unique to ICS and OT assets
Within typical cloud and IT environments (outside of ICS and OT), cybersecurity is rarely constrained by the underlying technology. With massive storage and compute capacity, security software is smarter and can be updated on the fly to protect against new attacks. There are myriad security products that can be leveraged to detect and keep out malware and bad actors, and these systems have the agility, resources, and capacity for any number of security patches to be installed as new threats and vulnerabilities are discovered.
This is not the case with constrained devices that exist at the industrial edge in ICS and OT.
MCUs, for example, are essentially single-chip computers that control equipment and instrumentation. The software running on MCUs is the primary vulnerability in many legacy control systems. These tiny devices often have little or no password protection and extremely limited storage capacity, and the security software available is limited and static.
Patches and updates, if even possible, are far too infrequent to keep up with the persistent threat posed by ever-evolving cyberattacks.
As MCUs are critical components in most manufacturing and production operations, updating and/or replacing them has traditionally been a manual process that is risky, invasive, and expensive. Yet it's increasingly clear that leaving MCUs unprotected and vulnerable is a security breach waiting to happen, and breaches to ICS systems can have immediate and devastating consequences.
Further, if left unaddressed, the threat is compounded by digital transformation. As the industrial world becomes increasingly connected, ICSs have more exposure to the broader IT ecosystems and have even more vulnerability to emerging cybersecurity threats.
For many organizations, the calculus around maintaining these systems is something like: Which is worse, "bricking" a device (or hundreds of devices) with a patch that shuts it down, or leaving it vulnerable so that attackers can take control of it?
The scale of this vulnerability is staggering. MCUs manage an incredible range of critical infrastructure and industrial processes, including those for industrial automation, pharmaceutical production, food processing, water treatment, and chemical manufacturing.
By some estimates, more than a trillion MCUs are in service, with a large percentage in industrial IoT. It would not be possible to physically replace and upgrade that much hardware in any conceivable timeframe.
Fortunately, edge computing apps that serve as platforms between legacy ICS systems and modern cloud applications are now available and offer a better way forward in terms of reducing implementation risks and improving business outcomes.
How edge apps can help
An edge-native application platform, such as the one developed by Nubix, allows companies to build, deploy, and manage applications on constrained devices such as MCUs.
These apps work by using extremely small, pre-programmed, reusable code blocks, which we call tiny services, to bring constrained devices online while providing true isolation. The tiny services are encapsulated in containers, which is a new way to architect an MCU and provides a much safer compute environment.
Nubix's approach safehouses tiny services on MCUs and other devices with limited capacity, and effectively makes them look and act more like microprocessors. While Nubix is a low-code environment, our tiny containers can also be used to deploy customer-developed applications and firmware.
Nubix can be implemented at scale across the entire ICS on hardware already deployed, and the application is updated and redeployed without the current risky process of reflashing the devices – enabling smaller, faster, and safer updates.
Our software provides ICS operators with unprecedented security, connectivity, and visibility into their systems. MCUs and other critical components can be regularly updated and patched, monitored, and audited as threats are identified or as needed to respond to new threats.
As Nubix is a centralized hub out of the box, ICS operators can go a step further than individual device management and manage data and analytics for fleets of devices at scale. Updates can be managed and executed by device or fleet, as well.
Nubix also enables unmatched integration with IoT applications without compromising security. Within environments with IoT applications, communications to constrained devices only occur over encrypted network connections. Edge-native applications and containers are digitally signed and then verified by the device before allowing execution of the application on the MCU.
Business logic, initial setup and configuration code, and analytic algorithms can be updated, removed, or added on an as-needed basis to change the application footprint on these devices – shrinking the attack surface over time.
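The verify-before-execute gate described above, as an added illustration that is not Nubix's code: the operator signs a tiny-service image with an offline key, and the device, holding only the public key, refuses to load anything whose signature fails. The package layout (SignedApp), the name-binding digest, and the sample image bytes are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedApp is a hypothetical package format: the tiny-service image plus a
// signature made by the fleet operator's offline key over its digest.
type SignedApp struct {
	Name  string
	Image []byte
	Sig   []byte
}

// digest binds the service name to the image so that a validly signed image
// cannot simply be re-labelled and loaded in place of a different service.
func digest(name string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/image boundaries cannot shift
	h.Write(image)
	return h.Sum(nil)
}

// SignApp is the operator-side step: hash the package and sign the digest.
func SignApp(priv ed25519.PrivateKey, name string, image []byte) SignedApp {
	return SignedApp{Name: name, Image: image, Sig: ed25519.Sign(priv, digest(name, image))}
}

// VerifyBeforeLoad is the device-side gate: the MCU holds only the public key
// and returns an error (no execution) unless the signature checks out.
func VerifyBeforeLoad(pub ed25519.PublicKey, app SignedApp) error {
	if len(app.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature: refusing to load " + app.Name)
	}
	if !ed25519.Verify(pub, digest(app.Name, app.Image), app.Sig) {
		return errors.New("signature check failed: refusing to load " + app.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // operator key pair (constructed)
	app := SignApp(priv, "pump-controller", []byte("constructed tiny-service image bytes"))
	fmt.Println("genuine image:", VerifyBeforeLoad(pub, app))
	app.Image = append(app.Image, 'X') // simulate tampering in transit
	fmt.Println("tampered image:", VerifyBeforeLoad(pub, app))
}
```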
Edge-native apps are the ICS cybersecurity solution you've been waiting for
The unfortunate reality is that hackers and ransomware gangs have been successful in attacking ICS and OT systems, and these attacks will continue until organizations secure all of the vulnerabilities in their systems. The good news is that there is now a way to secure your systems without a major equipment upgrade or shutdown.
Nubix is the leading edge-native application platform for companies to easily build, deploy, and manage applications on constrained devices at the industrial IoT edge. With our technologies, companies can both improve security and take full advantage of the compute that exists at the industrial IoT edge, improving automation and production with better data and analytics.
I'm the CEO and co-founder of Nubix, and I'll be blogging about how our technology is securing critical infrastructure and helping companies optimize operations and improve their bottom line with comprehensive data and analytics. I hope you'll join the conversation – we'd love to hear from you!