Proven cyber security for industrial systems
Etteplan provides a new kind of service for industrial cyber security needs. A dedicated business unit combining security design and test automation operates from three locations, and it is part of the Software and Embedded Solutions services. We interviewed the unit director Mikko Lindström about specific issues related to industrial hardware and system security and how the new service addresses them.
If you think about the cyber security of industrial devices in general, what do today's threats look like?
Mikko: The Internet and IoT have changed the security landscape, and, for example, the cyber security of different bus solutions is a serious challenge. There is still a general misconception that equipment in industrial systems operates only on the internal network with no external connections. This is simply not the case, as devices tend to be parts of larger entities and they have to send information out of them. Often, people tend to be too naive in this respect.
How can these threats be managed?
Mikko: It is essential to bring cyber security to the designer's desk, so that security is included right from the start. This is the core idea behind our new unit. Etteplan can also provide the equivalent as a service if the customer does the product design in-house. In such a case our cyber security designer would work at the customer's premises throughout the project lifecycle to ensure that security is taken fully into consideration. Design for Testability (DFT) is a common target in electronics and software design, but when aiming at cyber secure software we use the term Secure by Design.
How does Etteplan test cyber security?
Mikko: Cyber security testing consists of both automated and manual tests that get their input from, for example, a threat modeling workshop at the start of the project. This generates malicious user stories into the product backlog.
As a matter of principle, our project testing plan always includes cyber security testing, but sometimes customers question the need for it under cost pressure. Of course, we would then discuss the issue.
What does a malicious user story mean?
Mikko: Together with the product team we identify the worst threats, which the team then uses to create so-called malicious user stories. In practice, the team strives to create scenarios from the viewpoint of potential attackers. This can be compared, for example, to negative testing, where a user inputs incorrect information and monitors how the system recovers.
Against these stories, we make test plans and start solving how to prevent the attacks from succeeding. This way threats are taken into account during the software’s entire life cycle. We have organized threat modeling workshops for several customers where we have taught how to integrate so-called DevSecOps thinking throughout the project lifecycle.
What does test automation mean?
Mikko: In short, a separate program is made for the software under testing, and combined with continuous integration tools. The program executes test cases without human interference.
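To make the workflow described in the last three answers concrete (threat modeling workshop, malicious user stories in the backlog, a separate test program run by continuous integration), here is an added illustration. It is not Etteplan's code or test product; the command handler, the story IDs and the session/role model are all constructed for this example. Each malicious user story becomes one negative test that carries its story ID, so a CI run can report exactly which stories the software under test withstands.

```python
"""Malicious user stories as automated negative tests.

Added illustration (not Etteplan's code). A small, constructed command
handler stands in for the software under test; each malicious user story
from a threat-modeling workshop becomes a test case that records its
story ID, so a CI run reports which stories the software withstands.
"""
from dataclasses import dataclass
from typing import Callable

# --- Constructed "software under test": a device command handler ----------
MAX_CMD_LEN = 64
SETPOINT_RANGE = (0, 1000)   # hypothetical allowed range for a setpoint


@dataclass
class Session:
    user: str
    authenticated: bool
    role: str = "operator"      # "operator" may read, "engineer" may write


def handle_command(session: Session, raw: bytes) -> str:
    """Return a response string; never raise on hostile input."""
    if len(raw) > MAX_CMD_LEN:
        return "ERR too long"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "ERR encoding"
    parts = text.split()
    if not parts:
        return "ERR empty"
    op = parts[0].upper()
    if op == "READ" and len(parts) == 2:
        return "OK 42" if session.authenticated else "ERR auth"
    if op == "SET" and len(parts) == 3:
        if not (session.authenticated and session.role == "engineer"):
            return "ERR auth"
        try:
            value = int(parts[2])
        except ValueError:
            return "ERR value"
        lo, hi = SETPOINT_RANGE
        if not lo <= value <= hi:
            return "ERR range"
        return "OK"
    return "ERR syntax"


# --- Malicious user stories from the (hypothetical) product backlog -------
@dataclass
class MaliciousStory:
    story_id: str
    title: str
    check: Callable[[], bool]   # True when the attack is prevented


def _anon() -> Session:
    return Session(user="anon", authenticated=False)


def _operator() -> Session:
    return Session(user="op", authenticated=True, role="operator")


def _engineer() -> Session:
    return Session(user="eng", authenticated=True, role="engineer")


STORIES = [
    MaliciousStory("MUS-01", "unauthenticated user writes a setpoint",
                   lambda: handle_command(_anon(), b"SET reg1 500") == "ERR auth"),
    MaliciousStory("MUS-02", "operator escalates to a write operation",
                   lambda: handle_command(_operator(), b"SET reg1 500") == "ERR auth"),
    MaliciousStory("MUS-03", "oversized command is rejected without a crash",
                   lambda: handle_command(_anon(), b"A" * 4096) == "ERR too long"),
    MaliciousStory("MUS-04", "non-numeric value does not raise",
                   lambda: handle_command(_engineer(), b"SET reg1 1e9") == "ERR value"),
    MaliciousStory("MUS-05", "out-of-range setpoint is refused",
                   lambda: handle_command(_engineer(), b"SET reg1 99999") == "ERR range"),
]


def run_stories(stories=STORIES) -> dict:
    """Execute every story; an exception counts as a failed story (a crash)."""
    results = {}
    for story in stories:
        try:
            results[story.story_id] = bool(story.check())
        except Exception:
            results[story.story_id] = False
    return results


def ci_gate(results: dict) -> bool:
    """CI exit criterion: every malicious story must be prevented."""
    return all(results.values())


if __name__ == "__main__":
    res = run_stories()
    for sid, ok in res.items():
        print(f"{sid}: {'prevented' if ok else 'NOT prevented'}")
    raise SystemExit(0 if ci_gate(res) else 1)
```

The story ID in each result is what gives the traceability mentioned later in the interview: a CI job can fail the build on the exit code and list the stories that were not prevented, and the same stories run unchanged against every new software version.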
What are the benefits of test automation?
Mikko: There are several benefits in automated testing, provided it is used properly. First of all, automation ensures accurate traceability, as all operations conducted by the test program leave a trace. Secondly, it guarantees repeatability, because the machine always does the same thing exactly in the same way, while human work always involves variation. In addition, it is more efficient because the tests and their parts can be reused to test different functionalities.
Test automation systems increase the transparency of software maturity. Testing metrics are easy to visualize. Also, you can keep track of the number of bugs the software under testing still has, and whether something changes when the software is updated.
A test automation system is always a long-term investment, as the more software versions are tested, the more time and money you save. As the features of the software change, the test automation system itself needs to be maintained and developed. You need to ensure that the testing continues to address the right things and keeps finding potential bugs.
Can you give an example of how Etteplan has automated cyber security testing for industrial systems in particular?
Mikko: For example, we have developed our own product to test security in industrial bus solutions, and no such product existed before. This is significant because even newer industrial systems use old buses such as CAN, Profibus, and RS232.
At the time they were created, there was no idea that they should be protected somehow. The buses contain several known vulnerabilities that are included in our test product, which checks whether they can also be exploited in the solution being tested.
What illustrative examples of the new unit’s projects can you give?
Mikko: For example, we have organized a hackathon event, conducted a security chip evaluation, and carried out penetration testing for our customers.
For many customers, the big thing is to protect their own IPR in the software of their embedded product. For them, we perform so-called reverse engineering, that is, we try to dig up the source code of the product or open up something that should be protected by a license. If we succeed, we look at how the code can be modified or retrieved or reinstalled to the device in a modified format. Based on our review, we propose changes so that IPR can’t be violated anymore. In addition, we conduct, for example, gap analyses in relation to a forthcoming security standard or regulation, and identify what deficiencies exist today and how they can be remedied.
What weaknesses are commonly revealed?
Mikko: In embedded systems, the customer often thinks that password protection is enough. However, if the architecture is poorly executed and password protection can be compromised, everything becomes possible for the attacker. A hacked device can be harnessed into a botnet or as an attack vector to a larger system.
In a system with a well-designed architecture, password protection is only one part of multi-layered protection that requires a lot of time and effort for an attacker to break. For example, we have expertise in systems hardening and we can guide how hardening is done.
What are the key principles of a cyber secure design?
Mikko: A good model is the classic CIA triad. It means that the system must maintain the confidentiality, integrity, and availability of information. There is a lot of talk about this, and it is a keep-it-simple model implemented in industrial environments as well.
It is important to remember availability because the system always exists for users. If usage is made difficult and access to information is poor, a person is likely to take shortcuts in the processes, which destroys the security of the whole solution.
What can make businesses and people realize the importance of cyber security in industrial environments?
Mikko: The traditional intimidation approach is not at all sensible. You need to understand the right business-critical threats and start tackling them. We always think on a project-by-project basis about what the biggest threats to the customer are. If you try to make completely shockproof systems, it costs quite a bit.
Etteplan brought together software testers and security experts at its three centers of expertise in Tampere, Hyvinkää, and Espoo. The teams serve customers throughout Finland. Measured by the number of employees, about 60 people are involved initially. The new service leverages Etteplan's long-standing experience and expertise in industrial device design, as well as embedded solution cyber security and testing.