Conducting Gap Assessments to Secure Control Environments’ Cloud-based Solutions

Originally posted on the Claroty NexusConnect Blog.

The advancement of remote access technologies, machine learning, and artificial intelligence solutions is moving the industrial and automation industry toward cloud technologies faster and faster.

Some current examples of automation AI/ML platforms include:

• ABB Ability Genix Industrial Analytics and AI Suite,
• Siemens Machine Learning Platforms
• Schneider Electric AI Hub

Some examples of cloud-based industrial and automation solutions include:

• GE Digital’s Proficy Smart Factory MES
• Phoenix Contact’s Cloud computing
• Inductive Automation’s Ignition Cloud Edition

Organizations that are not prepared to understand these solutions are going to rely exclusively on their vendor and integrator teams to design, deploy, and maintain them. These solutions typically address security concerns in their deployment documentation. However, the ISA-62443 series of standards specifies that the owner/operator is responsible for the risks incurred by each of these solutions. These respective responsibilities are important to grasp and document.

To address these challenges each owner/operator requires a new set of skills. These skills start with personnel that understand cloud technologies. Unfortunately, the industry has a history of accepting new technologies and using their current personnel to implement them. The trust placed in vendors and integrators is not unfounded. But these vendor/integrator teams will implement the technologies following the requirements outlined by the owner/operator’s project team. To do this correctly the appropriate stakeholders need to be identified and tasked. This is required to ensure business continuity, reliability, and safety of the solution.

To understand these risks, we should review some of the cloud service challenges companies have experienced. The following is a list of compromised cloud credentials and exploited services that have impacted corporate and industrial organizations. These incidents have leaked data and negatively impacted operations.

• In March 2021 a hacker accessed the online platform of Verkada Inc., a cloud-based physical security platform. The threat actor accessed client customer data, video/image data, account credentials, and client site WiFi credentials. This compromise occurred because of an issue with an exposed customer support server. This breach is an example of how the management of a cloud service can have consequences across multiple clients and the solution’s online services and onsite resources.
• In July 2019 a company terminated an employee, but failed to disable their access to their AWS environment. After being fired, the terminated employee used their administrative credentials to retaliate. The former employee used their credentials to turn off all the company’s cloud services, then changed the email address and password for the root account of the AWS subscription. AWS was initially unable to recover the services. Fortunately, the former employee provided the new credentials and the services were restored. Had the employee selected a random password without saving it, the results would have been completely different.
• On May 11, 2023 CISA released an ICS Advisory for multiple vulnerabilities in the Siemens SIMATIC Cloud Connect 7 solution. This product is an industrial Internet-of-Things (IoT) gateway that provides owners/operators with the ability to connect their control environments with a wide variety of cloud platforms. The advisory describes device vulnerabilities that include hard-coded passwords, denial-of-service, and exposure of sensitive information vulnerabilities. The severity of these vulnerabilities earned them a CVSSv3.0 score of 7.2.

Understanding these and similar implementation risks is required when adding cloud services to an organization’s Cyber Security Management System (CSMS) program. Cloud-based risk management requires updating policies and procedures, assignment of organization responsibilities, planning and implementation of awareness training, and selection of countermeasures to be implemented by the owner / operator.

According to ISA/IEC 62443, the CSMS risk assessment process starts with an initial high-level risk assessment, also referred to as a gap assessment. The gap assessment requires gathering information about the cloud service, some of which must be provided by the product/service provider and the rest will be gathered by the project stakeholders.

Here is a breakdown of responsibilities for providing information for the gap assessment. Overall, the owner/operator is responsible for ensuring all the information collected is complete. The owner/operator’s project owner should review the data and ask clarifying questions until each section is completed. Stakeholders for this project include:

• Project Overview – Owner / Operator
• Cloud Service Description – Product / Service Provider
• Product / Service Foundational Requirements – Product / Service Provider
• Zone and Conduit Characteristics – Owner / Operator

These stakeholders will outline the full details about the project to include the cloud services and resources. The high-level data collected includes a description of the project, timelines and milestones, team leaders and administrators, and a list of components. Details about the cloud environments include identification of the cloud service providers, type and model of services, regions assets will be deployed, container services selected, and known countermeasures. The team will also have to identify regulatory requirements along with the capability and target security levels of the solution.

While it may seem like a lot of details, this list is just the starting point to completely understand the cloud-based solution. The vendor/integrator providing the solution needs to include additional details about how their cloud services and accounts are managed. This includes access management, roles and responsibilities, data flow, and other information to help understand the maturity of the solution. This task can seem daunting and there are a lot of details that can get lost in the mix. Thus, the project team needs to organize these efforts and there should be preparation before starting the task.

To aid in conducting a gap assessment for a cloud project the CloudSec-IACS project was started by the Cutaway Security team. This project provides a template that can be used to designate stakeholders and guide them through the information collection process.

The template provides a list of topics the team should collect to fully understand the solution and conduct a full gap assessment. Once completed, the gap assessment can be used to select the appropriate solution and countermeasures while providing the appropriate implementation requirements to vendors / integrators. Hopefully this helps your team secure your new cloud-based solutions.

If you have suggestions to improve the CloudSec-IACS project, please add an issue to the Github project.

Go forth and do good things,

Don C. Weber