Vulnerability scan for Industry 4.0 with LARS

Not a day goes by without Industry 4.0 being touted as the future of the manufacturing industry. And it's true, the digitization of production environments is already gaining traction, in some sectors more than others. And with all these developments, everyone is concerned with the security of the brave new interconnected world. Now standard hardware and software are in control of motors, switches and pumps, the security risks must be kept in mind by automation engineers. This requires a methodological approach, which is best adapted and linked to a central ISMS policy. Specifically, a tool like Light And Right Security (LARS) can help companies to secure Industrial Control Systems (ICS). LARS was commissioned by BSI in 2014 and developed by Sirrix AG in cooperation with TÜV SÜD Rail GmbH. It helps companies to analyze existing ICS environments and current security measures in a simplified form. The components can be divided into categories such as “links à external network à field level” and LARS automatically displays common configuration errors and threats. Remote access is also detected. LARS divides the components into field level, control level and management level and assigns different attributes to each level. For example, encryption is not always possible at the field level and security measures include cross checking procedures. In contrast, encryption is possible at the system level. LARS recommends using encryption in addition to connection via the DMZ and other security measures.

The authors emphasize that LARS is not intended to replace a complete Information Security Management System (ISMS). The tool is designed to facilitate securing ICS infrastructure by providing a schema for easily analyzing and categorizing existing systems. LARS is not suitable for very large ICS environments as it is designed for small and medium sized companies which currently have limited exposure to ICS Security. The methodology has been significantly simplified compared to conventional protection requirements and risk analysis. Consequently, there are fewer security and analysis knowledge barriers to using LARS and savings in personnel costs. Once LARS has collected data, various reports can be generated by the user. This includes a list of measures that need to be implemented to achieve a higher security level. Once the measures have been implemented, the security level can be reassessed based on the changes.

Put simply, LARS acts as a reminder: Categorization helps companies not to forget any components and common threats associated with them. By sorting measures into traffic-light coded groups (implemented, partially implemented, not implemented and not relevant) companies can easily see where action is required. Measures which are not implemented are marked in red and companies can easily see that action needs to be taken. Predefined reports including an asset inventory and a prioritized list of measures can help users to coordinate and share information with other departments and the management. LARS also includes mapping to the ICS Security Compendium of BSI and standards such as IEC 62443, ISO 27001 and the basic protection catalogs of BSI.

In many companies, employees in the automation environment would like to implement more security or at least assess ICS vulnerabilities. Due to lack of know-how and because the task can seem daunting and time-consuming, efforts are not often realized without regulatory pressure. LARS was designed to help out in this kind of situation. With this tool, anyone can get started right away without deciding first which standards they want to comply with. They will still be pointed towards a methodology which can be used in the future for a complete ISMS. A clear conclusion: LARS can only be recommended.