The State of Industrial Cybersecurity Report 2018, from the Kaspersky Lab, found that 54 per cent of respondents who had experienced a cyber-attack on their industrial control system (ICS) noticed damage to their products or services. Industrial control systems are critical to business success, so how can we protect them better? Here Emil Pricop, senior lecturer at the Automatic Control, Computers & Electronics Department of the Petroleum-Gas University of Ploiesti, Romania, and freelance scientist for Kolabtree, explains how biometrics can increase the physical security of industrial control systems.
Control systems are critical components that run the air conditioning in our homes, the safety of our cars, and even industrial facilities — whether it’s a petrochemical plant, oil refinery, power plant or water and sewage treatment plant. In the last decade, the control systems became one of the preferred target for cybersecurity incidents. The attacks can be devastating for a business in more ways than just financially — they can completely disrupt processes, risk human safety, cause environmental harm, result in the leak of confidential information and ultimately lead to the shut-down of an entire facility.
There are a large number of cybersecurity measures that can be taken, ranging from access control lists, intrusion detection systems and next-generation firewalls (NGFW). All the mentioned measures are inefficient if the physical security of the industrial control systems is not properly assured.
Radio frequency identification (RFID) is one way of providing physical security for an ICS. Authorised personnel are given a card that enables access to the correct parts of a facility. However, cards can be stolen and used by someone else, and to prevent this, businesses are turning to biometric techniques.
DNA analysis is an extremely accurate biometric technique, but it is certainly not a practical one as it is invasive and time consuming. Voice recognition is less time consuming, but it still takes over three seconds to verify the user, which would be too slow if immediate action was needed. It can also be inaccurate — a person’s voice can change if they are ill, or a recording could be used to trick the system.
Fingerprint analysis is one of the oldest biometric methods and one that is affordable and well accepted. An alternative is palm vein template recognition, a non-invasive collection technique, where users can scan their palms for access.
Iris scanning is also growing in popularity — each person has a unique iris, which stays the same throughout their lifetime. However, iris scanning can be difficult. People’s eyes rarely stay still, and the shape of our eyes essentially forms a curved reflective surface that is partially obscured by our eyelids and eyelashes.
Facial recognition is likely to become the biometric method of choice for ICS security. It can be incorporated with existing surveillance systems and integrates well with artificial intelligence. To use it, businesses must have access to high levels of processing power, a large amount of storage space and good lighting conditions.
Two steps to safety
To improve accuracy, businesses can opt for a multi-factor biometric identification system, which uses more than one measurement. One problem with this is that in emergency situations when the user needs to issue a quick command, the system may be too slow.
A possible solution is storing the data in advance, so that only one rapid measurement is needed at the time of access can speed up the process. Businesses must consider how they store this data, so that it cannot be copied or stolen by a cyber-criminal — storing only part of the information is one way of addressing this. Researchers at the Seektron Company and Petroleum-Gas University of Ploiesti, Romania, have developed and patented a system that stores part of a user’s biometric data. It uses an RFID card that stores fingerprint templates and when the user requests access to a protected area, they scan their fingerprint to create a live template, which is compared with those stored securely on the card.
Ensuring the protection of data is of particular importance in biometric systems using templates. Not only could these be stolen and used to access other biometric systems, but attackers could also implant false templates to allow malicious actors entry. For this reason, it is a recommended practice for biometric systems to not transmit the information they collect across a network.
A protected and isolated authentication method is a significant improvement over the technologies used today. However, using limited data poses the challenge of templates being incorrectly matched with biometric inputs. A way of solving this problem is used in automatic eGates.
Increasingly, biometric security is becoming commonplace in many activities that require quick and accurate authentication. Automatic eGates globally almost tripled in numbers between 2013 and 2018, using fingerprint and facial templates to ensure that passport holders are who they claim to be. However, unlike the newly patented system, this authentication method occasionally requires encrypted biometric data to be exchanged across a secure network, which can be less secure than local verification.
Improving the technology through which biometric templates are stored and matched reduces the need for transmitting biometric data across a network. By avoiding the cat and mouse game of encrypting and exchanging data as a whole, the use of biometric RFID cards could allow system developers to maintain high security standards while protecting user’s privacy.
Using the technology safely
Despite the use of safe networks, cyberattacks are still a possibility. According to Kaspersky Lab, over ten per cent of respondents had experienced a cyberattack and directly lost contracts or businesses opportunities because of it. There is a clear need for increased levels of security within ICSs and researchers are providing the tools to achieve them. The cybersecurity and physical security of the systems are strongly linked.
Biometric technology provides an effective, affordable and easy to implement way of improving the physical security of an ICS. For these approaches to be successful, we need to increase acceptance among employees. As people get used to using commercial devices, such as smartphones, with fingerprint or facial recognition, biometrics in industry is more likely to take off.