Vidar Hedtjarn Swaling at 4SICS 2016

Vidar Hedtjarn Swaling, analyst for the societal security and safety department at the Swedish Defence Research Agency, announced his department's research into how ageing is regarded, and dealt with, in the area of industrial control systems.

The research, focusing on nuclear, sewerage, processing, drinking water supply and transportation industries, asked what mechanisms drive the ageing measure of an ICS, whether ageing is an issue, and what the implications are for societal security.

Swaling said they began their research by developing an ageing model to define age, using a topological model, and conducting interviews to collect data on opinions to show how people think of ageing.

Turning to their first finding, he explained: “physical ageing is not considered strange or challenging in ICS - the more important aspect tends to be that the ICS has robust support should it break down.”

Swaling explained that if you don't fully understand how your device works, “you could easily get into a situation where things are beginning to fall apart, and end up wanting to replace it.”

The research explains how the length of support for a product, and the competence with which that support is provided, now determine the pace of ageing. That is, should a product lose support from its manufacturer, it will be considered obsolete and one which should probably be replaced.

The same problem arises from substitutions and a lack of spare parts: “things are aged when the supplier says so”, said Swaling. The increasing skills gap affects this too: recently graduated engineers are not interested in ageing systems.

Cascading ageing, where substitutions happen due to compatibility problems, is itself a cause of things being considered outdated. Public procurement is also a complicating factor, due to requirements of support warranties, access to support and system compatibility with new systems.

Digitalisation is found to be a driving force in ICS upgrades, because frequent, prompt software updates involve upgrading the whole structure, which now commonly combines both operating technology and traditional office-based IT.

With current trends showing a melding of ICS and traditional office-based IT, respondents are now saying, “we've begun to get the ear of the company's directors”, presumably because the ICS are considered business critical and there is increased understanding of the business risk.

One respondent said, “the further from Microsoft the equipment, the longer the stuff can stay.”

According to the research, security risks do push through significant upgrades if found to be putting the public at risk.

Concluding, Swaling said, “A general trend is that ICS is approaching IT, with all of its opportunities and challenges: online and cheap, but with increased exposure to the internet. The trend towards off-the-shelf instead of custom solutions goes hand in hand with having less intimate knowledge about how systems actually work and with a stronger supplier oligopoly.”

Adding: “Possible consequences of this situation may be vulnerabilities in the form of ‘black boxes’ and ‘patchworks’ of solutions, which complicate maintenance, planning and the opportunities for obtaining support. Altogether this makes protection against cyber-threats even trickier.”