Implement AR Carefully

Augmented reality is proving to be a powerful tool for automation and control systems but do your cybersecurity homework.

By Syed Belal,Hexagon Asset Lifecycle Intelligence 

Augmented reality (AR) is rapidly becoming part of industrial automation and control systems, primarily as a tool to train new employees and guide experienced workers. It’s also proving useful as a tool to help engineers and technicians find assets quickly and easily. In addition, the technology is aiding the exchange of information between home-base engineers and field technicians, particularly for operations with inadequate manpower. 

That’s not the extent of the list. AR is being used to streamline collaboration and to develop process design and equipment layout. For example, users can place virtual equipment in the real industrial world to determine whether it will fit in the allotted space before spending the money, energy, and time to implement it in real life.

AR and Cybersecurity

One of the biggest perceived dangers of AR is the insight it provides to process safety and security. Critical infrastructure operational safety is at risk because AR technologies can see what the operator is doing. AR collects information about who the operator is and what they are doing to a much greater extent than operational technology networks or operators graphics. This raises concerns and questions:

• If attackers gain access to a critical device or asset, the potential loss is huge.

• How AR vendors use and secure the OT/ICS information they have gathered from industrial processes needs to be cross-verified.

• End users need to analyze how AR vendors store AR OT/ICS data—locally on the device or in the cloud. For any cloud storage, is the data encrypted in motion and in the cloud?

• Do AR vendors share this data with third parties? If so, has the risk been assessed?

While AR browsers may facilitate the industrial process, the AR content is created and delivered by third-party vendors and applications. This raises reliability concerns because AR is a relatively new technology and authenticated content-generation and transmission mechanisms are still evolving. Sophisticated attackers could substitute an operator’s or site engineer’s AR for one of their own, misleading process operation and/or providing false alarms.

Given the potential unreliability of content, AR systems can be used to mislead industrial process users. For example, attackers could change an operator’s perception of reality through fake alarm setting or graphics or lead them into performing actions that benefit the attackers. Moreover, AR attackers can embed malicious content into OT applications. Unsuspecting users may click or copy supporting websites that lead to hostage websites or malware-infected AR servers that house unreliable visuals.

Attackers may steal network credentials off network devices such as firewalls, switches, and routers. For industrial processes that use AR for network architectures, attackers may gain access to the credentials and view critical network-configuration files.

Another potential security attack is denial of service. An example might involve industrial operations that rely on AR for work suddenly being cut off from the operational technology network. This would be especially concerning for professionals such as operators and automation engineers using the technology to carry out tasks in critical situations, where not having access to operational information could have catastrophic consequences.

The convergence of physical and digital worlds in AR scenarios introduces safety risks. For example, if AR is guiding an operator in an industrial plant to perform a complex procedure, any form of malicious interference with the AR system could lead to devastating real-world consequences. The potential for AR systems to be tampered with, either to feed misleading information or to misrepresent actual conditions, could cause operator errors, machinery malfunctions, or catastrophic accidents.

Attackers can listen in on communications between the AR browser and the AR provider, AR channel owners, and third-party servers. This can lead to man-in-the-middle attacks. Attackers may gain access to an OT/ICS user’s AR device and record their behavior and interactions in the AR environment. Later, they may use these recordings to install ransomware. This could be embarrassing or distressing for asset owners who do not want to lose brand image and announce that they are victim of ransomware attack.

Finally, as AR is implemented, all the vulnerabilities associated with it are also implemented. OT/ICS assets are rife with vulnerabilities since not all the patches can be pushed to the OT/ICS endpoint to ensure security. On the top of that, if AR vulnerabilities communicate with the AR cloud servers, the OT/ICS systems become riskier.

The potential for AR system tampering could cause operator errors, machinery malfunctions, or catastrophic accidents.

Merging physical and digital

As we integrate AR technology deeper into our industrial processes, we are effectively blurring the line between the digital and the physical world. This powerful blend of realities holds incredible potential for operational efficiency and enhanced decision making. However, it brings to light a new dimension of cybersecurity threats that needs to be adequately addressed. 

This underscores an AR security conundrum. Therefore, it’s vital that, as we build these AR systems, we prioritize the development and integration of robust cybersecurity measures, designed not just to protect data integrity, but also to ensure the physical safety of users and the integrity of the real-world processes they govern.

Understanding the scope of these challenges underscores the importance of taking comprehensive stock of all industrial-control-system (ICS) assets involved in AR implementations. Maintaining an up-to-date inventory of these assets, complete with configuration details and the specific physical processes they govern, is a vital step in preparing for, and mitigating, the potential risks associated with AR. The essence of AR lies in its ability to overlay digital information onto real-world operations. Therefore, a detailed understanding of our ICS assets, their configurations, and their interactions with physical processes is a critical baseline. It provides us with an invaluable ‘source of truth’ against which we can measure and validate AR inputs and outputs.

This inventory helps to identify and monitor any unauthorized changes in the system. Unusual alterations or deviations could indicate a potential cybersecurity threat or breach. For example, if an AR system is guiding a manufacturing process based on certain parameters, and those parameters suddenly change in an unexpected manner, the asset inventory could help pinpoint whether these changes originated from within the ICS, an AR device, or from an external source.

Early detection of anomalies can potentially prevent not only data breaches but also possible physical accidents or disruptions, reinforcing digital security and physical safety. In essence, a comprehensive inventory of ICS assets and configurations forms the bedrock of industrial cybersecurity in the age of AR, acting as a primary defense mechanism against the dual threats posed to data and physical safety.

While AR technology will have an increased role within industrial operations over the next several years, end users and vendors must address security and “results trust” before handing over control without human intervention. EP

Syed Belal is an International Society of Automation (ISA, isa.org) member and Global Director of OT/ICS Cybersecurity Consulting at Hexagon Asset Lifecycle Intelligence, Stockholm, Sweden (hexagon.com). Hexagon is a provider of applications that create a replica of process and control systems for training, asset identification, inventory, and threat/vulnerability management, without affecting the industrial critical process or introducing more risk into the OT/ICS environment.