Wireless technology, the Internet of Things, and factory automation have come together in a way that has helped manufacturers collect more data, make adjustments, and see what’s happening on the factory floor from anywhere, as long as they have an internet connection. This convenience and access to information have revolutionized the manufacturing industry, however, facilities are now less vulnerable to physical disruptions and more susceptible to digital ones.
- The most notorious attack on an industrial automation system was in 2010, as the Stuxnet computer worm attacked industrial programmable logic controllers within an Iranian nuclear enrichment facility, subtly manipulating the feedback data of centrifuge units. This is believed to be one of the first attacks carried out by a nation state, although the source of the attack was never authoritatively identified.
- In December 2014, a German federal agency confirmed that a German steel plant was targeted by a malicious email that allowed hackers to cross over into the production network. The plant’s controls system was compromised, preventing the furnace from being shut down. The result was the first time that “massive physical damage” to the production system was experienced; it catapults us into the new age of cyber-physical attacks with safety threats for humans.
- In December 2014, a leading industrial automation system provider patched a series of flaws in its remote terminal unit controllers used in oil and gas pipelines. The flaws included hidden functions, an authentication bypass, and hard-coded credentials, which could allow remote exploits of the devices. Although no breaches have been reported to date, the existence of vulnerabilities like this could cause extremely dire consequences.(&Q)
As more and more manufacturers automate their factories and connecting their factories to the Internet of Things, cybersecurity is becoming more important. The most dangerous security problem for an automated factory is the belief that the facility is already secure. By understanding what the vulnerabilities of a facility are, steps can be taken to make sure that those areas are secure.
Security myths and misconceptions
A number of myths and misconceptions have hindered the evolution of industrial automation system security. The most common include:
- “Our OT systems are still safely air-gapped because our manufacturing line isn’t connected to the Internet.” This is a popular and very dangerous misconception. Since 2010, it is highly unlikely that any manufacturing control system is truly isolated. Just one user who can access the production system while logged on to the Internet, or who connects to the system with a notebook or tablet, creates security vulnerabilities. Remember the Iranian nuclear enrichment facility and the German steel plant? Enough said.
- “We are running a 20-year-old proprietary system that isn’t vulnerable to modern-day attack tools and techniques.” The vulnerability in legacy proprietary systems is sometimes in the communications and protocols, rather than just in the systems themselves. Security through obscurity does not work anymore. Moving from a physical world to a virtual/data-driven world powered by software poses entirely new security challenges. If there is value in data, hackers will find a way to access it.
- “Security vendors will deliver a magic box that will protect our operating technologies in the same way that firewalls and intrusion-detection systems protect our IT systems.” There is no silver bullet to guarantee security throughout Internet-connected ICS systems.
Words of advice: Tips, tricks, and critical insights
No two businesses are the same—each has unique security infrastructures, operational technologies, and processes. Some have made considerable progress in creating converged IT/OT security solutions, while others are in the early stages. Regardless of where an organization resides on this continuum, here are some general guidelines to keep in mind.
- Establish a task force. Make sure it includes both IT and OT staff. Seek out key players in your manufacturing and industrial system controls groups, and include them in briefings and activities. Tour the factory or manufacturing facility and speak to supervisors and front-line personnel.
- Plan in phases. Target core functions that are achievable and measurable in reasonable time frames. For example, start by deploying intelligent gateways on key devices or production zones in one facility, and use that site as a pilot for event monitoring, management, and policy refinement.
- Select capable vendors who work well with others. Are potential vendors part of a proven ecosystem that includes system integrators, security experts, and manufacturing OEMs? Given the formidable complexities of securing industrial automation systems, there is no such thing as a single-vendor solution or technological silver bullet. Is security their core competency? Do they have expertise in embedded security and critical infrastructure? Lastly, can they deliver more than slideware or vision papers (i.e., do they have a reference architecture and customer references, and can they provide clear architecture designs and integration plans)?
- Insist on scalability. Make certain management and monitoring technologies scale to handle potential merger and acquisition activity, as well as what will certainly be a dramatic increase in Internet-connected devices and related security events as a company or utility grows.
By understanding what is true and what is myth about cybersecurity, a cybersecurity policy, and its infrastructure, can be developed for a manufacturing facility. By taking the process step-by-step and preparing for growth, cybersecurity can be developed for the manufacturing facility no matter how many machines, people, devices, or locations are connected or added.