Production is the lifeblood of every discrete manufacturing business, with professionals working to get high-quality product out the door quickly and within limited budgets. Advances in operational technologies and factory floor networking are giving operational technology (OT) professionals powerful tools to boost yields and reduce waste, but such tools cannot be implemented without an understanding of the resulting cybersecurity risk they open up.
Here is an overview of vulnerabilities often found in the OT environment and what preventative measures can be taken.
1. Insider Threats
Too often, cybersecurity efforts are focused on external threats. The possibility of malicious actions by an employee—often far easier to implement and more likely to occur—can be completely overlooked. Building a robust perimeter does little if the adversary is already inside.
Reasons for employee-induced cyber-attacks include disgruntlement and desire for revenge due to real or imagined company slights; betrayal driven by bribery or monetary gain; becoming reluctantly compromised due to threats or blackmail; cheap thrills; or boredom.
Another type of insider threat comes from a perpetrator who impersonates a trusted employee using stolen credentials. For example, even operators who check the logs may not be suspicious of changes to production specs that appear to come from the boss or a colleague, not realizing that the changes were made by someone masquerading as that person through misuse of their credentials.
No matter the source, protection against insider cyber events starts with visibility. If an alert is sent to the operator every time a change is made, then every change can be verified against authorized work orders. Unexpected, unauthorized changes, whether made with malicious intent or not, can be immediately reverted to the expected operational configuration.
2. Malware—Ransomware, Viruses, Trojans, Worms and More
Malware is malicious code that can infect the OT network and impact production in a number of ways, ranging from silly and annoying to shutting down production indefinitely.
Malware can be introduced to the OT network in a number of different ways. Infected PDF manuals and schematics are a common channel: when a contractor opens such a file on the plant floor to attend to a device, the malware is launched and spreads throughout the OT network. Malware can also enter through an attachment opened in an email, another reason why Internet-connected devices should not be connected to plant floor devices.
Unfortunately, malware is often not an end in itself, but the first step in malicious behavior. Malware can be designed to change configurations, capture passwords, open connections to external devices and so on. With proactive cybersecurity awareness, these changes can be seen and prevented.
3. Human Error
Not all cyber events are malicious—unintentional mistakes play a role in a high percentage of detrimental network impacts in a discrete manufacturing environment. Think how easy it is for a busy operator to enter 60 psi instead of 6.0 psi as a torque value. Detecting these errors and then remediating them is another important piece of a cybersecurity program.
4. Failing Equipment
Another common, non-malicious scenario that can impact the integrity of the production network stems from an imminent failure in physical infrastructure, such as a cable, a switch or a device like a PLC or HMI. All of these can affect quality and yields in the discrete manufacturing environment. These devices can generally communicate diagnostic data, but most of the time no one is proactively looking at it.
Numerous Cybersecurity Threats—One Protective Strategy
Any change to the network, whether purposeful, accidental or malicious, immediately leaves evidence behind. The problem is that, by default, such evidence is often incomplete, isolated and hidden somewhere in device logs, or not collected in the first place. That’s why operators look to solutions designed to provide continuous, real-time visibility into their network operations. Generally speaking, these follow a three-part strategy:
- Inventorying what you have and what it does
- Putting in protective controls
- Monitoring for changes or abnormal network behavior
There are foundational cybersecurity controls that you can begin right now to help reduce operational risk and detect and avoid the impacts of all the threats discussed above.
Step 1. Gain Visibility
Immediately take the guessing game out of the equation. You need to know what you have and therefore what you need to secure.
Visibility capabilities include:
- Understand and document all network communication between the industrial control network and the enterprise IT network.
- Understand and document all remote access into the industrial control network, e.g. vendor access via dial-up modems, VPN and cellular connectivity.
- Create and update asset inventory information for both hardware and software, including vendor, make, model, serial number, firmware version, and versions of installed software.
- Create and maintain a network topology diagram.
- Understand what industrial protocols are communicating and between what assets, such as HMIs to PLCs.
- Understand how assets and devices are configured and if those configurations are changing.
- Identify what vulnerabilities (weaknesses) are present in the environment.
- Implement a centralized log management solution to capture logs from all capable automation devices, including switches, PLCs, routers, firewalls, HMIs, etc.
Step 2. Implement Protective Controls
Protective controls help prevent or lessen the impact of cyber events. Ensuring network segmentation between the corporate enterprise IT network and the industrial control network is a great first step. This denies all unauthorized network communication through the use of firewalls or access control lists on networking devices.
Another effective protective control is system/device hardening, by which:
- All services that are not explicitly needed to run the industrial process are disabled, e.g. insecure protocols like telnet, which does not encrypt traffic
- Cybersecurity features such as logging, SSH and SNMPv3 are enabled
- The device/system is checked for proper configuration, e.g. default passwords are changed and password management (length, strength, complexity, etc.) is enabled
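The hardening checklist above can be turned into an automated audit. The following is an added example, not code from the article or from Tripwire; it reads a constructed configuration in a hypothetical "keyword value" syntax (no real vendor's format) and reports every violation of the three rules.

```python
# Constructed sample config in a hypothetical "keyword value" syntax (no vendor's); exercise input only.
SAMPLE_CONFIG = """\
service telnet enable
service ssh disable
snmp-server version 2c community public
logging host disable
username admin password admin
password-policy min-length 4
"""
# Well-known factory credential pairs; a real audit would use the vendor's own list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
def parse_config(text):
    """Reduce the config text to a dict of just the settings the audit cares about."""
    cfg = {"users": []}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3:
            continue
        if p[0] == "service":                          # service <name> enable|disable
            cfg[("service", p[1])] = p[2]
        elif p[0] == "snmp-server" and "version" in p:
            cfg["snmp_version"] = p[p.index("version") + 1]
        elif p[0] == "logging":                        # logging host enable|disable
            cfg["logging"] = p[2]
        elif p[0] == "username" and "password" in p:
            cfg["users"].append((p[1], p[p.index("password") + 1]))
        elif p[0] == "password-policy" and "min-length" in p:
            cfg["min_length"] = int(p[p.index("min-length") + 1])
    return cfg

def audit_hardening(cfg, min_password_length=12):
    """Apply the article's three hardening rules; return one finding per violation."""
    findings = []
    # Rule 1: services the process does not need are off (telnet carries credentials in clear)
    if cfg.get(("service", "telnet")) == "enable":
        findings.append("telnet enabled: cleartext management protocol, disable it")
    # Rule 2: logging, SSH and SNMPv3 are on
    if cfg.get(("service", "ssh")) != "enable":
        findings.append("ssh disabled: no encrypted management channel")
    if cfg.get("snmp_version") != "3":
        findings.append(f"snmp version {cfg.get('snmp_version')}: SNMPv3 expected")
    if cfg.get("logging") != "enable":
        findings.append("logging disabled: events never reach the central log server")
    # Rule 3: default passwords changed and a password policy enforced
    for user, pw in cfg["users"]:
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential still set for user '{user}'")
    if cfg.get("min_length", 0) < min_password_length:
        findings.append(f"password policy min-length below {min_password_length}")
    return findings
```

Run `audit_hardening(parse_config(SAMPLE_CONFIG))` to see all six findings for the sample; a config with telnet off, SSH and logging on, SNMPv3, non-default users and a 16-character minimum returns an empty list.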
Step 3. Continuous Monitoring
The third step is to implement continuous monitoring. Just like you have a SCADA to help optimize and control your industrial process, you need a cybersecurity solution to help optimize and control visibility into industrial cybersecurity events and ensure the protective controls you have implemented are operating correctly. This is not a one-and-done activity—it needs to be performed continuously, as automation systems are evolving and the cyber threat landscape is constantly changing.
Industrial cybersecurity monitoring helps continually answer the “How do I know” questions, such as:
- How do I know if my device/asset configurations are changing, and whether those changes put the device in an insecure state or deviate from my technical build specification?
- How do I know if my operational baselines (the configuration of a device or system that is specific to the environment it is running in) are changing?
- How do I know if one of my devices is on the brink of failure?
- How do I know if a rogue asset or protocol is now present on my control network?
- How do I know if my vulnerability risk profile has changed?
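The first two questions above, together with the earlier points about alerting on every change and verifying it against authorized work orders (insider threats) and catching a 60 psi entry meant to be 6.0 psi (human error), come down to one monitoring loop: compare what the device reports against a signed-off baseline, and raise an alert for any change that is either implausible or not covered by a work order. The following is an added example, not code from the article or from Tripwire; the asset name, work-order format and setpoint limits are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample data: the signed-off baseline for one PLC, one authorized work order,
# and plausibility limits for operator-entered setpoints (the 60 psi vs 6.0 psi mistake).
BASELINE = {"torque_psi": 6.0, "cycle_time_s": 12, "fw_version": "2.4.1", "telnet": "off"}
WORK_ORDERS = [{"id": "WO-1042", "asset": "plc-line3", "keys": {"cycle_time_s"},
                "start": "2024-03-10T08:00:00+00:00", "end": "2024-03-10T12:00:00+00:00"}]
SETPOINT_LIMITS = {"torque_psi": (4.0, 8.0), "cycle_time_s": (10, 15)}

def config_hash(cfg):
    """Stable fingerprint of a config dict; a cheap first test for any drift at all."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()

def authorized(asset, key, when):
    """True if some work order covers this asset and key at the observation time."""
    t = datetime.fromisoformat(when)
    return any(wo["asset"] == asset and key in wo["keys"]
               and datetime.fromisoformat(wo["start"]) <= t <= datetime.fromisoformat(wo["end"])
               for wo in WORK_ORDERS)

def check_drift(asset, baseline, observed, observed_at):
    """Return one alert per change that is implausible or has no work order behind it."""
    alerts = []
    if config_hash(baseline) == config_hash(observed):
        return alerts                                   # nothing changed, nothing to verify
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key), observed.get(key)
        if old == new:
            continue
        limits = SETPOINT_LIMITS.get(key)
        if limits and new is not None and not (limits[0] <= new <= limits[1]):
            alerts.append(f"{asset}: {key} {old} -> {new} outside plausible range {limits}; revert")
        elif not authorized(asset, key, observed_at):
            alerts.append(f"{asset}: {key} {old} -> {new} has no matching work order; revert")
    return alerts

# Constructed read-back: an authorized cycle-time tweak, a fat-fingered torque value,
# and telnet switched on with no work order covering it.
OBSERVED = {"torque_psi": 60.0, "cycle_time_s": 13, "fw_version": "2.4.1", "telnet": "on"}

if __name__ == "__main__":
    for alert in check_drift("plc-line3", BASELINE, OBSERVED, "2024-03-10T09:30:00+00:00"):
        print("ALERT", alert)
```

The cycle-time change passes because a work order covers it during the observation window; the torque value and the telnet change each produce an alert with the baseline value to revert to.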
If you are able to answer all of these questions, you will be able to keep your industrial process running without interference from cybersecurity events.
Gary DiFazio is the Strategic Marketing Director for Industry Cybersecurity at Tripwire. He has been in the technology space for over 26 years, spanning experience with systems, applications, networking, and cybersecurity through a number of industry verticals including telecommunications, manufacturing, retail, federal government, financial services, electric utilities, and logistics/distribution. Gary comes to the Belden family through the acquisition of Tripwire. After Belden acquired Tripwire in January 2015, Gary was part of the team to help drive Industrial cybersecurity solutions to both Tripwire customers and Belden Industrial Networking customers. Gary holds a bachelor of science in Industrial Engineering from Clemson University.