Key points
Technological developments such as the Industrial Internet of Things and 5G are increasingly bringing connected devices and sensors into manufacturing environments. Yet as industrial businesses ramp up their investment in systems that incorporate connected devices, many of them are opening the door to functional safety, environmental and cyber security breaches.
The manufacturing industry has been hit by a number of cyber-attacks in recent years. Last month, German manufacturer Pilz was the victim of a ransomware attack that meant its systems were down for more than a week.
This summer in the US, the National Association of Manufacturers (NAM) identified suspicious activity relating to company systems, which it believes came from an attack by a foreign nation state.
Operational Technology (OT) cyber security controls
To mitigate cyber security threats like these, organisations must start by implementing strong Operational Technology (OT) cyber security controls, combining prevention, detection and response tactics to safeguard critical OT systems and valuable intellectual property.
Despite the warning signs, we have seen that many manufacturing businesses are still not following the most basic cyber security measures. This indicates a lack of awareness of how severe the impact of a security incident in this sector can be.
In most factories that are being retrofitted with real-time remote sensing and analytics, not enough attention is being paid to the secure implementation of systems and devices already lacking basic security measures.
The potential dangers need to be taken more seriously, and this must filter through all areas of the company. Perhaps cyber security isn’t considered often enough in the manufacturing world because of its complexities; implementing effective processes may seem difficult.
By their very nature, industrial environments are complicated, and a large proportion of the security risks come from the fact that machines which were designed to be deployed in closed networks are now being connected to open IT systems.
The additional risks that may result from this can be effectively assessed and mitigated if suppliers and end users work together to investigate the security of legacy and new connected devices.
Basic security requirements
The following six basic security requirements are recommended when designing and implementing IIoT connected devices:
Secure interface
It is essential to understand a device’s architecture and review its associated interfaces, software and hardware, for vulnerabilities.
Software/firmware integrity
It is crucial that IIoT devices, first and foremost, have the ability to perform updates regularly while cryptographically checking that each update comes from a trusted source.
Access control
Firms must review the various access controls to determine whether a device allows for the separation of roles, strong passwords and the sufficient protection of credentials.
Network services
Product manufacturers should ensure only necessary ports are available and exposed.
Backdoors
An IIoT device should not have undocumented functions or hidden entry points that can be easily exploited by the device vendor or any other third parties.
Security configuration
An attacker will often utilise the lack of granular permissions to access data or controls on a device. Manufacturers must scrutinise devices for sufficient security hardening by restricting user privileges.
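As an added illustration (not part of the original article), the Python below audits a device inventory against three of the requirements above that can be checked mechanically: network services, software/firmware integrity and access control. The record fields, the per-role port allowlist and the two sample devices are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed allowlist of TCP ports each device role may expose (illustrative).
ALLOWED_PORTS = {
    "plc": {502},              # Modbus/TCP
    "sensor_gateway": {8883},  # MQTT over TLS
}

@dataclass
class Device:                  # hypothetical inventory record
    name: str
    role: str
    open_ports: set
    accounts: dict             # username -> privilege role
    default_credentials: bool
    signed_updates: bool

def audit(device):
    """Return one finding per requirement the device fails."""
    findings = []
    allowed = ALLOWED_PORTS.get(device.role)
    if allowed is None:
        findings.append(f"network services: no allowlist for role {device.role!r}")
    elif device.open_ports - allowed:
        extra = sorted(device.open_ports - allowed)
        findings.append(f"network services: unexpected open ports {extra}")
    if not device.signed_updates:
        findings.append("firmware integrity: updates not cryptographically verified")
    if device.default_credentials:
        findings.append("access control: default credentials still active")
    if len(set(device.accounts.values())) < 2:
        findings.append("access control: no separation of roles")
    return findings

# Constructed sample inventory, not data from any real plant.
INVENTORY = [
    Device("press-plc-01", "plc", {502, 23, 80}, {"admin": "admin"}, True, False),
    Device("line-gw-02", "sensor_gateway", {8883},
           {"operator": "operator", "maint": "admin"}, False, True),
]

def audit_inventory(inventory):
    """Map each device name to its list of findings."""
    return {d.name: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

A role with no allowlist entry is reported as a finding rather than passed silently, so newly connected device types cannot slip through unreviewed.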
While there have been few substantiated reports of major attacks in manufacturing plants when compared with breaches in corporate data, that doesn’t mean they aren’t already happening undetected.
The concern is that the lack of major headlines, when compared to consumer and corporate data breaches, is actually feeding complacency around the issue. Yet, as we saw in IT, many firms are unaware that their OT networks have been breached, since there’s a general lack of monitoring.
The time to get this right is now, not just to mitigate the threat of cyberattacks, but also to allow manufacturing firms the opportunity for enhanced intelligence and streamlined operations, all with minimal cyber security risks.
There are also many lessons that the manufacturing industry can learn from other industries. Techniques that are routinely deployed on corporate networks to identify and quarantine anomalous behaviours – identifying attacks early, in other words – must be developed.
OT security recommendations
Fortunately, the most common issues we have encountered in our investigations are relatively easy to tackle. Addressing the OT security challenges that continue to put operations, and consequently business, at risk is essential. Here are our recommendations:
Governance
Make sure it is clear who is responsible for managing and maintaining cyber security. By making this the primary task of a number of employees, you can be sure that someone is always working on the protection of your systems.
Cyber security is a continuous process: continuous vigilance is necessary – a powerful argument for investing in the professional execution and tracking of your cyber security. As well as continuous monitoring, it is important to have an action plan in place in the event of a cyber-attack.
Secure by design
Make sure the system is ‘Secure by Design’. Cyber security must be part of the design and procurement of a system, up to and including the end of its lifespan. The Systems Development Life Cycle (SDLC) principles have proven to provide a reliable method that can be used to develop your systems safely.
Cyber security hygiene
As with any industry, good cyber security starts with the basics. That means simple things like ensuring good password policy for all users (on-site and remote), administrators and the IIoT devices themselves, where standards of practice still fall short. It continues with asset audits and ensuring that proper network segregation is used to protect vulnerable parts of the infrastructure.
Supply chain
It is essential that you look not only at your own company, but also at suppliers and other partners. You can have your business in order, but do those you work with adhere to the same standards? Be critical and set the bar high. Re-evaluating the entire supply chain and ensuring that business partners thoroughly understand the OT environment and its cyber security risks is essential.
Continuously test
Make sure cyber security is tested on a regular basis. We consider fire drills perfectly normal; the same should apply to rehearsing a cyber-attack. Let professional hackers try to invade your system and practise the next steps – involve your suppliers here too.
KPIs
Cyber security (and the potential risks) is not only management's concern. Every employee, at every level in the company, must be aware of the hazards and the points of attention. Develop an awareness-raising culture and make it mandatory for all employees. It is not a crazy idea to link the program to Key Performance Indicators.
Urgency
Fortunately, the importance of cyber security is becoming increasingly acknowledged, but not everyone is taking the measures that are involved seriously enough. Now that more and more new capabilities are emerging for threat actors, digital security needs to be prioritized. By following these steps, you can make things much harder for cyber criminals.