Cyber warfare: As enterprises become more connected, and plant floors more mobile, manufacturers are arming themselves for battle against cybercrime
May 22, 2014 by Vanessa Chris
When an anti-virus company accidentally came across Stuxnet — a worm designed with the sole intention of targeting industrial PLCs — in 2010, it forever changed the manufacturing world.
It’s widely believed that the intricate and advanced virus was created by the U.S. government to secretly destroy the manufacturing practices of Iran’s enriched uranium plants. When a flaw in the virus allowed it to be detected — and, subsequently, a journal article to be written about it — not only did it introduce manufacturers to the importance of a sound cybersecurity infrastructure, but it also showed hackers how vulnerable industrial control systems really are.
“These attackers had 20 years of experience breaking Windows boxes,” says Eric Byres, chief technology officer of Tofino Security at Belden Inc. “Going after PLCs was like shooting fish in a bucket. It wasn’t a fair fight.”
Industrial cyber risks skyrocketed within a year of the Stuxnet discovery — jumping from five known vulnerabilities affecting PLCs to more than 200. That number has been increasing ever since.
Everyone’s at risk
Hacking industrial control systems has become a lucrative endeavour, involving more than just the stereotypical joy ride seekers that infiltrate computer systems for recreational purposes. Today, professional criminals, pseudo military groups, foreign intelligence agencies and insiders all pose a cybersecurity risk.
While the most attractive targets tend to be large enterprises, no company is immune.
“The connected enterprise has put security on the radar,” says Doug Wylie, director of product security risk management at Rockwell Automation. “It’s necessary now because of how these systems are designed and how they operate. Everything is interconnected, complex and easily targeted.”
Companies in competitive industries — such as the chemical sector — are at greater risk because if proprietary information is stolen, it can either be sold easily to a competitor or held for ransom. Small and mid-sized manufacturers are typically poorly protected, and are more likely to pay a ransom because they’d have a lot to lose if their critical infrastructure was taken down. And with destruction toolkits readily available –— in Russia you can buy a toolkit to attack a manufacturing system for $2,500 US, for example — virtually every company can potentially be affected by a disgruntled employee who chooses to take down their system “just because.”
Changing the cyber mindset
While cyber attacks pose a threat to all businesses, they’re particularly dangerous for manufacturers. As more enterprises become connected, and more plant floors become mobile, networks are becoming more vulnerable. New control systems are being added to older systems that weren’t originally designed to be integrated. And because the notion of cybersecurity is so new, it sometimes takes time for a supportive company culture to evolve.
These obstacles make developing a sound cybersecurity policy more difficult, but it’s not impossible. It just requires a different way of thinking.
“A secure, connected enterprise is within our reach,” says Wylie. “It’s important to realize, however, that there’s not one, single solution. A layered security model offers defence and depth. These two philosophies allow for a series of protection — not only do you create barriers for entry into a system, but it makes it easier to maintain operations as conditions change.”
Mark Fernandes, cybersecurity partner at Deloitte Canada, believes that increased cyber threats are merely a side effect of changing times.
“A connected enterprise brings a bigger threat profile, but better business value as well,” he says. “Secure mobile plant floors are possible. You need better zoning, better access control and better use of encryption to prevent interception and misuse.”
Captive portals are also handy tools for minimizing the vulnerability of mobile devices on the plant floor.
“Captive portals put restrictions on what a user can do,” says Byres. “Maybe it only allows for the device to be connected to one PLC, or disallows browsing on the Internet. The key is to tame mobile devices in a way that can work in a manufacturing setting.”
It’s also important to evaluate your risk profile regularly, and update your cybersecurity processes accordingly.
“Solutions are always changing,” says Wylie. “You have to make an ongoing investment to mitigate risk.”
When it comes to developing a cybersecurity strategy, there are plenty of resources available to help.
Most governments are beginning to recognize how important the issue is, and are responding accordingly. An executive order from the U.S. government, for example, called for the National Institute of Science and Technology (NIST) to develop the Cybersecurity Framework 1.0, which was released in February.
The voluntary framework, which includes global manufacturing standard ISA-IDC62443, is designed to help companies mitigate cyber risks by bringing a common language to the issue and assisting in the writing of company policies.
“It’s important that this cyber framework isn’t seen as just a U.S. document,” says Wylie, who was involved in the development of the framework. “It’s an effective tool that can be used across all countries.”
The Canadian government launched Canada’s Cyber Security Strategy in 2010, which includes Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC). The CCIRC shares cyber threat information with the private sector, and also offers advice to help companies prepare and recover from targeted attacks.
Private companies are also responding to manufacturers’ needs to strengthen and streamline their cybersecurity processes. Rockwell Automation, for example, offers clients consulting help to assist them in adopting the NIST cybersecurity guidelines.
Consulting firms like Deloitte also offer a full range of cybersecurity services. The company typically examines both the business and manufacturing side of a business, assesses threat risks, designs an implementation plan and assists in executing it. It can also help in monitoring ongoing risk threats.
Of course, to make use of these services you need company buy-in — which is likely the most important component of any successful cybersecurity strategy. Fernandes says companies should approach cybersecurity similar to health and safety — from the c-suite offices down to the plant floor.
“Many manufacturers have built a strong program around health and safety,” he says. “The same thing needs to occur for cybersecurity. In many ways, cybersecurity is tied to health and safety — attacks can cause generators to fail, pipelines to malfunction. Attacks can pose health and safety risks.”
Vanessa Chris is a freelance writer based in Guelph, Ont.
This article originally appeared in the May 2014 issue of Manufacturing AUTOMATION.