Growing cybersecurity risks for smart factories
Adapting cybersecurity approach for a connected world
August 10, 2022 by Patrick O’Brien
The fourth industrial revolution has been called many different names including Industry 4.0, Industrial Internet of Things (IIoT), smart factories, cyber-physical systems and more – with the key change being the greater interconnectivity of automation systems allowing for real-time data collection and processing.
There are many possible benefits from this greater interconnectivity, including:
- More efficient operations
- Real-time adjustments to manufacturing systems
- Supply chain and sales coordination
- Improved maintenance tracking
- Enterprise resource planning
Although the shift to the fourth industrial revolution has the potential for many benefits, it also raises serious concerns for cybersecurity. In the past, manufacturing systems including line manufacturing and robotics applications relied heavily on extremely segmented networks, with PLCs used for control of individual lines or sections of lines. The specially designed automation equipment was originally intended to be operated in extreme compartmentalization, and as interconnectivity has grown, the cybersecurity risks for the manufacturing industry have increased significantly.
Cybersecurity risks facing automated manufacturing
The trend towards greater connectivity in manufacturing systems accelerated due to the COVID-19 pandemic, which led to an increased need for remote access to industrial systems. This resulted in more entry points for cybercriminals. A study by Morphisec found that the number of enterprise cybersecurity attacks nearly tripled since the start of the pandemic, rising from 10,000 per week in early February 2020 to 27,000 per week in May 2020 [1].
The increase in cybersecurity attacks was not limited to only IT networks. A separate study of 500 automated manufacturing organizations found that 61 percent of these smart factories had experienced a cybersecurity incident [2]. Of these incidents, three-quarters resulted in stopped production, which can have serious financial consequences.
Cybersecurity incidents in manufacturing systems can lead to physical consequences such as lost production, a major difference between IT risks and automated manufacturing cybersecurity risks. A 2014 attack on a German steel mill illustrated this when a blast furnace was prevented from shutting down safely, leading to severe equipment damage and loss of containment [3].
Understanding cybersecurity risks for automated manufacturing
Although many organizations currently conduct IT risk assessments on corporate networks, these assessments do not provide the needed granularity to accurately reflect automation systems.
Instead, automation risk assessments need to identify potential threats, pathways for attackers to gain access (from disgruntled employees/contractors to cybercriminals and nation-states), and system vulnerabilities to accurately determine the likelihood of a successful cyberattack. The IEC 62443-3-2 standard Security Risk Assessment for System Design provides a detailed methodology for completing an automation-focused risk assessment and can be a helpful starting point for organizations conducting cybersecurity risk assessments.
In addition to identifying an appropriate risk assessment method, it is also important to identify major potential sources of risk to automated manufacturing systems.
Remote access connections such as Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) are commonly targeted in attacks. There are many known vulnerabilities in RDP for legacy Microsoft systems. When exploited, these vulnerabilities can allow attackers to gain remote control of legacy systems that are still commonly used in manufacturing factories because of compatibility requirements with specialized automation systems [4].
Even when updated devices are used, if authorized users can legitimately establish access remotely, there is a potential for threat agents to do so as well. For remote access endpoints with weak or unused security features (especially those that are exposed to the internet), attackers can easily use common attack methods such as brute force to gain access.
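As a defender-side illustration of the brute-force risk described above, the following added example (not part of the original article) flags bursts of failed RDP logons from one source address and a successful logon that follows such a burst. The simplified log export format, the sample records, the function name and the threshold values are assumptions made for the example.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified export of Windows Security events as
# time,event_id,logon_type,source_ip,account. 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE = """\
2022-08-10T02:14:01,4625,10,203.0.113.7,operator
2022-08-10T02:14:09,4625,10,203.0.113.7,admin
2022-08-10T02:14:15,4625,10,203.0.113.7,admin
2022-08-10T02:14:22,4625,10,203.0.113.7,engineer
2022-08-10T02:14:30,4625,10,203.0.113.7,admin
2022-08-10T02:15:02,4624,10,203.0.113.7,admin
2022-08-10T07:58:40,4625,10,198.51.100.20,jsmith
2022-08-10T07:58:55,4624,10,198.51.100.20,jsmith
2022-08-10T08:03:11,4624,2,127.0.0.1,operator
"""

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (time, source_ip, kind, accounts) tuples."""
    recent = defaultdict(deque)   # source_ip -> (time, account) of recent failures
    alerts = []
    for ts, event_id, logon_type, src, account in csv.reader(text.splitlines()):
        if logon_type != "10":            # only remote interactive logons
            continue
        when = datetime.fromisoformat(ts)
        fails = recent[src]
        while fails and when - fails[0][0] > window:
            fails.popleft()               # drop failures outside the window
        if event_id == "4625":
            fails.append((when, account))
            if len(fails) == threshold:   # alert once when threshold is reached
                accounts = sorted({a for _, a in fails})
                alerts.append((ts, src, "failure_burst", accounts))
        elif event_id == "4624":
            if len(fails) >= threshold:   # success right after a burst
                alerts.append((ts, src, "success_after_burst", [account]))
            fails.clear()                 # a normal logon resets the counter
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE):
        print(alert)
```

The single mistyped password from 198.51.100.20 produces no alert, while the success that follows the burst from 203.0.113.7 is reported separately because it is the event that warrants immediate response.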
The risks of remote access continue to grow when employees connect to company systems using personal devices. A recent study found that 56 percent of employees use personal computers for working from home and 25 percent admit to failing to follow their company’s security policies for working from home/remote access [1].
Cloud and edge computing are two strategies for storing and processing the large amounts of data generated by smart factories. These empower manufacturers with applications to support real-time adjustments to automation systems and improve efficiency, supply chain/sales coordination and enterprise resource planning.
Cloud-based systems can provide the necessary capacity to complete many computing-intensive tasks, but shared cloud infrastructures can represent a common weak point for many different companies. This can be particularly critical when the IT team (internal or external) has limited experience with industrial automation systems, multiple levels of the automation networks are connected to the cloud, or an outdated cloud system is in use.
Edge computing uses resources physically located at the manufacturer’s site to pre-process the data and limit the amount of information that needs to be transferred to external systems. Although this allows for the manufacturer to have more control in how cybersecurity protections are implemented, it still is connected to external systems and creates a stockpile of confidential information that can be targeted by attackers.
Industrial Internet of Things (IIoT) devices such as smart sensors and actuators are commonly used to gather data. The collected information is not just used to automate machine functionality, but also to feed the advanced control activities and improve the visibility that is paramount to smart factories. As smart devices continue to be used more frequently, the potential for attackers to compromise networks through these smart devices grows. Wirelessly-connected I/O (input/output) points that can be controlled over Wi-Fi, and devices with enabled web servers are particularly vulnerable and should be considered in the risk assessment of the automation system.
Managing risk for automated manufacturing facilities
Managing the cybersecurity risks for automated manufacturing facilities may seem daunting at first, but the following strategies can help organizations make significant improvements.
- Adopt a cybersecurity lifecycle: A lifecycle is a process for managing cybersecurity throughout the entire life of a facility. Introduced in the IEC 62443-1-1 standard, the lifecycle helps organizations manage cybersecurity at three stages: assess, implement and maintain. Applying security more consistently through risk assessment, implementing cybersecurity protections during design, and carrying out ongoing activities such as patch management, anti-virus updates and monitoring make automated systems more resilient.
- Build competency: The human element can often be the weak point in security for automation systems. Common attack types such as phishing continue to exploit unsuspecting employees. Improving cybersecurity awareness for all personnel can help to significantly reduce the likelihood of an unintentional action by an employee triggering a cybersecurity incident. In addition to awareness training, more targeted role-based training also should be completed to provide personnel with the skills they need to successfully complete their cybersecurity responsibilities.
- Define response strategy: Regardless of how many protection layers are put in place for cybersecurity, there is always the possibility of a cybersecurity incident occurring. It is critical that organizations have a clear strategy in place to respond when one occurs. Of the cybersecurity incidents that resulted in downtime, 43 percent led to an outage of more than four days [1]. As the unplanned downtime from a cybersecurity incident increases, the financial impact increases significantly as well. A proper response plan, including identifying key roles and the key steps to limit the spread of the incident, communicating effectively with stakeholders and restoring operations, is an effective method for reducing the length of unplanned outages.
References
1. Michael Gorelik, How COVID-19 Has Altered the Enterprise Cyberattack Landscape, Morphisec, 2020, https://blog.morphisec.com
2. The State of Industrial Cybersecurity: Converging IT and OT with people, process, and technology, Trend Micro, 2021.
3. R. M. Lee, M. J. Assante and T. Conway, ICS CP/PE (Cyber-to-Physical or Process Effects) case study paper – German Steel Mill Cyber Attack, ICS SANS, Rockville, MD, 2014.
4. Prevent a worm by updating remote desktop services (CVE-2019-0708), Microsoft Security Response Center, Microsoft, 2019.
About the author
Patrick O’Brien, CFSP, CACS, is a safety and cybersecurity engineer at exida LLC. He leads a variety of functional safety and cybersecurity consulting services and training courses for end-user industrial facilities. He specializes in gap analysis, risk assessment techniques, and subsequent safety/cybersecurity lifecycle tasks. Patrick is a coauthor of Implementing IEC 62443: A Pragmatic Approach to Cybersecurity, one of the first books published on industrial cybersecurity. Patrick represents exida in the International Society of Automation Global Cybersecurity Alliance (ISAGCA).