Q&A: What manufacturers need to know about cybersecurity
By Kristina Urquhart
Cybersecurity software exec and former intelligence official David Masson discusses the top risks for Canadian manufacturers
By Kristina Urquhart
February 27, 2019 – As a former member of British intelligence agencies during the end of the Cold War, David Masson has witnessed cyber-attack threats move from the analog to the digital sphere, where he’s seen them proliferate, especially in manufacturing scenarios.
Now, Masson is applying his years as an expert in the field as the country manager for Canada at Darktrace, an artificial intelligence (AI) software provider that detects emerging cyber threats on industrial networks, the cloud and industrial control systems. He recently talked to Manufacturing AUTOMATION about what Canadian manufacturers need to be aware of regarding cybersecurity – and how to mitigate the risks in your operations.
Manufacturing AUTOMATION: In your experience, what’s the awareness level of Canadian manufacturers when it comes to cybersecurity risks?
David Masson: It’s getting better. That’s the good news. Many Canadian manufacturers are well aware of protocols and things like the NIST Cybersecurity Framework that are coming out of the States. They understand the importance of protecting their OT systems as well as their IT systems.
But for a long time, people weren’t really paying attention to their cybersecurity systems. People were too focused on IT and less focused on the damage that could be done to OT systems. The things that can affect OT systems have changed – primarily because the old myth was that our OT systems were air gapped from the internet. They weren’t connected, so therefore they weren’t under threat.
But they were under threat, because you could still have remote access attacks to the industrial control system (ICS). Even if you couldn’t connect to the internet, somebody could still have a go. What’s now become rapidly important to the manufacturing side in Canada is the Industrial Internet of Things. All of those PLCs and sensors on our ICS systems are becoming internet connected, and that’s just opened up a whole new threat landscape for ICS to come undone.
Cybersecurity is an increasing issue on IT systems. I want to point out that our government has told everyone it’s an issue in its annual report just last year – it’s not just vendors like me, or people like you who are saying it.
MA: You say that awareness is getting better. What’s the general sentiment among manufacturers – do they still need help when it comes to cybersecurity?
DM: They still need help. The biggest thing they’re looking for is visibility on their OT networks. It’s the same issue for IT networks – if you don’t know what you’ve got, how are you going to protect it? Because of the rapid expansion of connecting OT systems to the internet, the ways of [getting onto OT systems] proliferated very quickly.
So it’s visibility. What have I got in my industrial control system? Where is it? What is it doing? How is it doing it? Is it doing it the right way? Is it doing it for somebody else rather than us? Visibility has been a key issue, and trying to gain control of the threat landscape in the OT space.
MA: Can you point to specific examples that show the OT risks manufacturers need to be worried about?
DM: A classic was about five years ago at a steel manufacturing plant, where they have big smelters for melting steel. The bad guys were able to get into the OT side of the plant, and they switched the smelter off for a few moments. Those things can’t ever go off; they can’t ever cool down. But that’s what the [perpetrators] did – they let it cool down for a wee bit and that was basically the end of that smelter, the end of that plant.
Another interesting one was at a fleet manufacturer that made cakes and cookies. And some of their Industrial Internet–connected things were PLCs for bagging and slicing the cookies, and for blending the cake mix. And that’s basically what those PLCs were supposed to do – that and nothing else. However, the bad guys managed to get onto those PLCs on the OT network because although [the network] wasn’t supposed to be connected to the internet, it was. This is unusual, because usually the bad guys get onto the IT network first and then get onto the OT network. And this was the other way around.
What became pretty obvious fairly quickly were things like the blender getting “bored” of making cake mix and starting to communicate with its friends in the outside world – which it wasn’t meant to do and which was good news for the bad guys. One of the slicers started doing lateral movement, looking for information to ship and then send off the network. That’s not supposed to happen in OT networks.
MA: What about automotive manufacturers – are there specific risks for them?
DM: Automotive manufacturers are producing vehicles with speed that can cause a lot of damage if they are not under control. Manufacturers will be increasingly worried about the third-party supply chain being hacked, whether it’s just for IT purposes – getting your IP stolen, your plans, your budgets – or because people want in to see into the manufacturing process. Can you imagine what would happen if someone got a hold of the chemical formula for winter tires? Adjust it slightly and all of a sudden a whole batch of winter tires shreds within a couple of weeks of being put on.
For the automotive industry, the ultimate thing is they have to produce a safe product. So there’s a lot of concern that that isn’t affected by a cyber threat on the IT and OT networks. We’ve got automated self-driving cars on the horizon, and again there will be increasing concern for those working in that space to make sure that the networks that control the cars are going to be safe.
MA: Are cybersecurity threats always malicious attacks?
DM: A non-malicious cybersecurity threat would be where you’ve discovered a vulnerability that nobody knew existed, and luckily someone’s found it before the bad guys did. For example, there was a new device that appeared on a control network and it was sending a large number of what we call “broadcast communication requests” using an industrial communication protocol. ICS systems all run on these almost-individual, bespoke protocols. In response to just one of these requests, the device was revealing its exact make and model as well as stored IP addresses. Investing in an IP address that bypassed the device, we traced it to a normally unused communication in an active human-machine interface. There were no suspicious circumstances here, but it becomes an obvious vulnerability because you don’t want to give that kind of information away, particularly on an ICS system.
MA: So what can manufacturers do to mitigate their risk?
DM: My view would be that there’s still a fair bit to face. It’s not only that there’s too much in terms of the quantity, it’s now that there’s too much in terms of the sophistication. These attacks are not going to get less sophisticated; they’re going to get more sophisticated. And they’re not moving at human speed – machine speed is faster than you and I could think. Basically, humans are being overwhelmed.
Manufacturers need to start allowing machines to do a lot of this heavy lifting for them – in terms of identifying threats very, very early on, and in machines letting humans know what’s going on. Then the machines can actually stop these threats in the very early stages.
One of the ways you can do this is to basically understand everything about your network [using AI]. So just talking about OT, you need to know everything – where it is, and how it is. If you understand the pattern of life of the devices in your OT network, you’ll see changes to that pattern of life in the very early stages. And if you can do that, you won’t end up with a hack, because you’ll see every stage of an attack, or something unusual going on.
Now, this is AI – obviously when you’re talking in regard to manufacturing, the first thing people think is that machines are going to replace human beings. This isn’t actually the case. AI is actually using machines to support those overworked and stressed-out cyber people that you’ve got. They’re a very scarce resource. These people are difficult to find, and even if you could recruit more of them, you’re then talking to more people about [your threat] problem. Using AI supports those staff, allowing them the freedom to concentrate on what they really need to do on the OT network rather than running around whacking moles all the time.
MA: How does that work with the fact that many manufacturers are using aging infrastructure? Are you able to pair an AI platform with that or do they need to upgrade other equipment?
DM: You’re right to point out that much of the equipment is very old, and they’re using systems that were designed long ago that were not designed for security at all. It never even crossed their minds; they didn’t even dream that they would have to. The kind of AI pattern-of-life approach I just described – it wouldn’t matter how old or advanced the system was, or whether it gets patched or not. If you use AI, you can do it entirely passively – basically, you can tap off the network to gain all the raw network traffic that you need to analyze, without ever actually touching the OT network. That’s what we do at Darktrace. This is a great thing for ICS systems, because nobody wants you touching it or interfering with it in any way.
Remember I spoke about the blender that developed a mind of its own? A blender has a pretty bland pattern of life – meaning when it departed from that pattern of life, and it’s quite obvious that it did – with AI, you could then enforce the pattern of life. You could enforce the blender to blend, to stick to its pattern of life that it had up until that microsecond of change. By doing that, you can then isolate the event – you stop the threat that has landed there, it can’t do anything, and you don’t stop anything else. The blender keeps blending, the cookies keep coming through on a steel roll, the accountant keeps accounting. It just stops the change with nothing else affected. You can do that with AI. It’s a very useful thing for ICS systems to have.
This interview has been condensed and edited for clarity.