When hackers eye the factory floor
By Nitzan Daube
Protect your industrial cyber infrastructure from advanced persistent attacks
The most important machines and systems on earth are at risk of attack.
The Industrial Internet of Things (IIoT) is evolving quickly, as factories across the world are increasingly switching to internet-connected sensors, monitors and other devices to operate and supervise their manufacturing operations more intensely.
While this digital transformation represents increased efficiencies, it also reveals potential security threats – more devices on the network with sophisticated operational capabilities are a prime target for adversaries looking to attack and impact the global supply chain. Among all of the operational systems within an industrial setting, the programmable logic controller (PLC, or programmable controller) is one of the most vulnerable.
PLCs prone to advanced persistent attacks
Modern PLCs are sophisticated, network-connected devices that form the backbone of both small manufacturing plants and large strategic infrastructure sites. Disruption of these industrial devices can cause catastrophic events on an international scale, hence the importance of implementing security solutions against a variety of attack vectors.
Cybersecurity researchers have already begun to unveil the vulnerabilities that PLCs in industrial settings hold. In August 2019, a group of Israeli researchers demonstrated an attack on the Siemens S7 PLCs, which are regarded in the industry as among the most secure controllers for industrial settings and are used in critical settings like power plants, building controls, production lines and other use cases. The group set up a mock-attack scenario that showed how hackers with access to the network and the PLC could set up a fake workstation that could be used to gain deeper access to the industrial system.
A sophisticated IIoT factory can be brought down by using advanced persistent attacks, known as APTs. APTs gain entry, thwart detection and amass information over a long period of time. APTs represent a threat to IIoT security because they may be able to slip under the radar of industrial systems monitoring and disguise themselves as part of the organization, as the Israeli group did in their demo of the Siemens S7 PLC attack. Because of this, security teams within industrial settings may not be able to detect their presence until it’s too late.
With increasingly complex attack methodology, dedicated and persistent actors like APTs, and the continued connectivity of industrial settings, there is no slowdown in sight for threats to the IIoT.
Developing protection strategies for the flash memory component is a way to protect IIoT devices, as the flash memory permanently holds the device’s logic and firmware, and the holy grail of any cyberattack is to have persistence – for example, surviving a device reset by modifying the flash memory with malicious code.
Protecting IIoT systems
A new cybersecurity protection monitoring and management approach, called flash-to-cloud, moves the root of trust out of the controller operating system (OS), into the flash memory.
By creating a root of trust in the flash that blocks code modifications in the protected memory, and moving the control from a vulnerable device to a trusted entity on the industrial company’s premises or cloud, a secure channel is created all the way from cloud to the flash, making it impossible for attackers to alter the firmware with any malicious code. This approach is agnostic to the processor and any software that is running on the device and avoids any latency in boot time or run time.
This flash-to-cloud approach can protect the PLC or the IoT device throughout its entire lifecycle – from manufacturing and supply chain, through its industrial setting, and until end-of-life. Flash-to-cloud isn’t just a software update or firmware fix – it provides a way to protect and manage the security of PLCs and industrial IoT devices to block attacks and prevent network breaches.
Of course, PLCs and other IIoT devices require continuous updates as technology advances. Using cloud-to-flash, the secure channel enables reliable firmware updates and trusted status and alerts.
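The gating idea described above, as an added illustration that is not from the article or from any vendor's product: a toy model in which the flash part refuses host writes to its protected region and accepts an update only when it carries a valid MAC from the management server and a fresh counter. The HMAC-SHA256 scheme, the shared key, the counter and all class and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

def _mac(key: bytes, counter: int, image: bytes) -> bytes:
    # Bind the image to a counter so an old, validly signed image cannot be replayed.
    return hmac.new(key, struct.pack(">Q", counter) + image, hashlib.sha256).digest()

class ManagementServer:
    """Trusted entity (on premises or cloud) that authorises firmware changes."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def sign_update(self, image: bytes):
        self._counter += 1
        return self._counter, image, _mac(self._key, self._counter, image)

class ProtectedFlash:
    """Toy model of a flash part that enforces write protection itself."""
    def __init__(self, key: bytes, firmware: bytes):
        self._key = key           # assumed provisioned into the flash part
        self._counter = 0         # monotonic, survives host resets
        self.firmware = firmware  # contents of the protected region

    def host_write(self, data: bytes) -> bool:
        # Device CPU/OS write path: always refused, so a compromised host cannot persist.
        return False

    def authenticated_update(self, counter: int, image: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(_mac(self._key, counter, image), tag):
            return False          # not authorised by the management server
        if counter <= self._counter:
            return False          # stale or replayed command
        self._counter, self.firmware = counter, image
        return True

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample value
    flash, server = ProtectedFlash(key, b"fw-v1"), ManagementServer(key)
    results = {"host_write": flash.host_write(b"modified-image")}
    cmd = server.sign_update(b"fw-v2")
    results["signed_update"] = flash.authenticated_update(*cmd)
    results["replay"] = flash.authenticated_update(*cmd)
    results["bad_tag"] = flash.authenticated_update(cmd[0] + 1, b"modified-image", cmd[2])
    results["firmware"] = flash.firmware
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the decision to accept a write never depends on the controller's OS, which is the property the approach relies on; the rejected replay and bad-tag cases are the events a management platform would surface as alerts.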
Where cloud-to-flash could have helped
In late 2014, attackers successfully gained access to an industrial site – a steel mill in Germany – by first hacking into the office network via a file in an email that, once opened, injected malware into the sales software of the plant.
Once on the network, the hackers attacked the production management software, which enabled further access and control over the plant’s control systems. After the attackers gained control, they destroyed critical parts of the infrastructure, for example by preventing a blast furnace from initiating its security settings on time, which caused physical damage in addition to the damage to the network. Though the motivation of the attackers was never confirmed, they were labeled as APTs because of their persistence and continued attacks on numerous components of the network and system.
With cloud-to-flash protection in place, first, the cohesive cloud-to-flash management platform would have detected the malware’s presence on the network. Second, the attackers would have been blocked from accessing the flash memory of PLCs and other edge devices on the network, thus rendering them unable to gain access to the control systems and see the attack through. The attackers would have been stopped before they could take critical control over the system, much like a dam stops a flood.
If a similar attack were conducted in a factory developing automotive products, for example, APTs might be looking to gain access to and control over production lines to impact the global supply chain. With more eyes trained on the vulnerabilities of the changing global technology supply chain, the issue of cybersecurity and finding new ways to prevent future issues has become top of mind for manufacturers, especially in this turbulent trade time.
As Western industrial manufacturers continue to choose China and other Asian countries for the development of hardware and products, they may lose a level of oversight and control over the path that these products take while in production, and may be exposed to cyber threats and bad actors that are looking to gain access through the supply chain.
The impact of IIoT management
Malware, vulnerabilities and bugs can all start a chain of attack that opens a window for attackers, particularly APTs, to enter and cause irreparable damage.
Flash-to-cloud can protect our critical infrastructure even if the PLC or other IIoT devices are hacked – this is an important and valuable proposition for CIOs, CSOs and other leadership responsible for keeping these systems secure.
Leadership for IIoT companies should look to implement new and resilient technology approaches to protect networks and industrial systems even as the IIoT expands and changes. The security of this infrastructure, as well as the global supply chain, depends on it.
Nitzan Daube is the chief technology officer of NanoLock Security.