‘Cyber-securing’ your plant

Photo: © Egor / Adobe Stock

At this point, all manufacturers, small and large, should already be paying serious attention to cybersecurity.
Cyber-attacks on manufacturers have been numerous in the last few years and included companies from many sectors. A short sampling includes OXO International (kitchen tools), JBS (meat processing), Visser Precision (space and defense), Norsk Hydro (aluminum), Renault-Nissan (vehicles), Mondelez (food and beverage), and Merck (pharmaceuticals).

Manufacturing was not the primary focus of attackers in the beginning. Even two years ago, according to cybersecurity firm Bitlyft, the manufacturing sector was number eight in the top ten most-targeted sectors. Manufacturers were not top choice as they generally didn’t have many internet access points compared to companies in other sectors, such as banking. Therefore, they collectively didn’t take much action.

But because there was money to be had through ransomware attacks – and there still is – more manufacturers started being targeted around 2017. They were ripe for the picking, as explained in a recent Deloitte cybersecurity report, not least because the focus of manufacturing technology “has traditionally been on performance and safety, not security, leading to major security gaps in production systems.”

At the same time, Industry 4.0 had started to emerge, with explosive growth in the amount of internet connectivity in manufacturing plants. And then the pandemic hit. With some employees having to work remotely for at least a short period of time in 2020, a rush to increase automation to deal with absent workers and physical distancing, and other factors, the IT systems in plants were pushed to new limits.

All these elements have caused manufacturing to move sharply up in sector ranking for volume of cyber-attacks. Bitlyft now puts manufacturing in second place, behind finance/insurance.

Today’s reality, explains Michael Lester, Director of Cybersecurity Strategy, Governance and Architecture at Emerson Automation Solutions, is that “manufacturers are under pressure from their boards to ensure the right level of cybersecurity is achieved to protect their manufacturing environments and processes from the increasing level of cyberattacks we are experiencing globally.”

Attack overview
As Deloitte says, cyber-attacks are motivated by money, revenge and competitive advantage.

Attacks against manufacturers, as with any organization, can range from external email phishing and internal malicious employee attacks/leaks to external attacks that seek to sabotage equipment or access intellectual property. Ransomware (a type of malware) is probably the biggest threat, where access to a company’s IT system or data is denied until the company pays the ransom.

And although it’s hard to get data on dollar amounts involved in ransomware attacks as that is not always made public, it’s safe to say ransoms are large already and will only grow larger.

Photo: © Egor / Adobe Stock

To bring their cybersecurity to the appropriate level, manufacturers first need to map their business and manufacturing systems. This, Lester explains, will help provide understanding and ownership of each process and achieve business continuity and resiliency objectives around cyberattacks.

A thorough threat analysis should also be conducted. It’s best practice to review the MITRE ATT&CK matrices, said Lester, “specifically the recently-developed MITRE ICS ATT&CK Matrix, which is based on a global knowledge base of adversary tactics and techniques used in real-world attacks.”

Securing automated plant systems
As part of their assessment of current security environment, manufacturers must understand that they’re at particular risk through their operational technology (OT) systems that run various automated processes. Many of these current systems are running with both outdated hardware and outdated software.

Indeed, because the manufacturing sector is seeing an increased volume of cyber-attacks, particularly involving malware and other increasingly-sophisticated threats, “we have seen a significant increase in attention on better securing OT environments,” said Paul Griswold, Cybersecurity Chief Product Officer, Honeywell.

Dr. Apala Ray, Global Cybersecurity Manager (process industries division), ABB and Bart de Wijs, Cybersecurity Lead, ABB notes that because OT systems play an important role in companies’ digitization journeys, with hyper-automation occurring through the use of ‘smart’ systems, there’s a strong need “to secure manufacturing plants from OT-related threats. There are inherent challenges expected from OT systems during these smart/digitization transformation journeys, and organizations must address them carefully.”

They explain that historically, a plant’s legacy automation, protection and control systems were based on specialized equipment with little connectivity, where today’s systems “are distributed and highly interconnected, and they are also increasingly connected to ‘cloud’ platforms” as well. To secure a plant’s OT infrastructures, an analysis to gain total visibility is a crucial first step. Then, say Ray and de Wijs, basic security controls can be put in place (but also properly maintained and monitored).

Hold onto your hat, because the next bit is somewhat technical. As Ray and de Wijs explain, “with regards to increased connectivity and associated risks from that, we see an increase of use of security controls defined in security level SL3 and SL4 of standard IEC62443-4-2.” Lester agrees. “We will see continued increases of capabilities built into manufacturing systems and components that include a secure-by-design approach in alignment with industry standards such as the ISA/IEC 62443 family of standards,” he said, “to enable higher levels of cybersecurity and factory protection or compliance.”

This standard, developed by the ISA99 committee of the International Society of Automation (ISA) and adopted by the International Electrotechnical Commission, provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). That is, the standard (also known as Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components) addresses IACS components such as embedded devices, network components, host components and
software applications.

Defence strategy
Once a manufacturer has worked with a reliable vendor to complete a threat analysis and assessment of current cybersecurity environment, the next step is to develop an in-depth defence strategy. Lester says it must address weaknesses and mitigates risk in every operation that could be impacted by direct or indirect attacks and should also include a risk-based prioritization of any gaps.

Griswold explains further that a specific OT security assessment done by a reliable vendor will help identify gaps in security controls, missing patches and other security issues. “Based on the results of the assessment, remediation actions are implemented to provide a more secure baseline,” he said. “From here, advanced technologies – such as continuous asset discovery, threat monitoring and asset discovery – can then be implemented.”

The overall defence strategy should also include planning for worst-case scenarios. Lester explains that for a manufacturing plant, this means having a clear backup plan for the failure of computer systems, plus having hard copies of orders, labels and contacts. While this may not be possible in every scenario at all times, it may enable plants to fully or partially operate even in the event of a cyberattack.

Lester adds that once the defense-in-depth strategy is in place, “it should be tested and reviewed methodically, purposefully and regularly to ensure it is effective and does not jeopardize ongoing operations or introduce other risks.” Roles, responsibilities and employee training should be updated.

And although it sounds like something that’s a no-brainer and needs no mention, strict measures need to be in place to guide every employee who interacts with a computer. Each interaction is a potential risk, and every employee needs to follow strong, fundamental security practices in their daily work, for example when creating and storing passwords, storing information and sharing information, whether in the building or from a remote location.

Future direction
In terms of where cybersecurity is going, Lester believes that manufacturers are going to need to consider using multiple technologies (but also always focus on people and processes in addition to technology).

Looking forward, he also foresees that “manufacturing and industrial-specific technologies will include more secure communications and capabilities that are robust and meet the requirements and specifications with the devices and systems being used to maintain safety, control and monitoring. Some cybersecurity technologies are specifically designed for use in manufacturing and industrial environments like The Dragos Platform to achieve inventory, visibility, detection, and response capabilities in operations that engage both the OT and the IT functions in an organization. These should have priority when reviewing how to achieve higher levels of manufacturing and
plant security.”

He adds that some existing technologies that are more prevalent in the Enterprise IT environments are also being used in manufacturing, but may have limitations or need to have significant configuration to work appropriately and prevent unintentional safety or control impact.

Along the same vein, Griswold explains that securing OT requires purpose-built solutions, as IT tools are often not designed for effective and safe use in OT. “While most security tools and processes originated on the IT side of the house, IT/OT convergence is driving demands for integration between IT and OT security,” he said. “In the next three to five years, we expect to see the emergence of solutions that bridge the gap between IT and OT, contextualizing OT cybersecurity events in a manner that can be understood and responded to by IT cybersecurity personnel.”

He adds that “additionally, due to a severe shortage of OT-specific cybersecurity skills, we expect many companies to opt for managed security services to provide cybersecurity programs for their manufacturing environments.”
__________________
Treena Hein is a freelance business writer based in Pembroke, Ont. E-mail her at treenahein@outlook.com.