Cybersecurity in Manufacturing

Over the last decade there has been a lot of focus on the need for cybersecurity in manufacturing. It started with Stuxnet, which at the time felt like the end of the world as we knew it, yet turned out to be a very narrowly targeted attack on specific facilities. More recently, there has been concern about North Korea weaponizing many of the tools that systems integrators and manufacturing companies use to manage and troubleshoot control system equipment. This is a scary state of affairs, and it preys on “security through obscurity”, one of the key approaches many companies still rely on.

Why Cybersecurity is Difficult and Not Always Taken Seriously

Cybersecurity is difficult for four main reasons:

  1. Cybersecurity threats are a “tiger in the grass”

  2. Most manufacturing control systems have historically had at least one layer of protection: physical separation from the internet

  3. Many people who manage and design control systems do not have cybersecurity experience

  4. Secure systems usually degrade the day-to-day user experience

Tiger in the Grass

The idea behind the “tiger in the grass” theory is that people generally understand there is a threat, but that getting attacked is not a regular occurrence. Sure, it is terrifying when the tiger comes out of the grass and into the village where it can do immense amounts of damage. But afterwards, it goes back into hiding—and people stop heeding the threat. It is easy to be complacent when you haven’t been attacked, or after time passes since the last attack. You know there’s a threat, but with more pressing issues in your day to attend to, you become complacent.

In manufacturing, this attitude wasn’t a huge problem for many decades. Systems could not connect to the outside world, so a bad actor would need physical access to your facility to do much harm. That changed with IIoT: IT and OT networks are now connected more than ever. Unfortunately, while the threat exposure has increased dramatically, security efforts have not kept pace.

Security Through Obscurity

Until fairly recently, technological limitations meant control systems simply could not be connected to the internet. Back when Modbus was new and ran over serial connections, it would have taken a lot of time and skill to get data from a PLC into anything where cybersecurity exposure was a concern.

When industrial hardware vendors started adopting Ethernet-based protocols, most facilities still ran air-gapped systems. The control system was now capable of being connected to the internet, but it wasn’t physically plugged into it, because there was little need to get its data into more complex systems. Likewise, the cloud as we know it today didn’t exist.

With the advent of AWS, Azure, and the push toward machine learning as the next horizon for manufacturing, many manufacturing systems are now connected to the internet with very little regard for security. Yet the attitude of “we’re safe because you need to be here to break anything” has not changed with these new circumstances.

If you’re not convinced that is an issue, consider Shodan, a search engine launched in 2009 that indexes internet-exposed devices, including control system hardware, by the banners and protocol responses they return to anyone who connects.

Lack of Design Experience

Cybersecurity is a constantly changing landscape of threats, security measures, and risks. Unless you are a dedicated cybersecurity expert, it can be difficult to stay on top of every possible threat we face today.

But you don’t need to be an expert to implement basic protocols and security measures. Sadly, these are often lacking in many of the world’s leading manufacturing facilities. Common tools include VPNs, certificates, IP- and location-based access restrictions, two-factor authentication (2FA), identity providers and account management, and general operational security training for your users. Yet some companies still don’t have defined backup policies and procedures, so recovering from an attack can be an almost insurmountable task.

We still see companies putting their systems on servers with direct internet connections and not requiring VPN access to get into a SCADA system. Fixing these issues becomes a top priority for us and usually requires a fair bit of customer education. We’ve also seen many companies attacked after an employee clicked a link in a phishing email that should have been easy to spot and deleted. Phishing remains one of the most common attack vectors today.

Degraded User Experience

A major issue is that truly secure systems can be a pain in the neck to use. It’s very easy to pull up a web browser and get into a SCADA system. Compare that experience to a secure government or pharmaceutical system. There you not only need VPN access, you also need either an RSA SecurID token on your keyring or an authenticator app to get a two-factor authentication (2FA) code. You then need to log into a “jump server” to gain access to the facility network, and after that you still need another hop to reach the control system itself. While this is a very secure setup, it is a hassle from a user perspective, as it can add a few minutes to the process every time you need to log in.

When An Attack Happens

All of these points are moot when something bad happens. Commonly, an attack begins when someone clicks a link or opens an attachment in a phishing email. The attacker gets into the network through malware delivered by that compromised file, and then wreaks havoc, likely ensnaring entire systems in a ransomware scheme.

The company then gets serious about security and takes reactive measures to lock everything down immediately. They hope to have recent backups of the system to get it up and running again. Everyone’s life becomes much more difficult as they adjust to the new security measures. Usually, these new measures are not coupled with a training regimen, so users face all the negative aspects of a more secure system along with the same risky security culture that made them vulnerable in the first place, all while the tiger sneaks back into the grass.

The major problem with reactive security measures is that they usually focus only on the attack that happened. That approach won’t mitigate the very real risks of all the other attacks that could happen. Without updating the culture of the company and training people on the new state of affairs, the company is headed back toward total complacency and unnecessary risk.

Doing Better Than the Bare Minimum

A cybersecurity-forward mindset first requires getting your control systems up to modern standards. Connecting a legacy system to modern infrastructure, especially when bad actors like North Korea are weaponizing the very tools you need to manage these legacy systems, is something that should keep you up at night.

The next step is to educate and train your employees to take security seriously. This includes understanding how to detect suspicious emails and activity while avoiding common attack vectors like phishing emails.

Next, it becomes a technology push: VPNs, 2FA, dedicated per-user logins instead of shared admin/password and operator/password accounts, certificates, firewalls and DMZs. Lock down ports on your network to limit unnecessary access, and keep your critical equipment separated from the public internet as much as possible. The last thing you want is your system showing up on Shodan as an unsecured target.

Yes, a cybersecurity-forward mindset will add some headaches to day-to-day operations for your users. But it is well worth these slight hurdles to avoid the cost and hassle of a targeted attack, and then having to dig out of a hole because you ignored the warning signs that have been in front of you for years.
