In the context of manufacturing environments, the word “risk” used to be synonymous with “safety hazards.” While safety is still important, industrial risk now also encompasses concerns about protecting industrial control systems (ICS) from cyber threats.
The risk concern is not misplaced; one of the most significant threats to industrial systems in 2018 is encryption ransomware attacks, in which critical data is encrypted and held for ransom. The WannaCry and ExPetr ransomware attacks that swept the globe in 2017 taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than information technology (IT) systems.
Those attacks caused outages at utilities in the U.S. and Europe, as well as at manufacturers, telecoms, and public transportation systems.
Industrial Threats Come in Many Forms
Of course, ransomware isn’t the only cyber risk to industrial control systems. Attacks are carried out by all manner of terrorist groups, nation-states and industrial spies who want to infiltrate OT systems to monetize the data they can get, steal intellectual property such as manufacturing blueprints or formulas, deny service or do damage to the plants.
Cyberattacks gain all the attention, but even accidental disruptions can happen in manufacturing and industrial environments. For example, the manufacturing line for a large automaker was shut down completely for more than 24 hours when a system integrator made a planned change on the wrong PLC. The error occurred because the hard copy asset spreadsheet he was working from was out of date and inaccurate.
Whether by accident or attack, all of these developments should have manufacturing leaders considering their options for protecting their operations from unintended or unauthorized changes.
OT Security is Lagging
Cybersecurity efforts for operations systems lag far behind the IT arena, but companies are beginning to play catch-up. Nevertheless, there are challenges. Perhaps the biggest and most common challenge is that companies lack visibility into all the ICS assets they need to protect. Without automated asset management software providing constant updates, their existing asset inventory may well be outdated.
Another challenge is that security attributes aren’t necessarily inherent in ICS devices. Many PLCs, RTUs, HMIs, engineering workstations, OPC servers, etc. were not designed with security in mind. Nor were they envisioned to become part of the Internet of Things one day, and no one predicted years ago that there would eventually be IT-OT convergence, eliminating the traditional “air gap” and opening OT to vulnerabilities it had never faced before.
Then there is the issue of not being able to simply stop production to apply firmware updates that fix vulnerabilities. Maintenance of OT devices has to be planned long in advance, so it might be months before a system can be taken offline long enough to update device security. In the meantime, the company must live with the vulnerability or find an alternate way to mitigate the risk from the threat.
It's critically important to plug the ICS cybersecurity gaps. Toward this end, the National Institute of Standards and Technology (NIST) has issued a Framework for Improving Critical Infrastructure Cybersecurity to provide guidance on protecting industrial control systems and their environment.
Industrial-Specific Security Alternatives
Fortunately, purpose-built technologies are emerging to address the security visibility and control blind spots in manufacturers’ OT environments. Here are important capabilities to look for when evaluating industrial cybersecurity solutions:
Automated Asset Discovery and Management – As a baseline, an effective ICS security strategy requires that an organization know exactly what assets it has, their configurations and related activities. This requires automated asset discovery to gain situational awareness, see the big picture and simplify ongoing asset management. This includes the ability to discover and report dormant or non-communicating assets, and continuously update asset details, tracking all changes with extensive information to support backup and recovery.
Network Activity Monitoring and Anomaly/Threat Detection – Monitoring internal and external device communications and protocols within industrial networks using security policies can detect security threats and anomalies.
Controller Integrity Validation – Detecting changes to controllers made over the network or by physically connecting to the devices, including configuration changes, code changes and firmware downloads, is essential for preventing failures, outages and/or physical damage.
Vulnerability Assessment and Risk Management – This involves performing routine vulnerability assessments on all control devices to identify missing patches and misconfigurations, and risk-scoring each device so that conditions creating security exposures can be prioritized for remediation.
Incident Detection and Response – This is the ability to generate real-time alerts on suspicious activities and threats detected in the ICS network. It includes the ability to create a full audit trail of all ICS activities and maintain historical controller information to support backup and recovery.
Finally, these capabilities should be able to integrate with IT security technologies already in use by the organization, such as security information and event management (SIEM) software.
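The following is an added example, not code from the article or from any vendor's product, showing in miniature how three of the capabilities above fit together: network activity monitoring with a change policy (who may push changes to a controller, and when), controller integrity validation against stored baselines (which also catches changes made by a physical connection that the network monitor never sees), and rendering of the resulting alerts as CEF lines for SIEM ingestion. Every host address, controller name, program image and the vendor/product strings are constructed placeholders for this example.

```python
"""Illustrative ICS monitoring checks: network change-operation policy,
controller integrity validation against stored baselines, and CEF-formatted
alerts for a SIEM. All hosts, names, payloads and vendor strings are
constructed for this example."""
import hashlib
from dataclasses import dataclass

# Constructed policy: which hosts may change controllers, and when.
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}
CONTROLLERS = {"10.10.2.10": "PLC-LINE1", "10.10.2.11": "PLC-LINE2"}
CHANGE_OPERATIONS = {"program_download", "firmware_download", "config_write"}
MAINTENANCE_WINDOW = (2, 5)   # planned changes expected between 02:00 and 05:00


@dataclass(frozen=True)
class IcsEvent:
    ts: str               # ISO-8601 local time, e.g. "2018-03-04T03:12:00"
    src: str
    dst: str
    operation: str        # operation class as labelled by the protocol monitor
    payload: bytes = b""  # program/config image carried by change operations


def fingerprint(image: bytes) -> str:
    """SHA-256 of a controller program/config image, used as its baseline."""
    return hashlib.sha256(image).hexdigest()


def in_maintenance_window(ts: str) -> bool:
    hour = int(ts[11:13])
    return MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]


def analyse_network(events):
    """Apply the change policy to monitored traffic.

    Returns (alerts, audit_trail). Every event goes into the audit trail;
    alerts are raised only for change operations against known controllers
    that come from an unapproved host or fall outside the maintenance window."""
    alerts, audit = [], []
    for e in events:
        audit.append(f"{e.ts} {e.src}->{e.dst} {e.operation}")
        name = CONTROLLERS.get(e.dst)
        if name is None or e.operation not in CHANGE_OPERATIONS:
            continue
        if e.src not in ENGINEERING_WORKSTATIONS:
            alerts.append({"sig": "ics-change-unauthorized-source", "sev": 9,
                           "controller": name, "event": e})
        elif not in_maintenance_window(e.ts):
            alerts.append({"sig": "ics-change-outside-window", "sev": 6,
                           "controller": name, "event": e})
    return alerts, audit


def validate_integrity(snapshots, baselines):
    """Compare polled controller images with stored baselines.

    This catches changes the network monitor cannot see, such as a program
    download over a serial/USB connection on the plant floor. Returns a dict
    controller -> (baseline_hash, observed_hash) for every mismatch."""
    drift = {}
    for name, image in snapshots.items():
        observed = fingerprint(image)
        expected = baselines.get(name)
        if expected != observed:
            drift[name] = (expected, observed)
    return drift


def to_cef(alert, vendor="ExampleVendor", product="ICSMonitor", version="0.1"):
    """Render an alert as a CEF line for a SIEM (vendor/product are placeholders)."""
    e = alert["event"]
    ext = (f"src={e.src} dst={e.dst} act={e.operation} "
           f"cs1Label=controller cs1={alert['controller']} rt={e.ts}")
    return (f"CEF:0|{vendor}|{product}|{version}|{alert['sig']}|"
            f"{alert['sig']}|{alert['sev']}|{ext}")


# Constructed sample traffic and polled controller snapshots.
SAMPLE_EVENTS = [
    IcsEvent("2018-03-04T03:12:00", "10.10.1.5", "10.10.2.10", "program_download", b"LADDER-V2"),
    IcsEvent("2018-03-04T14:30:00", "10.10.1.5", "10.10.2.11", "config_write", b"CFG-B"),
    IcsEvent("2018-03-04T14:31:00", "10.10.3.77", "10.10.2.10", "program_download", b"LADDER-X"),
    IcsEvent("2018-03-04T14:32:00", "10.10.3.77", "10.10.2.10", "read_coils"),
]
BASELINES = {"PLC-LINE1": fingerprint(b"LADDER-V2"), "PLC-LINE2": fingerprint(b"CFG-A")}
SAMPLE_SNAPSHOTS = {"PLC-LINE1": b"LADDER-V2", "PLC-LINE2": b"CFG-B"}

if __name__ == "__main__":
    found, trail = analyse_network(SAMPLE_EVENTS)
    for a in found:
        print(to_cef(a))
    for ctl, (old, new) in validate_integrity(SAMPLE_SNAPSHOTS, BASELINES).items():
        print(f"integrity drift on {ctl}: baseline {old[:12]}... observed {new[:12]}...")
```

On the sample data the first program download is accepted (approved workstation, inside the window), the afternoon config write is flagged as outside the window, the download from an unapproved host is flagged as unauthorized, and the integrity check reports PLC-LINE2 because its polled image no longer matches the baseline. In a real deployment the operation labels would come from a protocol-aware monitor, the snapshots from periodic controller polls, and the baselines would be updated only when an approved change is confirmed.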
Industrial cyber security threats are no longer theoretical, unfortunately. Putting the right technologies in place to gain visibility and control over OT environments will allow plant owners and operators to keep their processes, equipment and people safe.
Mille Gandelsman is CTO of Indegy, a provider of industrial cyber security technology. He has led engineering efforts for Stratoscale and spent several years managing cybersecurity research for Israel’s elite intelligence corps. Mille is an IDF Talpiot graduate with over 15 years of experience in ICS and cybersecurity.