Cybersecurity horror stories abound, enough to give manufacturing data security chiefs frequent nightmares. As if tales of Stuxnet and the WannaCry ransomware cases weren’t enough, reports recently surfaced in several publications, including the Wall Street Journal, of hackers in Australia stealing sensitive data on high-profile defense equipment assets, including the F-35 Joint Strike Fighter (JSF). In the vast majority of instances, human error, such as not following proper cybersecurity protocols and using easy-to-guess passwords, appears to be the main culprit. This leaves data in banking, power infrastructure, aerospace/defense, and manufacturing vulnerable to ever-growing cyber threats.
One of the best ways to improve cybersecurity is the diligent application of software patches. In the infamous Equifax breach, the company failed to apply critical patches to Apache Struts, an open-source program used in its cybersecurity system. This enabled hackers to infiltrate Equifax’s databases and steal information on as many as 143 million people in the US, and more in the UK and Canada.
Bad press like this can give cloud software and cloud-based business operations a bad reputation. The reality is that cloud cybersecurity practices aren’t much different from those used for on-premises-only installations, but being on the cloud, connected to the Internet, gives hackers more opportunities to sneak in through unlocked doors.
Power grids, financial institutions and retailers have all been subject to cyberattacks. Manufacturing operations haven’t reported many major intrusions, but according to a study released in September, as many as half of small- to medium-sized businesses (SMBs) will pay a ransom on Internet of Things (IoT) devices to reclaim their data.
The study by Arctic Wolf Networks Inc. (Sunnyvale, CA), a security operations center (SOC)-as-a-service supplier, noted that 13% of SMBs have experienced an IoT-based attack, yet many are still not taking proper security measures. Conducted in collaboration with Survey Sampling International, the study found that most SMBs do not have advanced detection and response capabilities for ransomware, advanced persistent threats (APT), and zero-day attacks, like Stuxnet.
Security professionals and manufacturing experts agree that the steps for securing cloud data mirror those for users of non-cloud, on-premises data.
“People mistakenly assume that data in the cloud is secure, when it is only as safe as you make it,” said Brian NeSmith, Arctic Wolf Networks cofounder and CEO. “This means implementing a firewall, monitoring for suspicious activity and controlling access to sensitive data.
“The responsibility is not on the cloud service provider, but on a company’s IT team to secure any cloud-based data,” NeSmith continued. “Companies in regulated industries tend to think compliance is security. Compliance is a way to assess controls but it is definitely not security.”
The benefit of on-premises systems is that the user has greater control over the network from which the data can be accessed, he said. “For cloud-based data, anybody with an Internet connection can try to get access to the data. Diligent security controls and processes are the key, whether the data is in the cloud or on-premises. For example, if you inadvertently provide access to your internal network, anybody that finds that hole could potentially access your data, whether the data is in the cloud or on-premises.”
Ideally, manufacturers should have a security operations center (SOC) that is collecting, analyzing and investigating potential cybersecurity threats 24/7, NeSmith stated. “The SOC should be staffed by full-time security experts. Having IT do it as a part-time job is just not enough.
“Hindsight has shown that nearly all the major hacks were preventable,” NeSmith continued. “Equifax had a security patch they failed to install. Target had alarms but they were buried in the noise of their systems. Cybersecurity is not easy, and many companies make the mistake of thinking effective cybersecurity means buying the right products. Security is not about the products but how effective your security operations are.”
Manufacturers using Siemens solutions can leverage a combination of protocols and hardened network security hardware like the Siemens Scalance and Ruggedcom lines, as well as new cloud offerings. Siemens also operates its Cyber Security Operations Centers, which offer 24/7 data security monitoring and remediation assistance in the event of cyberattacks (see “Heading Off the Inevitable Hack Attack,” Manufacturing Engineering, October 2017).
With Siemens Plant Security Services, threats and malware can be detected early, vulnerabilities analyzed, and suitable security measures initiated, according to Henning Rudoff, head of Plant Security Services, Siemens PLM Software (Plano, TX). He added that continuous monitoring gives plant operators security transparency.
Cloud-based cybersecurity software can offer easier deployment and better operation options compared to traditional on-site deployments for customers not bound to local solutions by laws or internal restrictions, according to Rudoff. “Siemens offers cybersecurity software based on its IoT operating system, MindSphere, to help customers implement digitalization and security in parallel,” he said.
Industrial operators should typically start with an assessment to baseline their security needs and current status, e.g., based on IEC 62443, Rudoff advised. “Needed security measures could be organizational, like training the workforce to raise awareness, or technical, like the implementation of network segmentation or hardening of automation devices.
“In addition to protection concepts, customers with advanced needs should also deploy detection and remediation concepts,” he continued. “Detection can be achieved, for example, with Security Information and Event Management [SIEM] systems that help customers monitor their systems’ behavior [e.g., new devices on the network or failed login events]. In case of a security incident, a forensic analysis is recommended; it answers two questions—how can the system be brought back to normal behavior, and how can future incidents be prevented?”
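The two SIEM use cases Rudoff names, a new device appearing on the network and a run of failed logins, are the kind of rule a plant SOC would write first. The following is an added example, not code from the article or from Siemens, and the syslog-like line format, the device baseline and the sample events are all constructed for illustration. It keeps an approved-device list and a sliding one-minute window of authentication failures per user and source, and emits an alert when either condition trips.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). The format is an
# assumption: "<timestamp> dhcp lease mac=.. ip=.. host=.." for devices
# taking a lease, and "<timestamp> auth user=.. src=.. result=.." for logins.
SAMPLE_LOGS = """\
2017-10-12T08:00:01 dhcp lease mac=00:1c:06:aa:bb:01 ip=10.1.20.11 host=plc-line1
2017-10-12T08:00:05 auth user=operator src=10.1.20.50 result=success
2017-10-12T08:02:10 dhcp lease mac=00:1c:06:aa:bb:02 ip=10.1.20.12 host=hmi-line1
2017-10-12T08:03:00 dhcp lease mac=08:00:27:de:ad:01 ip=10.1.20.99 host=
2017-10-12T08:03:30 auth user=admin src=10.1.20.99 result=failure
2017-10-12T08:03:31 auth user=admin src=10.1.20.99 result=failure
2017-10-12T08:03:33 auth user=admin src=10.1.20.99 result=failure
2017-10-12T08:03:36 auth user=admin src=10.1.20.99 result=failure
2017-10-12T08:03:40 auth user=admin src=10.1.20.99 result=failure
2017-10-12T08:09:00 auth user=operator src=10.1.20.50 result=failure
2017-10-12T08:15:00 auth user=operator src=10.1.20.50 result=success
"""

# Baseline of devices the plant has approved (constructed values).
KNOWN_DEVICES = {"00:1c:06:aa:bb:01", "00:1c:06:aa:bb:02"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dhcp|auth) (?P<rest>.*)$")


def parse_event(line):
    """Turn one log line into a dict of fields; None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines, known_devices=KNOWN_DEVICES, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alert tuples: ('new_device', mac, ip, ts) or
    ('failed_login_burst', user, src, ts)."""
    alerts = []
    recent_failures = defaultdict(deque)   # (user, src) -> timestamps of failures
    seen = set(known_devices)
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "dhcp" and ev["mac"] not in seen:
            # First sighting of a MAC that is not in the approved baseline.
            seen.add(ev["mac"])
            alerts.append(("new_device", ev["mac"], ev.get("ip"), ev["ts"]))
        elif ev["kind"] == "auth" and ev.get("result") == "failure":
            key = (ev["user"], ev["src"])
            q = recent_failures[key]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("failed_login_burst", ev["user"], ev["src"], ev["ts"]))
                q.clear()   # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this raises two alerts: the unapproved MAC that took a lease at 08:03:00, and the five admin failures from that same address within ten seconds. The single operator failure at 08:09 stays below the threshold, which is the point of windowing: a typo should not page anyone, a burst should.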
To prevent intrusions, Siemens strongly recommends that manufacturers apply product updates as soon as available and always use the latest product versions. For information on product updates, customers can subscribe to the Siemens Industrial Security RSS Feed at http://www.siemens.com/industrialsecurity.
Strong systems and applying due diligence are musts for cloud providers, noted Srivats Ramaswami, CTO and vice president, IT, for manufacturing execution systems (MES) software developer 42Q (San Jose, CA).
“Manufacturers deal with sensitive data every day: traceability data, warranty information, device history records, and especially the engineering specifications for a product are all highly confidential. Trusting that data to a cloud-based system requires due diligence to ensure the provider has taken the proper steps to secure the data,” Ramaswami said. He advises users to seek out key cybersecurity features such as:
Just how secure is a manufacturing operation’s cloud-based data? “When manufacturing data is stored in the cloud, security is usually enhanced rather than diminished,” Ramaswami stated. “That’s because cloud suppliers devote enormous resources to ensuring their systems are as secure as possible, and are constantly updated to react to potential threats. While hack attempts occur dozens of times every day on cloud-based systems, to date there have been no major security breaches at systems used by manufacturers.”
There is a common misperception that cloud-based data is not as secure as on-premise servers, according to Ramaswami. “The truth is most on-premise systems fall far short of the security that the best cloud providers have deployed. In fact, I have personally seen passwords for supposedly ‘secure’ systems posted on Post-it notes alongside a rack of servers where the application is running. The security architecture of advanced cloud providers is virtually impossible to duplicate in an on-premise solution,” Ramaswami added. “For example, the cloud storage system utilized by 42Q was designed for 99.999999999% durability and up to 99.99% availability of objects over a given year; due to the high cost of this system, that’s out of reach for virtually every IT organization. To deploy tools like these in an on-premise environment would require not only large investments in infrastructure, but large teams to manage them, too.”
Ramaswami noted that Equifax doesn’t use an external cloud provider, but instead builds and manages its own infrastructure and applications. “According to the information made public so far, it seems Equifax could have done more to protect data security—the hack happened in May,” he observed, “while a patch for the vulnerability exploited was available more than two months earlier! This is an example of why companies should look at high-quality cloud service providers who monitor data and network security in real time.
“There is no magic bullet for security in the cloud; it takes a company with security in its DNA, and dogged attention to details on a daily basis,” Ramaswami continued. He noted that 42Q’s security includes physical defense within the data center and logical barriers at the firewall, standards for coding and password strength, continuous activity monitoring and malware scanning, and third-party testing.
For the most part, data is in good hands in the cloud—if common cybersecurity measures are taken and followed to the letter, according to proponents of the cloud.
“Good security practices are good practices, regardless of the physical location of the computing and storage, on-premise or cloud-based,” said Chuck Mathews, cloud evangelist, MachiningCloud Inc. (Camarillo, CA, and Stans, Switzerland). “Our top 10 include:
“Generally speaking, cloud-based data is more secure than on-premise data,” Mathews concurred. “Cloud companies employ security experts and have a fiduciary responsibility to provide high levels of security; it’s what they do. The average shop doesn’t typically have such expertise on staff.”
MachiningCloud is an independent provider of CNC cutting tool and workholding product data offering cloud-based data retrieval of machining data for machinists and manufacturers.
“The majority of us in the United States use cloud-based services every day of the week,” Mathews added. “Surfing the web, sending an e-mail, booking a plane or hotel, banking, paying our bills—all are cloud-based services. However, the use of cloud-based systems in CAD/CAM is very limited; most CAD/CAM software is desktop based and may only access cloud services for licensing, software updates, or reference data/libraries.”
Many highly publicized hacking events are outliers, things that could have been easily prevented with proper cybersecurity measures, according to Mathews. “However, some cloud-based services, such as single sign-on [versus double-authentication sign-ons], do present inherent security risks and should be avoided in high-security situations,” he said.
Cloud-based data may not be a perfect fit for every application, including CAD/CAM or high-response apps, and for some operational technology (OT) found in near-real-time automation on the factory floor.
“The general consensus is that cloud-only cybersecurity measures will never be sufficiently robust to completely remove the cyberthreat to critical infrastructure,” said JC Ramirez, director of engineering, product manager, ADL Embedded Solutions (San Diego), a developer of embedded systems PCs and automation hardware. “Hence, the trend is towards bringing cyberthreat security hardware/software solutions closer to these critical assets. This parallels similar trends in industrial IoT/IIoT with new paradigms like Fog and Mist computing bringing cloud computing closer to the edge of the fabric for a variety of reasons having to do with robust industrial system control, but also enhanced cyberthreat security to high-value industrial assets.”
Cybersecurity for industrial and infrastructure assets uses many of the same network security measures common for years in IT systems, Ramirez noted. “The critical difference is that threats to critical infrastructure and equipment can have significant real-life repercussions to personnel, public safety, or high-value assets. For that reason, the best cybersecurity measures should rely on a team-based approach that includes not only IT personnel, but also control engineers, operators, on-site management representatives, and on-site physical security personnel at a minimum.” He added that the National Institute of Standards and Technology (NIST) Special Publication 800-82, “Guide to Industrial Control Systems (ICS) Security,” is a good reference.
Some automation suppliers seem to be hedging their bets on cloud systems, perhaps with good reason. In September, Rockwell Automation Inc. (Milwaukee) launched a new on-premises threat detection service aimed at helping companies detect and recover from intrusions. It features technology from OT applications developer Claroty (New York) that aims to offer “clarity” to the OT space.
The threat detection service is a passive, nonintrusive security solution, and takes a product-agnostic approach to create an asset inventory across both IT and OT systems in an industrial operation, according to Umair Masud, Rockwell consulting services portfolio manager. The system goes deep into industrial network protocols and uses threat detection software to map the end user’s network assets and how they communicate with each other.
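A passive inventory of this kind works from traffic a sensor sees on a mirror port rather than from anything it sends to the controllers. The following is an added example and is not Rockwell's or Claroty's code; the flow-record format, the IT and OT address ranges and the flows themselves are constructed for illustration. From the records it derives which services each asset offers (labelled by well-known industrial and IT ports), who talks to whom, and which conversations cross the IT/OT boundary, the zone-firewall question the article raises later.

```python
import ipaddress

# Well-known service ports used to label what a device serves. The port
# assignments are public (IANA and vendor protocol specs); the mapping itself
# is this example's choice.
SERVICE_PORTS = {502: "modbus-tcp", 102: "s7comm", 44818: "ethernet-ip",
                 4840: "opc-ua", 443: "https", 3389: "rdp", 22: "ssh"}

# Zones assumed for this example (constructed): an IT network and an OT cell.
ZONES = {"IT": ipaddress.ip_network("10.1.10.0/24"),
         "OT": ipaddress.ip_network("10.1.20.0/24")}

# Constructed flow records, "ts src dst proto dport bytes", as a passive
# sensor summarising mirrored traffic might emit them.
SAMPLE_FLOWS = """\
1507795200 10.1.20.30 10.1.20.11 tcp 502 1200
1507795201 10.1.20.30 10.1.20.12 tcp 44818 800
1507795202 10.1.10.5 10.1.10.7 tcp 443 5000
1507795210 10.1.20.30 10.1.20.11 tcp 502 1100
1507795220 10.1.10.5 10.1.20.11 tcp 502 300
1507795230 10.1.10.5 10.1.20.12 tcp 3389 9000
"""


def zone_of(ip):
    """Name of the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def service_name(proto, dport):
    return SERVICE_PORTS.get(dport, f"{proto}/{dport}")


def build_inventory(flows):
    """Passive inventory: for each IP, its zone, the services it serves and
    the (peer, service) pairs it initiates."""
    inventory = {}
    for line in flows.splitlines():
        _ts, src, dst, proto, dport, _nbytes = line.split()
        svc = service_name(proto, int(dport))
        for ip in (src, dst):
            inventory.setdefault(ip, {"zone": zone_of(ip), "serves": set(), "talks_to": set()})
        inventory[dst]["serves"].add(svc)
        inventory[src]["talks_to"].add((dst, svc))
    return inventory


def cross_zone_conversations(inventory):
    """Conversations whose endpoints sit in different zones; each one is a
    candidate for firewall-rule review. Returned sorted for stable output."""
    findings = []
    for ip, info in sorted(inventory.items()):
        for dst, svc in sorted(info["talks_to"]):
            if info["zone"] != inventory[dst]["zone"]:
                findings.append((ip, info["zone"], dst, inventory[dst]["zone"], svc))
    return findings


def new_conversations(inventory, baseline):
    """(src, dst, service) triples not present in an earlier baseline set;
    the 'before' picture that lets the 'during' phase notice a change."""
    current = {(ip, dst, svc) for ip, info in inventory.items() for dst, svc in info["talks_to"]}
    return sorted(current - baseline)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, info in sorted(inv.items()):
        print(ip, info["zone"], "serves", sorted(info["serves"]))
    for finding in cross_zone_conversations(inv):
        print("cross-zone:", finding)
```

On the constructed flows the inventory holds five assets; the two OT controllers are seen serving Modbus TCP and EtherNet/IP, and the IT host 10.1.10.5 is flagged twice for reaching into the OT zone, once over Modbus and once over RDP. Whether those flows are legitimate is a question for the control engineers and firewall owners together, which is the team-based review the article describes; the sensor's job is only to surface them without touching the controllers.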
“There’s still, maybe rightfully so, apprehension to connect OT environments directly to the cloud,” said Masud. “This is a disciplined and responsible on-prem approach.”
The Claroty system, under pilot for about three years, is being rolled out now, Masud said. In addition to Rockwell, the system is also being used by Schneider Electric and other automation suppliers.
“We want to help customers defend themselves,” Masud said. “In an attack continuum, there’s what you are doing before, during and after an attack. You have to be aware of what you have and come up with countermeasures to protect it, using things like zone firewalls and two-factor or two-step authentication. And after an attack you have to make sure your resources and the people involved can recover by having the proper backup and recovery tools in place.”