As manufacturers discover the benefits of expanded digital networks, growing cybersecurity threats must be addressed
Manufacturing operations face a multitude of cyber threats. The latest dangers from hackers include not only the theft of intellectual property but also malicious attacks that can cripple critical infrastructure, such as energy plants, utilities, and large-scale factories. Cyberattacks range from clever, often effective phishing schemes to ransomware demands and distributed denial of service (DDoS) attacks to malware and “zero-day” exploits like the infamous Stuxnet worm attack on Iran’s centrifuges over a decade ago.
With the novel coronavirus (COVID-19) pandemic, the stakes for manufacturers are even higher. Supply chain disruptions from recent cyberattacks have affected manufacturing and healthcare providers.
“In general, manufacturing is one of the more complex infrastructures [to protect] because of the mix of small- and medium-size manufacturers,” said Wayne Austad, chief technology officer for the National and Homeland Security Directorate at the Idaho National Laboratory (INL) in Idaho Falls, Idaho.
Fortunately, as the world grows more aware of the threat, more solutions are available. Awareness itself may be the first line of defense.
Confronting Cyber Risks
With the growth of the Industrial Internet of Things (IIoT) and the push for full digitization of manufacturing, hackers are concentrating on the inner workings of factory-floor controls and automation. “The key thing to focus on is that cyberattacks across the industrial world are increasingly targeting operational technology (OT) rather than information technology (IT) systems,” noted Kurt John, chief cybersecurity officer, Siemens USA, Washington, D.C. “We’re seeing roughly 30 percent of cyberattacks targeting OT.” The consequences of an attack on OT are higher, as any potential breach in these systems, especially while recovering from the COVID-19 crisis, could cripple domestic manufacturing.
“The biggest risks are unauthorized access to control systems used to manage industrial operations (e.g., PLCs, distributed systems, embedded systems, and IIoT devices),” John noted. “Access now extends beyond the shop floor and into third parties, some of which may be spread across geographies.” The risks include operational disruption impacting the health and safety of workers, product quality, and management systems for building and production lines, John said. Additionally, connectivity introduces additional vulnerabilities via a wider attack surface, and intellectual property theft is always a big concern in manufacturing.
Manufacturers are all working around the clock making equipment for critical infrastructure and helping protect frontline workers and patients from COVID-19, John noted. “As manufacturers continue to invest in automation and pursue digital transformation, cybersecurity has to be core to the vision. This includes the convergence of IT and OT ecosystems (people, process, technology overlap) as routine IT procedures (e.g., virus definition updates) can impact production lines due to downtime,” he said.
Adopting Some Cyber Basics
Manufacturing operations are often victims of intellectual property theft due to a lack of cybersecurity, INL’s Austad noted. Another cyberthreat is attacks on control systems. Austad, whose expertise is in control systems cybersecurity, has spent most of his career in energy, telecom, and most recently, manufacturing. “We’re more of an applied research lab,” Austad said, adding the lab offers a lot of experience with the Department of Homeland Security (DHS), focusing on power, energy, and on the manufacturing of parts for extreme environments.
With the COVID-19 crisis, Austad said he sees cyber threats changing, as more hackers target the manufacturing supply chain. Criminals are moving from random to automated attacks, Austad said. “They’re targeting industries that might be more willing to pay, such as state governments, schools, and now healthcare.”
A lot of ransomware or other cyberattacks can be prevented, or at least alleviated, by setting up a cybersecurity perimeter defense. “A lot of times they can get in, but you can mitigate the damage,” Austad said. Manufacturers don’t want to discover that their digital assets are compromised well after the fact. “A lot of whether or not you’re able to recover is if you’ve designed your system properly,” he added. “On the detection side, certainly we’re getting better. If you’re one of the big boys, you’re going to be a target for the persistent threats. The challenge for big manufacturers is they are heavily dependent on small manufacturers.” It can be difficult to impose a proper security posture, he noted.
Cyber threats really haven’t changed that much with the COVID-19 crisis, although pressure on the supply chain has increased, Austad said. “The main goals are similar. We have a different frailty as we try to meet demand,” he said, noting the challenges early in the crisis that automakers faced in quickly building ventilators and personal protection equipment (PPE).
Most manufacturers with engineers suddenly working remotely should already have had a plan in place, he added, such as using a VPN. “There’s effectively a quality check on your machine,” said Austad. A VPN connects from a remote location to the company’s systems. “It’s a matter of whether you’re ready to scale, and with many more people connecting it, do you sacrifice quality in connecting so many people?”
These risks have always been present, but the COVID-19 pandemic has raised the stakes, added Siemens’ John. “If just one facility loses power or stops producing critical PPE, that could mean loss of life,” he added. “And with IT resources spread thin and people working remotely, unfortunately some may see this as an opportunity to take advantage of the situation. That is why we need to be more vigilant now than ever.”
Due to COVID-19, more employees have access to connected OT systems than just those on the shop floor. “This is further extended to business partners, vendors and suppliers who have connectivity to OT systems,” said John. “Access is even potentially spread across different facilities and geographies. COVID-19 further heightens this risk with a greater population connecting from potentially insecure locations and for a prolonged period of time.”
Additionally, new COVID-19-themed phishing emails have tricked people into exposing their systems to cyberattacks, John pointed out. “We are seeing attack paths start on the corporate IT side and work their way into the OT environment—compromising both IT and OT ecosystems.”
Lowering the Pain Threshold
To combat cybercriminals, manufacturers need several options to prevent or minimize incursions. “There are many technologies—such as VPNs, public-key infrastructure (PKI cards), multi-factor authentication, real-time equipment monitoring, and factory asset intelligence—that can all help make remote work more secure,” John said. “Additionally, for OT, companies need to embrace security in the cloud. If done right, it can make them even more secure. This will help industries become more connected and resilient to issues like COVID-19 by allowing for expanded remote operations and automation. Embracing connectivity allows organizations to use data analytics that in turn enable them to see data and gather insights in real time.”
John said it’s important to decide which software meets a company’s needs for security and operations. “The important piece is that they embrace connectivity, including IoT, so they can use data analytics that enable them to see data and gather insights in real time. This gives them visibility into the virtual side of their operations, from beginning to end, so our customers truly own and protect their operating environments.”
Technologies such as VPNs, PKI cards, threat intelligence solutions with a focus on OT environments, and multi-factor authentication should be more widely adopted by companies large and small to better secure critical infrastructure, particularly gaining effectiveness as the line between IT and OT continues to blur, he said. “But again, connectivity with the right level of security is key. Companies need to embrace the concept of security in the cloud. We know that companies want to know where their data is physically and that it’s safe. But in fact, if done right, data can be safer in the cloud because it’s in the hands of professionals who have the resources to provide leading security protection and evolve in response to a threat.”
Today, manufacturers are susceptible to a wide range of attacks, due in part to a heavy focus on continuity of operations and remote work by employees, noted Akin Akinbosoye, director of cybersecurity at Chicago-based MxD, formerly the Digital Manufacturing and Design Innovation Institute. “Some of the threats include ransomware, theft of intellectual property and modification of designs to cause failure of the finished product,” he said.
Many of these attacks are perpetrated by a variety of actors, including state-sponsored ones, Akinbosoye noted. “Adding to the difficulty is the increasing proliferation of free, low-cost, sophisticated hacking tools that can be used with little technical know-how,” he added. “The implication is the democratization or commoditization of cyberattacks, with many more deploying these attack tools with targeted objectives. At MxD, we actively work with our ecosystem of members to increase their awareness of both their vulnerabilities and the ways to mitigate the risks they pose.”
Akinbosoye noted that cyberattacks have accelerated during the COVID-19 pandemic. “The same attacks have been aided by reduced focus on cyberhygiene by manufacturers,” he said. “They have emphasized production and working through the challenges across supply chains to support continuity of operations. Manufacturers are seeking out non-traditional and new sources for critical parts in the manufacturing process. This further exposes manufacturers to opportunities for compromise of their systems. Nation-state sponsors, working with some of the suppliers in the supply chain, have been accused of embedding functionality that are used in intelligence gathering from manufacturers and users of the end product that the parts are used in.”
Most security tools in the marketplace today were developed for IT security and adapted for use in manufacturing, Akinbosoye said. “This is beginning to change with the recognition that OT has specific attributes that need addressing, distinct from IT,” he added. An example of a tool focusing on securing OT environments comes from one of MxD’s member companies, Chicago-based Verve Industrial Protection, which offers a platform of technologies for managing assets on the factory floor, including OT and IT assets. Akinbosoye said the technology platform allows organizations to inventory their assets with the right amount of detail to implement protections and manage updates to address any vulnerabilities.
“I would point out that there is no silver bullet for OT security, just as there is none for IT assets, but the capability to effectively inventory assets with information necessary to understand [threats] is the foundation of security management in OT,” Akinbosoye said. “Additional technology and practices can be layered on this for comprehensive security.”
Securing the Right Factory Assets
New equipment is also a security threat. “To me, the biggest threat to cybersecurity in manufacturing today is securing devices that people never knew needed security,” said Michael Erdner, manager for solutions engineering–CNC division, FANUC America Corp., Rochester Hills, Mich. “In the past decade, the push for data collection from CNC machines has pushed more and more CNC machines that were once very secure islands to become part of the plant floor network. Now, with the Industry 4.0 push, we are seeing more of those machines and the peripheral equipment becoming part of the larger business-wide network.”
Regarding the COVID-19 crisis, Erdner said, “I don’t think the threats have changed, but the opportunity has. As a company, you are trying to allow access to these once ‘island’ machines while still maintaining overall network security. This is a difficult task when it is just inside your company with very little outside connectivity.”
CNC machines are capable of being run, monitored, and serviced remotely, Erdner noted, but it’s mostly been done in-house and only occasionally via access from outside. “In the wake of COVID-19, more employees are working from home and the company networks are seeing an increase in required outside access that they may not be ready for,” he said. “As this outside access and network traffic increases, so does the opportunity for cyberattacks.”
When communicating with any software solution, either in on-premises or cloud-based systems, it’s a good idea to choose a secure protocol, Erdner said. “Probably the two biggest areas that I see where existing technologies could be better used is changing to managed switches and using encrypted communication protocols. Because the plant floor was a separate network years ago, many older devices installed then are unmanaged, which can cause a security gap. Also, the data transferred between the CNC and the network devices has primarily been plain text. With data such as the part program and parameters being the IP of the manufacturing process in a CNC, simply choosing a secure encrypted protocol for this data transfer can help decrease the cyberattack threat.”
As manufacturers start accepting the cloud as a viable place for data analytics, they need to be aware of what data they are storing there, he added. Although the data may not be specific IP, like employee data or machine code, an attacker could still access company information, such as the business performance.
Adapting to Remote Operations
While risk levels increased for manufacturers with the COVID-19 crisis, the need for top-notch cybersecurity also became much clearer. “With so many people working from home, the attack surface and opportunity for error is greater,” noted Tony Baker, global product security leader at Milwaukee-based Rockwell Automation Inc. “For example, workers are remotely accessing their operations in different ways—some of which are more secure than others. And as with any major event, attackers are preying on human nature—like our need for information in difficult times—to convince people to click on malicious links.
“Another development has been a renewed understanding of what truly is critical manufacturing,” he continued. “Up until recently, many companies weren’t even considering themselves critical. However, the COVID-19 pandemic is showing us that more companies are essential to our daily life than we thought. For example, disposable-paper manufacturers may not have been considered critical before the pandemic, but now they’re some of our unsung heroes and certainly should be considered critical. With more companies revealed as critical, they must embrace this understanding, take cybersecurity more seriously, and improve their cybersecurity fundamentals and plan for attacks.”
Many of today’s threats can be addressed with effective cybersecurity fundamentals, Baker added. “There’s a human element to this. You should ensure that people, especially those working remotely, are trained to spot and avoid phishing e-mails,” he said, “and your IT team should make sure passwords are managed and patches are implemented.”
The design of manufacturing networks is also crucial to security, according to Baker. “For example, ensure that firewalls are used and networks are segmented,” he said. “Many companies are having success creating secure, future-ready network designs using resources like the Converged Plantwide Ethernet (CPwE) reference architectures that we developed with Cisco.” The robust and scalable networks in these documents are proving to be useful today for manufacturers responding to the pandemic by quickly reconfiguring their lines.
“Without a doubt, technology plays a role in protecting industrial systems from attacks,” Baker said. “For example, the same control system that helps you meet productivity, quality and safety goals can also address security needs. That’s why it’s important to make sure automation vendors make cybersecurity a priority and adhere to ISA/IEC 62443 standards, the world’s first consensus-based cybersecurity standards for automation and control system applications.”
Another consideration is using devices with CIP Security to protect critical industrial communications, he said. CIP Security is an extension to the Common Industrial Protocol (CIP), which is the application-layer protocol for Ethernet/IP and helps protect information exchanged between authenticated devices from interference and theft. Rockwell Automation is introducing Ethernet/IP products to leverage CIP Security, such as the Allen-Bradley ControlLogix communications module.
“Threat-detection software that’s purpose-built for industrial network security can give remote workers real-time visibility into their networks,” Baker said. “The software creates an inventory of industrial network assets, monitors traffic between them and analyzes communications at their deepest level.” Any detected anomalies are reported to workers with actionable insights to speed up investigation, response and recovery efforts.
“It’s also important to remember—especially in these extraordinary times when you’re facing sudden new security risks or challenges like furloughed talent—that you don’t need to do this alone,” he said. Service providers can help perform security assessments, provide threat-detection and mitigation solutions, and develop response and recovery plans.
“The shift to remote work likely isn’t temporary,” he added. “Post-pandemic, many companies may strive to become more accepting of remote workers. This would present new cybersecurity challenges that need to be addressed. How companies grapple with the human element will also be important as their workforce shifts back to working on-site again. Employees eager for information about their jobs, for example, may be more susceptible to cybersecurity risks like malicious phishing links.”
As we emerge from the pandemic, Baker advocates the continued use of best security practices and good judgment. “If your organization is planning to keep some level of remote work in place, understand what tradeoffs you’re making,” he said. “And remember, cybersecurity is not a one-time project—it’s an ongoing process that must adapt to the changing times and the evolving threat landscape.”
UL Creates Supply Chain Cybersecurity Solution
UL, northbrook, illinois, a safety science organization, has launched its Supplier Cyber Trust Level solution, which helps organizations minimize supply chain cybersecurity risk by focusing on the trustworthiness of suppliers’ security practices. The solution analyzes suppliers’ security practices across multiple trust categories resulting in a documented supplier “Trust Level” rating, which demonstrates the trustworthiness of a supplier’s security practices across the software and hardware development lifecycle, hosted systems, information management systems and their third-party management.
UL says its Supplier Cyber Trust Level assessment enables a holistic view of a supplier’s security posture while providing a fair and consistent evaluation of the cybersecurity posture from supplier to supplier. The solution leverages security controls from industry best practices, standards and frameworks, including NIST, ENISA, NERC and ISO.
The UL Supplier Cyber Trust Level joins other UL IoT security solutions—including the UL IoT Security Rating; services for IEC 62443 and UL 2900 Series of Standards; and security by design training, advisory and testing services—that address secure product development, smart ecosystem cybersecurity, and supply chain risk management.