Cybercrimes continue unabated, with new reports of hacks coming at a breakneck pace from all over the globe. Organizational complacency, combined with the lack of user awareness, compound a vexing problem. This is as true for manufacturers as it is for governments, educational institutions, healthcare providers, and power-generation systems. But manufacturers can protect their assets if they heed the warnings and implement effective cybersecurity standards.
The most recent major attacks include the well-known SolarWinds hack. That hack, which experts calculate was the work of hackers in Russia, dug deep into computer systems by using SolarWinds’ widely used Orion IT management software. The hack spread malicious code to some 18,000 government and private computer systems. Coming on the heels of the SolarWinds report, another massive hack involved the ubiquitous Microsoft Exchange Server. This caused Redmond, Wash.-based Microsoft to hurry 89 patches to fix vulnerabilities on the corporate servers affected. Microsoft attributed that hack to a sophisticated Chinese operator called HAFNIUM, according to a report in SecurityWeek. It used advanced persistent threats (APT) to target servers at government agencies and contractors.
“Complexity is often the enemy of security. Manufacturing is one of the most complex infrastructure sectors, given the scale and assortment of suppliers with a predominance of small and medium manufacturers and variety of business models,” said Wayne Austad, chief technology officer for the National and Homeland Security Directorate at the Idaho National Laboratory (INL), based in Idaho Falls, Idaho.
“There is a huge diversity in processes and equipment within product lines that integrate complex collections of legacy and advanced manufacturing methods. Intellectual property (IP) theft is historically the largest share of cyber intrusions within manufacturing-related IT assets, but there are some concerning trends in operational technology across all critical infrastructure—including a factor of three increase in threat activity groups, including manufacturing,” said Austad, citing a recent report by cybersecurity specialist Dragos Inc., Hanover, Md.
Austad is also chief R&D officer for the Cybersecurity Manufacturing Innovation Institute (CyManII), a $111-million public-private partnership launched in November 2020. He said that the risks of IP theft will continue to grow with increased digital transformation that creates new attack surfaces. CyManII is a Department of Energy institute led by the University of Texas San Antonio, and the Idaho National Laboratory is a major partner in the institute, along with two other national laboratories and dozens of academic and private industry supporters.
“Cybercrime is now a ‘criminal commodity,’ where virtual tools, techniques, information, and anonymous currency are exchanged to enable increasingly sophisticated attacks,” Austad stated. “Ransomware that holds entire companies and assets at risk is increasingly commonplace. A recent CrowdStrike report cited an increase in cybercrime of 124 percent in 2020 alone. In the near future, critical suppliers to the defense industrial base will need to deal with both subtle physical attacks and cyber sabotage,” he said. “Unfortunately, 90 percent of industrial control system operators, in all sectors, have limited visibility into their operational technology environments, which are increasingly being targeted.” CrowdStrike Holdings Inc. is an American cybersecurity technology company based in Sunnyvale, Calif.
Industrial Cyberattacks Rising
Malicious cyber activity is increasingly targeting the industrial control systems (ICS) vulnerabilities found in energy, critical manufacturing, and water/wastewater. More than 70 percent of the ICS vulnerabilities disclosed in the first half of 2020 can be remotely exploited, highlighting the need to protect Internet-connected ICS devices and remote-access connections, according to a research report focusing on operational technology (OT) security released last August by Claroty, New York, a group of OT cybersecurity specialists.
In Claroty’s inaugural Biannual ICS Risk & Vulnerability Report, its research team assessed some of the 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, which affected 53 vendors. The Claroty Research Team discovered 26 of the vulnerabilities included in this data set. Compared to the first half of 2019, ICS vulnerabilities published by the NVD increased by 10.3 percent from 331, while ICS-CERT advisories increased by 32.4 percent from 105. More than 75 percent of vulnerabilities had high or critical Common Vulnerability Scoring System (CVSS) scores.
With widespread COVID-19 pandemic-related shutdowns, ICS vulnerabilities sharply increased as security gaps in remote work technology expanded attack surfaces, according to Claroty’s follow-up report on the second half of 2020, released in February. It noted that 71 percent of ICS vulnerabilities disclosed were remotely exploitable through network attack vectors. The Claroty report also revealed a 25 percent increase in ICS vulnerabilities disclosed compared to 2019, as well as a 33 percent increase from the first half of 2020.
“Manufacturing is one of many sectors grappling with the convergence of information technology (IT) and OT, and the new security risks that come along with it,” said Claroty CEO Yaniv Vardi. “Digital transformation initiatives have caused once isolated OT networks to be interconnected with the rest of the enterprise through the IT network. However, there is a 25-plus year gap between the security posture of IT and OT networks. OT was never designed to withstand the IT-based security threats it now faces.”
Vardi noted that this is because most OT networks run on legacy equipment with proprietary protocols different from those in enterprise IT environments. “Industrial equipment is built to last, often many years or even decades—and the OT systems behind them are designed to the same time scale,” Vardi explained. “Equipment such as engineering stations and human machine interfaces (HMIs) often have a refresh cycle of around five to 10 years. The underlying operating system will be outdated by IT standards. In contrast, modern software is continually updated. Connecting an OT environment to the IT network means introducing an operating system that might be nearly old enough to vote, with no means of patching its vulnerabilities.
“The rapid global shift to remote work due to COVID-19 has accelerated IT-OT convergence even more,” he continued. “In manufacturing, this has created massive demand for solutions that enable secure remote access to OT networks, which, of course, involves establishing a secure connection through IT networks. OT network administrators are on the front lines. They need to provide online connectivity to users who typically access industrial control systems physically, while remaining confident that security isn’t compromised.”
Cybersecurity is Still a Youngster
Cybersecurity as we understand it today is a relatively young industry, noted Damon Small, a Houston-based cybersecurity expert who is technical director for the NCC Group North America. “[Modern] manufacturing has been around since the time of Henry Ford. Around the time of the dot-com bubble bust [in early 2000], that’s when you saw a lot of [cybersecurity getting implemented]. We’ve got a whole 20 years of experience—we’re very much in the infancy of cybersecurity.”
With fully connected manufacturing machine tools, today’s cyber threats are even more real. There is some element of risk attached to any device being connected to the Web. Current cyber threats can be traced to the well-documented 2016 theft of National Security Agency (NSA) hacking tools, possibly by a group called the Shadow Brokers. The group attempted to sell them on the open market. In the wake of the SolarWinds hack, cybersecurity experts told CBS 60 Minutes that the U.S. must be ready to fight back by staging return attacks against its cyber adversaries, or else the cyber attacks will just keep on coming.
The supply chain has become the culprit, making it easy for connected machines to transfer malicious code to the factory floor. “In manufacturing, you typically depend on others to give you things,” said Small, who focuses on industrial control technologies. “It is possible for someone to inject malicious things” onto the network, noting the famous case of the Stuxnet worm more than a decade ago. In this case, the Stuxnet zero-day exploit computer worm was unleashed on the Siemens Simatic PLCs that controlled Iranian centrifuges. It successfully disabled and damaged Iran’s nuclear program.
Firewalls and web monitoring can help protect manufacturers as well as home network users. According to Small, the key is industrial network monitoring, employing technologies like network sniffers, which are also called packet switchers, that use PLCs to monitor and analyze what belongs on the network and what does not.
“If you monitor your network properly, you will know if something happens,” he said, adding that proactive monitoring is a lot cheaper than remediation. “Companies like NCC Group can do vulnerability assessments.” When attackers do get in, NCC’s computer incident response teams send clients small “jump boxes” that phone home, he said, enabling NCC to do the forensic work remotely, if needed.
“We can get boots on the ground,” he said, adding there are advantages to being onsite in such instances. “It is potentially a crime scene, and we have to preserve the evidence so that it’s admissible in court. Criminals are going to take extreme measures to cover their tracks. The main goal is to figure out how the intrusion happened, and how to make sure it won’t happen again.”
Industrial manufacturers don’t always know what’s on the network, which is what happened with the SolarWinds hack that lurked undetected for several months. Small said that since his work involves a lot of energy installations, he’s encountered some customers on offshore oil rigs who don’t always know what devices on the network are actually there.
Passive vulnerability assessments and networks that flame packet servers (simulate attacks by injecting anomalies into the packet servers) enable manufacturers to harden industrial networks. “We can do that in OT,” Small said of using network sniffers. “There’s a variety of them, and they are all computers that watch the traffic that goes through [the networks]. It makes it easy to protect them.”
Another method of protecting the manufacturing perimeter is using cybersecurity frameworks. One of these is the Purdue Enterprise Reference Architecture (PERA), a model that originated in the 1990s and aimed to isolate the network’s OT layer. The Purdue model’s Level 3 walled off the OT side and kept IT away from OT equipment and software, allowing only authorized devices to talk to each other. “These passive scanners tell you which devices are talking to each other, and what is happening on your wire,” said Small. “They can tell you what’s on the network wire.
“The bad guys are always going to be one step ahead of us,” he continued. “Monitoring is your best friend.”
In the 60 Minutes report on SolarWinds, one expert said that due to the scope and size of the cyberattack, the only way to truly remediate the damage would be to replace all of the 18,000-plus computers affected by the malicious code. Asked for his opinion if that was necessary, Small said, “It’s not too dark a view. It could be the only way. The good news is SolarWinds as a product is mature and reliable, but the only way to be sure is to get rid of all of those systems that use it.”
Among the many cyber remedies available to manufacturers, assessing and implementing effective cybersecurity frameworks can add to a builder’s arsenal. Besides the Purdue model, one of the best-known is the NIST Cybersecurity Framework from the National Institute of Standards and Technology (NIST), Gaithersburg, Md.
“In order to maintain competitiveness, manufacturers are taking on digitization, automation, and interconnection of equipment,” said Jon Powvens, director of cybersecurity at MxD USA, based in Chicago, formerly the Digital Manufacturing and Design Innovation Institute. “In addition to learning the ‘new normal’ of Industry 4.0, manufacturers are now faced with ever-changing and growing cyber threats. Today, we are talking about SolarWinds and water treatment plants—tomorrow, the threat will be different and a new level or attack that is yet unknown. The threat manufacturers should be focused on is not what is known today. Instead, they should be considering their overall cyber maturity, and how they would recover in the event of a cyberattack.
“The news of the SolarWinds hack was a scary moment for many organizations,” Powvens continued. “As many service providers and companies utilize SolarWinds, it is hard to say we know how many companies were affected. In fact, the only reason that we know of the breach is from the brave reporting that FireEye (a cybersecurity developer) did once they noticed it. This information sharing is critical to the success of manufacturing. We don’t know what the next attack will be, or how it will work.”
An integrated strategy is the only type that will succeed, Powvens added. “While some of the frameworks can be hard to understand and work against, the NIST framework’s concepts of identify, protect, detect, respond, and recover are suited to convey the scope of cybersecurity,” he said. “A manufacturer that is new to the cyber journey can look at the categories in the NIST wheel and quickly see what they need to work on. Every manufacturer should have an inventory (identify), a protection plan (protect), a way to detect intrusions on the network (detect), a plan for how to repair intrusions (respond), and a detailed plan for how to return to normal operations (recover).”
MxD is also involved in several educational efforts aimed at addressing the shortage of highly trained cybersecurity professionals. “There is a critical need for cybersecurity professionals in manufacturing,” added Lizabeth Stuck, senior director for Workforce Development/MxD Learn.
A significant challenge when considering cybersecurity needs is evaluating the skills necessary for the workforce, Stuck said. “MxD has worked closely with ManpowerGroup to develop a Cybersecurity in Manufacturing Hiring Guide that identifies nearly 250 roles and skills that will be required in the workplace,” she said. “The Hiring Guide looks at career pathways, skills training, business impacts and more” to help manufacturers identify the skills they need.
If the first step is defining the roles and skills, the next step is to provide the training for individuals to acquire and build these skills, according to Stuck. She went on to say that “MxD is currently piloting a Cybersecurity for Manufacturing Operational Technology course in partnership with the University of Maryland—Baltimore County to ensure that current workers who are looking to increase their cyber knowledge have a means to do so. With more than 500,000 job openings predicted in cybersecurity and 2.4 million job openings predicted in manufacturing, the need to provide training and close the skills gap is critical.”