As ransomware attacks have increased in manufacturing, the operations world is staring down the dangers of cybersecurity gaps in smart factories. Meanwhile, the IT side of the house is starting to understand that what works well for them does not always work well for the operations side.
Ransomware targets manufacturers by disabling their operations technology. Hackers then demand that victims pay to restore the functionality of their systems. Manufacturers that cannot afford to have production halted by such attacks may have no choice but to pay the ransom. This trend has been growing steadily, and shows no sign of letting up anytime soon.
“For the last 10 years, I used to say I was an evangelist crying in the wilderness,” said Chuck Tommey, digital connectivity executive at Siemens. “Now we have people coming to us, asking what can we do about cybersecurity for our factories.”
Tommey is not alone in this observation. According to the recently released “State of Ransomware in Manufacturing and Production” report by Sophos, a UK-based IT security services and hardware provider, 55 percent of manufacturing and production organizations surveyed were hit by ransomware attacks in 2021. That’s up from 36 percent in 2020.
A pivotal event happened in 2007, Tommey noted, when the Aurora experiment by Idaho National Labs destroyed a generator. Researchers demonstrated how a hacker could use a computer program to rapidly close and open a generator’s circuit breakers out of phase from the grid, causing the generator to explode in three minutes.
“In 2010, Stuxnet (a malicious computer worm that attacked Iranian nuclear facilities) got everyone’s attention,” Tommey added. “But then most plant operators said, ‘That’s military grade, CIA, NSA stuff. No one is coming after me like that.’”
Although early ransomware attacks were easy to ignore, when things hit close to home—in the gas tank, on their dinner plates, and in their own industries—people took notice, Tommey explained.
“We’re seeing on a monthly, almost weekly basis, large companies with high profiles impacted by ransomware,” he continued. “When you shut down the gasoline supply in the southeast United States for a week, that gets people’s attention,” Tommey said of the cyberattack on the Colonial Pipeline in May 2021 that stymied the largest gasoline pipeline in the country, leaving many gas stations sitting on empty. “When you shut down meat production for a couple of weeks, that gets people’s attention,” he added, citing a May 2021 ransomware attack that shut down production in many plants at the world’s largest beef production company.
Ransomware attacks also are hitting a number of different sectors including chemicals, pharmaceuticals, and automotive, making the attacks difficult to ignore, Tommey said.
“When it’s somebody in your industry, it hits home,” he said. “People think, ‘If they shut down our competitors in the same industry, they’re going to come after us next.’ I have a sign that has a plant with a big target on it. I tell manufacturers, even if you’re not this plant with the target, you could be next door and you could still get shut down. Being collateral damage is still painful.”
Ransomware is the first fear. But sabotage attacks, often launched by governments or groups working with governments, also are a real threat, Tommey said. “It could be the same people, doing a night job for the (ransomware) criminals and working for the government during the day,” he said.
To secure manufacturing and other heavy industry, the operations and information sides of the house must work closely together. This is not necessarily a marriage made in heaven.
“One of my colleagues sometimes introduces me to customers as the IT-OT marriage counselor—trying to get each to understand the other’s point of view,” Tommey joked.
The good news is that compared to five or six years ago, IT is working more closely and effectively with OT, said Oscar Ornelas, chief product security officer at Boston-based PTC, a software and services company. “Just in the past three years, we have seen some major security incidents,” Ornelas said. “You see more attempts to interrupt critical infrastructure. At all levels, people are taking notice, becoming more security aware,” he added.
Visibility on OT networks has greatly improved, thanks to better software and hardware that has been designed with OT in mind, Ornelas explained. Security network equipment is now designed to be more rugged and is optimized to work well within the OT environment, he noted.
“There’s a much better level of collaboration between IT and OT based on the need to converge the two types of networks to get ahead,” Ornelas said. IT and OT teams understand they have to be neighbors, he added, for valuable data from industrial control systems (ICS) to be available to manufacturing organizations—this convergence has to take place.
“In the past seven years, there are now companies that create solutions, designed from the ground up, to secure and protect OT networks,” Ornelas said. “You have the visibility. You have the tooling. That gives you the ability to monitor, alert, and protect those OT networks.”
But that expanded level of connectivity “can potentially produce new points of entries for bad actors,” Ornelas said. With that increased risk in mind, he added, security operations teams are responsible now to collaborate with operations networks to monitor technology and respond to security incidents.
“Siemens is a big believer in collaboration vs. convergence,” Tommey said. “Convergence is a thing; it’s real; it’s happening but it’s not enough from a cyber perspective. It’s not enough to have IT come just to help. They must really understand. OT and IT are working better together. But there’s still lots of room for improvement.”
Air gapping, a go-to strategy a few years ago, is still in place in some environments where risk leaders make it impossible to bring information from the operations side to the information side, said Brian Haugli, founder and CEO of Worcester, Mass.-based SideChannel and author of “Cybersecurity Risk Management.”
Air gap backups are seen as a last line of defense, protecting data from being destroyed, accessed, or manipulated in the event of a network intrusion or system failure. Typically stored in an offsite location, such as a secure server facility, air-gap backups can be used to restore data in the event of a natural disaster, a software glitch, hardware failure, or ransomware attack.
“I worked in the DoD (Department of Defense) environment for a long time in an air-gapped environment,” Haugli said. “I have worked with a pharmaceutical company that said, ‘That building on the other side of the campus is completely air gapped from everything else we’re doing. Their r&d is so important; that building will never be connected to the internet. There’s no outside network. Once you’re on it, that’s it.”
Increasingly though, segmentation is emerging—or re-emerging, re-imagined—as a way to protect the operations environment.
“Manufacturing should be using the Purdue model,” Haugli asserted. The concept, developed in the early 1990s (although not necessarily for security), calls for segmenting different layers of industrial control systems within OT.
“We’re continually finding new ways to segment OT,” he continued. These new methods, Haugli added, are moving away from hardware models to focus more on software.
“With air gapping, you deny by default,” Haugli said. “You do not physically have a connection. With segmentation software, you have a wire, but you’re using software to create that segmentation for the same purpose as air gapping. With software defined segmentation, if you need it, you can enable it and allow it.”
Despite improvements, there are rarely cybersecurity policies or smart manufacturing experts on the OT side of the house, according to Tommey.
“OT says, ‘Here comes IT and they’re ready to help us.’ But they don’t know anything about OT,” Tommey cautioned. “IT is trying to assimilate the OT network into the IT network structure they’ve already created. They’re trying to do what they think is best for the company. But they don’t understand the differences.”
A common scenario, according to Tommey, is: “The IT guys say, ‘we’re addressing cybersecurity here on our side of the firewall. The OT guys are responsible for their side.’ The OT guys say, ‘We’re just making stuff.’”
While IT worries first about confidentiality, the OT side focuses first on availability, Tommey said. For example, pushing an update in the middle of a day can cause a factory shutdown as can changing a firewall configuration. Instead, manufacturers should look to scheduled downtime. Even just a few seconds of latency can create problems for OT, he added.
“Everything is happening in real time—ordering raw materials from suppliers, letting customers know when they will get their order,” Tommey said. “It has to be secure and we have to be sure it’s available.”
For example, active asset management—pinging equipment to make sure it’s running as expected—can potentially be disruptive to operations, said Laura Élan, senior director of cybersecurity at MxD. Meantime, passive accounting is a great way to monitor connected assets without interfering with their ability to operate, she added.
Overall, asset management software, which allows a manufacturer to scan its network and identify which assets are connected, is becoming better, more common, and more likely to be able to operate without disrupting factory operations, Élan said.
Beyond knowing what’s always in the manufacturing environment, asset management also involves knowing what new things have recently been introduced and what has been removed, Élan said.
“Especially in a plant that doesn’t run 24/7, you could come in the next morning and not realize something has changed, something has been moved, or something has been adulterated in the environment,” she explained.
On top of this, the recent increase of remote access had led to more vulnerabilities, Tommey said. One challenge is consolidating protection in an organized, standard fashion. For example, some smaller plants don’t have their own cybersecurity program, so OEMs provide a system. In other cases, manufacturers do have their own cybersecurity system that they want to use, but OEMs push back because now they’re using multiple systems.
“Factories ought to own and manage that issue because it’s their ultimate security at stake,” he said.
Several different suppliers make such systems, potentially causing interoperability issues. Eventually, Tommey predicted, three or four main suppliers of secure remote access will emerge, and that issue will calm down.
A remaining vulnerability is SCADA systems, a common framework of control systems used in industrial operations with some analog operating systems, Ornelas said. This is especially precarious for companies running software that has achieved end-of-life status and no longer receives support or security updates.
“You might have a terminal used for viewing day-to-day manufacturing processes still running on Windows XP, Windows 7; you might even find Windows NT,” Ornelas noted. “That’s exposing some level of risk to the OT network.”
A related risk is that many devices and communications protocols still in use today were not designed with security in mind.
“They lack the basics like authentication and encryption,” Ornelas said. “We see from ICS manufacturers that they are introducing newer equipment that does support authentication and encryption but the change is going to be slow.
“There’s a huge market, a huge opportunity for products and services in the whole cyber-physical security space,” he continued. “It won’t be a big gotcha moment. Instead, we will see continued incremental improvements.”
With the ever-changing threat landscape, it’s clear that manufacturers need to do more to protect their smart factory operations. And with the advent of adversarial machine learning, which involves techniques to train neural networks on how to spot intentionally misleading data or behaviors, investment in software and expertise to defend against future attacks is imperative.
Experts agree, vigilance is the name of the game in ensuring smart factories stay secure.
Connect With Us
