Digitisation and connectivity are driving the fourth industrial revolution, but as Helen Saunders explains, manufacturers need to embrace cybersecurity to ensure physical assets and intellectual property are adequately protected from theft and attack.
The digitisation of manufacturing, or Industry 4.0 as it is commonly known, is driving industrial operators to achieve new levels of productivity, quality, and visibility.
It doesn’t take the genius of early industrial innovators like Robert Louis Stephenson to see that manufacturers who connect their factory systems with their enterprise networks will create a more agile, efficient, flexible and profitable business.
These are exciting times in manufacturing; however, there is a dark side to the rapid progress that’s underway. Unfortunately, more connections also open the door to new security risks, and previous generations of industrial control systems were not conceived with security or IP connectivity in mind.
Industrial Automation and Control Systems (IACS) traditionally utilise proprietary hardware and protocols that are hard to integrate with network security. Although segregated from industrial IP networks, they’re still at risk because they’re often set up as simple, open network machine islands, with limited or no security.
The net effect is that digital transformation is proliferating vulnerabilities at the same time as cyber-attackers are getting more sophisticated. This raises the stakes for UK manufacturers.
According to a recent study by Cisco, if cybersecurity concerns delay digital implementation, it could take up to five years to catch up with the competition. The industrial sector has some of the least mature security practices and policies and the lowest-quality security infrastructure, so there’s a very real risk of being left behind.
Ensure the basics are covered
Many industrial businesses don’t have even a simple security policy written down. Start by drafting and implementing a set of written security policies and procedures for your plant that will, for example, outline who should be able to access the network in the first place and how.
It should cover permanent employees and contractors as well as BYOD (bring your own device). It should also spell out what assets they can access, define acceptable asset use, and define reporting mechanisms for events. Written policies should also contain an incident response plan, including any procedures to restore critical production systems after a security event.
Physical security is the first line of defence
Some of the most severe damage comes from the inside, when entry is gained from the factory floor. Whether it’s preventing inventory lift, data loss or intellectual property theft, companies can benefit from a comprehensive physical security solution integrated with a secure wired and wireless industrial network.
Protect assets with physical access restrictions like locks, key cards, and video surveillance. Where practical, you can also add device authentication and authorisation, plus encryption.
Take a holistic approach
The more connections you have in your manufacturing environment, the more chances for a breach. No single technology, product, or methodology can fully secure your network. Protecting critical manufacturing assets requires a holistic approach that uses multiple layers of defence (physical, procedural, and digital: network, device, application) to address different types of threats.
A basic mapping exercise will help you get started, providing an inventory of all the devices and software on your network. Remember, ‘air gap’ strategies are fallible – just because a robot or device isn’t connected to the network doesn’t mean it’s completely safe. One corrupt or malicious thumb drive will put an isolated machine at risk of unplanned downtime or worse, safety incidents.
Get in the zone
Use industry best practices, such as the ISA/IEC 62443 standard, to set up zones and design schemas to segment and isolate your sub-systems. Create a ‘demilitarised zone’ (DMZ) between your enterprise and manufacturing networks. On the network perimeter, firewalls and intrusion detection will help you keep threats at bay. And within the network, employing out-of-band deep packet inspection (DPI) in your routers, switches, and other network devices can help you spot viruses, spam, and other intrusions. (See Case Study below)
The Emirates Aluminium Company Ltd. (EMAL) maintains a huge plant organised into several independent industrial zones and IT networks. Each zone handles a different stage of the production process. The company needed to consolidate these networks and share information to streamline production without compromising security and resilience.
EMAL deployed a Cisco-based Industrial Demilitarised Zone (IDMZ) to link information from each zone with enterprise IT without compromising security. Each production area has a DMZ, with twin firewalls, providing a ‘neutral zone’ where suspicious traffic can be identified and isolated before it can penetrate networks, servers, and systems. The solution lets EMAL safely share information across different interfaces and environments.
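One way to check flow records against a zone-and-conduit policy of the kind described above, as an added example that is not code from the article, Cisco or EMAL; the zone names, subnets, conduits and flow records are all constructed assumptions:

```python
"""Zone-and-conduit audit over constructed flow records (added example, not
code from the article, Cisco or EMAL). Enterprise, an Industrial DMZ (IDMZ)
and two production cells are ISA/IEC 62443-style zones joined only by
explicit conduits. Every subnet, host and flow below is constructed."""
import ipaddress

ZONES = {  # zone name -> CIDR blocks (constructed)
    "enterprise": ["10.1.0.0/16"],
    "idmz": ["10.200.0.0/24"],
    "cell_casting": ["192.168.10.0/24"],
    "cell_rolling": ["192.168.20.0/24"],
}
# Conduits the twin firewalls permit: (source zone, destination zone, port).
# No conduit joins enterprise to a cell; an IDMZ host (historian mirror,
# jump host) brokers everything. Anything not listed is denied.
CONDUITS = {
    ("enterprise", "idmz", 443),     # enterprise reads the historian mirror
    ("cell_casting", "idmz", 5432),  # cells push data to the IDMZ historian
    ("cell_rolling", "idmz", 5432),
    ("idmz", "cell_casting", 502),   # Modbus/TCP only from the IDMZ jump host
}

def zone_of(ip):
    """Zone containing ip, or None when it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, nets in ZONES.items()
                 if any(addr in ipaddress.ip_network(n) for n in nets)), None)

def classify(src, dst, dport):
    """'bypasses_idmz' is the finding that matters most: two non-IDMZ zones
    talking to each other without passing through the broker."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "unknown_zone"
    if s == d:
        return "intra_zone"
    if (s, d, dport) in CONDUITS:
        return "permitted"
    if "idmz" not in (s, d):
        return "bypasses_idmz"
    return "denied"

def violations(flows):
    """Flows (src, dst, dport) that the zone policy does not allow."""
    return [f for f in flows if classify(*f) not in ("permitted", "intra_zone")]

SAMPLE_FLOWS = [  # constructed NetFlow-style (src, dst, dport) records
    ("10.1.5.7", "10.200.0.10", 443),       # enterprise -> IDMZ historian mirror
    ("10.200.0.20", "192.168.10.20", 502),  # IDMZ jump host -> casting PLC
    ("10.1.5.7", "192.168.10.20", 502),     # enterprise laptop straight to a PLC
    ("192.168.10.5", "192.168.20.5", 445),  # cell-to-cell SMB with no conduit
]
```

Running `violations(SAMPLE_FLOWS)` over a real flow export (NetFlow, firewall logs) is the check that tells you whether the IDMZ is actually the only path between enterprise and plant.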
Distance isn’t a barrier
If your company is made up of distributed sites in multiple locations, you need a way to apply security remotely. (See Case Study below)
A leading oil and gas company operating in more than 70 sites globally was able to reduce costs by £500,000 per site deployed over five years (per its ROI study). To protect its critical infrastructure, including refineries, wells, and other sites, the company deployed Cisco Secure Operations, utilising field-deployed software and networking gear to remotely monitor more than 50 upstream and downstream sites.
The solution provided a secure ‘tunnel’ from the field infrastructure to a centralised management console. Its centralised control centre enables engineers and IT experts at a global service desk to quickly respond to any security threats.
Thwart attackers at the edge
A critical segment of any company’s network architecture straddles the internet edge, where the corporate network meets the public internet. The internet edge is the gateway to cyberspace, and serves many roles for the typical enterprise network. As network users reach out to websites and use email for business-to-business communication, you need to keep your corporate resources both accessible and secure.
Something as simple as moving from unmanaged switches in your network to lightly managed switches gives you the ability to better secure ports and improves network visibility, control and security.
Ultimately, manufacturers who rise to the challenge of digitisation by implementing the next generation of security protections built for the age of the IIoT will gain a competitive edge in the process.
By thinking holistically and combining multiple layers of defence, you can protect intellectual property and physical assets from unintentional breaches and cyber theft, while speeding threat resolution, reducing downtime, and driving efficiency gains across your facilities.