The combination of industrial control systems vulnerabilities and a relentless drive to embrace Industry 4.0 makes UK manufacturing an attractive, and all too often an easy, target for cyberattackers.
However, by following just a few straightforward guidelines, manufacturers can greatly improve their cybersecurity. Helen Saunders reports.
Manufacturing has become the most attacked industry sector in the UK, representing 46% of all cyberattacks in 2017, and significantly higher than the rest of Europe according to research by NTT Security.
Operational technology (OT) networks are now one of the key focus areas for malicious attacks, which highlights the impact that security vulnerabilities are having within the manufacturing industry:
- 31% of security professionals said their organisations have already experienced cyberattacks on OT infrastructure
- 38% said they expect attacks to extend from IT to OT in the next year
- 69% of organisations believe OT is a viable attack vector in 2018.
Far from scaremongering, it appears that this global study may be understating the UK impact.
A local cybersecurity study commissioned by EEF and published earlier this year found that more than 80 manufacturing plants here have suffered stealth cyberattacks, with criminals deploying tactics that could put critical national infrastructure at risk.
Half of manufacturers surveyed admitted that they had fallen prey to cyber warfare.
These statistics make for sobering reading, clearly indicating that as factories work to drive better business outcomes using connectivity and data, they are a rich target for increasing threats. Worryingly, they are all too often an easy target.
This article first appeared in the July/August issue of The Manufacturer magazine. To subscribe, please click here.
Industrial control systems (ICS) are at the heart of all manufacturing and process control systems, connecting to other electronic systems that are part of the control process, to create a highly connected ecosystem of vulnerable devices that a wide range of attackers are eager to compromise.
While rapidly on the increase, attacks targeting operational technology (OT) such as ICS and Internet of Things (IoT) devices are still uncommon enough that many security professionals have yet to experience them first-hand.
But according to research, security professionals fully expect such attacks to occur, and are trying to determine how they will respond to them.
However, these security professionals also recognise that ICS often have few protections and run unpatched and out-of-date software, making them vulnerable to attacks.
“We still have OT devices that are 25-years old, and compressors and machines that are
40-years old,” said one respondent. “IT professionals are used to the schedule. [They say,] ‘Tell me when Windows X is no longer supported,’ or ‘Hey, this Oracle version is going EOL [end of life].’ There’s no such thing in the OT environment.”
Few security professionals can speak confidently on issues relating to securing OT in their organisations. That is either because they don’t have or anticipate adding much OT, or because IoT implementations are so new.
Attacks are happening against a backdrop of industry planners and managers being rallied to adopt industrial digitalisation solutions at an ever-faster pace, despite the threat that our adversaries are one (or more) steps ahead of us, increasingly exploiting the IoT devices at the heart of Industry 4.0 evolution to gain access and disrupt.
Put simply, the industrial sector is under sustained and serious attack from cyberattackers, and without careful consideration and strategy, most manufacturers will lose. The result?
Downtime, lost revenue, loss of data, and worst case – impacting worker safety.
Industrial cyberattack trends
Cyberattackers are thorough in their methods, and are actively engaged in research and creating backdoor pivot points to facilitate future attacks.
Among the potential cyberattackers are experts with advanced knowledge of IT systems, ICS architectures and the processes they support.
Some also know how to program product lifecycle management (PLM) controllers and subsystems. Essentially, they are taking as professional an approach to attacking you as you take to gain or maintain market share. And it’s paying off.
In other words, the threat is real, it’s happening right now and it isn’t a case of if you’ll be attacked, it’s when. So, what should you be doing to protect your operations?
Many ICS breaches begin with the compromise of vulnerable servers and computing resources within the corporate IT network.
Manufacturers should consider taking the following six priority actions to reduce risk and help ensure the integrity of operations within their facilities:
- Review vendors and systems and see that all patches and updates are applied promptly. If patches are not available, consider migrating to new technology
- Reduce the use of USB memory sticks and DVD drives
- Isolate ICS systems from IT networks. Don’t allow any direct connections between the two. That includes network connections, laptops, and memory sticks
- Implement policies that severely limit the use of the ICS networks for anything other than essential operations. Reduce accessibility to ICS workstations and monitors with external internet browser access. Assume these policies will fail and plan accordingly
- Research and eliminate all embedded passwords or default passwords in your production network. And wherever possible, implement two-factor authentication
- Review plans for disaster recovery following a major cyberattack
Case study: Power plant
This power plant’s critical assets include a very large ICS infrastructure and the necessary supervisory control and data acquisition (SCADA) components that manage and run their processes.
The plant is considered critical national infrastructure and subject to scrutiny and oversight by the responsible national security agency. It is therefore considered a high-security installation.
The chief information security officer (CISO) involved decided to implement deception technology to protect the plant’s standard IT resources from ransomware attacks. The technology was also distributed within the ICS infrastructure.
Soon after, the security operations team received several alerts that indicated a breach to the systems within the critical infrastructure plant operations.
Their immediate investigation concluded:
- A device in the process control network was attempting to interact with the deception traps, which were camouflaged as plant lifecycle management (PLM) controllers. This was an active attempt to map and understand the exact nature of each PLM controller within the network
- The compromised device would normally have been closed, but a vendor performing maintenance failed to close the connection when finished. That oversight left the process control network vulnerable to attackers
- The information adversaries were collecting is exactly the type of data needed to disrupt plant activity and potentially cause great damage to ongoing plant operations.
Case study: Large international water treatment and waste processing company
In computing, a ‘demilitarised zone’ (DMZ) is a physical or logical subnetwork that contains and exposes an organisation’s external-facing services to an untrusted network; e.g., the internet. Its purpose is to add an additional layer of security.
Attackers used a water treatment and waste processing company’s DMZ server as a pivot point to compromise the internal network. The security operations team received alerts from deception security technology embedded in the network DMZ.
This physical or logical subnetwork bridges internal networks from untrusted networks, such as the internet, protecting other internal infrastructure.
The investigation found that:
- The DMZ server was breached due to a misconfiguration that allowed remote desktop connections
- The server was breached and controlled from several IPs, which were connected to political hacktivists hostile to the plant
- The attackers were able to launch multiple major attacks against several of the company’s other plants from the compromised internal network.
Helen Saunders – Strategic & Executive Communications Cisco Advanced Services