Total protection

Posted on 16 Feb 2009 by The Manufacturer

Adequate protection of IT on the plant floor can often be overlooked by a company’s IT security arrangements. The truth is that the dangers of fraud, electronic espionage and vandalism are just as applicable to machinery operated by shopfloor computers with internet access. TM spoke to David Robinson, general manager at Norman Data Defense Systems.

There is a tendency for people to think of internet security in terms of a personal threat primarily driven by credit card fraud, identity theft and virus infection of domestic PCs. A breach of this security involving a compromise of personal or financial details, for example, can be frustrating, infuriating and painful, but will not result in commercial disaster. Infiltration of commercial IT is much more onerous.

Computer security is an accepted part of effectively managing any business. Corporate information is clearly sensitive and vulnerable – from personnel records to confidential company accounts or customer data, there will always be something valuable for someone to steal.

One area of increasing concern is the vulnerability of the manufacturing industry to IT security breaches. “The internet security industry has seen a massive increase in the amount of malicious code being distributed,” says David Robinson, general manager at Norman Data Defense Systems, an IT security company based in Milton Keynes. “We are receiving 30,000 new pieces of malware every day — that’s an exponential rise. We have seen more over the past 18 months than in the 24 years we have been in existence – despite the fact that companies and individuals have deployed IT security measures [for a long time]. The threat is greater because organised crime gangs have found that they can make a serious amount of money. Many firms just haven’t been able to keep up.”

The combined problem of the steep rise in malware — malicious software — and the time lag in manufacturing companies’ understanding of the problem means that there is a greater threat to process and control systems than ever before, says Robinson. “In an office, it is relatively easy to ensure that PCs are covered by up-to-date anti-virus software, but on the factory’s plant floor, anti-virus security is often ignored, and there is limited control over who connects what to the control and process systems.”

The crux of the problem, Robinson says, comes from a lack of understanding of the risks associated with increased connectivity between former ‘islands of automation’ such as process plants, manufacturing sites and distribution centres, and the business systems operated in companies’ head offices. “Many firms don’t run any security software across their production networks — which will most likely be running old versions of operating systems that remain unpatched.”

The main source of malware infection is the browsing and downloading of data from the internet, email, USB flash drives and external connections. It is imperative that a contracted IT consultant be responsible for the protection of the whole business, including manufacturing and plant networks, and that protection not be confined to the offices, Robinson says. While many viruses are known mainly for their nuisance value, more and more can disable or manipulate computer systems and cause major disruption. There have been numerous publicly reported instances that have caused immense disruption to the operations of control and process systems – on the plant floor, operators could be powerless to start or stop key plant or to prevent the opening or closing of vital valves, and could have alarm and trip settings overridden.

Call to action
This shop floor-level problem is rising. So what can manufacturers do about it? Well, the Government has been onto it for some time. A report in 2007 by the Science and Technology Select Committee included the explanation: “Criminals attacking the internet are becoming increasingly organised and specialised. The image of the attention-seeking hacker using email to launch destructive worms is out-of-date. Today’s bad guys are financially motivated, and have the resources and the skills to exploit any weaknesses in the network that offer them openings…with money available on a big scale, it is hardly surprising that those responsible for e-crime, commonly known in the IT world as the “bad guys”, include major organised crime groups, typically, though not exclusively, based in eastern Europe. They are well resourced, and employ specialists to perform particular tasks, such as hacking vulnerable websites, cashing cheques and receiving goods fraudulently purchased online. In summary, the internet now supports a mature criminal economy.”

Robinson agrees: “It’s continuous. It’s more like an arms race between the good guys and the bad guys — and there are some very clever bad guys out there putting up a fight that the good guys have to defend against. Sometimes the industry is playing catch-up; sometimes it’s in front. Software, including operating systems and applications, has bugs inherently, especially in new releases. This is unlikely to change. As such, cyber criminals will continue to write programs to exploit these vulnerabilities.”

Contrary to popular opinion, many viruses do not destroy data indiscriminately. Data is destroyed as a side effect of the pursuit of a nefarious purpose. “Writers of malicious software want to get on to a machine and extract information from it,” says Robinson. “They do not always have an immediate purpose — a Trojan horse will sit there and wait for further instructions. There are many tens of thousands of infected computers all over the world, sometimes under the control of just one person. It’s scary, but it’s happening all the time. Much of the organised crime comes from countries which do not operate international extradition laws.”

A manufacturing company should consider two important actions. First, make sure you have adequate protection from online sabotage at the outset – in the office/s, the factory floor and all possible connections in between. Protection needs to be seamless or it will be breached as soon as someone from outside inserts an infected USB flash drive (or memory stick). Secondly, protection needs to be constant, so it should be updated continually. Most antivirus programs have an automatic update facility, and corporate IT departments need to be aware of upcoming threats and the status of the online ‘virus community’ at all times.

Incident response
If a system’s security is breached, Robinson recommends putting in place a “malware incident response”: “In the event that you have been infected, how do you get back up and running? Did anything actually happen? What was it? Sometimes little or nothing happens because it is a random piece of malware, but we are seeing stuff targeted at government departments and large companies. It is getting more and more important to ascertain what’s happened because malware can be very complex. It can put another type of malware on the system, which then drops another type, then another one and so on. Unless you find out what the dropper [hacker] did, you can’t find out if your system is actually clean.”

It is therefore essential to diagnose what has happened and how the violation has affected the company’s data, so that the damage can be rectified and steps taken – usually by a security software upgrade – to ensure the same thing doesn’t happen again. If the invasion is a clear, or suspected, case of criminal intent, the incident needs to be reported to the police.

While sabotage of manufacturing processes is a more overt problem, fraud can often be behind an infected computer system – and can originate from both internal and external sources. The risk of having sensitive corporate details compromised is much higher today, as a meaningful volume of data can be removed very discreetly. “When companies used floppy disks it was difficult to get an amount of data of any use onto a disk. But a USB key can hold 32GB of data: a serious amount of information,” Robinson says.

Many manufacturing companies do not have a proper grasp of their susceptibility to IT security risks, or what they should do about protecting themselves. “They should be involving their IT security department, systems providers and external experts, and getting them involved in building systems that have security built in. In-house IT departments will know what they themselves see, but may not be aware of risks to the plant. There tends to be little cross co-operation between many parts of the IT support chain. In the days of proprietary production networks that was fine, but because they are now utilising common components, IT security is something that cannot be just for one department and not for another.”

Malware is a growing menace with such potentially disastrous repercussions that manufacturers should see protection from it as a company-wide priority. To attempt to combat the devious techno-trickery that online criminals employ to extract data illegally, an effective IT defence needs constant vigilance and continuous updating.