An earlier blog entitled “Hacking attacks on UK manufacturers increasing”, considered why hackers were switching from stealing data to ransomware, this begs the questions of where the organisations should start about ensuring industrial cyber security in manufacturing. Understanding the threat is a good starting point.
Produced annually by the UK Government, the Cyber Security Breaches Survey is a quantitative and qualitative study of UK businesses. It aims to help organisations understand the nature and significance of industrial cyber security threats and what others are doing to stay secure.
According to the 2020 survey, cyber-attacks have evolved and become more frequent. Almost half of businesses (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%). Significantly, almost 70% of threats came from fraudulent emails or those sending the user to fraudulent websites.
Many of the cyber-attacks that hit industrial users may be accidental, but that does not change the impact on their business. Whether resulting from an employee opening an innocent-looking email, or from a targeted attack, the results are the same. They are costly, damage reputations, and take a long time to recover from. They can even put smaller companies out of business.
Manufacturing automation systems are often connected to business and office IT systems. Once a hacker compromises a vulnerable system, it is possible to reconfigure it or access other parts of the network. In the case of a sophisticated attacker (which many are), all operating systems can shut down or even become encrypted. Something like this crippled Honda’s worldwide operations
For SMEs, the risk of a targeted ransomware or spear phishing attack is less likely compared to large multinational corporations. Despite this, there are reports of ransomware like “Ekans”, that identifies and targets industrial controls systems. According to one report, after accessing the enterprise systems, it migrates to the control level and terminates a wide range of selected software processes.
Systems are becoming more complex and more integrated as connecting IT and OT systems is a key element in the drive to IoT/IIoT. They comprise of a mix of protocols, topologies and SCADA systems making security even more complicated. Furthermore, they may also involve building services management and security systems. Other areas include those of uncontrolled risk such as digital connections to the supply chain. Even cloud providers are not immune.
For automation users, there is no silver bullet for industrial cyber security in manufacturing automation. Moreover, identifying where vulnerabilities exist is the right place to start. According to a 2019 survey of 850 real-worlds control systems by Cybers labs found:
– The traditional air gap, between IT and OT systems, at one time common in automation networks, has fallen to under 40% of installations
– More than 50% of sites continue to use legacy Windows systems like XP that no longer receives security patches from Microsoft
– Almost 70% of networks have plain-text passwords
– Almost 60% of sites are not running anti-virus protection with automatic signature updates
– Up to 16% of sites had poor or misconfigured wireless access points (WAPs), and 84% of sites have at least one remotely accessible device
Defence in depth
The UK’s Government’s National Cyber Security Centre offers a downloadable guide on defending organisations against malware and ransomware attacks. They say that there is no absolute way to protect an organisation against malware infection. They advise using a ‘defence-in-depth’ approach, with each layer using mitigations. In this way, users have a better chance to detect and stop malware, before it harms the organisation.
They also say to start by assuming that some malware will infiltrate your organisation so you can plan a response. They identify having a four-point action plan providing detailed guidance to reduce your vulnerability by:
– Making regular air gap backups
– Preventing the delivery of malware to other devices
– Preventing malware from running on devices
– Preparing for an incident
Industrial cyber security
Industrial cyber security needs to be as much a part of an organisation’s digitisation strategy as its IT security. In its chapter on technical security controls, the book Information Security Management Principles addresses many of the cyber security issues facing the world of automation operational technologies. Because they use different protocols like Modbus or open platforms like ProfiNet and TCP/IP etc. for control and to communication. These follow an architecture that does not look like a standard enterprise network architecture. They highlight the use of ISA/IEC 62443, the global standard for the security of Industrial Control System
This standard provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. ISA-62443-4-2 is a new standard covering Security for Industrial Automation and Control Systems (IACS). It provides the cyber security technical requirements for components making an IACS including embedded devices, network components, host components, and software applications.
Simple first steps
If almost 70% of threats come from email or those sending the user to fraudulent websites, instigate regular workplace awareness training. Staff need to know what to look for, what hacking looks like and the damage it can cause. They also need to know how to handle suspect communications. Other steps include:
– Regular backing up data to multiple sources both in-house and in the cloud.
– Operating systems with regular or automatic updates.
– Ensuring the installation and updating of anti-virus, anti-malware, and anti-ransomware tools.
– Disabling vulnerable or unsupported plug-ins like Flash.
– Controlling or segregating access restricted data.
– Using password managers to ensure strong passwords.
– Block the downloading of suspect file extensions or email attachments.
Finally, to have a plan for when things go wrong, even if it is insurance. Remember, in the event of a hack, by having a plan of action you will never be worse than not having one.