Cyber security in manufacturing is already an issue. Cyber attacks are becoming more prevalent and increasingly sophisticated. Attackers may find a backdoor into your system months before anyone realises-if they ever do. Identification may result from routine monitoring, the occurrence of strange events or by luck. If the hacker wants you to know you may be subject to ransomware or other forms or extortion.
To quote American businessman John T Chambers, there are two types of companies: those that have been hacked, and those who don’t know they have been hacked. This may be an exaggeration, but the truth is we don’t know.
Good practice is important, along with intrusion detection software, constant monitoring and the use of malware tools. It also includes educating users and operators of potential risks.
Basically, hacker motivation may be fun, to cause damage, for financial gain, or industrial espionage. Hackers sometimes use tools that find and exploit weakness in software or firmware. It is important to routinely update and use patches with they are available. If you think the hacking of manufacturers is accidental? Think again!
According to a report on Cyber-Security for manufacturing published by the EEF, manufacturing is the third most targeted sector in the UK. It says nearly half have been a victim of cyber-crime. Furthermore, a quarter of these have suffered financial loss or disruption.
IT and OT convergence
Information Technology and IIoT are driving interconnectivity and the use of shop-floor PCs. As technology and data start to play increasingly critical roles in manufacturing, companies will inevitably find themselves more vulnerable to cyber breaches. Manufacturing is moving away from PLCs controlling individual machines to networking. The controllers link to shop-floor microprocessor-based PCs and SCADA system.
Many leading manufacturers of process and automation equipment use microprocessors in some of their control products. However, a recent report in The Register revealed that patches for the Meltdown and Spectre chip vulnerabilities have caused glitches and stability issues in industrial control systems.
Markedly, the report says twenty percent of firms are not actively making staff aware of the risk. It is not discussed at board level meetings according to half of those surveyed.
We will soon have billions of IoT connected devices. Cyber-crime is an easy way to make money and it is not going away, so what do manufacturers and SMEs do? System design needs to be resilience for when (not if) a cyber-attack comes. Cyber security requires implementation at multiple levels throughout an organisation.
According to a 2017 Government survey, 72% of breaches are from fraudulent emails, where firms identified a breach or attack. The next most common attack related to viruses, spyware and malware (33%). Following this, people impersonating the organisation in emails or online (27%) and ransomware (17%). This highlights the need for having good technical measures in place. Also, heightening the awareness and vigilance of all staff are important to a business’s cyber security. Helpfully, the survey also includes risk information for SMEs to download.
Action by automation producers
Manufacturers of control and automation equipment are aware of the issues facing their users. They acknowledge the need for open access, tempered with appropriate levels of security. They are designing and developing new products with end-to-end cyber-security measure built-in.
According to Mitsubishi Electric’s Chris Evans, most large control systems have many points with potential for unauthorised access. The systems need layers of integrated protection at all levels, starting with the network through hardware and software. For instance, future PLCs will include multiple embedded features such as hardware security keys and multi-layer password structures.
Each PLC will be capable of hardware security key authentication to prevent the opening or editing of programmes from PCs without a security key. Furthermore, the writing of programs that cannot be executed by PLCs unless thay have a registered security key. Thus, protecting the integrity of embedded technologies and intellectual property from compromise. Additionally, using an IP filter to register the IP addresses of devices approved to access each PLC. With these actions, unauthorised operation, access to hackers or implanting of malware becomes much more difficult.
Free online tool from EEF
In response to the threats and, to back its call, EEF has developed a free online tool. It helps enable manufacturers to benchmark their cyber security. They will also find useful information and links to further advice and bring themselves up-to-speed with cyber issues. Manufacturers will also be able to register to take part in focus groups that the industry body is organising in a bid to help tackle cyber concerns.
To take the test or to find out more, visit: www.eef.org.uk/fourthindustrial.