By Anne Klebsch
Manufacturing is a very competitive market to be in. It has undergone several evolutions in recent years, each with the aim of optimizing production processes and increasing agility to meet customer demands, while also reducing production costs.
Today, as part of their business strategy, most manufacturers seek to reduce the overhead in stock and costs associated with it, with production planning therefore adjusted to ensure timeliness.
This can be achieved by making factories smarter, via the use of Industrial Internet of Things (IIoT) devices. Such technologies are helping plants collect and analyze data to create insights that help the production line operate more efficiently. What were previously production “islands” operating independently based on weekly production schedules have become interconnected networks of systems that communicate for the business benefit.
The steady growth of Industry 4.0 is leading to more connected devices and sensors being deployed into manufacturing environments. However, this new openness of the factories is also introducing new risks. A commonly repeated phrase in the IT world is if a system is visible to the Internet it is only a matter of time until it will be targeted or affected by security incidents. The world of operational technology (OT) is taking too long to learn the lessons about security risks that colleagues in IT discovered the hard way. Rather than being seen as a fundamental part of modern OT infrastructure and essential to reaping the benefits of Industry 4.0, cybersecurity is still either regarded as a grudge purchase, or simply not considered at all.
Difficulties in Securing Manufacturing
This is not entirely surprising. Industrial environments are complex by nature and a large proportion of the unmitigated risks come from the fact that machines which were designed to be deployed in closed networks are now being connected to the cloud via IIoT devices. In many factories that are being retrofitted with real-time remote sensing and analytics, not enough attention is being paid to protecting systems which don’t include basic security features, and therefore may be exposed to attack.
Even when manufacturers are diligent, however, there’s an inherent difficulty in securing non-homogenous environments like the typical factory floor. Where different systems and devices are added over time, it’s easy to make mistakes in configuration that can leave back doors open to hackers. The challenge now is to improve standards within the manufacturing sector, and ensure best practices are widely spread and adhered to.
Just as an unpatched web server in the IT world is vulnerable to a low-cost automated attack, we are beginning to approach the same inflection point for OT. There have been few substantiated reports of major attacks to date when compared with breaches in corporate data, but that doesn’t mean they aren’t already happening. Indeed, the lack of major headlines compared to consumer and corporate data breaches almost certainly feeds the complacency around the issue. Yet, as we saw in IT, firms are likely ignorant their OT networks have been breached, since there’s a general lack of monitoring.
The risk is that security breaches in manufacturing environments don’t just give attackers access to data. Production stoppages could be financially devastating, and some attacks – including one on a German steel mill in 2014 in which attackers gained access to the control system for a blast furnace – have demonstrated that when control systems are infiltrated it’s possible to cause serious physical damage and put human lives at risk.
Protecting the production line requires a change in the way technology is deployed in manufacturing to reflect the reality of Industry 4.0 and the risk it generates. Administrators can no longer be complacent; the drive to deliver efficiencies and real-time analytics using cloud-based technologies means OT environments are no longer air gapped from the IT network.
Much of the business benefits from these insights comes from the ability to better judge stock levels and drive just-in-time manufacturing processes. Ironically, these can also make the effects of a cyber incident more damaging. With lower stock levels there is also less buffer for downtime and proper recovery from an attack.
Good security, designed to mitigate these risks, starts with the basics. That means simple things like ensuring good password policy for all users, administrators and the IIoT devices themselves, where standards of practice still fall short. It continues with full asset audits and ensuring that proper network segmentation is used to protect vulnerable parts of the infrastructure.
On a more in-depth level, it means re-evaluating the entire supply chain and ensuring business partners thoroughly understand the OT environment and its risks.
To achieve this effectively, manufacturers will need to have an agreed baseline of security measures that are required industry wide. They will require a common language to communicate cyber security expectations and countermeasures. While Industry 4.0 promises many efficiency and productivity benefits within the manufacturing sector, these are not worth the risk of a significant cybersecurity breach.
Anne Klebsch is a ICS Security Consultant at Applied Risk. As a certified Global Industrial Cyber Security Professional and Information Systems Auditor holding a MSc degree in Computer Security, she has over 9 years’ experience in IT and OT security from a range of major international companies in the FMCG, pharmaceutical, manufacturing and oil and gas industries.