By Scot Wlodarczak
The appeal of Industry 4.0 is undeniable. Manufacturers are gaining a competitive advantage by squeezing out new levels of equipment availability, productivity, and quality, all while lowering costs and improving revenue.
Factory data is the “gold” that needs to be mined and refined (analyzed) to realize next-generation manufacturing.
However, connecting enterprise systems to machine data on the plant floor can open up security risks. With any Industry 4.0 or Industrial IoT project, the attack surface is going to expand: every new link between the enterprise network and the factory is a path an attacker can use in the other direction. The entire organization’s Industrial IoT effort may come to a grinding halt if an attacker wreaks havoc in the facility, so plan ahead.
Recently, Cisco published the 2017 Midyear Cybersecurity Report, which reflects not only these areas of concern for manufacturers, but also the changing security landscape for many industries. The benchmark study behind the report was fielded from July through September 2016 and included 2,912 respondents from 13 countries across multiple industries.
Some important cybersecurity findings for manufacturing:
• 28 percent of manufacturing organizations reported a loss of revenue due to attacks in the past year—the average lost revenue was 14 percent.
• 46 percent of manufacturing organizations use six or more security vendors, with 20 percent using more than 10. 63 percent use six or more security products, with 30 percent using more than 10 products.
• Nearly 60 percent of manufacturing organizations report having fewer than 30 employees dedicated to security, while 25 percent consider a lack of trained personnel as a major obstacle in adopting advanced security processes and technology.
The cybersecurity report covers technology trends, impact to businesses, adversary tactics, vulnerabilities, opportunities to better defend against risk, and how to communicate with management.
To keep your facility safe in the threat environment we live in, there is no single product you can buy that provides complete assurance. Nevertheless, there are some basic steps that absolutely must be followed to mitigate risk.
Here are seven steps to defend your factory:
1. Remove and replace unmanaged switches with managed switches, and implement basic security measures. Open, unused ports on unmanaged switches are a security risk: anyone with physical access can plug in. On a managed switch you can shut down unused ports and restrict active ones to known devices. In addition, unmanaged switches offer no resiliency and result in higher downtime. Unmanaged switches cannot prioritize or segment traffic, and they have limited or no tools for monitoring network activity or performance, limiting your ability to troubleshoot if and when you have a security incident or other problem.
2. Create and enforce security policies. This is basic, but I’m often surprised at the lack of detail around this in many facilities. Who is allowed to do what? What can contractors access? What “outside world” connections are allowed? etc. Get a basic framework documented and employees trained on it, now.
3. Lock down your factory with defense-in-depth security. A defense-in-depth approach is the universally accepted way to secure a factory: an industrial DMZ sits between the enterprise network and the plant network so that no connection passes directly from one to the other, and the plant network below the DMZ is itself divided into layers (site operations, then individual cells or areas), each with its own controls.
4. Strengthen your first line of defense with physical security. Control plant area access, lock control cabinets, use the key switch on PLCs so they cannot be reprogrammed without the key, install security cameras in appropriate locations, and control equipment firmware and code versions.
5. Control network access with device profiling. Get a solution that delivers full visibility into the users, devices, and applications accessing your network. Protect your organization with dynamic control to make sure only the right people with trusted devices get the right level of access to network services. Even if a rogue user gets onto the network, make sure they can’t get far.
6. Use industry best practices, such as the ISA/IEC 62443 standard, to divide the factory into zones and to define the conduits (the permitted communication paths) between them, segmenting and isolating your sub-systems. Traffic should cross a zone boundary only through a defined conduit, and only where it genuinely must go. Implement strong firewall and intrusion prevention at those boundaries, along with email and web security.
7. Inventory every way remote access to the plant is enabled (vendor modems, cellular gateways, VPNs, remote desktop), eliminate the paths you don’t need, and route the rest through a single controlled point such as the DMZ. Ensure every remaining method of remote access is secured and monitored.
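Steps 3, 6 and 7 all come down to one idea: a written zone-and-conduit model in which the only permitted cross-zone flows are the ones you have explicitly listed, and enterprise traffic terminates in the DMZ rather than reaching PLCs directly. The following script is an added example (not from the original article, not Cisco code) of what such a model looks like when it is made checkable. The zone names, subnets, conduits and the sample flow records are all constructed for illustration; in practice the flow records would come from NetFlow or a firewall log, and the conduit list from your own design documents.

```python
"""Zone/conduit policy check in the ISA/IEC 62443 style.

Added example, not part of the original article. Every zone, subnet,
conduit and flow record below is hypothetical and constructed for
illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical zone layout: each zone maps to one or more subnets.
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "idmz":       [ipaddress.ip_network("10.1.0.0/24")],  # industrial DMZ
    "site_ops":   [ipaddress.ip_network("10.2.0.0/24")],  # historian, engineering
    "cell_a":     [ipaddress.ip_network("10.3.1.0/24")],  # PLCs/HMIs, line A
    "cell_b":     [ipaddress.ip_network("10.3.2.0/24")],  # PLCs/HMIs, line B
}


@dataclass(frozen=True)
class Conduit:
    """One permitted cross-zone flow: source zone, destination zone, proto, port."""
    src: str
    dst: str
    proto: str
    port: int


# Only explicitly listed conduits are allowed; everything else is denied.
# Deliberately, there is NO conduit from "enterprise" to "site_ops" or to
# any cell: every enterprise connection terminates in the IDMZ (step 3),
# and remote access comes in only via the IDMZ jump host (step 7).
CONDUITS = {
    Conduit("enterprise", "idmz", "tcp", 443),   # reporting from DMZ historian mirror
    Conduit("enterprise", "idmz", "tcp", 3389),  # remote-access jump host in the DMZ
    Conduit("idmz", "site_ops", "tcp", 5432),    # DMZ mirror pulls from site historian
    Conduit("idmz", "site_ops", "tcp", 22),      # jump host -> engineering workstation
    Conduit("site_ops", "cell_a", "tcp", 502),   # historian polls line A PLCs (Modbus/TCP)
    Conduit("site_ops", "cell_b", "tcp", 502),   # historian polls line B PLCs (Modbus/TCP)
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def check_flow(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Classify one flow against the zone/conduit model.

    Returns "allowed", "intra-zone", "violation" or "unknown-zone".
    Intra-zone traffic is left to the zone's own controls (switch ACLs,
    port security) and is not judged here.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "unknown-zone"
    if src == dst:
        return "intra-zone"
    if Conduit(src, dst, proto.lower(), port) in CONDUITS:
        return "allowed"
    return "violation"


def audit_flows(csv_text: str) -> List[Tuple[str, str]]:
    """Return (flow_line, verdict) for every flow that is not an allowed conduit
    and not purely intra-zone, i.e. everything a firewall at the zone boundary
    should have blocked."""
    findings = []
    for line in csv_text.strip().splitlines():
        src, dst, proto, port = line.split(",")
        verdict = check_flow(src, dst, proto, int(port))
        if verdict in ("violation", "unknown-zone"):
            findings.append((line, verdict))
    return findings


# Constructed flow records: src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
10.0.5.23,10.1.0.10,tcp,443
10.0.5.23,10.3.1.15,tcp,502
10.2.0.7,10.3.1.15,tcp,502
10.1.0.20,10.2.0.7,tcp,22
10.0.9.4,10.3.2.8,tcp,44818
10.3.1.15,10.3.1.16,tcp,502
203.0.113.9,10.3.1.15,tcp,502
"""

if __name__ == "__main__":
    for flow, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:13s} {flow}")
```

Run as-is, the audit flags three of the seven sample flows: two enterprise hosts talking straight to PLCs (Modbus/TCP on 502 and EtherNet/IP on 44818, both bypassing the DMZ and the historian) and one connection from an address outside every defined zone, which is exactly the kind of unaccounted-for remote path step 7 is about. The design choice worth noting is the default: the conduit set is an allow-list, so a flow you forgot to document shows up as a violation rather than silently passing.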
With hundreds of security vendors on the market today, it’s also important to consider compatibility between all these systems. Choose a vendor who has compatibility tested their products together to ensure reliable performance in multiple environments.
You may not be able to take one giant leap to a fully secure factory environment, but you can take a series of smaller steps to get to a point of manageable risk.
Scot Wlodarczak joined Cisco in early 2016, focused in the manufacturing, oil & gas, and utilities space. He holds a Mechanical Engineering degree from SUNY–Buffalo, and an MBA from Colorado University. He has experience in automation and process across a wide range of industries, as well as a predictive maintenance background with a Vibration Level II analysis certification.