Imagine you’re getting ready to head to work on Monday morning when you get the call from a frantic manager because no one can get logged into their computer. The only thing they see on their screen is a demand for bit coin in exchange for unlocking access.
You’ve been hit by a ransomware attack. The culprit?
A server that was connected to an online music-streaming resource was unprotected. And once in, the hackers were able to get into every single device connected internally and control it. Just like that; production stops. The reality of this is that each device on your network poses a potential threat to the entire network. For more examples that will keep you up at night; click here.
With the rapidly increasing prevalence of networked and connected Industrial Internet of Things (IIoT) in all types of manufacturing equipment, you may actually have more connected devices on your shop floor than you have computers! It isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation for as long as 30 years, that is increasing your risk. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.
Organizational leadership often tends to think of manufacturing cybersecurity as largely a technology issue when often the much bigger problem is a lack of skilled resources, and lack of understanding of recommended best practices for device deployment. Recently, vendors and operators of critical infrastructure have increasingly deployed recommended technology controls for protecting their systems, but they do not have the resources to enforce the controls effectively.
Often, the individuals who manage cybersecurity are the same automaton engineers and production engineers who worked with the vendor to deploy the systems in the first place. They don't have the time and, rightly, are typically more focused on keeping systems running than taking them down to address security issues. A lot of production managers are operating under a false sense of security by thinking they have addressed their security issues by implementing a few technology controls or by relying on IT to keep the perimeter secure.
In order to secure manufacturing environments beyond the front office, there are four primary facets to address:
- Complete Knowledge of the Environment
- Control System Cybersecurity Policies and Procedures
- Segment and Isolate Vulnerable Systems
- Monitor Network Traffic Effectively
1. Knowing the Environment
In order to protect IIoT and ICS devices, you first need to figure out what you have installed in operations and which systems they are connected to. Discovering and creating a detailed inventory of connected devices is the first step in the journey to secure your operations.
Documentation should include, but not be limited to the following:
- Location
- Function
- Make
- Model
- Serial
- Software/firmware version
- Vendor support lifecycle
- Device age
- Change history
- The individual responsible for the system
Click here to download our FREE Connected Device Security Assessment Spreadsheet. It's an easy-to-use spreadsheet that helps you list and assess all possible threats.
The documentation needs to break down services by function. For example, control systems protocols versus engineering protocols versus file transfer and HMI configuration protocols.
When a control component experiences a fault, documentation needs to be able to explain the expected behavior of the controller’s outputs. Document which proprietary network protocols are implemented in the system, and what has been done to harden their respective services.
Without this information, you cannot truly understand the risks being accepted and the mitigation measures that are needed to isolate vulnerabilities should they impact your systems. This will allow you to understand where you have technology controls in place already, and where technology can be used to further protect these systems.
2. Policies and Planning
One of the biggest mistakes organizations make is to equate IT security with control system security. Although related and codependent, the two are fundamentally different.
IT security is primarily focused on detecting and addressing vulnerabilities in the network regardless of actual impact on process systems. For manufacturing operators, it is the integrity and availability of systems that is most important. The focus for them is not so much about the sophistication of a cyber threat but whether it can cause disruption to operations.
Determine whether you have actual control system cybersecurity policies and procedures in place. Not IT policies, not business continuity, not physical security but a focused set of policies specifically for this need.
To be truly secure, you need to be able to trust the output from the process sensors connected to your controllers, actuators, and human-machine interface (HMI) systems. IT seldom looks at the network through this lens and it creates a blind spot in policies they create.
Implement a set of controls cybersecurity policies that require approval to connect devices to the network, determine required security controls for these devices, mandate patching and vulnerability detection and remediation, design segmentation, and change control.
3. Segmenting Systems
Often PLCs (programmable logic controllers), IIoT sensors, and industrial gateways do not have a secure interface, necessitating the use of a digital certificate or private key hidden in silicon as a basis of trust. As a result, basic cyber protections like secure boot, authentication, encryption, and trust chaining are not implemented on these devices which can impact personnel safety, and the uptime of the environment.
The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT and ICS assets means taking them offline — something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large range of exploits available to attempt to gain access to your environment.
Since these devices cannot or will not be patched, they should be isolated from the rest of the operational environment. Limiting communications from devices in a vulnerable environment to only other devices in that environment and to only necessary systems outside of it will mitigate the attack risk and reduce the risk exposure. Further limiting access at the data level, employing read-only access except where write is needed, for example, can extend this measure. It’s worth understanding that many IIoT devices leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having that complete inventory of assets on the network is critical. IT will allow for dataflow mapping to know which assets are talking to each other and how they interact as a whole.
Start segmenting your systems and click here to download our FREE Connected Device Security Assessment Spreadsheet that allows you to easily compile a complete list of your connected devices.
4. Monitor for Anomalies
Network monitoring is often the most effective step you can take to defeat an attack. However, it’s important to passively monitor the traffic when it comes to IIoT devices. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing them to fail.
In contrast, passive scanning listens to the traffic, logging and fingerprinting what it sees, rather than introducing additional traffic into the manufacturing network environment. Being able to detect IIoT traffic anomalies is also key to the security of a manufacturing network. Monitoring for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned/unapproved firmware updates, unexpected configuration changes, or other anomalies can alert you to an attack before it’s fully executed.
While there is no simple answer as to how to secure your production IT, there are some foundational steps you can take to start securing your operations.
- Create an IIoT and ICS inventory. Run an electronic discovery of your network and then perform a manual survey of devices in operation at your sites. Use our FREE template
- Identify and document the business owners and function of each device and detail the related systems that should be communicating with each device.
- Talk withIT about network isolation/segmentation. Do you have the correct equipment in place to enable these strategies?
- Review existing policies and procedures to see if they address manufacturing device security
- Talk with your IT about network traffic inspection, IPS, IDS, threat detection and response
- Review the environment and your policies/plans regularly.
Start Protecting Your Connected Shop Floor Today
Don't wait until a cyber security attack happens to you. Taking these four simple steps and downloading our Free Connected Device Security Assessment can help you protect your shop floor. To learn more, visit our Manufacturing IT page.
For an easy-to-use spreadsheet that helps you list and assess all possible security threats in your business, click here to download our free Connected Device Security Assessment Spreadsheet.