Security is of paramount importance to the success of a company’s digital transformation project and even to the survival of the company as a whole. The increasing frequency and destructiveness of cyber-attacks are already well known. Companies must contain the risk of unplanned downtime to avoid damage to their reputation as well as material losses.
To do so, they need to implement the means to detect potential attacks before they occur and prevent the kind of dramatic ransomware consequences we have seen over the last few years. Human error is another risk factor – insider crime of course, which we’ll look at in more detail later, but also unintentional errors that can occur as a result of the increasing complexity of technology.
Companies implementing a cybersecurity strategy will need to take two areas into consideration: the technological and human resources designed to prevent an attack, but also a risk containment strategy that details what must happen if an attack occurs. There’s no such thing as zero risk, so production needs to get back on track as quickly as possible.
Secure and reliable network
The foundation of an effective cyber-security strategy is a secure and reliable network infrastructure. This is often easier said than done. Manufacturing companies face a number of challenges – a lack of qualified staff, old systems and various different protocols that increase vulnerability, an inflexible infrastructure, and little collaboration between operational technology (OT) and information technology (IT) staff.
This latter point is a challenge due to differing philosophies – heterogeneous, task-specific systems with a physical outcome for OT, and homogeneous, widely-used systems with a digital outcome for IT. Wide system usage has made IT a target for years, while serious attacks on OT systems have only emerged comparatively recently, such as the Stuxnet attack in 2010. But they are catching up fast.
So how do cyber-criminals sneak into companies? One common way is by phishing and similar practices involving identity and password theft. This gives them access to IT and engineering systems. Other vectors include compromised USB drives that infect computers and VPNs.
Imagine what would happen if a criminal were able to access all devices down to the I/O and sensor level – they could change product recipes in a food company or even the formulation of a drug made by a pharma company with potentially dramatic consequences. It’s also important to take internal threat vectors into account – a disgruntled IT or engineering employee can do a lot of damage when they have wide-ranging access privileges.
This is why companies need threat detection capabilities that learn normal system behavior and, when any anomaly is spotted, trigger both an alert and a predefined set of response measures.
Industrial security must be implemented as a system
Cybersecurity solutions for industrial companies need to be implemented as a complete system and meet four main requirements:
- Defense in depth that safeguards every device using multiple levels of protection to reduce risk
- Openness to support heterogeneous assets from a variety of suppliers
- Flexibility to accommodate companies’ policies, processes and procedures
- Consistency with industry standards and regulatory directives, such as IEC 62443
The IEC 62443 standard is important because it emanated from the International Society of Automation’s ISA-99 initiative involving a range of actors, including Rockwell Automation. It is also aligned with ISO 27000. Rockwell Automation software has been certified as compliant with IEC 62443.
NIST Cybersecurity Framework
Rockwell Automation recommends the Cybersecurity Framework, developed by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), as a viable cybersecurity guideline and bases its own cybersecurity strategy on this standard. It comprises five areas: Identify (know what you have); Protect (secure what you have); Detect (spot threats quickly); Respond (act immediately); and Recover (restore operations).
Identify: this involves conducting a complete inventory of all IT and production network assets, including old or obsolete systems, and defining their level of criticality. It also includes a review of all documentation as well as passwords and how they are managed. Network and Cybersecurity Assessments, provided by Rockwell Automation Connected Services, are a recommended methodology for obtaining a clear picture of the current status and necessary improvements of cybersecurity related infrastructure and procedures.
The Protect stage involves implementing security zones around groups of assets, qualified patch management, and a site appliance that monitors all assets – both OT and IT. It learns what normal data traffic flowing to and from an asset looks like, making it easier to spot anomalies immediately. It also involves creating comprehensive backups of critical systems to help ensure rapid restorability if an incident does occur.
Detect: Hackers can make changes which might not be recognized immediately. They can change machine set points, recipes, procedures or any other parameters. If these modifications are only discovered after a longer period of time, this can cause huge damage with possibly serious impacts on people, machines and company reputation. With a threat detection service that includes automated deep packet inspection (DPI) of all IT and OT data streams and devices down to Level 0 (the sensor and I/O card level), these anomalies will be detected immediately and damage can be avoided.
Respond: the DPI function will trigger an alert as soon as it detects anomalies, such as logins from an unknown IP address or code changes in a controller. The customer and/or Rockwell Automation service center can then initiate the previously agreed incident response measures, such as turning off defined assets to limit the incident’s impact.
Recover: the backups from the Protect stage come into play to get systems back up and running as quickly as possible after an incident and limit the impact on production. In addition, asset management systems, like FactoryTalk AssetCentre, provide the latest valid versions of controller code and other devices’ programs. The goal is to get back to a normal state as soon as possible. This stage also implies a post-incident analysis of where the attack or anomaly occurred in order to close any loopholes and possibly identify the perpetrator.
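The Protect, Detect and Respond stages above describe a monitor that learns normal traffic to and from each asset, flags deviations such as a login from an unknown address or a code change on a controller, and triggers pre-agreed response measures. The following is an added illustration of that baseline-and-deviate logic in Python; it is not Rockwell Automation code, and the traffic records, asset names, operation labels and response playbook are all constructed for the example.

```python
from collections import defaultdict

# Constructed learning-window records: (source_ip, asset, operation).
# Illustrative samples only, not captured plant traffic.
LEARNING_WINDOW = [
    ("10.1.1.20", "PLC-Line1", "read_tag"),
    ("10.1.1.20", "PLC-Line1", "write_tag"),
    ("10.1.1.21", "PLC-Line1", "read_tag"),
    ("10.1.1.30", "Drive-Line1", "read_tag"),
]

# Constructed monitoring-window records containing two kinds of deviation.
MONITORING_WINDOW = [
    ("10.1.1.20", "PLC-Line1", "read_tag"),          # normal
    ("192.168.50.9", "PLC-Line1", "login"),          # unknown peer, unknown operation
    ("10.1.1.21", "PLC-Line1", "program_download"),  # known peer, new operation
    ("10.1.1.30", "Drive-Line1", "read_tag"),        # normal
]

# Hypothetical pre-agreed response per deviation type (placeholder playbook).
PLAYBOOK = {
    "unknown_peer": "notify SOC; block source at zone firewall",
    "unknown_operation": "notify SOC; verify against change record",
    "unknown_asset": "notify SOC; add to inventory or isolate",
}

def learn_baseline(records):
    """Per asset, record which peers talk to it and which operations they perform."""
    baseline = defaultdict(lambda: {"peers": set(), "ops": set()})
    for src, asset, op in records:
        baseline[asset]["peers"].add(src)
        baseline[asset]["ops"].add(op)
    return dict(baseline)

def detect_anomalies(baseline, records):
    """Return (asset, deviation_type, detail, response) for each departure from baseline."""
    alerts = []
    for src, asset, op in records:
        profile = baseline.get(asset)
        if profile is None:
            alerts.append((asset, "unknown_asset", src, PLAYBOOK["unknown_asset"]))
            continue
        if src not in profile["peers"]:
            alerts.append((asset, "unknown_peer", src, PLAYBOOK["unknown_peer"]))
        if op not in profile["ops"]:
            alerts.append((asset, "unknown_operation", op, PLAYBOOK["unknown_operation"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(learn_baseline(LEARNING_WINDOW), MONITORING_WINDOW):
        print(alert)
```

Traffic already seen in the learning window produces no alerts, so the quality of the baseline depends on the learning window covering the asset's full normal behavior.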