In view of ever-increasing cyber-attacks of all types, securing industrial control systems is every bit as important as securing other types of corporate data networks. Automation and control environments were not, until recently, considered at high risk. But there is now evidence to support a growing and viable threat. These operational technology (OT) systems face unique cybersecurity challenges, especially now that it is the norm to connect everything to a company’s IT system.
Preventing such attacks requires directed efforts to create obstacles in the path to likely targets and to deliver insight and early warning of intended compromise. Both internal and external sources pose risk. Some attacks are indiscriminate; others have a specific, intended target. Today’s IT and operational staff must cooperate to protect automation and control environments from cybersecurity threats by becoming familiar with the implementation of cybersecurity strategies and/or partnering with an experienced cybersecurity company.
Elements of a basic cybersecurity plan for industrial automation and control environments
At its most basic level, a cybersecurity plan for industrial automation and control environments should include the following action steps:
- Determine the most likely goal a cybercriminal might have for attacking your OT system.
- Pinpoint which area(s) of operation are most vulnerable to a breach designed to accomplish the potential goal you identified.
- Assess the system of operation for its most prominent vulnerabilities.
- Reduce or eliminate those weaknesses.
Examples of cybersecurity strategies
1. Network Separation
The industrial and automation control systems should be detached from other networks. Demilitarized zones can protect a system from network requests and messages originating from outside sources.
2. Perimeter Protection
Establishing barriers like firewalls, authentication requirements, antivirus software, and a VPN, and incorporating whatever devices it takes to reinforce perimeter protection, are the best basic countermeasures to consider within a defense-in-depth strategy.
3. Network Segmentation
This strategy uses VLANs and switches to divide networks into segments and then restrict traffic between the segments. If a malware attack is suspected, this keeps the damage from spreading to the entire network.
4. Device Hardening
Password assignments, defined user profiles, and frequent updates as users join and leave the company strengthen device security. Conversely, sharing passwords or, even worse, failing to require them for access to a device, and forgetting to deactivate the accounts of employees who no longer work for the company, are obvious security risks.
5. Monitoring & Updating
Keep watch over operator and network communications and activity, keep firmware and software up to date, and use code signing for updates when possible.
Examples of automation and control security risks and implications for specific industries:
Food and beverage
Companies that make and package foods have no choice but to shut down if security is breached in any way. Improper mixing of ingredients is at minimum annoying to consumers and, in its worst form, fatal. Death (and, must we mention, irreparable damage to the manufacturer’s reputation) could result from something as simple as the addition of an allergy-triggering substance mixed into the wrong product. Separating the OT system from IT, at least during production, shows sound judgment.
While the use of automated control for drug mixing, especially for combination drugs, increases the efficiency of the process, the lack of proper security protocols leaves pharmaceutical companies open to serious risk of costly cyber-attack. Networks that were once siloed are now connected to IT. The life-critical OT operations of pharmaceutical manufacturing make theirs one of the most risk-vulnerable systems. Protecting these systems from internal and external attacks and errors requires a multi-level strategy.
Giant packaging industry player WestRock recently reported a ransomware attack. WestRock says the incident is being managed, but its impact may well damage the company financially. Details of the incident were not shared, but it was reported the attack affected both IT and OT systems, a reminder that linking the two is not advisable without proper protocols. Seven or more ransomware families are known to attack industrial software, so the risk is definitely real.
Cosmetics and personal care products
In 2020, Avon, a subsidiary of Natura and Company, suffered a cyberattack which halted some of its systems.
The incident apparently affected operations, though details were not shared. Cosmetics is another manufacturing industry which could be quite adversely affected if an automated production line was ordered to compose an incorrect mix of ingredients, rendering the end product ineffective or hazardous, resulting in lost profits, or worse.
On February 5, 2021, a hacker attacked an Oldsmar, Florida water treatment facility, briefly adjusting the levels of sodium hydroxide from 100 parts per million to 11,100 parts per million, before an alert employee spotted the error.
The method of attack was the abuse of remote access credentials that were shared between employees. It seems this attack could have been prevented with the addition of more securely configured remote engineering access. Employees were apparently allowed remote access to their ICS systems with a software package which was not securely configured. Also, it seems reasonable to question why the HMI application allowed such an unsafe value for sodium hydroxide.
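The question about the HMI accepting an unsafe value can be made concrete with a setpoint guard. The following is an added example, not code from the Oldsmar system or from the original article: it rejects writes that are outside an engineering range or that jump too far in one step, and logs every attempt. The limits, user names and write sequence are hypothetical.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class SetpointLimits:
    low: float        # lowest value the process may be commanded to
    high: float       # highest value the process may be commanded to
    max_step: float   # largest change accepted in a single write

# Hypothetical limits for a sodium hydroxide dosing setpoint, in ppm (assumption).
# Real limits come from the plant's process engineers, not from this example.
NAOH_PPM = SetpointLimits(low=0.0, high=200.0, max_step=25.0)

def check_setpoint(current, requested, limits):
    """Return (accepted, reason) for one requested setpoint write."""
    if not math.isfinite(requested):
        return False, "not a finite number"
    if not limits.low <= requested <= limits.high:
        return False, f"outside safe range {limits.low}-{limits.high}"
    if abs(requested - current) > limits.max_step:
        return False, f"step larger than {limits.max_step} per write"
    return True, "ok"

def apply_writes(current, writes, limits):
    """Apply writes in order; rejected writes leave the setpoint unchanged."""
    log = []
    for user, requested in writes:
        ok, reason = check_setpoint(current, requested, limits)
        log.append({"user": user, "requested": requested,
                    "accepted": ok, "reason": reason})
        if ok:
            current = requested
    return current, log

# Constructed write sequence: (user, requested ppm), starting from 100 ppm.
SAMPLE_WRITES = [
    ("operator1", 110.0),         # small in-range adjustment
    ("remote-session", 11100.0),  # the value reported in the incident
    ("remote-session", 190.0),    # in range, but an 80 ppm jump in one write
]

if __name__ == "__main__":
    final, log = apply_writes(100.0, SAMPLE_WRITES, NAOH_PPM)
    for entry in log:
        print(entry)
    print("final setpoint:", final)
```

Enforcing the same limits in the controller as well as in the HMI keeps them in force when a write does not come through the HMI.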
Utilities may be alarmingly vulnerable to cyberattacks affecting their operational structure. Many experts agree that the increasing tendency to link IT and OT at power generation locations is extremely risky unless implemented with proper protocols. Cybersecurity strategies to place barriers between IT and OT, like those listed above, are even more important for critical industries like power generation which affect the well-being of so many.
Partnering with the right solution provider is considered the best way to secure operational technology data against cyberattacks. Contact us for more information about how our services can help protect automation and control environments for every major business sector.