One of the most important aspects of any manufacturing facility is security — whether protecting machinery or data. Tech Briefs posed questions to executives at companies providing network and facility security solutions to get their views on issues such as cybersecurity, the cloud, wireless devices, and securing a remote workforce.
Our participants are Mike Jabbour, General Manager, Digital Connectivity and Power at Siemens Digital Industries; Mike Lloyd, Chief Technology Officer at RedSeal; Radu Pavel, Chief Technology Officer and Chief Engineer at TechSolve; and Donovan Tindill, Senior Cybersecurity Strategist at Honeywell Connected Enterprise – Cybersecurity.
Tech Briefs: With more people working remotely due to the COVID-19 pandemic, what security procedures and systems should be in place for remote operation of equipment, diagnostics, and maintenance?
Mike Lloyd: In the rush to work from home, most security teams got hit by a tsunami of requests for improved laptop controls, new VPN requirements, new cloud services, and more; however, a frequently overlooked aspect is the business assets that didn’t move when the operators did. Suddenly, operators needed remote capabilities to drive and diagnose any physical equipment that didn’t move, and in security, remote always means risk. Any new control pathways between remote workers and physical company assets are an increase in a company’s attack surface. It’s wise for security teams to go back and audit how all the physical assets in the company can be reached. If you knew how that all worked before COVID, then you probably don’t know it now.
Radu Pavel: The COVID-19 situation is leading to an accelerated digitalization of the work environment. As business realities drive the need for real-time data from many functions, the potential benefits of new technologies fuel the desire to connect production and non-production devices on the factory floor. The manufacturers’ appetite for advanced technology is rapidly exceeding their ability to protect it, and this connectivity and data-rich environment raises significant concerns and challenges associated with cybersecurity. Manufacturers face additional challenges due to the need to protect not only the IT systems but also the operational technology (OT), which can span from sensors to PLCs, robot controllers, machine tools, and other operational equipment.
Mike Jabbour: The great part is that COVID has not changed the overall equipment or processes needed for remote communications — it has only driven the necessity to utilize the technologies that were already available. Not every company should do the exact same thing when it comes to remote applications and security, but the basics should always be incorporated. There are many other security appliances that should be considered, but at the most basic, a VPN connection, firewall, and jump server should be utilized.
Remote communication should always be properly authenticated, encrypted, and shut off when not in use. A proper firewall protects the internal traffic from an untrusted network. If there are multiple segments of a network, communication through the firewall should protect each of the internal segments from one another. When it comes to remote communications, encrypting traffic from the remote user to the trusted network is always considered best practice. This can be done with a VPN appliance. There should be no direct communication from an untrusted network to the secured network.
Donovan Tindill: For remote access into an industrial control system/operations technology (ICS/OT) system, the consequences and loss from a cyberattack are significantly higher than accessing information technology (IT). In order to reduce this business risk, added safeguards are needed including multifactor authentication from untrusted networks. Trust is relative — the business network is lower trust than the ICS/OT systems. A typical VPN allows a user to connect at will 24/7. Explicit access request approval is required for each session, each user, and each day when working remotely, due to the consequence potential of ICS/OT cyberattacks.
Tech Briefs: It seems like a double-edged sword: the cloud, wireless sensor networks, and other industrial systems have led to exciting new benefits for digital factories but at the same time, these smart manufacturing technologies massively increase the scope for attack. How can accessibility be balanced with security?
Lloyd: The Industrial Internet of Things (IIoT) brings great benefits but also great risks. Generally, all the “things” in the Internet of Things should be treated as fragile and not trustworthy. This comes as a shock to teams used to managing isolated SCADA infrastructure but times have changed. Given how fragile IoT systems are, the only reasonable approach is network segmentation — all possible access pathways have to be accounted for and industrial systems should be isolated to the greatest extent possible. Over time, access will get sloppy and mistakes will be made, so you need a way to continuously reverify that access is only as much as it should be, so that you can stop network drift.
Tindill: Accessibility can be balanced with security, but new norms are set at the same time. Airport security before 9/11 is very different than today, but the new normal is well established with new technologies and protocols that still allow timely security screening. With new technologies, there is solution training required, and if cybersecurity is parceled with it, then the user experience and accessibility are not an issue. The business benefits of these new technologies and digital factories have the potential to deliver results never seen before. The role of cybersecurity is to protect the investment in the cloud, wireless sensor networks, and other industrial systems so they can deliver their ROI while being more resilient to cyberattacks. Multifactor authentication, public key infrastructure, cryptography, and other security controls — when implemented correctly — are virtually seamless to the user and provide an added level of access controls not achievable with the prior legacy technologies.
Jabbour: Intentionally planned and segmented networks are the backbone of not only a plant communication system but also security best practices. A segmented ICS network can help protect sensor networks from each other when an attack occurs, meaning access into a single section of your plant would not take down the entire company in one fell swoop. This also must be coupled with knowing and understanding the vulnerabilities of your facility. Simply placing a device and walking away is the prime procedure for granting hackers an attack plane to your system. Managing all the devices on the network includes not only knowing and understanding what devices are there but regularly scheduled reviews of the vulnerabilities and their threat level (low/medium/high).
Pavel: The scale and speed of digitalization and growth of connectivity networks are leading to an increase in cybersecurity risks. It is not just the scale of exposure but the vulnerability of the cyber-physical systems being connected. These new systems were not inherently designed with cybersecurity in mind. Exacerbating the problem is the potential for negative performance impacts resulting from the integration of common cybersecurity technologies into existing systems. Balancing accessibility with security is a multi-faceted strategy that relies on standard communication protocols, encryption of data being transferred over networks, leveraging the most up-to-date cybersecurity standards, and implementation of technologies that allow identifying and mitigating cybersecurity threats in real time.
Jabbour: Because cybersecurity is most easily overlooked. Most IIoT installations are trying to satisfy a business need and cybersecurity is something that is usually not a standard conversation topic in business needs until an attack happens.
Lloyd: Cynically, because security is always the last element of all deployments. The push for IoT is all about features and cost. This means devices are produced quickly, at minimum price, and you get the security you pay for. Devices are often not patchable and cannot support the traditional agents and scanners in our security toolsets. So, IoT security is a very hard problem — effectively, injecting innumerable fragile new devices into a network that was already unruly and disorganized. The transition to IoT will only go well for those who are disciplined and plan in advance to contain the blast radius of problems when — not if — they occur.
Tindill: There are several reasons why cybersecurity is considered only at the end of deployment. Procurement and sourcing processes exclude cybersecurity requirements because price remains the primary factor. Most engineering processes exclude cybersecurity — this means that specification, design, configuration, testing, and commissioning often occur without any cybersecurity tasks or deliverables. IT and cybersecurity teams are excluded until it is time to connect to the network or Internet — this is when these teams may find out for the first time the project even exists. Cybersecurity should have sufficient weight in the decision criteria; after it is included in the purchasing processes, it is then carried through the entire design, configuration, hardening, and cyber acceptance testing, all before launch.
Pavel: From early days when the biggest risk was a computer virus, to today when operational technology malware can destroy equipment and lead to loss of life, the computer world has seen an exponential increase in cybersecurity attacks. IoT-based technologies provide their own set of unique security challenges associated with data integrity, data leakage, privacy, and the potential for unauthorized access.
So, why is security often the last element of IoT deployment? Some of these systems were not designed with cybersecurity in mind but rather with the sole goal to provide a certain function. End users did not consider cybersecurity as one of their main selection criteria but rather the ability of a system to perform a task, its efficiency, and cost. Only in recent years has the cybersecurity problem become more emphasized by users, government, and standardization groups.
Lloyd: The top three priorities for industrial networks are segmentation, segmentation, and segmentation. The old air gaps have evaporated and the Internet is increasingly mixed in to physical plant operations, whether we like it or not. This profusion of interfaces means the total attack surface has exploded and sooner or later, something is sure to get in. The overriding priority is to plan ahead to limit the spread of bad events, using segmentation, and for the most critical systems, to plan ahead to close “blast doors” similar to the bulkhead doors in submarines.
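Lloyd’s two answers above (treat every device as fragile, segment, and continuously reverify that access has not drifted) describe a check that can be automated. The example below is added here and is not code from RedSeal, Siemens, Honeywell, or TechSolve. It models a plant as zones joined by firewall permits, asks whether any path from the untrusted zone reaches an OT zone without crossing the jump server that Jabbour’s answer makes mandatory, and diffs the current permits against an approved baseline. The zone names, ports, permits, and the “temporary” vendor rule that causes the drift are all constructed for illustration.

```python
"""Segmentation reachability check (added example, not code from any of the
companies quoted in this article). Zone names, permit rules and the approved
baseline are all constructed for illustration.

Answers two questions raised above:
  1. can the untrusted zone reach an OT zone without passing the jump server?
  2. which permits have appeared or vanished since the approved baseline?
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]          # (src_zone, dst_zone, dst_port)

# Approved permits for a small plant: remote users terminate on the VPN
# gateway, hop through the jump server, and only the jump server talks to OT.
BASELINE_RULES: List[Rule] = [
    ("internet",  "vpn-gw",    443),
    ("vpn-gw",    "jump",      3389),   # RDP to the jump server
    ("jump",      "ot-plc",    502),    # Modbus/TCP to the PLC segment
    ("jump",      "ot-hmi",    3389),
    ("it-office", "historian", 1433),
]

# The same ruleset after someone added a "temporary" direct permit for a
# vendor session and never removed it: this is the drift to catch.
CURRENT_RULES: List[Rule] = BASELINE_RULES + [("vpn-gw", "ot-plc", 502)]

OT_ZONES = ["ot-plc", "ot-hmi"]


def adjacency(rules: List[Rule]) -> Dict[str, List[Tuple[str, int]]]:
    """Directed graph: zone -> [(next_zone, port)] for every permit."""
    adj: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for src, dst, port in rules:
        adj[src].append((dst, port))
    return adj


def all_paths(rules: List[Rule], src: str, dst: str) -> List[List[str]]:
    """Every simple zone path from src to dst. Plant zone graphs are tiny,
    so exhaustive DFS is fine; on a large enterprise graph you would switch
    to per-hop reachability sets instead."""
    adj = adjacency(rules)
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == dst:
            found.append(path)
            return
        for nxt, _port in adj.get(node, []):
            if nxt not in path:            # no cycles
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def chokepoint_bypasses(rules: List[Rule], untrusted: str,
                        ot_zones: List[str], chokepoint: str) -> List[List[str]]:
    """Paths from the untrusted zone into OT that skip the mandatory hop.
    An empty list means every OT-bound path crosses the chokepoint."""
    return [p for ot in ot_zones
            for p in all_paths(rules, untrusted, ot)
            if chokepoint not in p]


def rule_drift(baseline: List[Rule], current: List[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """(added, removed) permits relative to the approved baseline."""
    return set(current) - set(baseline), set(baseline) - set(current)


if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE_RULES), ("current", CURRENT_RULES)):
        bypass = chokepoint_bypasses(rules, "internet", OT_ZONES, "jump")
        print(f"{label}: {len(bypass)} path(s) bypass the jump server", bypass)
    added, removed = rule_drift(BASELINE_RULES, CURRENT_RULES)
    print("drift: added", sorted(added), "removed", sorted(removed))
```

Run against the baseline, the check reports no bypass; against the current ruleset it reports the path internet → vpn-gw → ot-plc and the single added permit that created it. In practice the permit list would be exported from the firewalls and the baseline kept under change control, so that the check can run on every rule change rather than at the next audit.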
Pavel: Cyberattacks have the potential to affect confidentiality, integrity, and availability in a manufacturing setting. They can lead to loss of product and process IP; production losses due to destroying, modifying, and reprogramming parts and processes; damage to reputation; and even injury and loss of life. The importance of data integrity for manufacturing can be seen in relation to part production — altering product and process specifications could be detrimental to product quality and reliability.
Data and cyber-physical system availability is also critical to manufacturing productivity. Legacy hardware and software are commonly used in manufacturing processes and some of these systems were not designed with cybersecurity or the IoT in mind. Therefore, there is an inherent risk when connecting such legacy devices to IoT or integrating them into the factory network.
Jabbour: Absolutely not. Firewalls are but a single appliance of a total system and while they should be used, other design considerations must be taken into account.
Tindill: In the mid-1990s, firewalls and antivirus were the standards because they provided sufficient safeguards to defend against the cybersecurity threats of the time. Virtually 100% of organizations today have firewalls, and cyberattacks can bypass firewalls with other tactics, techniques, and procedures (TTPs). Cyber threats are rapidly evolving and multiple cybersecurity controls are required. Firewalls fulfill primarily a protective control, good at detecting known bad behavior at the network perimeter. Today’s attacks include credential theft and using them to penetrate networks without detection, because brute force or malicious connections are not required. We’ve all heard stories about how a threat actor was inside a system for six to nine months before the attack; this is an example of how weak detection and response capabilities manifest.
Pavel: Relying on a firewall only is not a good practice anymore — it probably never was. The three most critical parts to a corporate security program are people, processes, and technology. Small and medium-sized organizations present a special challenge for cybersecurity in manufacturing environments and the supply chain. Many lack the technical staff to provide robust cybersecurity, and because they are often unaware of the threat complexity, they are unable to create a business case for investing in OT cybersecurity. In order to help address these pitfalls and accelerate the adoption of proper cybersecurity measures, the government has invested in development of regulations, standards, and certification programs applicable for entire industries.
Lloyd: Firewalls are like door locks on your building — a good start, a basic level of security hygiene, but hardly a comprehensive antidote to risk. Firewalls are complicated and are almost always misconfigured in some way. I’ve assessed many thousands of real-world firewalls and it’s unusual to find fewer than ten errors per device. (Extremely complex firewalls can contain thousands of errors in a single device.) The hardest aspect of firewalls is understanding whether they have covered everything — after all, you can’t identify a pathway around the firewall just by reading the firewall. You need to have a comprehensive view of access across your entire factory network and you need to be able to keep up with access as your network changes and grows.
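The per-device errors Lloyd refers to are the kind a ruleset audit can surface mechanically. The example below is added here and is not RedSeal’s product or code. It walks an ordered, first-match ruleset and reports three common findings: a rule shadowed by an earlier rule with the opposite action (so the intended deny never fires), a rule made redundant by an earlier rule with the same action, and a blanket any-to-any permit. Rule names, addresses and ports are constructed; IPv4 and first-match semantics are assumed, and real rules would be parsed out of the vendor’s export rather than typed in as below.

```python
"""Firewall ruleset audit (added example, not RedSeal's product or code).
Finds three classes of error in a first-match ruleset: rules shadowed by an
earlier rule with the opposite action, rules made redundant by an earlier rule
with the same action, and blanket any-to-any permits. Rule names, addresses
and ports are constructed; IPv4 only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class FwRule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # IPv4 CIDR
    dst: str                 # IPv4 CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range


# Constructed sample: a plant edge firewall in first-match order.
SAMPLE_RULES = [
    FwRule("permit-jump-modbus",     "permit", "10.10.0.5/32",   "10.20.0.0/16", "tcp", (502, 502)),
    FwRule("permit-vendor-ot",       "permit", "203.0.113.0/24", "10.20.0.0/16", "any", ANY_PORTS),
    FwRule("deny-vendor-ot",         "deny",   "203.0.113.0/24", "10.20.0.0/16", "any", ANY_PORTS),
    FwRule("permit-jump-modbus-dup", "permit", "10.10.0.5/32",   "10.20.0.0/16", "tcp", (502, 502)),
    FwRule("permit-all",             "permit", "0.0.0.0/0",      "0.0.0.0/0",    "any", ANY_PORTS),
]


def covers(outer: FwRule, inner: FwRule) -> bool:
    """True when every packet inner would match is already matched by outer."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def is_any_any_permit(rule: FwRule) -> bool:
    """A permit that matches every source, destination, protocol and port."""
    return (rule.action == "permit"
            and ipaddress.ip_network(rule.src).prefixlen == 0
            and ipaddress.ip_network(rule.dst).prefixlen == 0
            and rule.proto == "any" and rule.ports == ANY_PORTS)


def audit(rules: List[FwRule]) -> List[Tuple[str, str, str]]:
    """Return (rule, finding, related_rule) tuples in ruleset order."""
    findings: List[Tuple[str, str, str]] = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # Same action: dead weight. Opposite action: the later rule
                # can never fire, which is the dangerous case for a deny.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break                     # the first covering rule is enough
        if is_any_any_permit(rule):
            findings.append((rule.name, "any-any-permit", ""))
    return findings


if __name__ == "__main__":
    for name, kind, related in audit(SAMPLE_RULES):
        print(f"{name}: {kind}" + (f" (by {related})" if related else ""))
```

On the sample ruleset the audit reports deny-vendor-ot as shadowed by permit-vendor-ot, permit-jump-modbus-dup as redundant with permit-jump-modbus, and permit-all as an any-to-any permit. Shadowing is the finding worth acting on first: the vendor deny looks correct in isolation but never matches a packet. Partial overlaps (an earlier rule covering only some of a later rule’s traffic) are not flagged here and need a proper header-space comparison, and, as Lloyd notes, none of this reveals a path that goes around the firewall entirely; that requires the whole-network view.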