How to build a strong Industrial Cybersecurity routine
General Douglas MacArthur once said, “There is no security on this earth; there is only opportunity.” These thoughts from a military man living in an analog world apply directly to today’s quest for smarter manufacturing in a safer environment. This is especially true in the globalized, regionalized, just-in-time business operations of today and tomorrow. Federal and state compliance complicates things of course, but, there too, innovations and solutions can be coaxed from delivery and service networks as well as the application and implementation of smart data mining. And the inevitable adaption of “the internet of things” can work to your advantage and need not be feared.
The implementation of smart manufacturing has increased the need for risk management and the realization that there is a need to make security a driver of growth. The pace of IoT growth can cause manufacturing companies to implement smart technologies on a fractured infrastructure in trying to meet the demand. Also, many companies will need to consider restructuring departments within their company to meet these technological needs. The technology reporting structure is very important to the health of a company. No organization in the company other than the technology-based departments can alter the way the company operates. It is as critical for the technology departments to be involved in the company’s most strategic conversations as it is for finance, sales, engineering and plant operations. The technology leader of a company needs to be savvy on both sides of the plant: Plant Operations (PLCs, HMI, AutoCAD and industrial switches, to name a few) and the Administrative Systems (ERP system, payroll, human resources, etc.).
With the high risk of cyber attacks, plant systems cannot be forgotten. It is not uncommon for the plant to apply software patches to the Administrative Systems but neglect to patch the plant’s PLCs or to perform code review on PLC ladder logic. It is not uncommon to find non-industrial switches in the plant supporting the most critical systems. Industrial switches are quite different than the standard backend office switch, and they have benefits over it. Many industrial switches are designed with no moving parts, meaning no single point of failure. Plant safety directors would rather have an industrial switch because industrial switches can use 24 VDC power rather than the 100-240 VAC that powers office switches. Industrial switches can operate safely where gases are located. A major cost of implementing switches in the plant is that backend office switches usually require NEMA boxes, which may need to be pressurized. Remember, plants are usually dirty and dusty and have moisture. Industrial switches are small and can be placed almost anywhere without additional costs. Industrial switches work in a variety of temperature ranges. Safety-Safety-Safety is our most important goal.
In order to prevent, defend and protect those systems from worms and zero-day attacks that exploit both known and unknown vulnerabilities, it is important to deploy a Primary Response solution on critical plant computing resources such as IoT devices, servers, HMIs, PLCs and switches. It is important for the plant server, whether it is running DAS or a communications package between the HMIs and PLCs, to have an event notification (email/text message/phone call) that is triggered when unauthorized changes are made to the plant operational server(s). A process needs to be created to verify that current system change management processes are working, based on evidence provided by primary response reports.
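One way to tie change detection to change management, shown as an added example that is not part of the original article: file hashes on the plant server are compared against a baseline, each difference is checked against the approved change records, and a notification is built only for changes with no matching approval. The function names, file paths, host name and ticket format are hypothetical, and sending the message (for example with smtplib) is left to the site's mail setup.

```python
import hashlib
from email.message import EmailMessage
from pathlib import Path

def snapshot(root):
    """Map each file under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def reconcile(baseline, current, approved):
    """Classify each difference between two snapshots.

    approved maps path -> (ticket_id, expected_sha256), with None as the
    expected hash for an approved removal. A change counts as authorized
    only when the resulting hash matches the one the ticket recorded.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        ticket, expected = approved.get(path, (None, None))
        authorized = ticket is not None and expected == new
        findings.append({"path": path, "kind": kind, "authorized": authorized,
                         "ticket": ticket if authorized else None})
    return findings

def build_alert(findings, host, recipient):
    """Return an EmailMessage listing unauthorized changes, or None if clean."""
    bad = [f for f in findings if not f["authorized"]]
    if not bad:
        return None
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = f"[{host}] {len(bad)} unauthorized change(s) detected"
    msg.set_content("\n".join(f"{f['kind']}: {f['path']}" for f in bad))
    return msg

if __name__ == "__main__":
    # Constructed sample data: hashes shortened, ticket id hypothetical.
    base = {"hmi/tags.csv": "a1", "plc/line3.l5x": "b2"}
    now = {"hmi/tags.csv": "a9", "plc/line3.l5x": "c3"}
    ok = {"plc/line3.l5x": ("CHG-0001", "c3")}
    print(build_alert(reconcile(base, now, ok), "plant-srv-01", "ops@example.com"))
```

The list returned by `reconcile` also serves as the evidence for the process check: every authorized entry carries its ticket, and every entry without one is a change that bypassed change management.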
In the industrial world there are pressures put on workers to make machine adjustments on the fly, but sometimes adjustments are not adjustments but rather system changes that need proper project management methodologies. Most commonly these are ladder logic changes that need to be tested before being put into production.
The manufacturing company needs to establish an application certification process using tools to test applications to ensure that they don’t have openings that can expose the company’s and its customers’ data to disruption, misuse, disclosure and theft. The manufacturing company that employs vendors to perform any type of programming needs to be on top of its game in this area. There should be a Change Management team developed to have a role in this.
With the realization that many manufacturing companies bid out work for Plant Systems, it is important that the plant monitor its system activity and deploy a third-party tool for real-time network traffic monitoring and vulnerability assessment and tracking. Vendors can connect an Ethernet cable or a rogue wireless access point inside the network, creating an open hole, and get into the entire network. Without network monitoring you are open to risk to your network and the safety of your plant. This creates the risk of compromised systems propagating an attack on critical systems over the network. A means of enforcing compliance with standards (patch status, virus protection, operating system and approved systems for connections) needs to be put into place to greatly reduce risk. Remember, a machine going down at the wrong time could be a loss-of-life situation. The primary purpose of this initiative is to identify and trend vulnerabilities. The process should be able to create a daily scan of your plant for vulnerabilities. Being on top of your game may require intrusion testing on a regular basis. There are many software packages that can perform this task for you. But make sure that you vet the company before cutting a check.
We touched on data mining and should stress that all databases are not created equal. Manufacturing data from machines operates in the 100s of milliseconds, and not all databases are designed for the high volume of a manufacturing environment. Normal MSSQL may not be the system that is needed for your data mining operation. It is also important that a committee, or each departmental supervisor with the Plant Manager’s approval, identify what machine fields are historized in the database as well as what data needs to be encrypted.
One of the simplest tools to protect your industrial network is to use strong authentication for system administrators. Consider employing some type of secure token technology for two-factor authentication for privileged users. There are tools available.
On a final note: if your manufacturing company is involved with manufacturing processes that are trade secrets, such as pharmaceuticals, or if you are supporting U.S. Government products, the world of Stealth technology has been around for some time but still is in its infancy. The point is, if you “can’t see it, you can’t take it”. I have worked with stealth technology both on the switch level and Wireless Access Point level and it works. There are white papers on Stealth Technology. Stealth will not interfere with any software running, as it executes between the Link and Network layers, sits on top of any existing infrastructure and requires no reconfiguration of the existing network. Systems are protected and enforce security with strong end-to-end encryption, properly managed encryption keys and cloaking of each endpoint. Only the Stealth-enabled devices are able to communicate with each other. Any device inside the stealth network will be non-responsive to any attempted communication from a device outside of your network.
Although nascent in its adaption and application, stealth technology has been growing for some time. If you are a manufacturer involved with proprietary processes, procedures or formulas, or if you are a Government contractor, you’re wondering if and how it can help you. Conversely, you wonder if it can hurt you in cost layout, downtime, implementation, configuration and all the other problems that are going through your mind about now.
This article was written by Norman Rankis, the Information Technology & Automated Process Controls Manager for McWane Ductile of New Jersey. He has an extensive background in Information Technology and Higher Education. He was the first College Chancellor in the history of Gibbs College, which opened in 1950. He also served as guest faculty for U.S. Homeland Defense agencies, specializing in Cyber Security. He has been used as a resource specialist for the Boston Globe, San Francisco Chronicle, Chicago Sun-Times and the Miami Herald.