Manufacturing in Cyber Security Cross Hairs: How It Fights Back

The vast industrial automation complex, the backbone of American factories and critical infrastructure such as power grids and water plants, gets way less attention, yet it’s rapidly shaping up to be one of the most potentially damaging targets of cyber attacks.

While there’s been plenty of focus on cyber security concerns related to IT and business, industrial control systems (ICS) have recently been in the cross hairs.  Indeed, the manufacturing sector is among the top three industries targeted by spear phishing attacks, and the advent of IIoT connectivity opens the door to other significant threats that simply did not exist when developing and deploying legacy ICS such as SCADA and PLCs.

“The biggest risk is older and outdated technologies in the OT environment that cannot withstand today’s advanced threats and frankly continue to provide a wider and wider attack surface for cyber criminals,” says Al Ghous, senior director of cyber security for GE. “Legacy OT systems were not necessarily designed for today’s threat sophistication, and many of the areas most likely to be compromised are not updated or fixed regularly.”

The United States Computer Emergency Readiness Team (US-CERT) sounded the alarms in March when it released a report warning of Russian government exploits targeting U.S. government entities along with organizations in the energy, nuclear, commercial facilities, water, aviation, and other critical manufacturing sectors.  The joint effort between the Department of Homeland Security (DHS) and the FBI characterized the activity as a multi-stage intrusion campaign, which encompassed the staging of malware, spear phishing, and remote access to networks to allow Russian cyber actors to conduct reconnaissance on ICS. 

As part of a counter offensive, DHS in July announced the National Risk Management Center, a new facility dedicated to defending critical infrastructure and private industry from the newest flavor of cyber attacks.

The situation escalated when automation giant Schneider Electric confirmed that a new Trojan, the TRITON/TRISIS malware, was communicating with safety instrumented systems (SIS) using its Triconex Tricon safety-controller firmware. SIS equipment is tapped by oil, gas, and water utilities to monitor systems to ensure they operate within acceptable safety thresholds. A breach could cause a disruption or sabotage any of the targeted entities, and there were reports that TRITON was deployed against at least one organization in the Middle East.

Prior to these incidents this year, there were only a handful of attacks ever reported on ICS, including the Stuxnet campaign that attacked programmable logic controllers (PLCs) at an Iranian uranium enrichment facility in 2010 and another malware attack on Ukraine’s electric grid last year.

“Triton was a call to action for the entire industry,” says Gary Williams, senior director, cyber security service offer leader, Schneider Electric. “Similar attacks are likely and could happen at any time on any worldwide industrial safety system, no matter who designed, engineered, or provided it. The urgency is on suppliers, industrial plant operators/owners, third-party providers, integrators, standards bodies and government agencies alike.”

Changing the Security Game

Given what’s at stake, the cyber risk message is being amplified at a time when manufacturers are retrofitting legacy platforms and investing in new Industrial Internet of Things (IIoT) technologies as part of digitalization and Industry 4.0. A report by Deloitte on Industry 4.0 found nearly half of respondents (48%) saying that digital transformation efforts increase cyber risks for manufacturing companies, including theft of confidential data and design IP as well as cyber sabotage of industrial processes.

The convergence of operational IT (OT), technology that is traditionally the domain of the factory floor, and conventional IT elevates risk even further since office IT is no longer isolated and can become a conduit to ICS and other industrial systems. While manufacturers have begun to implement rigorous security frameworks and policies for IT systems, they have not been as vigilant about safeguarding the plant floor or outside industrial assets. The Deloitte study found that nearly a third of respondents had not performed any cyber risk assessment of ICS and the two-thirds that had, had used internal resources, potentially injecting organizational bias into the assessment process, the report found.

Moreover, only half of those manufacturing execs surveyed said they performed targeted vulnerability or penetration testing on their ICS less than monthly, and only one in five cited implementation of a secure information and event management systems (SIEM) as a top priority.

With industrial cyber threats now a prominent headline, manufacturers are finally slowly waking up to the risks, taking small steps to embrace new safeguards. Among the top priorities recommended by Deloitte and Symantec experts:

• Initiate a risk management process; put processes and tools in place for managing the secure convergence of IT and OT
• Create a holistic inventory of all connected devices attached to network segments
• Establish a “zero trust network” that extends to the outer layers of the enterprise
• Create cross-functional security teams to promote governance and best practices.

Automation vendors also need to (and are) embracing “cyber security by design” practices to embed more out-of-the-box security capabilities into their products.

“There is finally some awareness that these industries need to mature their security posture and hygiene,” says Koushik Subramanian, the director of the National Center for Cyber Security in Manufacturing, part of the Digital Manufacturing and Design Innovation Institute (DMDII) in Chicago. DMDII launched the center in March with $750,000 in seed funding from the DoD to focus on cyber security awareness building, workforce development, and creating low-cost tools.

“The manufacturing industry and a lot of industrial organizations that run critical services like nuclear energy are mostly in legacy mode, but we are starting to see them up their game with regards to cyber security.”