The modern production line is extremely sophisticated and can do many things unimaginable only a few years ago. However, as with so many other developments, this has its darker side. It’s critical you learn to protect your industrial control systems.
You almost certainly have one or more supervisory control and data acquisition (SCADA) systems that allow you to control all of your devices, harvest data from them, and use that data to improve efficiency. All of this is great and allows you to save money and optimize all of your processes.
But the dark side? These systems are often targeted by malicious actors. To a cybercriminal, the centralized controls of large numbers of devices are a potential moneymaker, something which they might be hired to attack, or something which might allow them to hold industrial systems to ransom. Unfortunately, these kinds of attacks are already happening around the world.
CrashOverride in the Wild
One of the best-known recent real-world incidents was CrashOverride. Also called Industroyer, this is a malware platform that has been used to target critical infrastructure. In 2016, Russian agents used it to take down part of Ukraine's power grid. The platform is scalable and it attacks certain ICS protocols, commonly used outside the U.S. in electrical power control systems. It uses a form of denial of service attack to force the toggling of circuit breakers, shut down relays, etc. It can also wipe and shut down Windows-based computers.
While this malware has not been seen in the wild recently, it was a wake-up call to ensure the protection of power grids and other critical infrastructure from malware.
Similar malware can easily be used on industrial systems in general and could be used to, for example, shut down a production line in such a way that it then has to be restarted manually, resulting in significant cost.
What Are the Known Cyber Threats?
In addition to attacks on power grids, a growing number of infrastructure attacks have been reported. In 2020, 21% of these attacks were from ransomware. The traditional form ransomware takes is to lock down and encrypt files on a desktop computer or server until a ransom is paid. Another variant is to threaten to release stolen data. Unfortunately, enough companies are willing to pay these ransoms to make this potentially lucrative.
While most of this ransomware targets networked data, an unprotected industrial control system can provide an entry point to the rest of the network. This can leave a back door open for ransomware, industrial espionage, and other issues. In other cases, the attackers might take down a production line and demand a lot of money for its restoration. One ransomware program, LockerGoga, was used to attack a Norwegian aluminum manufacturer, and some plants had to switch to manual operations. This particular software is so nasty that even paying the ransom is not always an option.
Smart factories are also vulnerable to a variant called "siegeware." In a siegeware attack, the criminals take control of connected building systems and use them to render the building unusable or uninhabitable. This can be as simple as activating the security system to lock all of the doors, turning off the lights, or altering the temperature to force evacuation. Again, the criminals will then demand a ransom.
The use of malware to physically destroy equipment is less common but has been reported. In 2010, a worm, Stuxnet, caused the physical failure of centrifuges used in Iran's nuclear program, setting them back decades. The worm, deployed via infected flash drives, affected the computer systems that controlled the speed of the centrifuges, causing them to spin outside tolerances and fail. Nobody ever admitted to responsibility, but it's assumed it was done by a state actor. This kind of attack could theoretically be used to physically damage production lines.
Industry 4.0 and the use of the Internet of Things have increased the vulnerability of systems to attack. Stuxnet had to be deployed using flash drives because the systems controlling the centrifuges were air-gapped. Many manufacturing systems are set up to allow for remote access. Simple things such as smart thermometers can allow skilled hackers (or people who buy code from them) to gain access.
Manufacturers who don't deal with sensitive information need to be as careful as those who do. The primary motivation of ransomware hackers is to make money, and shutting down a production line is a way they can get a ransom, often a very high one. It is particularly hard to follow the advice of "don't ever pay" when they have shut down your production line and you are losing the requested ransom a minute.
How Manufacturers Should Approach Cybersecurity
There are several weaknesses that most manufacturers share when it comes to cybersecurity. Here are some of the most prominent:
- Use of old and legacy systems. Some manufacturers use old PCs in industrial control. In some cases, they are not connected to the internet (air-gapped), which can help protect them, but viruses can still be loaded physically. These systems are often running out of date and unpatched operating systems that may leave them completely vulnerable to modern malware.
- Industrial control systems were generally developed before the internet became commonplace. When these older systems are connected to the internet (for example, so a supervisor can monitor from home if needed) they lack any kind of cybersecurity protection. Manufacturers are often complacent about protecting these systems, not thinking of them as a target.
- The more people have access to a system, the more vulnerable the system is to social engineering such as phishing attacks. Often, learning to protect industrial control systems can be difficult, and are manually accessed by large numbers of employees, and remotely accessed by a smaller number. Identity management is key to ensuring nobody has access to something they don't need to have access to.
- There are few standards for the security of Internet of Things devices. While this is a recognized problem throughout not just manufacturing, but other sectors, not enough has yet been done about it. Any kind of connected device represents an entry point to the network and not all companies think about this.
These four weaknesses give you the three key aspects of protecting your network: Updating systems to be compliant with modern security, training employees to reduce the human factor, and auditing security across the network to include all connected devices.
The Human Factor
The vast majority of cyber attacks can be traced at some level to social engineering, otherwise known as the human factor. Hackers use phishing to acquire login credentials, then sell them to others. A different concern expressed by some experts is that thieves might leave a flash drive outside a facility. A curious employee may then plug it into a system to see what's on it, releasing malware into air-gapped systems.
Addressing the human factor is key across all segments, and in many cases, the solutions are the same. Training employees to recognize phishing attacks should be priority one. You want it to be reflexive for all employees not to click on links in an unsolicited email, for example.
For manufacturing specifically, ensuring that employees do not carry data past air gaps can be vital. If you have older standalone systems, then hackers are less likely to target you unless they see you as a particularly high-value target. However, this does not mean it won't happen. This can happen through the previously-mentioned planting of flash drives. Another thing that can happen is the blackmail of an employee to get them to insert code into the system. It sounds like a movie plot, but it can happen.
Make sure that you include janitors and other "low-level" staff in cybersecurity prevention training. A janitor may pick up a flash drive dropped in the loading dock, assume that it belongs to an employee, and put it on somebody's desk. Or they may hook up their phone to the wi-fi, without having protected it against malware.
Here are some other human factor issues to consider:
- Business email compromise. These attacks are usually used to obtain data or directly to get money. The attackers will pretend to be an employee, usually a senior staffer, and request a transfer of cash to a vendor, customer information, etc. The best protection against BEC is to contact the person who sent the email by another means and verify that they sent it. This should be routine for any communication requesting cash or information.
- Spear phishing. Most phishing attacks are scattershot and are designed to collect login credentials that might then be sold in large numbers. In spear phishing, the attackers go after a specific employee, generally somebody in a key position (such as a facility manager) or the C-suite. These attacks are spread out over time and are designed to get that specific person's information.
- Identity management. One way to mitigate the damage that can happen from a phishing attack (which can happen even when employees are trained) is to ensure that users only have access to the files, data, and systems they need. By limiting remote access to your industrial control systems to the people who regularly use them, you reduce the chance of a hacker getting in.
- Advanced phishing education. One recent trend is that phishing has moved out of email and into social media messaging. It's vital to ensure your employees know not to click on links sent to them via social media .without checking the person who sent it. These links are often used to spread a compromise through the social media network itself but may be used to obtain other login credentials. Smishing attacks, which go through SMS, are also an issue.
- Device policies. We already talked about the scenario of somebody connecting their compromised cellphone to the Wi-Fi to send an email. Having and enforcing a device policy is a solid way to prevent this. This might go as far as barring personal devices from being connected to the network altogether, which can work on factory floors. In offices, it is generally better to have a BYOD policy that, for example, requires that employees keep their phones up to date.
Training your employees on how to prevent cybersecurity attacks is a vital part of your cybersecurity system. As technology becomes more sophisticated, so hackers go more and more for the weakest link, which is likely to always be people.
However, the human factor is not the only issue, and those issues which can be addressed by technology and IT are often easier to deal with.
Bringing Everything Up-to-Date
Manufacturing has a certain level of inertia, and this particularly goes for production lines. The expense and downtime associated with replacing equipment results in it being run until it dies in many cases, or at least until the chance of failure has become high.
This means that many production sites are running antiquated hardware and software. As the value of Industry 4.0 becomes more obvious, there is a high temptation to Frankenstein modern connectivity with ancient equipment, and this has its problems. Even if air-gapped, old systems are vulnerable to certain other means of attack. Older, simpler control systems can easily run on obsolete PCs no longer suited to the office, so that is what many people use.
When compared to the cost of a cyberattack, these ways of saving money suddenly become distinctly less appealing.
To start this process, you need to begin with an audit to establish what legacy systems you have and the best way to begin the process of bringing everything up-to-date. First, it's useful to start by looking at devices that can run more recent operating systems and updating them, and installing patches. Make sure that doing so won't cause vital software not to function, however.
Then you should have a trained IT team go through and analyze everything you are using and what can be done to phase out obsolete equipment as needed. However, you need to continue to be careful. SCADA systems are inherently an attack risk and as you update things you may eliminate one risk to create another. You need to hire the right experts to make sure that you do this right.
All of this means that as you bring your systems up to date, you also need to harden them against attack. Your audit also needs to include a full assessment of every point of contact to the network, including ones you might not have thought about. Internet-connected light bulbs in the office? In 2017, a Las Vegas casino was compromised, and the information of customers stolen, when thieves hacked into the network through...the lobby fish tank thermometer. Anything that connects to the network can be a point of weakness.
It's worth considering limiting the use of smart devices on production sites to ones that result in a notable increase in efficiency. Many IT professionals avoid smart devices in their own homes for a reason. However, the use of the internet of things to monitor your production and spot line problems before they become serious is something that brings on a notable increase in efficiency, at the cost of a reduction in security.
Which is why you need help. Hardening your SCADA network starts with simple things like changing any default passwords and usernames and mandating at least two-factor authentication on key systems. But there are other things to watch for. These include:
- Unencrypted passwords being sent over the network can be an issue with ICS networks. You need to make sure you are not using any systems that do that (or, for that matter, emailing new employees their passwords. A subset will not change the password. The best way to give out passwords is to either use a proper password reset system or go old school and write the password down).
- Routers not being configured properly or securely.
- Unauthorized devices connected to the network.
- Loss of communication, which can be a result of an attack (for example a denial of service attack) or some other issue such as a device crashing and rebooting.
- Authentication systems that are not rate-restricted, and thus vulnerable to brute-force password attacks. You can also reduce this risk by training users to use strong passwords or, often better, to use longer passphrases instead. You should also monitor for large numbers of invalid credential errors, as these can indicate an attempt to brute force, especially if coming from a user that is not prone to typing their password.
- Firmware update methods. If hackers can send a fake firmware update, they can easily gain control of ICS systems.
- Unauthorized software installation. With ICS systems, you should set things up so that software can only be installed by approved users, which will help with this. Linux installs are particularly vulnerable to stealth software installation (many ICS systems run on Linux, which is also a core part of the Internet of Things).
That's a lot to watch for, and some of it you can harden against by, for example, ensuring that all devices are configured properly and discouraging or preventing the connection of unauthorized devices. You can also keep your ICS network isolated from, say, your office network with firewalling or air gaps. This helps prevent somebody from using your ICS as an easy way to get your customer database. The rest has to be dealt with differently.The Importance of Behavioral Anomaly Detection
Behavioral anomaly detection (BAD) is the use of software to detect anomalies in the network. This might, for example, include unauthorized connections, high levels of invalid credential entries, loss of communication, attempts to update firmware, etc.
Behavioral anomaly detection is an ongoing monitoring system that picks up on all of these anomalies and then some. The system learns what is typical and sends alerts when it sees something which shouldn't be happening. For example, your ICS system allows you to update control logic over the network. This is a known vulnerability as well as being useful. A BAD system can detect unscheduled and unapproved attempts to update control management and flag and block them. While this might result in the occasional flagging of legitimate updates (because the person forgot to mention they were doing it), it's an effective way of hardening against this type of attack.
In addition to detecting attacks, behavioral anomaly detection can sometimes spot other problems with a production line before they become visible to somebody on the floor. For example, loss of communication with a device can indicate that there is a denial of service attack going on...or it can indicate that a problem with the line is causing a device to restart. This makes the system even more useful.
A BAD system should also be integrated with more traditional virus and malware detection software. While it is less useful these days, you should still ensure that your systems run an updated anti-virus and anti-malware platform that connects to databases that are kept up to date. You want to make sure that any known viruses are detected and dealt with before they can cause damage. This does not, however, protect you from zero-day exploits and unknown viruses, and thus should not be relied on its own. Also, the first step taken by many hackers is to disable firewalls and anti-virus software (BAD will also detect this).
All of this comes together into one thing. You need the right team to help you protect your industrial control systems. There is no way to have all of the efficiencies of a SCADA system without introducing vulnerabilities. Industrial and manufacturing systems are commonly targeted by malicious actors.
The solution is to have an experienced team help you with your cybersecurity. An experienced team can audit your existing network, help you replace or update legacy systems that are vulnerable to attack, harden your internet-connected devices and introduce behavioral anomaly and other monitoring to keep your network secure moving forward.