Manufacturers must wrestle with the “Black Hats” of the cyberworld in order to keep processes secure
It’s not a question of if, but when you’ll be hacked.
So say cybersecurity experts, citing the recent wave of ransomware attacks, including the infamous “Wanna Cry” malware that exploded globally last spring, encrypting users’ data until they paid up—or found a way to unlock their systems.
To combat increasingly clever cybercriminals, manufacturing operations must turn to a strong combination of cybersecurity software solutions and “hardened” hardware in their factory automation controls and networking equipment, and also deploy newer cybersecurity standards and best practices. With these tools in hand, manufacturers stand a better chance of preventing attacks, or resolving them after they’ve happened.
“The attacks are widespread and constant,” said Timothy Crosby, senior security consultant, Spohn Security Solutions (Austin, TX), a cybersecurity consulting company. He noted that many industrial systems are vulnerable because they use older, embedded operating systems, including Windows XP, Windows 2003, and Windows 2000. “Many embedded systems cannot be patched, and because these systems can’t be patched and exploits are readily available, they will be targeted regularly,” he said. “There needs to be a holistic approach—there is no silver bullet.”
Data breaches increased 40% in 2016, according to a report released in January by the Identity Theft Resource Center (Scottsdale, AZ) and CyberScout (San Diego). The number of breaches hit a record high of 1083 in 2016, easily eclipsing a near-record 780 breaches reported in 2015, with thefts hitting a broad range of business, educational, government/military, health/medical, and banking/financial institutions. For the eighth consecutive year, hacking, skimming and phishing types of attacks were the leading cause of data breach incidents, accounting for 55.5% of the overall breaches, a 17.7% increase over 2015, the report said.
Taking the Holistic Approach
Recent attacks like Wanna Cry, or the major disruption in Ukraine with the Petya malware that surfaced in 2016, have targeted critical infrastructure, including utilities and other government installations. “When attacks happen, they typically bleed out from the site,” said Ken Modeste, principal engineer, UL LLC (Northbrook, IL). Compared to those in Ukraine, installations in the US and the rest of North America have more support from the FBI and other government agencies to get critical operations back up, he added.
Last year, UL released the UL Global Cybersecurity Assurance Program (UL CAP) that helps mitigate safety and performance risks that come with the proliferation of networked devices in the Industrial Internet of Things (IIoT). UL CAP helps companies identify security risks following the UL 2900 series of cybersecurity standards and suggests methods to minimize risks in industrial control systems, medical devices, automotive, building automation, and other areas.
“Standards that we built in our testing are [based on corporations’] best practices,” Modeste said. Use of hard-coded passwords—those that are embedded in devices and cannot be changed—is an example of what not to do, he added. “That’s a fundamental flaw,” he said. “Ransomware is coming into organizations in phishing methods. They click on it and that malware starts to propagate. That’s how ransomware gets in most of the time.”
Training employees on cybersecurity safety is a big key to thwarting cyberattacks. “Training is a monumental way to solve this problem. Phishing is a major problem. The bad guys are doing physical reconnaissance,” Modeste said. “The odds are in their favor.”
Recent ransomware attacks have shown the vulnerabilities of industrial environments, stated Henning Rudoff, head of plant security services, Siemens PLM Software (Plano, TX). “In order to protect plants, systems, machines and networks against cyberthreats, it is necessary to implement—and continuously maintain—a holistic, state-of-the-art industrial security concept as described, for example, by IEC 62443,” Rudoff said. “With increasing digitalization, industrial security becomes more and more important.
“Industrial security is a core element of the Digital Enterprise, the Siemens approach on the way to Industry 4.0,” Rudoff noted. “Unlike prior dedicated attacks on focused targets, current ransomware attacks are broad and can impact any operator of industrial networks.”
Siemens is tackling cyberthreats on many fronts, including the creation of its CSOC (Cyber Security Operations Centers) globally with security operations in Munich, Lisbon, and Milford, OH, where industrial security specialists monitor facilities worldwide for security incidents and react with appropriate countermeasures (see “Securing Manufacturing Data in the Cloud,” Manufacturing Engineering, July 2016.)
What else can be done by companies to prevent hackers from disrupting manufacturing operations or infiltrating government facilities and utility infrastructure? “All levels must be protected simultaneously and independently—ranging from the plant management level to the field level and from access control to copy protection,” Rudoff said. “This is why the Siemens approach to comprehensive protection offers defense throughout all levels—defense in depth.” This is based on the recommendations of ISA99/IEC 62443, the leading standard for security in industrial applications.
To do this, Siemens’ products and solutions undergo continuous development to make them more secure, Rudoff added. For its own industrial products, Siemens has defined an industrial holistic security concept (HSC), based upon IEC 62443, he said. “The HSC protects integrity and safeguards confidentiality of the development and manufacturing environment. HSC measures are defined and monitored in development and production departments along the life cycle of products, solutions and services.”
Siemens’ HSC has five levers: awareness, state-of-the-art functionality, process improvement, incident handling, and security of the products, solution, service and security in the surrounding IT infrastructure, Rudoff added. “Siemens has received an IEC 62443 certification from the German TÜV [Association for Technical Inspection] for its development processes in the divisions Digital Factory and Process and Drives, demonstrating its commitment to protect the company’s own development processes. In addition, industrial systems like PCS 7 have been certified according to IEC 62443 standards.”
Applying product updates as soon as possible and using the latest product versions are strongly recommended, Rudoff said. “In addition to making our own industrial products more secure, Siemens offers advanced security features for our automation products, and our own network security products and security services. Security features of S7 controllers, for example, include the know-how protection of PLC program blocks, copy protection, access protection and communication integrity. Network security products from Siemens [such as the Scalance and Ruggedcom lines] support use cases for remote access, building demilitarized zones, secure redundancy and cell protection,” Rudoff said.
Siemens Plant Security Services represents a holistic approach, he said. Threats and malware are detected at an early stage, vulnerabilities analyzed, and comprehensive security measures initiated. “Continuous monitoring gives plant operators transparency regarding the security of their industrial facility.”
Integrating Safety with Cybersecurity
The global threat from ransomware has ended industry’s sense of complacency. “NotPetya successfully targeted Ukraine’s critical infrastructure and affected over 80 other countries; the hardest hit were Germany, Russia and the UK,” noted Crosby of Spohn Security Solutions, who said 49% of US businesses have dedicated IT/data security programs. “In Europe, the highest percentages I have seen were 37% for the UK and 34% for Germany. Given how NotPetya works, there is a possibility that other attacks will occur with credentials harvested during the Mimikatz stage [a tool used by hackers]. Based on a Tripwire survey, most organizations will not be much better prepared if that occurs than they were before WannaCry and NotPetya hit in May and June.”
In the Petya/NotPetya attacks, widespread encrypting malware was aimed at distributed denial of service (DDoS) to those companies affected, noted Lee Lane, chief product security officer for Rockwell Automation Inc. (Milwaukee). “That did some real damage to companies like Maersk, FedEx, and a couple of life science companies. With denial of service, they elicit a bunch of servers to attack targets at once. It would be a different style of attack, but it would have a huge impact,” Lane said. “They’re coming in and stopping the end target from being able to operate.”
Such shutdowns not only handicap the directly affected companies, but also have a chain-reaction effect, he said. “Think of what [would happen] without your manufacturing ERP [enterprise resource planning] software,” Lane said. “It would take away all of the orders, all of the manufacturing plans, and information about where you’re shipping to.”
The malicious code—be it ransomware, DDoS, or zero-day malware, like the Stuxnet code that’s dormant and lies in delayed state until it’s activated—is employed by a wide range of cyberattackers. “There are a lot of so-called ‘bad actors,’ everything from nation-states looking to target Lockheed or other defense companies, to one that many people miss: insiders, employees inside a company,” Lane said.
Terror groups like ISIS and hacktivists also are targeting crucial infrastructure like power grids and utilities, he said. “A recent IBM security intelligence report noted that from 2015 to 2016, there was a 110% increase in the number of attacks, and that’s just what’s been reported,” Lane added.
Rockwell Automation, focused solely on industrial automation, develops not only the hardware and software involved with integrating safety with security, but also offers customers consulting on industrial safety, automation and cybersecurity. “You need to have the right people, processes, and the right tools in place,” Lane said, “and the same would be true of cybersecurity. You have to have people available to defend your networks.”
Identifying and documenting assets is a key starting point, he said. “Cyberthreats are real, on the rise, and can do material damage,” Lane noted. “You have to identify and weigh the criticality of the asset.” Using the National Institute of Standards and Technology’s Cybersecurity Framework also is a good starting place, Lane added.
Rockwell offers its FactoryTalk Asset Manager software along with security features and hardening for cybersecurity protection. “Before you acquire an automation system, talk to a company and see if they have a security program. Roadmap how security features and hardening are done across the company,” Lane said. “Look for products with hardening features that are better able to withstand a cyberattack. For example, if you get hit with a data storm, does your communications system just shut down or go to sleep?”
Some safeguards include being able to detect changes to hardware like Rockwell’s ControlLogix control systems that can alert operators to the existence of malware, allowing them to shut down the system and/or remediate the problem. “You can password protect the PLC,” said Lane. “There’s a key switch on the control. Each PLC has a port, as well as a keyport switch.” The system also gives users an archive ability that helps with recovery. Automatic or a controlled recovery from these situations is a key feature of advanced cybersecurity tools.
“Today, we have safety systems that have been in manufacturing for years. If you do have a cyber breach, you can’t rely on a lot of those safety systems,” Lane said. “Putting the two together is critical. It’s the right practice. Safety and security have traditionally been separate.”
The UL CAP program gives users guidelines and tools to combat cyberthreats. Last year, UL published the first edition of its UL CAP standard and UL is testing 35 products today, Modeste noted. “They have anti-malware tools and they’re starting to add more ransomware tools,” he said. Operating system controls like preventing overriding of the boot record or the administration of the file system are important, he said. “More and more tools are coming and there are sensors deployed in a lot of different products.”
Lying in Wait
In some cases, cyberattacks aren’t discovered until well after the intrusion, making resolution even harder. Cyberattackers successfully installed malware on the firmware of Cisco routers in 2015, on systems at the National Security Agency (NSA), and even in
electronic components installed in military applications, noted Steve Chen, co-founder and CEO of PFP Cybersecurity (Vienna, VA), formally called Power Fingerprinting Inc.
PFP’s cybersecurity system uses device monitoring, signal processing with radio frequency (RF), Big Data analytics and runtime detection and remediation tools. Using technology licensed from Virginia Tech, PFP Cyber started getting some government contracts and last year received four new patents, in addition to two previously licensed patents, for its cybersecurity system, Chen said.
“We use anomaly detection instead of signature detection,” Chen said. “The next challenge is how to detect malware faster. The so-called detection gap is about 200 days typically. Our belief is that we can detect and remediate an attack, and we have demonstrated that.”
PFP showed its system at the Black Hat USA conference, held in Las Vegas in July. “You cannot prevent an attack,” Chen said. “You have to assume you will be attacked.” The company has two deployment models, one internally inside the device, and others on the outside, he added.
“If we’re inside, then we can detect [anomalies] and remediate automatically,” Chen said.
PFP aims to offer a security platform for IoT devices, using cloud-based software and services, or for on-premises software, with its RF scanning technology to detect and remediate malware. The company’s PFP Dashboard is used in a SaaS (Software-as-a-Service) platform provided by its partners.
“We try to emulate what the Stuxnet is,” Chen said. “It cannot be seen.”
In addition to malware detection, the system could be used for counterfeit chip detection without opening the boxes that products are shipped in, Chen said. “In this case, the customer can blind test them. It does a soft scan of the memory chip.” This potentially can save a great deal of money, he added, for companies that buy their products in bulk from overseas.
“We have a patent pending on this. We use the same process, the same math, the same solution,” Chen said. “In this case, we just put energy, radio-frequency, into a device that’s not powered up.”
Chen is hoping to eventually license PFP’s technology to semiconductor manufacturers. The company’s cybersecurity kit currently is aimed at enterprise and government applications, but the goal is to come out with an antenna for Cisco routers that were the targets of firmware implant attacks.
“For the home user, our plan was to come out with a portable scanner,” Chen said. “The world will be safer. Right now, with all the IoT devices, there’s no security.”