Manufacturing Execution Systems (MES) are integral components of modern industrial operations, bridging the gap between the shop floor and management systems. They enable companies to optimize their manufacturing processes, improve productivity and maintain high-quality standards.
However, their importance also makes them attractive targets for cyber attackers. They are often seen as a weak link in the information technology (IT) infrastructure and can be exploited to gain unauthorized access to sensitive data, intellectual property and production processes. More importantly, adversaries can gain control of operational technology (OT) and take systems offline, leading to unwanted downtime. Recently, ICS Pulse talked to Sung Kim, chief product and technology officer at iBase-t on the ICS Pulse Podcast about how to protect MES from threat actors.
The following has been edited for clarity.
ICS Pulse: We usually like to start off by learning a little bit about the background of the people we’re talking to. Tell us a little about how you got here and what stoked your interest in cybersecurity.
Sung Kim: I started in technology as a software engineer in the telecom industry. This was back in the late ’90s, early 2000s. And then I went to grad school to get my Ph.D. After getting my doctorate, I worked as a professor at a university before I joined iBase-t. At iBase-t, I play different roles, from architect, now I’m the chief product and technology officer.
In regard to cybersecurity, before the pandemic when we got an RFP, or request for proposal, from prospects, cybersecurity was just a checklist item. Do you do this, do you that and what kind of framework do you follow? We check that off because we do most of those things as an independent software vendor. But throughout the pandemic, people were working remotely and deploying their application on the cloud, so it became reality. I mean, they need to protect their assets. And you heard about the ransomwares and different attacks. It became really concerning, and I’m getting, “Can you provide evidence of the things that you have, you said you were going to do or you are doing? Provide us the evidence.” It is something that every enterprise application vendor, any software vendors, will need to keep mindful of and keep persistent with. It’s not just a one-time thing. I think it’s just a cultural and persistent practice that you have to carry out.
ICSP: Why do attackers target MES systems and what makes them vulnerable?
Kim: MES is a core to manufacturing. It’s an execution system that allows shop floor personnel technicians to follow certain steps. iBase-t caters mostly with complex and discrete manufacturing facilities. [We have] a lot of defense contractors and a lot of Department of Energy (DoE) contractors, as well, where it requires a lot of compliances and stringent procedures of doing things that come with their core IP. For example, the fire planes and the satellites, the missile systems that they design in the engineering system like PLM, those 3D models and visual instructions, go into an MES system. It’s an IP. Those kinds of things. At the same time, MES systems kind of connect IT and OT, IT meaning the engineering side of things and OT meaning like sensors and devices, edge devices, operational technology.
So truly MES is in between those two, in the core two enterprises. That’s why attackers are targeting MES to just look at the precious IP that those manufacturers have developed for the last many, many decades. A lot of these companies go back from the early 1900s with their IP. So not only the actual models but the actual process of doing things. And it has become even more important because in manufacturing, as you heard, the digital thread and digital twin is the reality. I’ve heard that even the Department of Defense (DoD) is requiring their contractors to provide a cyber asset — we used to call it digital twin, but now people have started to call it cyber asset — otherwise, they’ll hold 10% of the payment back, because they need to be able to look at the cyber asset and see what’s been done on this physical asset that they get and be able to trace things out. Then, they use it for manufactured items, as well as at the services like MRO, the maintenance, repair and overhaul.
Those cyber assets get used throughout the life cycle. And we’re talking about decades. When you think about the airplane, the life cycle of the airplane is about 34 years. You go premier airlines and then go second tier and then third. It goes up to 40 years of production, and then it comes with all the services. So naturally attackers would want to attack MES and MRO systems.
ICSP: When you’re talking about protecting IP for these very important industries, keeping them secure is triply important.
Kim: What we see on the movies and TV is national security. This is national security. Most of our customers are stringent on high-tech control, meaning that only the authorized person can see the data and even know the data exists. So that is a core priority of the MES system, as well.
ICSP: What kind of role does zero trust play in protecting MES, and what can happen when an MES gets attacked?
Kim: Zero trust has been around for a while. It used to be with any technology, or anything that you do, convenience used to trump everything. I want to be able to do this quickly and serve our customer quickly, so that left a lot of systems and persons and resources having access to something that they’re not allowed to have access to after a certain period is over. For example, if you are going into dev and test out some project, and you are developing something, I want to be able to quickly deploy this into a test environment. You usually have superuser privilege, because I want to be able to log into the system and look at the log without talking to the IT or talking to the DBA (database administrator), because I need to do things and I’m in a time crunch.
Naturally, you ask for the super admin and the root access to things. With this zero trust, especially with this cloud age, everything is based on a network model. So in two-tier and three-tier architecture, the applications used to have just a closed communication between the modules within the application. Nowadays with the cloud, even within the application, the communication between different containers or different microservices is network based. They go through IP and ports. Having a root access, having a super user access, is going to be the biggest threat because a lot of these cyberattack cases are people losing their username and password or compromising their credentials. With zero trust, what you want to do is, you only have access, just right access, to do things, and you shouldn’t have access to anything outside of the area that you are playing with. As an application developer, you shouldn’t have access to anything outside your application.
If you must have access to the logs or change the configuration of the system, that has to be elevated with a different access. The actor, and then that actor on behalf of the application developer, does that for you and provides the results back to you, and the application developer can carry on her task. For example, in AWS, we have the identity and access management IAM module, and when you deploy things, you create a services account that creates different types of resources like VPCs and networks between different modules, and even DNS control. Then it locks it down, and then application gets deployed on the cloud. That API will provide the data for that application. You no longer can actually go after the file system and grab the log and parse it and do things.
That’s the main concept for zero trust. As an enterprise, you need to ask your software vendors what they mean by zero trust and what kind of segregation they have on the access control versus the end-user authentication, as well as the different types of accounts that application creates, not only at the runtime, but also from the very beginning at the network architecture and deployment and all of those along the line.