Cybersecurity threats are the same across all industry sectors. The issues stem from the fact that all industry sectors are starting to automate their processes to help increase productivity and efficiency. This requires greater connectivity, which can also expose systems to attack.
The biggest difference between industry sectors comes down to the consequence of a successful attack. “We are seeing attacks taking place on a daily basis across all sectors of industry,” said Paul Hingley, product security and solution officer at Siemens Digital Industries.
“Many are criminally motivated while some are sneaker hacks, from people trying to gain access for their own entertainment. The criminal attacks are usually looking to create a denial of service and so ransomware is becoming more prevalent across industry. This has resulted in hackers turning their attention to the softer targets provided by the operational technology (OT) layer.”
Industrial OT investments can have anywhere from 10- to 20-year cycles, while information technology (IT) investment is more often in cycles ranging from one to four years. This means the IT infrastructure will be better protected. A great deal of legacy equipment still in operation in the OT world was not designed for external connectivity and will never have been patched, which is why it offers a softer target for cybersecurity attacks.
Hingley, who gave a plenary presentation on the issue of cyber threats at Siemens’ Digital Talks conference in the UK earlier this year, has been involved in helping many food companies recover following a cyber attack.
Denial of service attack
One particular attack instigated a denial of service, which resulted in the plant being offline for two weeks, costing the company billions of pounds in lost production. “To regain control of production, it was necessary to strip the software system and undertake ‘clean slate’ processes in order to bring the plant back into normal operational activity. This involved looking at the installed software to find anomalies and to apply the correct patches.
“We found that this particular attack was instigated onsite, via a USB. On another site we identified an attack as coming via a PC employed in the automation layer, which had been used to download patch updates, which at the same time had inadvertently installed a vulnerability,” Hingley continued.
“Such events often occur due to the lack of protection originally installed on OT equipment — and this highlights the importance of undertaking security audits, so that engineers can understand what their installed base actually is and what connections they have. We find that many customers have remote access connections in the plant that they didn’t know had been applied by their solution providers.”
In many factories, there will be no levels or depth of security due to the particularly long lifecycles of OT equipment. Today, however, there is a growing sense of purpose among engineers to better understand how legacy systems have been adapted over the years to incorporate other elements of control. Often engineers will find a lot of work has been undertaken on installed systems over the years — additions to the system and to plant equipment — which has not been documented. This is why an audit is always a good place to start when considering cybersecurity solutions.
New machine or equipment installations have required integration of a new PLC or controller into the existing system. Most end users have relied on the competence of their solution provider to install this in line with the relevant compliance standards. However, the technical file that gets created will usually relate specifically to safety compliance.
“Appreciation that one of the biggest areas of compromise of a cyber-attack is denial of service is not widespread,” Hingley said. “So, while a new system will have been correctly applied from the perspective of the technical file, the bigger problem is that if the safety system is affected by a security breach it may result in a complete denial of service of the safety system and so it would, legally, become a non-compliant machine.”
It is for this reason the worlds of safety and security are moving closer together and the HSE is becoming more involved with the requirements of cybersecurity threats.
“There is a whole new world of systems starting to appear because of the digital transformation that many factories are starting to undertake,” said Hingley. As a best practice, when it comes to security, he advised gaining an understanding of existing architectures and networks and developing a database of these systems. The next step is to develop an audit around the connectivity and what is happening within the system.
“Most audits undertaken by Siemens will take a bespoke approach because legacy equipment and systems need different types of auditing to understand how a connection is interfacing across the whole of the automation layer,” he said.
The next step is to aspire to follow the guidelines of IEC 62443. This covers technical specifications as well as the maturity levels and processes required within the OT domain, such as passwords, and how to control them. “These processes can be applied with technology, and when they work together, you will have created a defense-in-depth approach,” Hingley said.
The IEC 62443 standard creates a defense-in-depth approach: it looks at the technology that needs to be applied to the automation layer, and also at the maturity of the processes that have to be applied at that level of control. The National Cyber Security Center (NCSC) also offers best-practice guidance documents on automation control that discuss the practices that should be put in place.
Suzanne Gill is editor, Control Engineering Europe. This article originally appeared on the Control Engineering Europe website. Edited by Chris Vavra, production editor, Control Engineering, CFE Media.