As I started delving into cybersecurity, I realized I didn’t know what I didn’t know. My mental image consisted of dark rooms, high-caffeine beverages and green computer screens. I didn’t even understand where to begin on my journey into understanding the field and, as with safety systems, acting out of ignorance can be dangerous.
Searching the internet for resources on the topic didn’t help. I’ve never seen so much fluff with vague marketing materials disguised as information in my 23 years doing control systems work. To get a good understanding of the field, you will need to take formal training. Some great resources are the Department of Homeland Security’s CISA ICS 301/401 courses, ISA 62443 standards training or spending time reviewing the NIST Cybersecurity Framework.
Where do we start?
In safety, there is no such thing as safe, just safer. Similarly for cybersecurity, there is no secure, just more secure. If a nation-state wants to hack you, the only way to stop them is to unplug everything, kill power to the building, burn it down and hope nobody emailed a document you care about to someone. You think I’m joking, but there are documented cases, such as the Stuxnet virus, which managed to destroy equipment by modifying code inside an air-gapped network.
What we can do is avoid being the slowest gazelle in the herd. If we can reduce our “attack surface” and make it harder to compromise our systems than the next company over, we are much less likely to be targeted in the first place.
The first step is to consider your physical security. You may be wondering why we’re starting here. This is a “cybersecurity” article, isn’t it?
I’ve been in more factories with an unlocked back door than I have ones with locked doors. It’s a trivial matter to put on an official-looking shirt, walk in through an unlocked door, and get into the network to do bad things with nobody looking at me twice. Locking the doors to your building and implementing an RFID badge system so people can get in and out is a cheap way to minimize a whole host of issues like theft, safety issues from untrained people or targeted physical cyberattacks.
Also, is your server room locked? If not, I don’t think I need to explain why it should be.
I’ve seen far more cases of employee-based sabotage than I’ve seen external breaches. The causes have varied from undertrained employees to disgruntled production staff.
One case that stands out is a company that laid off their maintenance staff and hired a third-party company to perform maintenance at a much lower hourly rate. That company hired the laid-off staff at a fraction of their previous salaries. The predictable result was downtime at the facility due to sabotage.
Whether it’s poor decisions like the one above or a bad apple on the staff, disgruntled employees are bad for your security and your bottom line. Do your best to keep people adequately gruntled and implement adequate access controls to prevent these problems.
It’s very common to give operational technology (OT) assets administrator rights to every single user. This “most-privileges” approach was historically necessary because a lot of software just didn’t work unless you logged in with an elevated privileges account.
A common risk is the bright employee who sees a problem that can be solved by a bit of clever software from a questionable source on the internet. Even reputable free software can get infected by malware. It takes just one person with infected software to take down a machine and, possibly, the whole facility. This is disastrous for security.
Modern control software makes it possible to take much more proactive actions toward security. The best path to this is to use a “least-privileges” approach to providing access to your OT assets. The enormous number of different automation platforms and devices makes this tricky, as there is no single rule set for implementation. Below are some simple guidelines:
- In the past, programmable logic controller (PLC) code was often only password-protected for intellectual property (IP) reasons. This kind of protection can also help prevent unauthorized changes to your system. Just make sure those passwords aren’t lost.
- Human-machine interfaces (HMIs) often have a way to get to the administration screen. This should be assigned to an access level that only the engineering or maintenance teams hold.
- Many HMI, supervisory control and data acquisition (SCADA), historian and reporting systems run a version of Microsoft Windows. Set up user access levels to allow operators to do their job and require elevated permissions to install software or make changes to the system. Making this work may take some experimentation and advanced configuration changes, such as allowing an application to run as a different user, but the change is worth it.
- Lock USB ports. There are many ways to do this, from disabling USB at the OS layer, to physically locking access to USB ports, to putting epoxy in the connector to permanently disable it. You probably need your USB ports for system maintenance, so the very secure epoxy route is probably not viable, but they should not be accessible to anyone who doesn’t absolutely need them.
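An added example (not from this article) that audits a Windows HMI or SCADA host against the guidelines above: it reports who holds local administrator rights and checks whether the USB mass-storage driver is disabled at the OS layer. It assumes Windows 10/Server 2016 or newer, PowerShell run elevated when -Enforce is used, and the allow-list of approved administrator accounts is a placeholder for your own site’s accounts.

```powershell
# Read-only by default; pass -Enforce to also disable the USB mass-storage driver.
[CmdletBinding()]
param(
    # Assumed allow-list: built-in Administrator plus a site engineering group (placeholder name).
    [string[]]$ApprovedAdmins = @('Administrator', 'OT-Engineers'),
    [switch]$Enforce
)

$findings = @()

# 1. Who holds administrator rights on this HMI? Operators should be standard users,
#    so any member of the local Administrators group not on the allow-list is reported.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = ($m.Name -split '\\')[-1]   # drop the DOMAIN\ or HOSTNAME\ prefix
    if ($ApprovedAdmins -notcontains $shortName) {
        $findings += "Unexpected administrator: $($m.Name) ($($m.ObjectClass))"
    }
}

# 2. Is USB mass storage disabled at the OS layer? USBSTOR Start=4 keeps the storage
#    driver from loading while keyboards, mice and other USB devices keep working.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start  = (Get-ItemProperty -Path $usbKey -Name Start).Start
if ($start -ne 4) {
    $findings += "USB mass storage is enabled (USBSTOR Start=$start, expected 4)"
    if ($Enforce) {
        Set-ItemProperty -Path $usbKey -Name Start -Value 4
        $findings += "  -> USBSTOR Start set to 4; applies to newly attached drives"
    }
}

# Report: one line per finding, so output from many HMIs can be collected together.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no least-privilege findings"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it without -Enforce first and review the findings; for a fleet of HMIs, Group Policy is the cleaner way to roll out the USBSTOR setting than touching each host.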
Not long ago, most industrial machines were stand-alone units with no connectivity to any network. There are still many machines that operate this way. These systems are relatively safe from internet-based cyberattacks.
As the need for more coordinated control and data collection grows, facility owners need more connectivity to systems. For smaller organizations with limited network resources, it can be tempting to plug your machine directly into the business network (see Figure 1).
This presents significant exposure to business and manufacturing operations. Many HMI and SCADA platforms run on some version of Microsoft Windows. This means the OT assets are now vulnerable to the same malware that could infect the business network in the case of a successful phishing attack or other infection.
On the other hand, many OT assets cannot be secured with antivirus and are often in an always-accessible mode. This means that even without configuring these devices so they can talk to the internet, an operator could plug a USB stick containing anything into the OT network, and both networks can be infected from one spot. This may sound a bit silly, but we’ve found pirated movies running on HMI computers in the past. Never underestimate the ability of a clever operator to do unauthorized things with the machines.
It’s impossible to remove all risk from either of these networks, but a simple architecture where IT and OT assets are separated by a firewall with needed data transfer between the two passing through a demilitarized zone (DMZ) can reduce risk. Does that machine need to be networked if you can’t implement better architectures like the simplified design in Figure 2?
In a dramatic callback to the “employees will install the tools they need to do their job” portion of this article, many facilities have multiple unauthorized remote access tools in use. Often, the chosen tool is whatever is free to use (whether it violates the personal-use license or not) or is easy to set up. In the modern world, remote access is a necessity to maintain complex modern machines. Consider taking a proactive approach to this task before discovering that the maintenance team installed remote access software with inadequate password controls, in either the software or the network, so they could log in to fix the machine over the weekend rather than making the long round trip to the factory.
There are many ways to fix this, including hardware gateways specifically designed for remote access, many remote support software services or even building up a portable system using an engineering computer with remote access only connected and used when diagnostics are needed.
The important thing is to ensure these accesses are well controlled, and you have policies in place for who has access, when, and what the appropriate use cases are.
The most important part of any cybersecurity system is the people. Whether it is noticing an unauthorized person walking around the facility or notifying you of a suspicious email, it’s going to be your team that helps keep you safe. They’re also your biggest weakness.
“Phishing” refers to emails designed to trick users into giving up credentials or clicking on something that installs malware on the computer. These emails are getting very sophisticated, up to and including individually targeted emails (spear phishing) that are almost indistinguishable from legitimate messages. Your first thought is probably, “My people are smart; they won’t fall for this kind of thing.” Even smart companies will have their ups and downs, though. See our phishing test history in Figure 3.
We’ve improved since those early tests, but it only takes one person handing over credentials to compromise your network. Train employees to recognize this kind of activity, teach them how to report it and notify the rest of the team, and conduct security tests to ensure the lessons are learned and stay learned over time.
Six key concepts to remember
We haven’t been able to cover everything in this article. However, we can boil this article down into the following six key points:
- Lock your doors
- Your team is crucial to cybersecurity success
- Take a least privileges approach to access
- Don’t mix your IT/OT networks
- Strictly control remote access
- Teach your team to recognize and report malicious activity
These concepts are simple, but they also take dedication and effort to implement well.
You’re never going to be able to purchase “one cybersecurity” and you’ll never be “done with security.” Most of this is common sense and things you probably already knew you should do. It’s also a bit overwhelming. A good cybersecurity partner can help perform these tasks and take away some of that stress, but you don’t need to hire someone to get started. Start small and find the low-hanging fruit. You’ll become more effective as you exercise this skill set, and every step you take moves you farther from being the easiest target in the herd.