Cybersecurity: Have a game plan
Cybersecurity is a hot topic in the industry, and for good reason. In the past year, we have seen several large scale malware attacks that crippled manufacturers across multiple industries globally. Attacks that began in Europe quickly made their way here, and vice versa. Some manufacturers had to resort to cutting their enterprise networks and using personal email accounts and cell phones to continue operations. Every day, it seems there is another alert on a new vulnerability found in some piece of automation hardware or software.
Cyber attacks feel like a far-off concept even when they hit close to home because for many of us the effects are intangible. A major pharmaceutical company having some computers attacked, or attacks on power grids overseas doesn’t feel like it poses a threat to everyday life because the attacks haven’t hit home in a way that matters. Focusing on and allocating resources to cybersecurity is very similar to focusing on safety. We have all heard of scenarios where safety precautions weren’t implemented because management didn’t see the value until they were hit with a hefty fine from OSHA due to an accident. Once an adverse incident occurs it is too late to avoid potentially large losses.
The feedback we have received from manufacturers is many don’t know how vulnerable they are. They have firewalls, air-gapped manufacturing networks, and DMZs, but many manufacturers were still affected even though they had these safeguards in place. Most cybersecurity presentations don’t have an easy-to-follow transition from defining risks and discovering the value of security to providing actionable items to help bridge the gap. Instead, many demonstrations end with sales pitches on cybersecurity vaporware or audit processes.
Not all platforms are vaporware and not every assessment is unnecessary, though. There are companies that have top-notch security assessments and cybersecurity platforms, but it is important to not fall victim to fear, uncertainty, and doubt (FUD) tactics, which provide a report of no value or a platform that can’t deliver on previous promises.
Cybersecurity is a complex issue and it requires a flexible, evolving, and multifaceted approach. It isn’t as simple as a single product, or set of standards. Every scenario presents a unique challenge and corresponding solution. There always are some common concepts that can act as a foundation for building a complete cybersecurity plan.
Legacy migrations can strengthen security immediately. Legacy automation equipment poses a variety of issues and dangers on any manufacturing network.
For starters, most manufacturers discontinue support on legacy systems. This includes technical support as well as patch development and testing to help mitigate security flaws (like the ability to poke OPC values into a controller) or other product faults.
A lot of legacy platforms do not support Windows domain authentication, and in these cases a common username and password is used for user groups. These usernames and passwords are usually very basic and the devices have no way to maintain an audit trail on who is logging in and what is being changed. With legacy equipment, it is very common to see sticky notes with the username and password posted right on the HMI granting any person access. This opens manufacturers up to internal and external threats alike.
Legacy platforms also usually run on legacy operating systems, which may not be supported by the vendor any more. This requires additional work and hardware to segregate the computers and it doesn’t necessarily guarantee absolute protection from outside threats.
Unfortunately, many legacy systems are still in place because they are part of a critical process where downtime just is not available. When it is understood downtime from a security event will be greater and more disruptive than downtime for a migration, the case for migration becomes imperative.
Modernization efforts bring about a whole host of process benefits, but they also bring along a variety of security benefits. Whether it is bringing on a more current and supported platform or getting rid of an unsupported operating system, there is more to modernization than shiny new plastic.
One of the lowest hanging fruits is Microsoft Patch Management. Deploying Microsoft patches is arguably one of the most basic but important pillars of cybersecurity. Every Tuesday Microsoft releases a set of patches, some of which are critical security patches that mitigate exploits malware attacks use to cause damage. Automation vendors then test the patches against their own software to develop a list of approved patches for manufacturers to reference.
The big issue with patch management is not every vendor makes this information available publicly, which we are hoping the industry or government will require in years to come. Those who provide information distribute it in a variety of different formats. The patch lists can sometimes span hundreds of pages, and it takes a team of engineers on the manufacturer side to make sure the right patches get on the correct operating systems.
This complexity increases with multiple software platforms as compatibility must be verified across every platform for each patch. This usually causes manufacturers to resort to two methods. The patch nothing approach can ensure there are no downtime events from unapproved patches. The problem is it doesn’t allow critical security updates to be deployed. The deploy all patches approach ensures critical security updates are deployed, but can also cause downtime events from unapproved patches breaking the software.
To curb this behavior, automated solutions can be used to ensure only vendor-approved patches are deployed. There are tools that can also check for compatibility across multiple vendor platforms. Tools like this can greatly reduce the amount of time required for patching while also increasing security.
Service provider partnerships
Cybersecurity is a group effort. It is our collective social responsibility to ensure security. Some of the manufacturers hit by the recent malware attacks had plenty of internal standards meant to safeguard them against disasters like this, but careless contractors and service providers introduced a variable they hadn’t planned for. Carefully selecting a system integrator or service provider is a crucial step. If companies are going to allow others access to vital systems, they need to make sure they have a culture of security themselves.
Asking potential partners how they handle security or what their own internal standards are around security is a step in the right direction. Any competent and equipped service provider will have no problem sharing this information. For example, Panacea runs all of its projects from a virtual infrastructure. Virtual images are not allowed to access the internet unless required, and project images are kept separate from other systems.
We understand a successful attack on our infrastructure could infect clients, so our network was designed to limit attack surfaces and heavily secure all critical processes. Our server room is kept under lock and key and only authorized personnel have access to administrator rights. We also have attack monitoring solutions in place to help alert us to potential problems.
We would gladly show any of our clients our setup because cybersecurity is important to us and we want them to know their information is in good hands. Any quality-driven service provider would do the same.
Adopting and nurturing a culture of security is vital for manufacturing success globally. Although it may seem like a major endeavor, you can start with a few key items that can help drive an overall culture change to make cybersecurity a team effort. Deploying critical Microsoft patches is a great foundational pillar. Migrating legacy automation installations can help shore up security gaps on your enterprise network.
Partnering with companies that understand security is our collective responsibility to protect our plants will have an immediate impact on your organization. Once steps like these are put into place, concepts like threat detection, real-time monitoring, and security-focused network design become easier to adopt. Cybersecurity has many approaches, but it is important to start now rather than wait for a security event to drive the change.
Will Aja is vice president of customer operations for Panacea Technologies Inc.