Cybersecurity

Disconnected cybersecurity systems are a myth

In today's modern manufacturing environment, there is no such thing as a "disconnected" system from cybersecurity, and believing systems that are among the most vulnerable.

By Dirk Sweigart June 6, 2021
Image courtesy: Brett Sayles

In February of this year, I had COVID-19 symptoms and tested positive. I thought I was reasonably “disconnected.” Turns out, I was not. You may think your manufacturing systems or industrial control systems are similarly “disconnected.” However, you may not be aware of the number of factors working against your assumption that can make it essentially moot. After all, it only takes one time.

What are these factors? Here are some potential “back-channels” into your systems that could allow this to occur.

Almost any time a device is connected to a USB port anywhere on the disconnected network, you could be breaking the disconnect. If any USB ports are open, anywhere on the controls or manufacturing network, then connecting a device, even just to charge it, is breaching the barrier.  You are no longer disconnected. An operator plugs his cell phone into a USB port to charge it… using peripherals can break the disconnect.

Are there devices that use wireless in use within the network? If so, unless access is tightly managed, wireless can be a place where the disconnect is broken. Sometimes devices are added to a network (maybe temporarily) and they have wireless enabled on them. Have you ever connected a laptop to work on the disconnected network and have wireless enabled on the laptop? Printers sometimes have wireless available.  Using wireless can break the disconnect.

Sharing the wired network – does your control system ever share a switch with another network? This is sometimes done for convenience, cost or by an information technology (IT) department and perhaps using a virtual local area network (VLAN). Sharing switches with other networks can break the disconnect.

Even if you connect a workstation that is not actively connected to a wireless network, it may have been connected (and/or infected) recently.  After all, how are you going to get software updates or new configuration into your disconnected network? Connecting external devices such as laptops to the disconnected network can break the disconnect.

It is not unusual, especially during the pandemic, for methods of remote access to the control or manufacturing systems to be set up.  Knowledge of the existence of these may be closely held and they may also be connected only when needed. Regardless, these remote access techniques represent a break in the “disconnected” paradigm.

Perhaps what is meant by “disconnected” is actually “lightly” connected. The manufacturing or controls networks may have only a single point of access protected by a firewall that is tightly locked for in-bound traffic. Being actually connected by a firewall device, even one tightly controlled, is not disconnected. Also, pay attention to both the inbound and outbound firewall rules if you are using a common stateful firewall. If you lock down inbound requests but not outbound requests, you may have internal connections being made to e-mail or websites where malware can be encountered and introduced into your “disconnected” network.

This is not to say that you must find and kill all these new back-channels. Just be aware that they often do exist and evaluate your risks accordingly. You can maintain that “it won’t happen to me,” but don’t believe the myth that it’s because you’re disconnected. Cough, cough!

– This article originally appeared on MESA International’s blog. MESA International is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.


Dirk Sweigart
Author Bio: Dirk Sweigart, MESA cybersecurity working group chairman