Three cybersecurity changes that manufacturers should implement
It is difficult to paint a rosy picture of security today. With attacks growing more sophisticated and the attack surface broadening, the answers are not easy, but there are solutions, and manufacturers can win out in the end.
"The systems you are in charge of are under attack," said Dr. Joel Brenner, MIT/Internet Policy Research Initiative (IPRI)-CIS during his keynote address at the Industrial Controls System Joint Working Group 2017 Fall Meeting in Pittsburgh, PA, in September. "The ability to carry out the attack is not only with nation states, but by well-funded attack groups."
That means critical sectors need protection, but keeping all the critical areas secure would not be possible.
"There are critical sectors and then there are really critical sectors," Brenner said, breaking the critical areas into four key sectors. "The four sectors are oil and gas, financial, electricity, and communications."
Recent attacks on the British national healthcare services, Ukrainian power suppliers, Saudi oil company Aramco, and Qatari gas enterprise Ras Gas demonstrate that there has been an increasing number of assaults against critical infrastructure organizations.
While there are advantages to a more digital manufacturing enterprise, there are dangers.
Increased connectivity, digitization, and application of the Industrial Internet of Things (IIoT) can make companies more vulnerable to new types of attacks.
Brenner offered three security recommendations for manufacturers:
1. Key operations technology (OT) controls must be isolated from public networks if they are to be reasonably secure.
Not all networks need to be segregated, only key aspects of OT controls, he said. He admitted there are differences of opinion about appropriate degrees of separation. "Taking control off the Internet does not mean taking it away from digital," he said. "Not all functions need to be facing the public Internet. Some functions need to be locked up. There are lots of ways to figure out how to isolate."
2. Governments should support a market for simpler, safer control technology.
In this world, complexity is the enemy and malware is easy to insert into the millions of lines of code. In addition, he said, general-purpose microchips and general-purpose controls are unsuitable for controlling sensitive OT. "If we are going to have simpler controls, there has to be a market for them—and it needs support from governments across the world," he said.
3. Market incentives must be realigned for cybersecurity.
Retirement of legacy systems should be a priority. Brenner said governments should create tax incentives to accelerate the retirement of legacy systems. When it all comes down to it, he said, "The most difficult cybersecurity challenges are economic and political—not technological."
He believes the main challenge in doing security research is to quantify network risk. There need to be more facts and figures; the inability to quantify risk impedes security.
"The biggest issue of risk is not the silicon-based element in the computers, it is the carbon-based unit in the chair," Brenner said.
The industry has been working on security issues for 20 years and Brenner doesn’t feel there has been any real difference in risk.
"We have been facing the consequences of 20 years of wishful thinking," he said.
"Cybersecurity is not getting any better. We have been walking backward on cybersecurity for 20 years. Your security may be better, but we are not more secure. We have got to understand the fundamental problems are political and connected to national will. Now is the time to be clear headed and honest with ourselves on the depth of the problem."
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, email@example.com.