Cyberthreats Targeting the Factory Floor
As more and more industrial control systems (ICS) become connected to smart devices, enterprise IT systems and the Internet, manufacturing operations are increasingly exposed to cyberattacks. These attacks can cause manufacturing disruptions, leading to defective products, production downtime, physical damage and even threaten lives.
Cyberattacks targeting manufacturing companies are on the rise, according to a recent report from IBM X-Force Research’s 2016 Cyber Security Intelligence Index. The report noted that the sector is the second most-attacked industry behind healthcare. Automotive manufacturers were the top targets for criminals, accounting for almost 30% of all cyberattacks in 2015, while chemical companies were attackers’ second-favorite targets.
The 2016 Manufacturing Report by professional services firm Sikich also found a growth in attacks on the manufacturing sector. The report states that because cybersecurity is not at the forefront of most manufacturers’ priorities, these environments remain vulnerable.
Vulnerable Manufacturing Infrastructures
Most manufacturing companies are behind the curve on security. The Sikich report noted that only 33% of the manufacturers it surveyed were performing annual penetration testing within their IT groups. When it comes to ICS networks even less is being done to secure them. Because of lax security standards, manufacturers are leaving themselves exposed at every point of their networks.
Hackers Zero In on Leaky ICS Networks
While some manufacturers are starting to fortify their networks and corporate systems, industrial control systems pose serious challenges.
Unlike IT networks, operational networks offer poor or non-existent visibility into ICS and specifically the industrial controllers, which automate industrial processes and manage industrial equipment (I/Os).
Trends such as the Industrial Internet of Things and Industry 4.0, are driving organizations to facilitate more connections between the physical process world and the Internet. This connectivity exposes the previously isolated operational environments to cyberthreats."—Barak Perelman, CEO, Indegy
Industrial controllers like PLCs, RTUs and DCS, are dedicated industrial computers that make logic-based decisions to control industrial processes. They operate in every industrial environment, and play a vital role in complex processes such as power generation, oil transportation, management of electrical and water utilities, and various manufacturing processes.
Due to the design of ICS networks and the lack of basic security controls such as authentication and encryption, most ICS attacks do not need to exploit software vulnerabilities. Once the network is breached, the attacker gains unfettered access to all the controllers and can alter their configuration, logic and state to cause disruptions.
Without fully understanding which assets exist in an ICS network, and who is accessing them at any point in time, they cannot be protected. This includes access over the network, or direct physical access to the device.
The Control Plane Is Difficult to Secure
One of the biggest security challenges manufacturers face is dealing with the variety of different communication protocols used in ICS networks.
Standard data plane protocols like Modbus and DNP3 are used by HMI/SCADA/DCS applications to communicate physical measurements and process parameters such as current temperature, current pressure, valve status, etc.
Meanwhile, the control plane protocols — which are used to configure automation controllers, update their logic, make code changes, download firmware, etc. — are proprietary and vendor-specific. Each vendor uses its own implementation of the IEC-61131 Standard for Programmable Controllers. These implementations are rarely documented, making it very difficult to monitor critical activities.
Since the goal of most ICS cyberattacks is to cause operational disruptions or physical damage, an attacker will try to change the way the process executes. While a predefined set of process parameters can be changed through HMI/SCADA applications, the logic maintained on the controller defines the process flow and its safety settings. Therefore, changing the controller logic is both the easiest and most successful way to cause such disruptions.
Contrary to popular belief, this is not extremely difficult. Once inside the network, an attacker can easily download control logic to an industrial controller or change its configuration. Since these actions are executed using proprietary vendor-specific protocols, there is no standard way to monitor these control plane activities. As a result, changes made by an attacker can go unnoticed until damage starts to occur.
More Weaknesses — Connected ICS Networks
Until recently, industrial networks were separated from the rest of the world by ‘Air Gaps.’ In theory, an ‘Air Gap’ is a great security measure — disconnecting the industrial network from the business network and the Internet. However, an ‘Air Gap’ is no longer operationally feasible in today’s connected world. Trends such as the Industrial Internet of Things and Industry 4.0, are driving organizations to facilitate more connections between the physical process world and the Internet. This connectivity exposes the previously isolated operational environments to cyberthreats.
What Can Be Done to Protect ICS Networks?
Gaining visibility into ICS networks is the first step in being able to protect them from cyberthreats. Discovering all assets, especially industrial controllers, is critical. This includes maintaining a reliable inventory of configurations, logic, code and firmware versions for each controller.
Once these baselines have been established, continuous monitoring of control-plane activities for unauthorized access or changes is required. This is especially true since the controllers are often modified by third-party integrators. This can result in changes which are not captured by network monitoring alone. Fortunately, new specialized monitoring and control technologies for ICS networks are now available.