This article was contributed by Marc Baret, Global Operations Director at Rockwell Automation.
Security incidents involving household-name companies understandably attract news headlines, especially where individual customers may be directly affected by the breach. Attacks on industrial businesses, however, appear less likely to garner public awareness, but this doesn’t mean the risk to manufacturing isn’t real or growing.
In one high-profile instance last year, a ransomware attack on one of the world’s largest aluminium companies resulted in tens of millions of dollars in damage. And that’s just one business. Attacks such as this are taking place at an increased pace – according to joint research by Forrester and Tenable, 94% of executives say their firms have experienced a business-impacting cyberattack or compromise within the past 12 months. The average cost of a data breach for a company is $3.86m.
It’s not just about the money either. Factories and plants are packed with potentially dangerous machines. Surrender control of your equipment and processes, and the consequences could be interrupted production, injury, or worse.
We know that phishing attacks and malware pose some of the biggest threats to businesses, but in an industrial environment, there’s also a very real threat of physical danger. The most important part of safety in manufacturing is preventing accidents or risk to life, and industrial leaders must take every physical step necessary to prevent such.
When it comes to protecting people, cybersecurity is intrinsically linked to real-world safety.
Identifying Hidden Risks
It was once the case that in typical industrial settings, there was a clear demarcation between information technology (IT) and operational technology (OT) systems. These environments rarely touched and were usually managed by separate teams.
In modern manufacturing, the convergence of these two worlds has required an entirely new approach; not only for ensuring smooth operation, but in guarding against a new vector for cyberattack.
For those seeking to disrupt manufacturing operations, the controllers involved in industrial processes are a desirable target. Think of some of the continuous processes in an industry such as oil and gas. They can’t be turned off with the simple flick of a switch, but hackers could gradually reduce pressure through valves or vessels to shut things down without anyone noticing. The notorious Stuxnet virus did something similar. By pushing nuclear centrifuges above safe speeds at an unnoticeably steady rate, nobody saw the failure coming. Not even the automation systems.
That's just one of several attacks that have been conducted in recent years. In fact, if a company has a data breach, it typically takes around six months for them to notice. So, whether through covert attempts to hinder production or brazen demands for money through ransomware, cyber-attackers that take control of your processes also hold your employees’ safety in their hands.
While this is clearly a risk that manufacturing leaders need to be cognisant of, it doesn’t mean that you should seek to isolate all OT systems. As with any form of risk, the aim is to mitigate rather than remove altogether.
Finding a Safe Balance
With the right measures in place, there’s no reason you should forgo the benefits of connected industrial processes and risk falling far behind your competitors.
Having a connected environment is a valuable asset to your business and, with appropriate security measures in place, can be deployed both safely and productively. Imagine, for example, a motor for a pump system in a refinery in the middle of the desert. You could keep it offline and unconnected to reduce the risk of outside interference, and rely on sending an engineer hundreds of miles every time you want to check the equipment. However, without the instant information from a connected algorithmic system, faults or problems could go undetected for longer and cause breakdowns, or worse – depending on the volatility of the materials involved in the industrial process.
In a situation such as the Stuxnet incident, air-gapping the systems from the internet wouldn’t have prevented the damage caused. It spread through infected USB flash drives by targeting internal resources with access to the facility.
So, if it’s not going offline or isolating your systems…
What are the right cybersecurity measures?
A multi-layered problem requires a multi-layered approach. Securing hardware and software is clearly part of the solution, but you can't ignore the role of people. You need to have the right design methodology for your network, access to the skills necessary to keep it secure, and a commitment to monitoring it for the long haul.
This is the kind of cybersecurity advice and implementation we specialise in at Rockwell Automation. Working with our customers, we seek to gain a close understanding of how the environment has been managed historically, what new risks may have emerged – or could emerge in future – and find a security model that can be employed consistently and sustainably. This can involve:
- Assessing your risk through proper OT network assessment
- Designing your OT network to comply with industry best practices
- Securing remote access to your OT network through a secured architecture
- Monitoring your operations to detect threats and anomalies in real time
- Keeping a contingency plan to isolate and recover from a Day 0 cyberattack
The Full Picture
The threat of cyberattacks is real for all manufacturing facilities. The costs could be disrupted production, financial loss, or even safety risks for you and your team.
Faced with these risks, it’s easy to believe the solution is to forgo the digital transformation and connectivity by which these criminals can gain access. Yet, this transformation also drives competitive benefits and increases productivity in your business. Disabling them isn’t an option. Instead, the solution is a multi-layered cybersecurity approach that blends the physical with the digital and takes into account your people.
We may rarely see stories of industrial automation hitting the headlines, but we all need to be equipped with the right technology and understanding of the risks and actions we can take to mitigate them.