Cybersecurity is at the forefront of everyone’s mind. When we connect our machines and share information digitally, we potentially expose ourselves to hackers and malware, and in particular to ransomware. Ransomware has grown into one of the biggest problems on the Internet. It is malicious code that encrypts the data on infected systems, and victims can often only regain access to their files and PCs by paying a ransom to the criminals behind it. A ransomware infection is devastating to a control system that a manufacturing facility depends on. A successful ransomware attack on an ICS network threatens the victim with an unacceptable period of downtime: it halts operations, and it hampers restoration by stealing the program on the PLC and locking users out of the engineering and HMI workstations. Furthermore, if a process such as perishable food manufacturing is interrupted, the facility suffers additional downtime because the system must be flushed, the equipment re-sanitized, and the entire process restarted after the PLCs are recovered.

In addition to ransomware, there are targeted attacks from external sources, such as nation states going after critical infrastructure. Payloads designed to wreak havoc on critical infrastructure can cause collateral damage to a manufacturing facility that uses the same type of control equipment. Such malware can spread widely and lie dormant until it finds a target that matches the criteria it was built for, so an infected facility may not realize anything is wrong until the payload has already reached the control system.

A final cybersecurity risk to be aware of is the internal one. Internal data leaks stem from employees. It can be hard to believe that an employee would willingly sabotage their own company, and although it sometimes happens deliberately, most of the time it is purely accidental.
A common objective for cyber-criminals is to obtain the credentials of someone on the inside, which makes it easier to move around the network and harder to trace where the attack is coming from. This is where employee training on cybersecurity becomes extremely valuable. The cybersecurity landscape shifts constantly as new threats and security solutions emerge. There are more forms of attack than the ones mentioned here, but the approach described below provides a baseline level of defense against most of them. You will not prevent every attack, but with the proper methodology and equipment you can decide what level of risk you are willing to accept for your control systems. Cost and usability versus risk are the factors to weigh during an audit of your facilities. There are a number of things organizations can do to minimize their cybersecurity risk; here are eight suggestions to consider when evaluating your facility’s security measures:
- The first step in evaluating your facility for security vulnerabilities is to know what you have. Document as much as possible about what SHOULD be on the network. If you cannot monitor the network continuously, capture and analyze traffic for a period to establish a baseline. What does normal traffic look like? What does the architecture look like, or more specifically, which hardware components exist on the network and how are they configured? With this information you can set up anomaly detection and be notified when something doesn’t look right from a network-traffic perspective.
- Access controls should be set up on the network as well as in individual applications. Typically this does not happen within industrial control systems because they were not built with network security in mind. For proper network security, devices and users should be required to authenticate to a controlling device or application. This could be at the local switch (for example, port-based access control with 802.1X) or at the network domain level. It should not be easy to connect an unauthorized device to the network.
- Do you have a backup and change management system in place? If an unauthorized device does get past your access controls and physical security, can you detect what has been changed before damage is done to the control system? There should be an auditing system that logs what changes were made and whether equipment on the network was accessed, whether deliberately or unknowingly. Keeping a known-good copy of every PLC program and HMI configuration, and comparing it against what is currently deployed, is what makes that question answerable.
- Once the network has been evaluated, the applications should be assessed for vulnerabilities. One difference between IT and OT systems is that managing operating-system patches on OT PCs is not easy. The running control applications are sensitive to changes in the operating system, so patches must be tested offline before being rolled out to production. Virtual systems are a good way to test patches, but even then it is sometimes not possible to apply the latest patches, for example when the control-system vendor has not yet approved them for its software. In that case the compensating controls in the following points matter all the more.
- Keeping control-system networks off direct Internet access helps. This goes back to the original network architecture: firewalls and network paths. Proper design helps, but users of the control system must also understand how they might accidentally introduce malicious code. One example is a rogue wireless access point placed on the network for “ease of use”, which circumvents all the network security that is in place. Another is a personal laptop used for both control-system and day-to-day office work: malware residing on that PC can propagate the moment it is plugged into the control-system network. Awareness of these paths, together with email security (next point), helps close them.
- Training employees to recognize potential attacks arriving by email is a very important part of cybersecurity. Attackers rarely go through the “front door” company firewall; that is too big a hurdle. It is much easier to send a phishing email and have an employee open a malicious attachment or link. If a hacker is actively targeting your company, they could find the “Controls Engineer” on LinkedIn and send them a crafted email, potentially gaining remote access to that employee’s PC. That access can then be used to “jump” onto the control system, bypassing, and even tricking, the existing security features that are in place. For this reason, another option is to limit the rights users have within the control system.
- Not everyone should have administrator rights to the system. This is harder within a control system than in the corporate environment, because administrator rights are usually required to perform the necessary actions. The best way around this is to set up service accounts within each operating system and application so that the control applications run under those accounts, limiting the number of individuals with administrator access. If a hacker gets control of a laptop with a user’s login, they would not automatically have the same rights as the service accounts running the applications in the control system.
- In addition to the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be the starting point in developing an overall security plan. A good information-security policy lays out the guidelines for employees’ use of the company’s information resources and gives the company recourse if an employee violates the policy.

To sum up: the first step toward a secure control system is to know what you have. What SHOULD be on the network? Once you know that, you know what SHOULDN’T be on the network. Identify the most critical assets and decide the best way to protect them. There is always some risk involved, but that risk is necessary to provide value to production. The balance needs to be found, and once controls are established they should be checked and evaluated on a regular basis (if not continuously).
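The first suggestion (know what SHOULD be on the network, baseline normal traffic, alert on anything else) can be turned into a simple check. The script below is an added example written for this post, not code from the original article or from CBT; it assumes you can export flow summaries from a capture (for instance on a switch SPAN port) as plain `src dst proto dport` lines. The inventory, addresses and both captures are constructed sample data.

```python
"""Baseline-and-anomaly check for a control-system network segment.

Added example (not code from the original page). It assumes flow
summaries can be exported as plain text lines of the form
    src_ip dst_ip proto dst_port
All addresses and flows below are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: what SHOULD be on this segment (hypothetical addresses).
KNOWN_HOSTS = {
    "10.10.1.10": "hmi-01",
    "10.10.1.20": "eng-ws-01",
    "10.10.1.50": "plc-line1",
    "10.10.1.51": "plc-line2",
}

# Constructed baseline capture taken during normal production.
# 502 = Modbus/TCP, 44818 = EtherNet/IP explicit messaging.
BASELINE_CAPTURE = """\
10.10.1.10 10.10.1.50 tcp 502
10.10.1.10 10.10.1.51 tcp 502
10.10.1.20 10.10.1.50 tcp 44818
10.10.1.20 10.10.1.51 tcp 44818
"""

# Constructed later capture with three deviations from the baseline:
# an unknown device, a known pair talking on a never-seen port, and a
# known host reaching a peer it never talked to before.
OBSERVED_CAPTURE = """\
10.10.1.10 10.10.1.50 tcp 502
10.10.1.20 10.10.1.50 tcp 44818
10.10.1.99 10.10.1.50 tcp 502
10.10.1.10 10.10.1.50 tcp 3389
10.10.1.20 10.10.1.10 tcp 44818
"""


def parse_flows(text):
    """Parse 'src dst proto dport' lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole check
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(flows):
    """Return the set of known conversations and, per source host, the set of
    (proto, dport) services that host is known to use."""
    conversations = set(flows)
    services = defaultdict(set)
    for src, _dst, proto, dport in flows:
        services[src].add((proto, dport))
    return conversations, services


def find_anomalies(observed, conversations, services, known_hosts):
    """Classify each observed flow that deviates from the baseline.

    unknown_host     - either endpoint is not in the inventory
    new_service      - known host using a protocol/port it never used before
    new_conversation - known host, known service, but talking to a new peer
    """
    findings = []
    for flow in observed:
        src, dst, proto, dport = flow
        if src not in known_hosts or dst not in known_hosts:
            findings.append(("unknown_host", flow))
        elif flow not in conversations:
            if (proto, dport) in services[src]:
                findings.append(("new_conversation", flow))
            else:
                findings.append(("new_service", flow))
    return findings


def run_check(baseline_text=BASELINE_CAPTURE, observed_text=OBSERVED_CAPTURE):
    """Build the baseline from one capture and check a later capture against it."""
    conversations, services = build_baseline(parse_flows(baseline_text))
    return find_anomalies(parse_flows(observed_text), conversations, services, KNOWN_HOSTS)


if __name__ == "__main__":
    for kind, (src, dst, proto, dport) in run_check():
        print(f"{kind:16} {src} -> {dst} {proto}/{dport}")
```

The three categories are deliberately separate because they warrant different responses: an unknown host is the "something that SHOULDN'T be on the network" case, a new service on a known host (here RDP from the HMI) often means a compromised or misused machine, and a new conversation between known hosts may simply be an undocumented but legitimate change that the baseline should absorb after review.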
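The third suggestion asks whether you can detect what changed before damage is done. One practical way to answer it is to keep a hash manifest of your exported PLC projects and HMI configurations at each approved change and diff it against the backup share on a schedule. The script below is an added example written for this post, not code from the original article or from CBT; the file names and contents are constructed, and `snapshot_directory()` is the function you would point at a real backup share.

```python
"""Change detection for control-system configuration exports.

Added example (not code from the original page). It keeps a SHA-256
manifest of exported PLC projects / HMI configs and reports what changed
since the last approved baseline. File names and contents below are
constructed sample data.
"""
import hashlib
import json
import os
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(root):
    """Hash every file under root; returns {relative_path: sha256}.
    This is what you would run against the real backup share."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return manifest


def manifest_from_memory(files):
    """Same shape as snapshot_directory(), built from an in-memory {path: bytes}."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def diff_manifests(baseline, current):
    """Classify every difference as added / removed / modified, sorted by path."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append({"path": path, "change": "added", "new": new})
        elif new is None:
            changes.append({"path": path, "change": "removed", "old": old})
        elif old != new:
            changes.append({"path": path, "change": "modified", "old": old, "new": new})
    return changes


def audit_record(changes, checked_by="scheduled-check"):
    """Wrap the changes in a timestamped entry suitable for an audit log."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "checked_by": checked_by,
        "changes": changes,
    }


# Constructed sample: the manifest stored after the last authorised change,
# and what the backup share contains now. Someone added a rung to line 1's
# PLC program and renamed line 2's project file.
BASELINE_FILES = {
    "line1/plc-line1.project": b"rung 1: start motor\nrung 2: stop on E-stop\n",
    "line1/hmi-line1.xml": b"<screens><screen name='overview'/></screens>",
    "line2/plc-line2.project": b"rung 1: conveyor run\n",
}
CURRENT_FILES = {
    "line1/plc-line1.project": b"rung 1: start motor\nrung 2: stop on E-stop\nrung 3: bypass interlock\n",
    "line1/hmi-line1.xml": b"<screens><screen name='overview'/></screens>",
    "line2/plc-line2-backup.project": b"rung 1: conveyor run\n",
}


def run_check():
    """Diff the constructed baseline against the constructed current state."""
    return diff_manifests(manifest_from_memory(BASELINE_FILES),
                          manifest_from_memory(CURRENT_FILES))


if __name__ == "__main__":
    print(json.dumps(audit_record(run_check()), indent=2))
```

Because the report carries both old and new hashes, a rename shows up as a removed and an added entry with the same hash, while a genuine edit shows a different hash under the same path; either way the record answers "what changed, and when did we first see it" without anyone having to remember what the program looked like last month.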
CBT has a team of cybersecurity experts to help you work through any network or data security issues you may have. We’re always here to help!