Securing today’s manufacturing systems calls for a fresh approach
Authors: Bruce Sneddon and TM Ching
Protecting information in a manufacturing organisation is very different from protecting information in other industries.
In 2010, the world was stunned by the news that the Iranian nuclear program had been attacked by self-replicating computer malware that attempted to disrupt the production of enriched uranium. The 2016 film “Zero Days” described in detail how this sophisticated attack was perpetrated by intelligence agencies exploiting the weaknesses of the industrial control systems used by the Iranians.
While the Iranian nuclear program is certainly not the typical manufacturing operation, the incident served as a wake-up call to manufacturers everywhere that this could happen to their organisations if they are not equipped to defend against cybersecurity attacks.
Adversaries can come in many forms: state-sponsored attackers, corporate espionage or hacktivists. Each adversary can bring harm by disrupting manufacturing operations, or by stealing sensitive product design information or proprietary and differentiating production techniques. On a small scale, a successful cybersecurity attack can affect the manufacturing organisation’s reputation and financial performance. On a larger scale, cybersecurity attacks can have a negative impact on national security and the nation’s gross domestic product (GDP).
Increased connectivity means increased security risks
The backbone of most manufacturing organisations is their investment in operational technology (OT), which includes industrial control systems that are connected via programmable logic controllers (PLCs). These OT solutions focus on the safety of human operators and the integrity of the manufacturing equipment. Most legacy manufacturing equipment uses proprietary control system network protocols that don’t connect to the internet, and thus the industry has not put much emphasis on cybersecurity.
Historically, it was deemed sufficient for manufacturing organisations to have an air-gapped network architecture, with separation between corporate business systems and the operational and control systems on the manufacturing shop floor. However, that approach doesn’t work any longer, as manufacturers implement more automation in their plants to improve production throughput and quality and to reduce operating costs. This new manufacturing equipment brings increased connectivity with surrounding processes, business systems and remote operators.
The ability to consolidate and centrally operate and control the manufacturing process from remote operations centres removes the need for human operators to be physically located on the shop floor. This connected environment helps increase productivity; but at the same time, it amplifies the security risk that production equipment can be remotely accessed and controlled by external parties.
In many manufacturing organisations, silos have existed across IT and OT domains, with each group operating almost entirely independently. In recent years, the OT domain has started to converge with IT, as modern manufacturing plants and equipment are now IP enabled and connected with other enterprise network environments.
From a security perspective, this IT/OT convergence is driving organisations to develop a holistic and harmonised approach to security in order to deliver an optimised technology solution and reduce business risk.
Additionally, manufacturers are seeing the traditional boundaries of their enterprise expand to enable and support the increasing level of connectivity and globalisation of manufacturing supply chains. The shift to demand-driven supply models requires increased visibility, with manufacturers expanding their reach across a growing network of supply chain partners, business partners and consumers.
Security must be built into manufacturing processes
To support these changes, a need exists for secured data exchange and connectivity among manufacturers, partners, consumers and an exponentially increasing number of connected devices, sensors and smart products. It is critical that all business-to-business connections be protected — not just with firewalls and intrusion prevention devices, but also by monitoring all traffic traversing into and out of the organisation, so that anomalous network activities can be identified.
Covert activities and insider attacks can be spotted through the use of behavioural learning. By knowing which users typically access what systems at a given time, a system can detect unusual behaviour. In this way, a cybersecurity attack can be detected early, before it starts to have an impact on the production process.
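The idea of knowing which users typically access what systems at a given time can be sketched as follows. This is an added example, not code from the article or from DXC: a simple set-based baseline stands in for behavioural learning, and the user names, system names, sample events and one-hour tolerance are all assumptions.

```python
from collections import defaultdict

# Constructed baseline of normal access: (user, system, hour of day, 0-23).
# All user and system names here are hypothetical.
BASELINE = [
    ("eng_alice", "hmi-line1", 8), ("eng_alice", "hmi-line1", 9),
    ("eng_alice", "hmi-line1", 14), ("eng_alice", "mes-server", 15),
    ("op_bob", "plc-gateway", 22), ("op_bob", "plc-gateway", 23),
    ("op_bob", "plc-gateway", 0), ("op_bob", "plc-gateway", 1),
]

def build_profile(events):
    """Record, per user, which systems they use and at which hours."""
    profile = defaultdict(lambda: defaultdict(set))
    for user, system, hour in events:
        profile[user][system].add(hour)
    return profile

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def deviations(profile, user, system, hour, tolerance=1):
    """Return the reasons an access differs from the baseline (empty if none)."""
    if user not in profile:
        return ["unknown_user"]
    reasons = []
    systems = profile[user]
    if system in systems:
        usual_hours = systems[system]
    else:
        reasons.append("new_system_for_user")
        usual_hours = set().union(*systems.values())
    if all(hour_distance(hour, h) > tolerance for h in usual_hours):
        reasons.append("unusual_hour")
    return reasons

def flag(profile, events):
    """Keep only events that deviate, paired with their reasons."""
    scored = ((e, deviations(profile, *e)) for e in events)
    return [(e, r) for e, r in scored if r]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    new_events = [("eng_alice", "hmi-line1", 9), ("op_bob", "plc-gateway", 2),
                  ("eng_alice", "plc-gateway", 3), ("contractor_x", "hmi-line1", 9)]
    for event, reasons in flag(profile, new_events):
        print(event, reasons)
```

The night-shift operator logging in at 02:00 is not flagged because the hour comparison wraps around midnight, while an engineer reaching a PLC gateway for the first time at 03:00 is flagged on both counts.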
The proliferation of the internet of things (IoT) adds another wrinkle to the manufacturing security scenario, with the addition of countless new components and network-connected devices that communicate internally or externally in the organisation. These smart connected devices, sensors and controllers in manufacturing plants deliver real-time tracking of inbound materials and track-and-trace solutions for outbound finished goods. When these IoT components and devices are connected to the network, they instantly fall under the purview of the cybersecurity management process.
Today, while a number of IoT standards have been put forth, no dominant standard yet exists. It is important for manufacturers to address security risks with IoT and mitigate these with an enterprise-wide solution. Manufacturers should use IoT gateways and edge devices to segregate and provide layers of protection between insecure devices and the internet to help manage the overall lack of security present with IoT.
Unique challenges call for unique solutions
Protecting information in a manufacturing organisation is very different from protecting information in other industries. Where the financial, retail and healthcare industries focus on security of personally identifiable information (PII) and credit card records, the key protections required in the manufacturing industry are that the manufacturing process not be disrupted and that intellectual property be protected.
IT controls to protect information systems must be mature, ensuring confidentiality, integrity and availability, and able to be deployed in standard IT environments. In the OT domain, the same set of technology controls is not easily available to protect manufacturing equipment and control systems. This is an area where manufacturing organisations can learn from IT how to protect their production processes from cybersecurity attacks.
The introduction of advanced digital manufacturing applications will require next-generation solutions for monitoring both IT and OT, including sensors, networks and connectivity, and edge-oriented computing. Operating models for security management will need to be modernised and strengthened to ensure end-to-end integration, with security mandated as a prerequisite across IT and OT domains.
Common manufacturing practices that have been in use for years should now be deemed vulnerable and unsuitable for operating in a secure modern environment.
DXC Technology’s security services protect some of the largest manufacturing companies in the world. Our Advisory and Managed Security Services have assisted our clients in defending against modern-day attacks and helped them improve and strengthen their OT security, so that cybersecurity attacks can be mitigated through preventive, detective and proactive response measures.
Learn more at www.dxc.technology/manufacturing