CYBERSECURITY
Expert Insights from Market Leaders
Protecting Industry 4.0
The whole concept of Industry 4.0 is one of “super-connected plants” with product and service on demand and instant access to real time data. The principle it embodies includes the creation of interoperable manufacturing environments, integrated sales and delivery data sets, real time plant management data and remote and autonomous service and maintenance management. It is the embodiment of the future that was imagined in the science fiction of the seventies and eighties.
However, with this all-connected, autonomous and self-managed industry environment comes a set of risks and threats, and the potential for system breakdown, that the same science-fiction world relied on for its story lines.
Andrew Cooke, Head of Consulting, Airbus CyberSecurity
Insecurely Driving Industry Forward
Coming back to reality for a moment, the drive for efficiency and our ‘on demand’ society has placed an expectation on industry that a consumer’s order today will be delivered tomorrow. The result is a real need for super connectivity to translate demand into service delivery instantly. From that societal requirement consequently comes a need for high availability of plant, the requirement for an ability to make instant configuration change and to maintain plant and equipment remotely to maximise up time and minimise delays from travel and repair time. In order to deliver product and service to the customers’ expectations, supply chains have to be more integrated, services and processes need to be capable of evolving to meet changing need, and data needs to be made available instantly to the supplier and the customer to manage the delivery programme.
This connected world clearly presents us with a whole set of different cyber challenges. If the supplier has remote access to your systems to manage inventory, upgrade firmware or maintain control systems then you can bet someone who wants to steal goods or intellectual property can get the same access. If power demand and transmission needs to be balanced across a network from a remote control centre then it can equally be interfered with and potentially control taken by a malevolent actor as well. Interoperability and openness of systems is a huge advantage in management and control of process but also allows malevolent code, malware and viruses to spread rapidly around a system as well.
industry 4.0 Issue no 3 - AUGUST 2018 CYBERSECURITY
There are huge efficiency and intelligence benefits in sharing data between systems, functions, suppliers and customers. We must recognise though that it presents a huge risk in terms of aggregation of information and intelligence. It makes breaking in and stealing that data more attractive and more lucrative and presents the attacker with more information potentially allowing him to penetrate deeper into systems and networks proliferating damage or generating more and more intelligence for future attack. The potential for an attacker to access that critical “big data” not only risks the integrity of your systems now but also brings the potential for data loss and a prosecution under the General Data Protection Regulations if you are operating in Europe.
It all seems very gloomy at first sight but help really is at hand. Increased digitisation doesn’t have to mean increased threat of attack or compromise. Technology can offer as much protection as it can create the threat in the first place.
Furthermore, it is always tempting to look for a technological solution to a technological threat, yet technology is not always the answer.
The first thing that industry must do to protect itself is to understand what it has in the first place. What does its network really look like? What is connected to what? What big data sets are being used to create critical information? What is critical and what information can safely be made available to anyone? Which systems are more vulnerable to external threat? How do the networks and processes work, and which processes are dependent on those more vulnerable systems? A large (confidential) European FMCG manufacturer only discovered an external line connecting its control system network to the internet when one of its supplier’s engineers was seen by a network discovery tool and a previously assumed air gapped system was revealed to be open to the internet.
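The air-gap assumption in the anecdote above can be tested against recorded traffic rather than against the network diagram. The following is an added example, not code from the article or from any vendor named on this page; the control-network subnet, the addresses and the flow-record layout are constructed assumptions.

```python
import ipaddress

# Assumption: the control network documented as air-gapped (hypothetical subnet).
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# RFC 1918 ranges, listed explicitly: ipaddress.is_private also counts the
# documentation ranges used below as stand-ins for internet hosts.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.2", 502),       # inside the control network
    ("10.20.1.15", "10.50.3.9", 445),       # control network -> enterprise LAN
    ("10.20.4.77", "203.0.113.40", 443),    # control network -> internet
    ("10.50.3.9", "198.51.100.7", 443),     # enterprise -> internet, not OT
    ("198.51.100.23", "10.20.4.77", 3389),  # internet -> control network
    ("not-an-ip", "10.20.1.2", 502),        # malformed record
]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_air_gap(flows, ot_nets=OT_NETS):
    """Return (findings, rejected): every flow that crosses the OT boundary."""
    findings, rejected = [], 0
    for src, dst, port in flows:
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            rejected += 1          # unparseable record: count it, do not guess
            continue
        s_ot, d_ot = _in_any(s, ot_nets), _in_any(d, ot_nets)
        if s_ot == d_ot:           # OT-internal, or not touching OT at all
            continue
        ot_host, peer = (s, d) if s_ot else (d, s)
        findings.append({
            "ot_host": str(ot_host),
            "peer": str(peer),
            "port": port,
            "direction": "outbound" if s_ot else "inbound",
            "exposure": "internal" if _in_any(peer, RFC1918) else "external",
        })
    return findings, rejected

if __name__ == "__main__":
    found, bad = audit_air_gap(SAMPLE_FLOWS)
    for finding in found:
        print(finding)
    print("rejected records:", bad)
```

Any finding at all contradicts a documented air gap; the `external` ones are the case the manufacturer in the anecdote discovered.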
For any organisation to start to manage the risks it faces as it moves to Industry 4.0 it needs to start with a comprehensive risk assessment. Particularly in the Industry 4.0 environment a cyber risk is a business risk and vice versa.
In Industry 4.0 business does not exist without interoperable technology and the networks that provide them. Before investing in technology it is critical to invest in an understanding of the risk that that technology is subject to and where the threats to it might come from. Understanding the network and processes and where risk sits on those processes is the first step in developing an effective strategy to protect Industry 4.0.
Once those networks and processes are understood and the risks are identified and quantified then appropriate mitigation strategies can be developed, investment in protection can be planned and technology can be mobilised. Cyber risks are first and foremost business risks so the essential next step is to link the cyber risk to the top level organisational goals. What is important to the business and how can cyber cause you to fail? This will help to prioritise systems and processes and moreover prioritise what data is critical to the mission. Understanding what needs to be kept most secure and what data is less important or more critically needs to be made available to external bodies presents the key to a strategy for sharing it in a secure way.
Once you have this understanding of business risk and how to mitigate then you can look at the technology that can help you to do that. The first thing should always be to have a protective monitoring solution. The protective monitoring regime needs to be appropriate for the business. There is no point in having a solution that generates 500 alerts a minute and is therefore unmanageable, or have the protective monitoring team working office hours while the business works twenty four hours. Similarly there is little point in investing in expensive operational technology threat assessment and protective monitoring equipment if the organisational architecture makes it inoperable.
Unblurring the blurred boundaries
The second critical technological consideration is in data sharing. Making sure information is available where it is needed but only shared securely and with those who really need it is paramount in having an effective, efficient and secure business. As alluded to above, the most important interface to manage is the sharing of information between operational technology (OT) and enterprise systems (IT). The blurring of the boundaries between OT and IT has both facilitated better, more effective information sharing and raised the risk of malware, viruses and other malevolent code proliferating across operational technology networks.
The classic recent example of this is the Ukrainian power network attack in December 2016, when the Industroyer malware crossed to the OT network, rapidly spread across the network and disabled control systems, with a resulting lengthy power outage across the country. Historically organisations planned to keep those systems separate and not share data, but in Industry 4.0 that separation is impossible as operational data is critical to delivering the mission. Data diode based solutions have been used in the past to make sure data can only pass one way and malware can’t get from enterprise technology to operational technology. This is not necessarily the only or even the best technology, though, to protect operational technology networks. An appropriate risk assessment is needed, but increasingly end point protection and encryption devices designed specifically to function with IoT and operational technology protocols can prove more effective and offer greater utility.
Industry 4.0 is driving manufacturing and critical infrastructure to adopt 21st century communications and technology into its daily delivery processes. There is no realistic reason why it should bring 21st century IT risks with it.
In summary:
• Use technology to its best effect to deliver business benefit;
• Understand your cyber risks because they are business risks and will map directly against organisational goals;
• Understand the network and processes and which processes offer the greatest security risks;
• Invest in appropriate technology but Industry 4.0 doesn’t mean technology for technology’s sake;
• Protect the perimeter of the organisation;
• Know what is critical and what doesn’t need protecting; and
• Manage the gap between IT and OT in an appropriate way that serves business purpose but protects critical data and systems.
EXPERT OPINION FROM DARKTRACE
“Typically, industrial security has been approached differently to IT security. Industrial control systems in manufacturing companies have long operated in isolation from IT and online networks. However, as manufacturers digitise and integrate ‘smart’ technologies into physical controls to boost efficiency, more connections are made to the wider, more accessible, enterprise networks. This means that industrial systems are becoming exposed to the full force of modern cyber-threats.
Andrew Tsonchev, Director of Technology, Darktrace Industrial
“The reality is attacks on industrial environments have the potential to cause wide-scale disruption and catastrophic damage. Breaches could see assembly lines sabotaged, and supply chains disrupted, leaving manufacturers with hefty financial losses and often irreparable reputational damage.
“Historically, manufacturers focused their cyber defence on big IT systems using only perimeter controls, such as firewalls and antivirus software. These defences rely on the attacks of yesterday to prevent repetition. In the midst of the fourth industrial revolution, this approach to securing their networks is no longer enough.
“Production plants are fast becoming digital jungles, as new technological innovations such as IoT sensors, robotic automation, and integrated cloud services intertwine with antiquated industrial machinery. Patches simply do not exist for some of these older systems, or at best, take substantial expertise and money to maintain. This isn’t just a problem for SMEs who have fewer security resources. Even a large manufacturing organisation with a cohort of highly-trained security experts cannot pre-empt all the potential threats to their network.
“Compounding the challenge, threats in this industry are almost always zero-day attacks. Mass, indiscriminate attacks are likely to fail given the uniqueness of industrial networks. Successful attacks are bespoke to specific machines, in specific organisations. Valuable learnings from previous attacks are therefore limited, and security teams need to adopt proactive defences that spot and stop ‘unknown unknowns’ to protect their networks.
“More and more manufacturing organisations realise the need for AI technology in their cyber security posture. Analogous to the human immune system, these technologies use machine learning to learn the normal ‘pattern of life’ for every device, controller and user on the unique network. Using this dynamic understanding, they then detect and autonomously fight back against never-seen-before attacks.
“If it seems like the fingerprint sensor used to access a power plant is making strange connections, instead of interrupting the entire system and preventing legitimate access to the plant for several hours, cyber AI will slow down or stop that specific connection. With one million unmanned cyber security positions worldwide, this capability has proven invaluable by granting security teams time to catch up.
“The fact that these responses are proportionate, and in real time, means that manufacturing companies halt in-progress threats in their tracks, preventing any damage and system downtime. This new breed of cyber technology can be installed in one hour, learning instantly and detecting subtle threats in a matter of days. Flooded with threat alerts and false positives AI technology enables security teams to focus on only the genuine threats, enhancing the efficiency of the organisation’s security posture.”
Tripwire answers questions on the key issues affecting the adoption of Cybersecurity Solutions:
What threats are present for manufacturing and why should SMEs be investing in Cybersecurity solutions?
There is a significant threat for cyber espionage targeted at the manufacturing industry, as highlighted in Verizon’s latest Data Breach and Incident Report. Therefore, manufacturers should be concerned with protecting their company’s intellectual property and other sensitive data. And of course, manufacturing is all about uptime and preventing unplanned downtime. These processes are very dependent on having automation systems up and running in order to complete a particular process. If just one part of the automation system goes down, that impacts the company’s bottom line. The risk of operational disruption increases as more and more industrial control systems are connected to the internet. And it’s not just cyberattacks that can disrupt these processes; it could be a bad configuration change, which is more common.
Gabe Authier, Senior product manager, Tripwire
What technologies are available for firms to adopt without a huge investment and downtime?
Industrial operators need to get better visibility into what’s going on in their environment. A good starting point is to start leveraging log data more effectively by aggregating all system data, from various devices, into a centralized place. It’s a very non-disruptive approach. Most automation systems have the ability to send log data, they don’t need to be taken down for this, and it’s fairly cost effective. With log data aggregated and normalized into a central location, you can more easily identify activities that are out of the ordinary. You can set correlation rules to alert you of certain activities. For example: if a particular system is experiencing a certain amount of retries for a particular process, and it’s not starting up for whatever reason, an alert can be set for detecting that kind of activity through log data. The log data also enables forensics; after an issue, teams can use the logs to determine what caused a system to go down.
As a highly recommended next step, organizations should have a way to ensure their devices are set up and configured correctly, and then see if their environments match up with industry policies and hardening benchmarks (such as IEC-62443 and NIST 800-53). This takes a little more effort and investment than the above, but with a solution that can automate the testing of configuration data against policies and best practices, this isn’t as hard as some operators might think. This would help ensure compliance with industry standards, improve hardening of devices, and reduce risk of downtime caused by a misconfiguration.
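The retry correlation rule described in the answer above, written out as an added example; it is not Tripwire's code or any product's rule syntax. The normalized log format, event names, host names, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample in an assumed normalized format:
# "<ISO timestamp> <host> <process> <event>"
SAMPLE_LOGS = """\
2018-08-01T02:00:05 plc-gw-01 historian START_RETRY
2018-08-01T02:00:20 plc-gw-01 historian START_RETRY
2018-08-01T02:00:41 plc-gw-01 historian START_RETRY
2018-08-01T02:00:44 hmi-02 opc-server START_RETRY
2018-08-01T02:00:50 hmi-02 opc-server STARTED
2018-08-01T02:01:02 plc-gw-01 historian START_RETRY
garbled line from a device that does not follow the format
2018-08-01T02:09:30 hmi-02 opc-server START_RETRY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (START_RETRY|STARTED)$")

def parse(line):
    """Return (timestamp, host, process, event), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)

def correlate(lines, threshold=3, window=timedelta(minutes=2)):
    """Alert once per (host, process) that retries `threshold` times within
    `window` without a successful start in between."""
    recent = defaultdict(deque)   # (host, process) -> retry times in window
    alerted = set()               # keys already alerted, to avoid alert floods
    alerts, skipped = [], 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1          # keep a count: silent drops hide log gaps
            continue
        ts, host, proc, event = rec
        key = (host, proc)
        if event == "STARTED":    # recovery resets the rule for this key
            recent[key].clear()
            alerted.discard(key)
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window: # drop retries older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "process": proc,
                           "retries": len(q), "at": ts.isoformat()})
    return alerts, skipped

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS.splitlines()))
```

The `skipped` count is returned alongside the alerts because a rise in unparseable lines after aggregation usually means a device changed its log format and the rule has stopped seeing it.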
What considerations are to be taken into account when adopting a cybersecurity solution?
All industrial operators will want to adopt a solution that can be implemented relatively easily and won’t disrupt operational processes (or at least have the most minimal impact on process possible). Operators should consider how intrusive a particular tool might be going to do some analysis on their network. Solutions should also be specifically designed to work within operational technology (OT) environments and be implemented with the involvement of the OT team, not just IT. Technology made for traditional IT environments can’t simply be copied over into OT environments as it may cause operational shutdowns. You also need to be sure that the solution can communicate effectively with your OT environments, and should therefore have the appropriate industrial protocols and integrations to give you the most visibility.
CYBERSECURITY FOR MANUFACTURING DIRECTORY
Below is a selective list of firms involved with Cybersecurity for Industry 4.0. If you would like to include your firm in our online directory of Industry 4.0 firms please send details to digital@gbmediaevents.com
Daresbury Park, Warrington, WA4 4BT, UK. T: +44 1925 741 111 www.abb.com www.linkedin.com/company/abb
30 Fenchurch Street, London, EC3M 3BD, UK. T: 0808 1011169 www.accenture.com/gb-en/security-index www.linkedin.com/company/accenture-uk
Quadrant House, Celtic Springs, Coedkernew, South Wales, NP10 8FZ, UK. T: +44 (0) 16 33 71 30 00 www.airbus-cyber-security.com www.linkedin.com/company/AirbusCyber
Second Floor, MidCity Place, 71 High Holborn, London, WC1V 6EA, UK. T: 0800 783 3040 www.atos.net www.linkedin.com/company/atos
1–3 The Strand, London, WC2N 5EJ, UK. T: +44 (0) 20 7930 1350 info@darktrace.com www.darktrace.com www.linkedin.com/company/darktrace
1st Floor, GPS House, 215 Great Portland Street, W1W 5PN, London, UK. T: +44 (0) 20 7291 9520 www.gemalto.com www.linkedin.com/company/gemalto
Lovelace Road, Southern Ind Area, Bracknell, RG12 8WD, UK. T: 01344 656000 www.honeywellprocess.com www.linkedin.com/company/honeywell-process-solutions
Kaspersky Lab UK Ltd. 2 Kingdom Street, London, W2 6BD, UK. T: +44 (0)20 3549 3499 www.kaspersky.co.uk www.linkedin.com/company/kaspersky-lab-uk
Bletchley, Denbigh Road, Milton Keynes, MK1 1EP, UK. T: +44 870 242 5004 www.rockwellautomation.com www.linkedin.com/company/rockwell-automation
UK House, 180 Oxford St, London, W1D 1NN, UK. T: +44 0 203 907 6280 F: +44 0 870 085 8556 www.secureworks.co.uk www.linkedin.com/company/secureworks
3 Furzeground Way, Stockley Park, Uxbridge, UB11 1EZ, UK. T: +44 (0) 330 808 4684 www.linkedin.com/company/tenableinc
US Headquarters, Tripwire, Inc. 101 SW Main St., Ste. 1500, Portland, OR 97204, USA. T: 503.276.7500 www.tripwire.com www.linkedin.com/company/tripwire