The IT/OT convergence that is propelling the Fourth Industrial Revolution has opened up a can of worms in terms of risks to both IT and industrial control systems. Meanwhile, these risks are being compounded by the divide between these two worlds.
At the product level, industrial equipment providers are introducing a myriad of new advances to their automation technology, especially in networking: more intelligent controllers (PLCs, RTUs, etc.), devices and objects (e.g., industrial sensors) that can share vast amounts of data. The data generated by these networked devices is used for machine learning and operational analysis in order to make real-time adjustments to industrial control processes.
The benefits are undeniable, providing enhancements in safety as well as operational efficiency. Those benefits, however, come at a cost, particularly in cybersecurity. The interconnectedness of these advancements introduces new risks and creates opportunities for threats to extend into areas that were previously unreachable or completely isolated.
Some organizations have a false sense of security and believe their industrial control systems can’t be easily compromised. After all, these are complex systems that require in-depth engineering knowledge to operate. Others feel their systems are not high-value targets. Even if an organization's infrastructure is neither high profile nor easy to compromise, it remains a target, primarily because cybercriminals have become experts at monetizing all forms of hijacked computing resources.
Many of these risks did not previously exist, mostly because systems were not interconnected and the network ‘air gap’ kept them isolated; that air gap has become a thing of the past. As industrial organizations race to keep up with advances in manufacturing technologies, IT is increasingly encroaching into the OT world. It’s no longer uncommon to find IT technologies like Ethernet, Wi-Fi and the cloud, and cybersecurity products like virus scanners, firewalls, Intrusion Detection/Prevention Systems and Security Information and Event Management (SIEM) products, being managed outside the purview of IT.
Each advancement introduces new devices, network connections and vulnerabilities to manage. The opportunity for attackers to monetize systems, combined with weak security, creates a perfect storm of risk.
One recent example is the proof-of-concept ransomware developed by researchers at the Georgia Institute of Technology, named LogicLocker. This malware, when (not if) used by criminals, scans the network looking for exposed Allen-Bradley MicroLogix 1400 and Schneider Modicon M221 PLCs with weak security configurations. Once a device is compromised, the ransomware locks users out of the PLC while the cybercriminals extort the organization for money. If the ransom is not paid, the ransomware sets off a logic bomb that manipulates the physical outputs to create dangerous conditions for the equipment, which can potentially result in catastrophic damage.
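The first step of the scenario above, a host sweeping the plant network for reachable controllers, is visible in network flow data long before any logic is changed. The following is an added example (not code from the article, from the LogicLocker researchers or from Indegy) of the kind of check a defender can run over connection logs: it flags sessions to PLC control and programming ports from hosts that are not approved engineering workstations, and flags any single source that reaches many distinct controllers on those ports. The port numbers are the standard assignments for the protocols the two PLC families speak (Modbus/TCP on 502, EtherNet/IP on 44818); the log format, the addresses, the allowlist and the threshold are constructed assumptions for this example.

```python
"""Flag PLC-hunting behaviour in network flow records.

Added example, not code from the article or from Indegy. Port numbers are
the standard ones (Modbus/TCP 502, EtherNet/IP 44818); the flow format,
host addresses, allowlist and threshold below are constructed for the demo.
"""
from collections import defaultdict

# Ports a PLC is reached on for process writes or reprogramming (standard assignments).
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Hypothetical allowlist: the only hosts that should ever open sessions to PLCs.
ENGINEERING_WORKSTATIONS = {"10.20.1.10", "10.20.1.11"}

# Distinct controllers one source may touch on ICS ports before we call it a sweep.
SCAN_THRESHOLD = 3

# Constructed flow records, one session per line: "src dst dport proto".
SAMPLE_FLOWS = """\
10.20.1.10 10.20.5.21 502 tcp
10.20.1.11 10.20.5.22 44818 tcp
10.20.1.10 10.20.5.23 502 tcp
192.168.7.44 10.20.5.21 502 tcp
192.168.7.44 10.20.5.22 502 tcp
192.168.7.44 10.20.5.23 502 tcp
192.168.7.44 10.20.5.24 44818 tcp
192.168.7.44 10.20.5.25 44818 tcp
10.20.1.10 10.20.5.21 443 tcp
"""


def parse_flows(text):
    """Parse 'src dst dport proto' lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        try:
            dport = int(dport)
        except ValueError:
            continue
        flows.append({"src": src, "dst": dst, "dport": dport, "proto": proto})
    return flows


def find_unauthorized_plc_sessions(flows, allowlist=ENGINEERING_WORKSTATIONS):
    """Return flows that reach an ICS port from a host that is not on the allowlist."""
    return [f for f in flows if f["dport"] in ICS_PORTS and f["src"] not in allowlist]


def find_plc_sweeps(flows, threshold=SCAN_THRESHOLD):
    """Return {src: sorted targets} for sources reaching >= threshold distinct hosts
    on ICS ports. Allowlisted hosts are deliberately not excluded: a compromised
    engineering workstation is exactly where a controller-hunting scanner would run."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in ICS_PORTS:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def analyse(text):
    """Run both checks over raw flow text and return the findings."""
    flows = parse_flows(text)
    return {
        "unauthorized": find_unauthorized_plc_sessions(flows),
        "sweeps": find_plc_sweeps(flows),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_FLOWS)
    for f in result["unauthorized"]:
        print(f"unauthorized {ICS_PORTS[f['dport']]} session: {f['src']} -> {f['dst']}")
    for src, dsts in result["sweeps"].items():
        print(f"PLC sweep from {src}: {len(dsts)} controllers ({', '.join(dsts)})")
```

On the constructed sample the engineering workstations touch one or two controllers each and stay under the threshold, while 192.168.7.44 both falls outside the allowlist and reaches five controllers on two different PLC protocols, which is the signature of the scanning phase described above. The allowlist check is the one that catches a single opportunistic connection; the sweep check is the one that still fires when the scanner runs from a host that is allowed to talk to PLCs.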
Mitigating such threats is both difficult and expensive. For example, to maintain the safety of operations following an attack, it may be necessary to shut down manufacturing processes. In some industries, one minute of downtime per production line can cost $1,000 or more. With some facilities running dozens of production lines, losses can mount quickly. The financial impact of downtime associated with ransomware can be enormous, and that figure does not include any damage to the facility or the products it houses.
One of the primary challenges associated with addressing cyberthreats in manufacturing environments is selecting tools that help bridge the divide between IT and OT, while providing value to both. In most cases, OT engineers are not well versed in cybersecurity threats and how to mitigate them. Conversely, IT staff are not intimately familiar with industrial control processes and systems, or with the impact that control changes can have on operations.
As more and more IT systems are connected to OT systems, the problem grows in complexity. A dangerous byproduct of this complexity is the loss of the visibility and control typically found in IT-managed systems. IIoT devices without proper IT controls and protections are plentiful and gaining in popularity among industrial operators, which will only compound the issue. Connecting these two environments without appropriate IT controls in place creates greenfield opportunities for hackers and cybercriminals to wreak havoc.
To weather the storm, manufacturing organizations should consider implementing proven IT controls and best practices in the OT world. These include managing the IT/OT convergence from the top down, cross-training IT and OT staff, increasing visibility into IIoT activities, and deploying tools that straddle both IT and OT.
Chris Grove, CISSP, NSA-IAM, is Director of Industrial Security at Indegy.