The news about hackers attacking industrial systems is grim. But do we need to worry, and is there anything we can really do to defend ourselves?
The last ten or more years have seen huge changes in industrial networks in manufacturing facilities as these communication systems have grown and become more sophisticated. But more critically, the extent to which they are integrated with traditional business or IT networks has changed dramatically.
A few years ago, the equipment used in your manufacturing plants probably stood alone. It might have had a programmable logic controller (PLC) and some sensing devices controlled through a human machine interface (HMI), but it was not connected to your office network, and certainly not to the internet.
The nature of network connectivity has changed dramatically over the past decade: a plant is now almost never completely disconnected from external networks, and that default connectivity invites cyber security problems.
Many of the controllers, sensors and HMIs running plant equipment were not designed to be integrated into larger networks. Suppliers and users concentrated on network connectivity but spent little time on cyber security. The belief was that hackers could not reach industrial networks and, even if they did, the industrial protocols in use would be too confusing. Unfortunately, such is not the case. The new levels of connectivity give hackers a path into industrial networks, and the protocols give them little trouble: they are publicly documented, and most were designed without any authentication, so anything that can reach a PLC over the network can issue it commands just as the HMI does.
Who Would Attack a Lubricant Plant?
While it is true that hacking into a lubricant blending and packaging facility doesn't offer the drama of disrupting a nuclear power plant or an oil refinery, any industrial facility can be a target. Security studies have shown that cyber criminals are not picky: they have been known to pick a location at random, or because it runs a type of equipment with a weakness they want to try out before using it elsewhere.
You may not realize it, but there is a 95+ percent probability your networks have been at least probed, if not violated, over the past few years. The cyber criminal's door tapping goes unnoticed simply because nothing on the network is logging connections or watching for the signs of a probe.
Hackers can do a variety of things even in a small manufacturing environment: erase or scramble PLC programming, steal or disrupt recipe files, cause product spills and harm equipment. Industrial networks are also used as less-protected gateways to enter more hardened IT systems, where much sensitive financial data is stored.
Asset owners who accept the new reality look at ways to establish defenses. In heavy process industries with complex control systems, they conclude the cyber defense needs of plant networks are much different than with office networks, so IT strategies don't help much.
On the other hand, for smaller facilities such as blending plants, where equipment such as mixers and packaging lines does not have to run uninterrupted for months at a time, many IT strategies are applicable as is or with slight modifications.
Introductory Cyber Defense
Like all applications of defensive measures, cyber defense begins with a basic mindset or philosophy: every industrial control system and network is a target. Nothing is too small or obscure. Many smaller plants or facilities across the world are finding themselves targeted more often as larger corporations establish sophisticated security defenses.
So what should you do? In large corporations, security risk management efforts now look at all potential internal targets, and then prioritize them using a scored hierarchy of importance. After the list is established, defensive measures are applied to the most critical systems first. Smaller plants can do this scoring as well, identifying systems hackers are most likely to attempt to exploit, such as PC-based HMIs connected to critical systems.
According to the Australian Signals Directorate's Top 35 list of mitigation strategies, at least 85 percent of the targeted intrusions it responds to could have been prevented by just four of them:
- Patching applications
- Patching operating system vulnerabilities
- Restricting administrator privileges
- Implementing application whitelisting
The first two points are basic digital hygiene but cover a lot of ground.
For computers on industrial networks, there is no better high-value mitigation than regular operating system (OS) updates. On Windows, set updates to download automatically, but schedule the installation and its reboot into a maintenance window rather than letting it interrupt a running line; if you suspect a computer is out of date, update it manually. The same applies to Linux and other OSs. Operators should write down an update policy and apply updates on a monthly schedule if possible, checking first that the HMI or control software vendor supports the patch.
Computers on your industrial networks should be stripped of unnecessary software. The system running a packaging line does not need web browsers, Adobe Acrobat, Microsoft Office or Adobe Flash. Anything not needed to perform its specific function should be uninstalled: these everyday applications are the ones hackers most often exploit, usually through a booby-trapped document or web page, and what is not installed cannot be attacked. Add an anti-virus platform and keep it up to date. An out-of-date anti-virus is sometimes worse than none at all, because it makes you feel safe while it fails to recognize any malware newer than its last signature update.
Devices on your industrial networks should be updated to the latest firmware or software version the vendor supports. This is especially important for switches and routers, which are rarely touched once installed. Hackers love to use old, well-known vulnerabilities in such devices to establish a permanent presence in your network.
Restricting administrator privileges limits the damage an intrusion can do. Malware runs with the rights of the account that launched it, so an operator who is logged in as an administrator hands any malware administrative control of the machine. Whenever possible, logins should grant only standard user privileges. Administrator accounts should be used sparingly and only when a task specifically requires them.
Application whitelisting keeps out rogue programs. A whitelist identifies the entities cleared for a particular privilege, service, mobility, access or recognition on a system; it is the reverse of blacklisting, the practice of identifying entities that are denied. For most office systems whitelisting is not practical, because the set of programs in use changes constantly, but the list of programs legitimately needed on an industrial network is shorter and changes far less often.
The whitelisting platform detects when an application that is not on the list tries to run, such as the reappearance of something you removed earlier, a bit of malware picked up from a bad website, or a program a service technician left behind after plugging into your system. It blocks the application and warns you of its presence. Run the product in audit-only mode for a few weeks first to catch legitimate programs you forgot to list, then switch it to enforce; a whitelist that only audits keeps nothing out.
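The following script is an added example, not part of the original article: a read-only audit that checks one Windows HMI or packaging-line PC against the four mitigations described above (patch age, software that should not be installed, anti-virus state, members of the local Administrators group, and whether an application whitelist is actually enforced). It changes nothing on the machine; it only lists what a hardening pass would need to fix. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), Windows Defender as the anti-virus product (Get-MpComputerStatus) and the built-in AppLocker module; where one of these is absent, that check reports it and moves on. The list of unneeded software is illustrative and should be adjusted for the plant.

```powershell
# Added example (not from the original article): read-only audit of one Windows
# HMI or line PC against the four basic mitigations. Assumes PowerShell 5.1+,
# Windows Defender and the AppLocker module; missing pieces are reported, not fatal.
# Run from an elevated prompt.
$findings = @()

# 1 and 2. Patching: when was the most recent OS update installed?
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $lastHotfix) {
    $findings += 'OS patching: no installed hotfixes reported; check Windows Update manually'
} elseif ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "OS patching: newest hotfix $($lastHotfix.HotFixID) dates from $($lastHotfix.InstalledOn.ToShortDateString())"
}

# Software with no business on a line controller, matched against the uninstall
# registry keys (64-bit and 32-bit views). Pattern list is illustrative; extend it.
$unneeded = 'Chrome', 'Firefox', 'Adobe Acrobat', 'Adobe Reader', 'Microsoft Office', 'Adobe Flash', 'Java'
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $installed) {
    foreach ($pattern in $unneeded) {
        if ($app -like "*$pattern*") { $findings += "Unneeded software installed: $app"; break }
    }
}

# Anti-virus present and current (Defender-specific; other products need their own check).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'AV: real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt 7) { $findings += "AV: signatures are $($mp.AntivirusSignatureAge) days old" }
} catch {
    $findings += 'AV: Windows Defender status unavailable; verify the installed AV and its signature date by hand'
}

# 3. Administrator privileges: every member of the local Administrators group.
# Any day-to-day operator account that appears here is a finding.
try {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $admins) { $findings += "Admin group member: $($m.Name) [$($m.ObjectClass)]" }
} catch {
    $findings += 'Admin group: could not enumerate (PowerShell older than 5.1?); check lusrmgr.msc'
}

# 4. Application whitelisting: is any AppLocker rule collection actually enforced?
try {
    $policy   = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $enforced = $policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' }
    if (-not $enforced) { $findings += 'Whitelisting: no AppLocker rule collection is in enforce mode' }
} catch {
    $findings += 'Whitelisting: AppLocker not available; confirm your whitelisting product is enforcing, not just auditing'
}

if ($findings.Count -eq 0) { 'No findings: this host meets the four basic mitigations' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each line the script prints maps back to one of the four mitigations, so the output doubles as the work list for the next maintenance shutdown. Administrator-group members are listed rather than judged, because which accounts legitimately need that level of access is a decision only the plant can make.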
Have I Been Hacked?
There are many ways to detect if your industrial network has been hacked. Some are very sophisticated, but there are useful qualitative assessments within the reach of users with basic technical skills. Early indicators include:
- System unexpectedly runs more slowly: malware processes are consuming CPU or memory in the background.
- System suddenly takes noticeably longer to boot: hacker-installed drivers or services are loading at startup.
- System makes strange noises, or screens display unfamiliar information at odd times or at startup: malware is running but not coded well.
- System applications do not run as desired: if Windows Update, System Restore or the antivirus platform can no longer update, malware may be blocking them.
- Web searches are redirected to unusual sites: malware or adware has altered the browser or DNS settings.
In general, if you have observed any of the above, contact an IT security professional to resolve the problem. Once the near-term issue is resolved, the computer should be rebuilt from known-good OS installation media during the next maintenance shutdown; malware that has gained a foothold cannot be reliably cleaned in place.
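As an added example, not part of the original article, the script below turns the warning signs listed above into a quick, read-only triage of a Windows HMI or line PC: it lists running kernel drivers that are unsigned or recently written to disk (the slow-boot sign), processes running from outside the Windows and Program Files directories (the background-load sign), everything registered to start at boot or logon (what a technician or malware may have left behind), and protective services that have been disabled (the sign that updates or anti-virus can no longer run). It produces a list to hand to an IT security professional; it does not by itself decide whether the machine is compromised. It assumes Windows 10 / Server 2016 or later and Windows Defender (service name WinDefend); the service names are assumptions to adjust for another anti-virus product.

```powershell
# Added example (not from the original article): read-only triage of the warning
# signs above on a Windows HMI or line PC. Assumes Windows 10 / Server 2016+ and
# Windows Defender (WinDefend); adjust service names for other AV products.
# Run from an elevated prompt so the executable paths of all processes are visible.
$review = @()

# Slow boot, unfamiliar drivers: running kernel drivers that are unsigned or whose
# file was written in the last 30 days. Caveat: catalog-signed Microsoft drivers can
# show as NotSigned on older PowerShell, so treat each line as a lead, not a verdict.
foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $file = Get-Item -LiteralPath $path
    if ($sig.Status -ne 'Valid' -or $file.LastWriteTime -gt (Get-Date).AddDays(-30)) {
        $review += "Driver $($d.Name): $path (signature $($sig.Status), file written $($file.LastWriteTime.ToShortDateString()))"
    }
}

# Unexplained background load: processes running from outside Windows and Program Files.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($p in Get-Process | Where-Object Path) {
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($p.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $review += "Process $($p.Name) (PID $($p.Id)) running from $($p.Path)" }
}

# Things a visiting technician or malware may have left behind: programs started at boot or logon.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSDrive etc.; everything else is a real autorun value.
        if ($prop.Name -notlike 'PS*') { $review += "Autorun $key : $($prop.Name) = $($prop.Value)" }
    }
}

# Updates or anti-virus that can no longer run: protective services disabled or stopped.
foreach ($name in 'wuauserv', 'BITS', 'WinDefend') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $review += "Service $name is not present" }
    elseif ($svc.StartType -eq 'Disabled') { $review += "Service $name is disabled" }
    elseif ($name -eq 'WinDefend' -and $svc.Status -ne 'Running') { $review += "Service $name is not running" }
}

if ($review.Count -eq 0) { 'Nothing unusual found by this quick check' }
else { $review | ForEach-Object { "REVIEW: $_" } }
```

Run it once on a freshly built machine and keep the output; the differences between that baseline and a later run are far more telling than any single line, because every HMI has some vendor drivers and autoruns that look odd the first time you see them.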
Am I Now Protected?
No network is ever 100 percent protected; a skilled and persistent hacker can always find an entry point. An initial task for an industrial control network administrator is to lock out most hackers by closing the easy intrusion methods, the 85 percent the four mitigations above address, and this can be done without undertaking a major security program. Hackers generally look for easy targets, and there are enough of those around that most will move on when they meet resistance from your hardened systems. Moving to the next level, where you lock out 90 or 95 percent, requires a bigger commitment.
Fortunately, for most operations the potential worst-case loss is relatively small compared to the disruption of a natural gas pipeline or the electrical distribution grid. Exceptionally strong defenses make operation more cumbersome, and the trade-off might not be worth it. The goal should instead be to keep your plant running with an acceptable level of risk by following the basic security procedures outlined above.