Manufacturing and industrial systems are the new battleground between hackers and companies
Today, the question is no longer whether you will be hit by cyberattacks – but when. The questions that follow are which systems will be hit and how to deal with it. Hence, it is crucial to be methodical in defending all of a company’s systems, from the administrative level to production. The international security standard IEC 62443 for automation and production systems provides a good foundation for building your lines of defence. Technology specialist Morten Kromann at Siemens said, ‘Cybercrime is now a very real threat to the production on the factory floor. It’s important to act now, if you’re not already doing so – and to scan your system setup to get an overview of your devices and their vulnerabilities and potential threats.’
He continued, ‘Once you have an overview, you can make risk assessments and prioritize areas for action. The most important activity is to separate administrative systems from production systems. Most cybercrime targets traditional corporate IT systems – and if production systems are linked to these with no security measures, it is an open door for cyber criminals.’
Defence in depth
The IEC 62443 security standard is a general approach to OT security that works independently of any particular technology platform. The standard recommends several security levels that can be used to define a company’s defence. The approach to security is based on probability, impact, and priority of action.
‘The method is risk-oriented,’ said Morten Kromann. ‘It looks at how you might be attacked, such as a firewall breakdown or an attack on a SCADA system, the probability of it happening, and the potential consequences of an attack, such as a sewage leak or a chemical spill. These are subsequently graded against various levels.’
He further added, ‘An example could be the production of a PLC. Here, the process is to make the printed circuit board, wrap plastic around it, apply code to the printed circuit board, and then package it. In this example, it is the coding on the printed circuit board that requires the highest level of security. If the encoding on the printed circuit board is infected, it could have serious consequences for the company as well as its customers. In this case, a particularly secured area should be set up with added access and security requirements, such as a metal cage.’
At Siemens, the defence of OT comprises three areas: production/plant security, network security, and system integrity. To ensure production security, several methods are employed to prevent unauthorized people from gaining physical access to critical components – from general building access to securing particularly sensitive areas using key cards. To secure networks, it’s important to protect the systems that are easy to access and to protect automation networks from unauthorized access. To assure system integrity, integrated security functions can be used to protect against unauthorized configuration changes. These functions prevent copying of configuration data and make it easier to notice attempts to manipulate files.
Comprehensive competencies are required
It is generally important for manufacturing and industrial companies to match up with partners that have the breadth and depth to manage the often complex challenges within OT. Morten Kromann said, ‘When production and technology are integrated in the industrial ecosystem, there are typically many players involved: OEMs that produce machines, integrators that integrate to ERP systems – and everything has to run smoothly at the physical location as well.’
‘So it is highly beneficial to have business partners equipped with comprehensive competencies. Siemens, for instance, has a certified CERT team dedicated to round-the-clock monitoring of all products and updates. This is to ensure immediate action if vulnerabilities are exposed and to make sure that all patches are installed.’
The service technicians at Siemens can review and secure production environments ranging from major nuclear plants to manufacturing and industrial companies. Morten Kromann concluded, ‘We live in turbulent times – and have previously seen instances of systems, such as Ukraine’s electrical power supply, being breached by hackers; or the case of Stuxnet, which attacked Iran’s nuclear program. Responsible operation of manufacturing and industrial companies demands that we not ignore these threats, but take action now to counter the threat.’