Wayne Ashworth, Product Manager of industrial IT provider SolutionsPT, addresses the increasing threat to industrial cyber security and why prevention is better than the cure.
Over recent years, industrial cyber security has crept further up the agenda and become a topic that can no longer be ignored. The issue has been surrounded by hype similar to that surrounding 'Y2K' and has crossed into the national and consumer media, as well as industry press.
Although the infamous Stuxnet attack of 2010 was not the first of its kind on industrial IT systems, it was the first designed specifically to target specialist industrial automation. Since then, IT managers across the world have had to re-evaluate their security.
Nevertheless, some companies are still not heeding the advice to act. Security strategies are too often driven by individual experiences, and managers often wait until they become victims of attack before taking the matter seriously enough to make changes to their systems.
Cyber security for industrial automation
It has also become clear that traditional IT approaches cannot guarantee safety from cyber-attack and that industrial automation requires a tailored approach. Conventional IT methods tend to concentrate on preventing loss of confidential information, rather than ensuring reliability and integrity of systems, and ultimately avoiding downtime.
It is a mistake to assume that an attack will come from an external source, as security breaches from within an organisation can often pose the most dangerous and imminent threat. Although usually not deliberate, internal corruption is frequently the cause of costly disruption to production. Patching – which is the practice of using software to fix or update a computer program or its supporting data – is designed to alleviate technical issues, but can often introduce more problems than it solves, particularly if the patching is poorly designed. Viruses, which have long been the most familiar mode of attack for many companies' IT systems, also cause major problems.
However, malware is also emerging as a common form of attack. This is a type of software used maliciously to steal confidential information, attack systems or disrupt operations. For example, one of our blue-chip clients fell foul of malware on its system when an employee inserted a USB stick into a machine, unaware that it contained hidden malware which had been inadvertently brought in from a home PC and was then transferred onto the company's network.
The real cost of industrial cyber security breaches
This situation can cause major disruption to production and even the briefest interruption can cost a company immeasurably. Any single incident could see production at a plant that usually runs 24/7 brought to its knees, costing hundreds of thousands of pounds, setting back its schedule significantly and ultimately damaging customer relationships, illustrating just how imperative it is to put the best possible protection in place.
In addition, manufacturers often have a raft of secret formulas, processes and techniques that are crucial to their brand's success – and so the theft, loss or destruction of these can also have a devastating impact. All of these things make them even more vulnerable to breaches in security, regardless of whether they are intentional or accidental.
Prevention is better than cure
All in all, prevention is definitely better than the cure. A combination of system design, specialist security products and on-going managed services would provide the ultimate defence against threats.
Traditionally, IT changes to operational systems are kept to a minimum. It is more common to take the opportunity to 'design-in' security considerations when specifying new architectures. But, increasingly, decision-makers are turning to more than just the regular precautions of firewalls and virus-checking software.
Typically recommended is a secure and preventative architecture where open ports and USB sticks are never allowed on the network. An overhaul of the business security system would be carried out in order to create a security package specifically designed for the individual company's needs.
Industrial cyber security risk assessment
An initial risk assessment will identify the security 'holes' in any operation. Its architecture would be examined and reviewed to identify potential weaknesses or flaws in the network security. Often this can take the form of poorly laid out network topology, or potentially exploitable areas such as legacy systems and PLCs that are not protected and therefore open to viruses, malware, and other hostile and intrusive software.
From this, recommendations can be made on how to close any security holes and help to tailor the correct approach for that particular company and its system. It may require a number of different elements to make a plant secure. The right policies, procedures, physical security, network security, computer security and device security are all considered in combination. Threat protection solutions are then installed to provide high levels of control, and monitoring of any attempts to communicate with a system. They will also detect and prevent access to the plant network.
Ultimately, the greatest danger posed by security breaches to the industrial and manufacturing sector is the threat of downtime. Addressing these risks with the correct, most applicable approach is key to maintaining availability, minimising downtime and retaining customer relationships.
For further information about industrial cyber security, go to www.industrialit.co.uk.