According to cyber security specialists F-Secure the chief motivations for hackers targeting the manufacturing industry are financial gain and industrial espionage. The “Duuzer attacks” of a few years ago is one of the best known examples of cyber criminals launching malware attacks to steal sensitive data and intellectual property. Physical damage remains another significant threat. In 2014, for instance, a steel mill in Germany suffered heavy damage after hackers gained access to the mill’s control systems via a spear phishing campaign — targeted e-mails that appear to come from a trusted source and trick recipients into opening a malicious attachment or clicking on a malicious link. The hackers stole the login names and passwords they needed to gain access to the mill’s office network, and from there crossed over to its production system.
IT vs. OT
A US government report published last year suggests that understanding the differences between IT and OT is key to achieving cyber resilience. For IT environments the priority is confidentiality of data. While this is also important for operational environments, the priority for the OT technologies is availability of data to ensure that systems can continue to produce. The problem is that when engineers designed many of today’s industrial environments cyber security was not a concern. OT teams were used to working within closed systems that relied heavily on physical security mechanisms to ensure integrity.
With the emergence of IIoT and the integration of physical machines with networked sensors and software, the lines between the two are blurring. As more and more objects connect, communicate and interact with each other, there has been a surge in the number of endpoints, and the increased possibility of computer failures, human mistakes, malicious attacks and natural disasters to affect physical systems. A variety of threat actors, ranging from lone hackers to organized cyber criminals and nation states, are continually finding ways to exploit vulnerabilities to move from the digital sphere of IT to the physical sphere of OT.
The growing interconnectedness of technology has exposed manufacturing, as well as other industries such as power and utilities, that also rely on industrial control systems (ICS) that use OT and IT. Generally speaking, an ICS integrates hardware and software for the purpose of automating and operating industrial processes. The issue, in terms of cyber security, is that an ICS must allow access to a wide range of different operators and even third-party vendors. For example, operators need to be able to manually override automated systems in case production is in danger of stopping, or if there are threats to health and safety, for example, or the environment. A number of international studies and reports have highlighted an alarming increase in cyber attacks targeting the supply chain. One such survey, conducted in the Americas, Asia and Europe, suggests that two thirds of companies have experienced a cyber attack on their supply chain.
A risk-based approach
Companies must be able to identify which of their assets are critical to achieving their stated mission in order to ensure that appropriate resources are allocated to protecting them. This is known as a risk-based approach to cyber security. The aim is to balance the cost of security threat mitigation against the potential impact of a successful cyber attack. Any solutions implemented must be monitored over time to ensure their continued effectiveness and to ascertain whether possible attacks could potentially overcome the control solutions. IT and OT security experts can then work together to erect a defence-in-depth architecture.
IEC Technical Committee (TC) 65, Industrial-process measurement, control and automation, has developed the IEC 62443 series of standards on Industrial Communication Networks – Network and System Security. Designed to keep OT systems running, it can be applied to any industrial environment or critical infrastructure facility. Because standards provide even more value when they are combined with conformity assessment the industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.