Adopting new technology shouldn’t be avoided over worries that a security system will be breached. Miri Schroeter finds out how companies can benefit from upgrading their systems while staying away from hackers.
With more manufacturers looking to improve the software systems and connectivity of their factories, there is an increase in information for the public and staff to get their hands on. In a world where “all organisations in all sectors can become prey to cyber security incidents”, companies need to ensure their information isn’t being used for anything more than to benefit them.
University of New South Wales (UNSW) Canberra cyber director Nigel Phair said that any company can become prey to these incidents, which can range from phishing scams targeting key staff and denial of service attacks against organisational IT infrastructure to ransomware attacks using crypto-locker.
Because of this, Phair said that all manufacturers must take a risk-based approach. “They need to identify key information resources and invest an appropriate amount of time and money in protecting the most important data assets.
“They need to focus on how valuable this information is and why a criminal would be interested in gaining access to it. They need to look at where data is held and who, and how, people access it,” said Phair.
“Criminals have different motivations. [While] state-sponsored attacks may be seeking intellectual property to replicate a manufacturing process, criminals may be seeking money by encrypting data and seeking a ransom demand, or phishing staff to divulge log-in credentials.”
While these motivations are real, Phair reiterated that the answer is not to avoid updating a software system or connecting machinery; steering clear of these attacks comes back to a risk-based approach.
“Any technology purchase decision should be based on this,” he said.
While this could mean implementing an ERP software system that allows information to be stored securely, other measures such as taking advice from the Australian Cyber Security Centre (ACSC) can also be beneficial.
A well-thought-out approach
In implementing a risk-based approach, the ACSC advises businesses to understand their threat environment. They must understand who might target their organisation, what particular infrastructure they may target and how bad the impact of an attack could be.
“Threat modelling your organisation will help answer some of these questions to identify what systems are critical for delivering essential services, and will allow you to appropriately set priorities and budget for cyber-hardening activities,” the ACSC explains.
Essential mitigation strategies that businesses can implement to protect their industrial control systems from a range of cyber threats include:
- Tightly control or prevent external access to the control system network – segregate it from other networks such as the corporate network and the internet,
- Implement two-factor authentication for privileged accounts and access originating from corporate or external networks,
- Disable unused external ports on control system devices,
- Visibly mark authorised devices inside the control system environment with organisation-unique anti-tamper stickers,
- Make regular backups of system configurations and keep them isolated. Test the restoration procedure and validate the backup integrity periodically,
- Regularly review that firewall settings are in an expected state,
- Prevent devices inside the control system network from making connections to the corporate network or the internet,
- Enable logging on control system devices and store logs in a centralised location. Institute regular monitoring and incident response practices to ensure that anomalies are identified, investigated and managed in a timely fashion,
- Define a process for introducing external software and patches into the control system. Where necessary (on exceptionally critical components), review code and whitelist approved binaries,
- Use vendor-supported applications and operating systems, and patch associated security vulnerabilities in a timely manner.
Taking daunting but necessary steps
SEW-Eurodrive marketing officer Michael Kitanovski said that for manufacturers, going digital and using cloud-based software to connect their devices may be a daunting step on the security side (cyberattacks), risk side (requirements, flexibility and complexity) and in costs (such as upgrading systems and software, and outsourcing IT).
“For some manufacturers, a properly planned agenda to go digital and use cloud-based software makes companies aware of the need to handle their data more responsibly and securely, thus making a cyberattack less likely.
“Analysing your ‘big data’ from your connected devices opens many doors for improving your factory and/or products by enabling faster recognition of procedures. For some manufacturers, their products and systems can now detect faults, maintain themselves and adapt to new situations,” said Kitanovski.
Kitanovski said a network can always expose easy targets, but there are security solutions on the market that provide effective protection for corporate and customer data in the cloud.
“The problem doesn’t necessarily fall back on technology, but a greater risk factor is how humans handle that data. Outsourcing IT for small and mid-size companies, who cannot afford in-house IT security experts, is essential to keep data safe.
“Companies should not start on a large scale right away; focusing on manageable and closed private clouds makes perfect sense. Think big, start small – have a clear strategy. Even start off with a small pilot project – if this proves a success, it can be implemented into the long-term,” he said.
SEW-Eurodrive is implementing complete smart factories. In its Graben-Neudorf plant, for example, real customer orders meet smart processes, intelligent assistance systems and mobile robots. “Our production is based on lean principles, made only achievable by smart cyber physical systems and autonomous assistants which are error-free,” said Kitanovski.
He explained that by not implementing these changes, a company may be held back from taking those necessary steps forward.
ZI-Argus operations manager Richard Roberts said when engaging with companies that provide these security services or paths to implementation, businesses must be diligent and ensure the necessary security measures for their company are being considered, handled and implemented.
“Ask providers for documentation and evidence of what measures they take. Look for depth within their policies – security should be applied at all levels,” said Roberts.
Educating employees in risk-approach implementation
The ACSC explains that staff will always be an organisation’s greatest asset and greatest risk – especially when it comes to cybersecurity. “One wrong click by a staff member, whether intentional or not, can destroy networks.”
Improving staff awareness of cybersecurity issues and threats, including the risk environment for an organisation, needs to be a priority for all businesses, and there are some easy and effective ways to do it, according to the ACSC.
Documenting and training staff in an organisation’s cybersecurity systems and plans helps drive a clear and shared understanding of expectations and culture. The ACSC explains that cybersecurity documentation loses its value if staff are not made aware of its existence and use. Businesses should also design a program to be delivered over the next year or two, based around the current awareness level and goals for improvement. Basic components should include:
- Training for new starters,
- Refresher training for existing staff members,
- Regular communication to staff about cyber threats,
- Reminders about safe online behaviour, both at work and at home.
Many staff members are cyber-weary, hearing constant messages about password safety, clicking only on safe links and so on, so the ACSC explains that awareness programs need to be fresh and empowering, not repetitive and arduous. Developing training and information that is interesting to staff highlights the value for them as well as the organisation. The ACSC also suggests using examples of cyber breaches to illustrate risks and ensuring messages are current and relevant to the industry and a business’s specific needs.