Connectivity in industry, for better and for worse, is here to stay. Manufacturers and critical infrastructure companies across the world are joining the digital revolution. The IIoT is ushering in a new era of innovation. Emerging technologies, such as cloud computing, big data analytics, artificial intelligence, and more, are enabling industrial companies to grow and transform in ways never imagined even just a few years ago.
Along the way, these open platforms and widely interconnected systems have opened new doors for cybercriminals, as many of the legacy systems used to control manufacturing operations weren’t built to account for today’s security threats. This has led to a rise in the frequency and severity of cybersecurity attacks on some of the world’s most critical and volatile manufacturing processes. Almost every cyber-incursion can disrupt industrial operations. The result can be loss of money, privacy, equipment, intellectual property, and reputation. Increasingly, with the rise of malicious nation-state actors with geopolitical vendettas, some attacks have the potential for catastrophic consequences, impacting a country’s economy, triggering environmental calamities, and even costing human lives.
Hackers follow a process to launch an attack, and there’s a concurrent process for manufacturers to defend themselves from these attacks. By describing both of them, organizations can ensure they’ve addressed every element of their cyber risk strategy.
How an Attack is Executed
No two attacks are the same, but there is a general process for how they’re committed, whether they last for a few minutes or several months. Let’s examine.
- Scouting the target. An attacker can usually recon the attack target using such non-invasive techniques as Dorking, which means looking for information released in documents and presentations. Social media is also an avenue for attackers to monitor and engage in targeted social engineering before they make their move.
- Mapping and probing. After the initial recon, the first invasive step can include mapping and intruding the environment. An attacker might probe the network to better understand the landscape of operators and cyber assets onsite—and which ones might be particularly vulnerable.
- Insertion of malware and lateral movement. After the initial two phases, the intruder is ready to attack. With multiple successful exploits to gain a foothold, raise privileges, and land—with necessary permissions—on the target, they can execute their mission.
- Exfiltration, malicious action. This next stage depends on the goal of the attack. The attacker might either move targeted data out of the attack site (exfiltrate), or actually execute the attack if the purpose is something else, e.g., distributed denial of service (DDoS), data change, Remote Access Trojan (RAT), etc.
- Cleanup, backdoor. Once the attack is complete, the actor works quickly to remove all evidence of the attack, such as logs, login attempts, etc. They will often leave backdoor malware to make reentry easy.
In a perfect world, a manufacturer will never have to worry about a malicious actor taking these steps to inflict some type of damage on their site, but failing to be prepared could leave them flat-footed, which is an unacceptable situation in today’s hyper-connected world.
Preparation for an Attack
Attack prevention should already have begun and is a long-term, ongoing process. There are many facets to it, starting with modeling the cyber-threat landscape. This can help analyze security threats and gaps specific to an organization’s industry and particular plant. Plant owners should first perform a risk-and-threat assessment and gap analysis, and establish zones and conduits as a way to segment and isolate similar devices or systems according to security levels. It’s important to be aware of every system network connection, and then ensure they have all been secured. This also helps in the event of an attack: If zones are established, investigators only need to take down portions of the operations, saving organizations valuable costs and impact on revenue.
A strong security culture has its foundation in industry and government standards, protocols and best practices. From a governmental perspective, a notable example is the National Institute of Standards and Technology (NIST) framework in the United States. This is considered the authoritative source for cybersecurity best practices, and it was recently expanded to address evolving identity management and supply chain topics. Standards such as this are not limited to the United States; in some countries, such as France, these standards are even carrying the weight of law. Within industry specifically, the most essential standard is IEC 62443, the rigorous standard for industrial automation technology that works to safeguard operations across multiple layers. Cyber threats change by the day, which means these standards are always being refined.
To ensure the integrity and security of plant technology and processes, people are the first and best line of defense. Because the gap between IT and OT continues to close, everyone across the organization—whether in the plant, the field, the office, the boardroom, or anywhere else in the enterprise—plays an essential role in mitigating cyber threats.
Swift and Effective Reaction to an Attack
No manufacturer is inherently safe from attack, so they must be prepared to react if and when an attack happens. They should be prepared to take the following steps:
- Isolate the attack/malware. The end user needs to be well-informed enough to take this action, which goes back to ensuring you hire the right people, then continually train them. Isolation could include disconnecting network and internet connections and switches.
- Alert and incorporate the experts. If the organization has a solid risk management plan, an incident response team will have been identified. This team needs to be contacted immediately after an incident. They can help capture logs, lock credentials and close remote access. In some cases, reporting an incident to government officials is mandatory.
- Assess the mode and scope of the attack. The incident response team and end user should collaborate to determine how the attack occurred and its full impact. It’s worth examining if and how human error contributed.
- Ensure business continuity. This plan should include a system restore from a secure backup. Only then should the plant go back online.
- Communicate as appropriate. Whether it’s to plant executives, software suppliers, regulatory bodies, etc., it’s essential to determine who must be contacted and do so quickly.
- Identify room for improvement, enact remediation. Any attack should serve as a wake-up call to the affected user. To reduce the likelihood of another attack, the user should conduct a full-fledged analysis and remediation plan.
- Share information. As part of the attack postmortem, the organization should look for ways to share information about the attack so the industry as a whole can benefit from lessons learned. Think about sharing vertically with government agencies. Seek out opportunities to share horizontally across the industry. Collaboration among the various stakeholders connected to the industry and cybersecurity can only strengthen preparedness for increasingly complex attacks.
There is no way to eliminate cyber threats, but industrial organizations can do plenty to beef up their cybersecurity hygiene and protect their critical infrastructure.
No business would leave their front doors wide open and unattended 24/7, yet industrial networks, assets and even entire operations often are. There needs to be a shift from reactive to proactive cybersecurity management, and a commitment to standing together in the face of cyber threats. The entire industry is counting on it.
Written by: Andrew Kling, Senior Director of Cybersecurity and System Architecture, Schneider Electric, for Automation.com.