The process of digitizing industrial operations does not only relate to the traditional entities of IT infrastructure. It also plays a role in the area of the Industrial Internet of Things (IIoT), whose components used to be virtually unreachable for malicious actors. How can organizations benefit from modern infrastructure management approaches without falling victim to hackers?
When taking the route of digital transformation, companies need to combine different devices into a single network and configure data exchange between them for process control. Essentially, this is a miniature IIoT functioning at the level of a specific organization.
At the next stage, technological information systems need to be tightly integrated with enterprise management systems to ensure deep automation of all business workflows. Then, cutting-edge technologies such as machine learning and big data analytics kick in to minimize human involvement in data analysis and decision making.
Not only does the increasing digitization of industrial processes provide new business opportunities, but it is also a source for new risks. It might allow cyber criminals to tamper with accounting systems and even the production process remotely.
Emerging Security Challenges
Present-day manufacturing companies are often scattered geographically, with production sites being hundreds or even thousands of miles away from the head office. Aside from “classic” risks to IT infrastructure that facilitates business management, companies could be confronted with leaks of sensitive data in transit.
This is not necessarily about industrial espionage through targeted attacks. Confidential records may end up in the wrong hands due to crude data access policies within the organization. A predicament like this is particularly impactful if the malefactors – and ultimately the competitors – get hold of information regarding regulatory violations and suchlike slip-ups. This will affect the company’s stock prices or its relationship with business partners down the line.
The worst-case scenario, though, occurs if threat actors directly interfere with the technological process, which may entail accidents caused by IT system failures. Automated process control systems (PCS) and supervisory control and data acquisition (SCADA) systems used to be considered virtually invulnerable due to their physical isolation from the rest of the IT environment. Unfortunately, this is no longer the case.
Some notorious evidence of the opposite was the Stuxnet worm attack targeting the Iranian nuclear program or, for instance, hackers’ interference with the operation of energy companies causing massive blackouts around the world.
The booming digitization of the production process makes matters worse as it increases the overall dependence on IIoT while presupposing bidirectional data exchange between business systems and technological IT solutions. When these systems are deeply integrated, even a garden-variety ransomware infection can badly disrupt the production.
The recent Conti ransomware assault against the major Industrial IoT chip maker Advantech demonstrated how devastating such incidents can get. In addition to encrypting files, the attackers stole gigabytes of proprietary data. They demanded a ransom amounting to 750 BTC (worth more than $14 million) for decryption and non-disclosure of the extracted information. Because the raid affected one of Advantech’s servers, it took the company a while to get some of its services back on track as part of the incident response.
No matter if the failure of an intelligent system is an outcome of someone is intended action or not, it may lead to serious damage. It is not always possible to resume the technological cycle properly in the aftermath of an emergency shutdown. In some cases, companies have to write off the wasted materials, repair their malfunctioning equipment, and suffer financial losses because of a lengthy transition to a new stable production cycle.
Even worse, IT problems can cause a serious technological disaster resulting in casualties and environmental damage. It comes as no surprise that many industrial automation solutions are categorized as objects of the critical information infrastructure (CII) and need to be protected accordingly.
The traditional threats are getting worse as well. Businesses operating in consumer markets must protect the personal data of their customers in order to comply with the relevant laws and regulations. This is increasingly challenging as the level of digitization grows.
Meanwhile, data leaks result in huge penalties and reputational losses. The British Airways data breach that took place in 2018 is a good example. The attackers obtained a huge amount of passenger data, including credit card numbers. As a result, the airline had to cough up £20 million in fines.
With so many threats out there, it may seem that the digitization of the manufacturing process makes no sense. Nevertheless, the necessity of this transformation is out of the question because companies get a handful of game-changing competitive advantages by going digital. In this new paradigm, working the old way is a losing strategy.
The dynamic adoption of IIoT technologies combined with enterprise resource planning (ERP) systems is underway and cannot be reversed. Under the circumstances, the fundamental objective is to come up with ways to protect the new types of IT infrastructure in which industrial control systems and SCADA systems are no longer isolated from the outer world and its security threats.
Sadly, a lot of the present-day production systems run outdated and unsupported software such as Windows 98/XP/NT. If threat actors infiltrate a network like that, the post-exploitation is insanely easy. Some specialists in the area of industrial systems have obsolete perspectives about information security. To top it off, many enterprises still neglect to deploy intrusion detection and prevention systems.
Instruments like incident management, security audits, and penetration tests are still mainly used in the office section of the enterprise, and the industrial powers continue to lag far behind in terms of information security. Some specialists fail to change the default passwords, install critical software updates once available, or specify new potential points of failure.
The famous motto "If it’s not broke, don’t fix it" used to work wonders when industrial control and SCADA systems were isolated from the fascinating digital world. Nowadays, following this principle is a slippery slope.
The problem can be partially addressed by upgrading industrial automation solutions whose makers have been actively switching to the use of secure protocols and reliable encryption methods while abandoning obsolete technologies in recent years. All interaction at the network edges should be physically unidirectional. If this is not possible, organizations need to use VPN technologies with gateway monitoring features onboard and limit connections at the endpoints of data acquisition.
These measures are undoubtedly worthwhile, but they will not suffice unless a comprehensive information security system is deployed within the enterprise. Integrated solutions that have been used in the office part for quite some time need to be implemented at the level of production facilities.
These include intrusion detection and prevention systems, behavioral analysis, malware protection, and other tried-and-tested security tools. Of course, they should be fine-tuned to fit the industrial context, which could imply multiple redundancy and backups in "hot-swap" mode. Traditional access control systems such as video surveillance, security alarms, biometric identification, and similar protection methods are also worth considering.
The silver lining is that many major developers have started releasing solutions adjusted for industrial purposes. The bad news, though, is that corporate InfoSec teams understand the security peculiarities of industrial systems no better than PCS and SCADA engineers do. The average enterprise is unlikely to be able to escape this loop on its own, and therefore the involvement of outside experts appears to make sense.
A thorough audit is a good starting point for creating a complex security system in the paradigm of production digitization. The analysis of current assets, incident history, threat models, and penetration test results before conducting risk assessments, planning, and system implementation – this is a well-trodden path every professional auditor knows.
Also, keep in mind that information security is not restricted to hardware, software, documentation, and human resources. Instead, it is a continuous process. This is the only way modern industries can stay afloat in the digital era and remain highly competitive.