Recent research from Information Technology Intelligence Consulting (ITIC) found that for small and mid-sized enterprises (SMEs), the opportunity cost of stopped production exceeds $300,000 per hour for most businesses, and that for nearly half of companies an hour of downtime costs more than $1 million. Decision-makers in manufacturing understand downtime costs and risks well, along with the logistics and contract difficulties that extended downtime creates.
Likewise, cybersecurity risks have been broadly publicized, and many manufacturers have begun comprehensive evaluations of cyber risks and vulnerabilities, creating plans to close off routes for external access and mitigate the risk of external hacking.
While focusing on external threats, many manufacturers may have overlooked internal cyber threats, which often pose greater risks than external hacks. Insiders have the access and knowledge to cripple a business, and internal access routes into critical systems are often completely unsecured. Insider risk is harder to mitigate for many reasons, chief among them that staff and contractors need access, often broad access, to do their jobs efficiently. Mitigating the risk starts with understanding the cyber risks surrounding industrial control systems (ICS) and OT environments.
The Risks
Who can perpetrate “insider” attacks? Employees with grievances, an outside OEM in a contract dispute, contractors brought in for a specific project, and really anyone who can reach internal networks directly without going through the internet. With unsecured WiFi, this could even be someone sitting in your parking lot with a laptop.
What sort of damage can they do? Insider attacks can be extremely hard to recover from. With internal access, systems can be locked down, completely reprogrammed or wiped. Unsecured data ports mean that anyone with a USB drive or an Ethernet cable and the right knowledge can control the whole facility at will. Downtime and direct costs are only the beginning. Reputation damage from missed deadlines or logistics problems created by an insider attack can hurt a company’s bottom line far more.
The most substantial potential hazards, though, are risks to health and safety. Each situation is different, but industrial cyberattacks often have the potential to harm employees, customers or, in extreme cases, people who live nearby. The 2006 Los Angeles traffic light incident, in which two city traffic engineers disconnected signal controllers at key intersections during a labor dispute, and the 2014 German steel mill attack, which caused massive physical damage to a blast furnace, are pointed examples.
How To Mitigate the Risk of Insider Attacks
The first and sometimes most overlooked defense against any attack, including insider attacks, is a robust disaster recovery process that includes routine offsite backups. The ability to roll back to a backup on demand returns systems to a state from before the attack was perpetrated, and being able to do so quickly and efficiently minimizes downtime. One caveat specific to insiders: a backup that the same insider can reach is not a backup. Copies must be stored where plant-floor credentials cannot modify or delete them (offline, immutable, or under separately controlled accounts), and restores should be tested before they are needed. Disaster recovery is not a new concept, but it has often been considered only in the context of natural disasters; comprehensive processes that account for cybersecurity risk may not be in place.
An effective disaster recovery plan should cover every aspect of regaining access to and full functionality of IT/OT infrastructure. The maximum allowable downtime in the event of a disaster (the recovery time objective) needs to be identified, and the risks to the business and to business-critical assets need to be understood so that the plan covers all of them. What to back up and how often is a crucial consideration, because the backup interval sets how much work can be lost (the recovery point objective). Do the requirements call for a custom solution, or will a ready-made disaster recovery service or software suite cover these needs?
In addition to disaster recovery, policies that prevent breaches are essential, and training and procedures for anyone with access must be put in place alongside any technical changes. Is there a process for what to do when someone sees an unidentified device, such as a USB drive, plugged into a machine? Frequently, “workarounds” done to save time, such as leaving PLCs with default or no password protection, provide easy vectors for insider attacks. Credentials, ID verification, access restrictions and extra levels of security do introduce inefficiencies for individual tasks, but the risks inherent to insider attacks considerably outweigh them.
When employees leave a company, they lose access to their email and intranet accounts, but what about access to the plant-floor equipment? Often the two systems are not tied together, so the former employee can still log in to PLCs and HMIs. Good cyber hygiene minimizes the number of people authorized to make changes, and also systematically removes access that is no longer needed or that belongs to someone no longer with the company.
Equipment should be monitored for changes to controller programs and to key production parameters. A log of who made each change, what was changed and why should be sent by email or text to key stakeholders. Monitoring checksums and modification dates on code is a start, although a modification date is easy for an insider to set to any value, so the comparison should rest on content hashes against a golden copy stored off the machine. And what steps are in place when an unexpected modification occurs? Is the machine shut down and isolated from the network? After an event, is there a post-analysis process to close that particular vulnerability? Identify, respond, analyze: in the OT landscape, the identification step is often missing or overlooked until it is too late, which means the response and analysis components are missing too. Creating a proactive and evolving cybersecurity program for your OT assets should be a priority for every company.
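The check described above, written out as an added example (this is not code from the article or from Siemens): files are hashed with SHA-256 at sign-off to build a baseline, the live files are compared against that baseline, and any change that is not covered by a change record (who, what, why, and the hash of the approved version) is reported as unexpected. The project files, the baseline, the change log and the file names are all constructed inline so the script runs offline; the change-record format is hypothetical.

```python
"""Integrity check for PLC/HMI project files against a signed-off baseline.

Added example, not from the article or Siemens. The project files, baseline
and change log are constructed inline; paths and the record format are hypothetical.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    """Content hash. Unlike a modification date, an insider cannot set this to a chosen value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every file under root. Run at sign-off and keep the result off the machine."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


@dataclass
class ChangeRecord:
    """Who changed what and why, written by the change process before the edit is deployed."""
    path: str
    who: str
    why: str
    when: datetime
    approved_hash: str  # hash of the version that was reviewed and approved


def check_integrity(root: str, baseline: dict, change_log: list, now: datetime):
    """Compare live files with the baseline.

    Returns (approved, unexpected, missing):
      approved   - changed files covered by a record whose approved hash matches
      unexpected - changed or new files with no matching record: alert and isolate
      missing    - baseline files that have disappeared
    """
    current = build_baseline(root)
    approved, unexpected = [], []
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) == digest:
            continue
        record = next((r for r in change_log
                       if r.path == rel and r.approved_hash == digest and r.when <= now), None)
        if record is not None:
            approved.append((rel, record.who, record.why))
        else:
            unexpected.append(rel)
    missing = sorted(set(baseline) - set(current))
    return approved, unexpected, missing


def format_alert(unexpected: list, missing: list) -> str:
    """Text for the email/SMS to stakeholders; empty when there is nothing to report."""
    if not unexpected and not missing:
        return ""
    lines = ["UNEXPECTED CHANGE on OT asset - isolate from network and start post-analysis"]
    lines += [f"  modified without change record: {p}" for p in unexpected]
    lines += [f"  missing from baseline: {p}" for p in missing]
    return "\n".join(lines)


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: one approved recipe change, one silent interlock bypass, one deletion."""
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Line3/Press_PLC.awl", "NETWORK 1\nA I0.0\n= Q0.0\n")
        _write(root, "Line3/Press_HMI.cfg", "interlock_bypass=0\n")
        _write(root, "Line3/Recipe_A.csv", "temp,180\npressure,4.2\n")
        baseline = build_baseline(root)

        # Approved change: set-point raised under a recorded change request (hypothetical CR number).
        _write(root, "Line3/Recipe_A.csv", "temp,185\npressure,4.2\n")
        change_log = [ChangeRecord("Line3/Recipe_A.csv", "j.doe", "CR-1234 raise temp set-point",
                                   now - timedelta(hours=2),
                                   sha256_file(os.path.join(root, "Line3/Recipe_A.csv")))]
        # Unexpected change: safety interlock bypassed, no record anywhere.
        _write(root, "Line3/Press_HMI.cfg", "interlock_bypass=1\n")
        # Unexpected deletion: the PLC program is gone.
        os.remove(os.path.join(root, "Line3/Press_PLC.awl"))

        result = check_integrity(root, baseline, change_log, now)
    return result


if __name__ == "__main__":
    approved, unexpected, missing = demo()
    print("approved:", approved)
    print(format_alert(unexpected, missing))
```

The comparison is keyed on the hash of the approved version rather than on the file name alone, so a file that was edited again after its change was approved still shows up as unexpected. Run on a schedule, the same check answers the "who changed what, and was it sanctioned" question the paragraph asks; the isolation and post-analysis steps remain a human procedure that the alert triggers.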
The IEC 62443 standards provide an excellent framework for measuring your security. They define graded security levels for zones and conduits (SL 1 through SL 4), so you can assess your own process and policy against a target level appropriate to the risk. According to ISA, “These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is a holistic one, bridging the gap between operations and information technology as well as between process safety and cybersecurity.”
Finally, does the cybersecurity protection in place even allow you to detect an insider attack? Is someone on your cyber team alerted when an unrecognized device connects to the network? If systems are accessed or operate unusually, are alerts configured? If you can plug in a laptop, run network-sniffing software and nobody in IT notices, you have a problem. Often, even with very robust IT security, OT security looks like the Wild West, with an “anything goes” approach to allowing devices and connectivity, even to critical systems.
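One way to get the "unrecognized device" alert the paragraph asks for, as an added example that is not part of the article or any Siemens product: DHCP server log lines are matched against an asset inventory keyed by MAC address, and a lease goes to a zone (control or engineering subnet). A MAC that is not in the inventory is flagged, and so is a known device that turns up in a zone it is not allowed in, such as an engineering laptop on the control VLAN. The inventory, the zone layout and the log excerpt are constructed; the log format follows the ISC dhcpd "DHCPACK on <ip> to <mac> (<hostname>) via <iface>" line, which is an assumption about the DHCP server in use.

```python
"""Flag unrecognized or out-of-zone devices from DHCP server log lines.

Added example, not from the article or Siemens. Inventory, zones and log lines
are constructed; the dhcpd DHCPACK line format is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)", re.IGNORECASE)

# Network zones (constructed): control network and engineering network subnets.
ZONES = {
    ipaddress.ip_network("10.20.3.0/24"): "control",
    ipaddress.ip_network("10.20.7.0/24"): "engineering",
}


@dataclass(frozen=True)
class Asset:
    name: str
    allowed_zones: frozenset  # zones this asset is permitted to appear in


# Asset inventory keyed by MAC (constructed). This comes from the asset register,
# not from whatever happens to be plugged in today.
INVENTORY = {
    "00:1c:06:aa:bb:01": Asset("L3-PLC-01", frozenset({"control"})),
    "00:1c:06:aa:bb:02": Asset("L3-HMI-01", frozenset({"control"})),
    "3c:52:82:10:20:30": Asset("ENG-LAPTOP-07", frozenset({"engineering"})),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no defined subnet."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return "unknown"


def analyze(lines, inventory=INVENTORY):
    """Return one alert dict per suspicious lease. Known devices in their own zone produce none."""
    alerts = []
    for line in lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        mac = m.group("mac").lower()
        zone = zone_of(m.group("ip"))
        asset = inventory.get(mac)
        if asset is None:
            alerts.append({"kind": "unknown_device", "mac": mac, "ip": m.group("ip"),
                           "zone": zone, "host": m.group("host") or ""})
        elif zone not in asset.allowed_zones:
            alerts.append({"kind": "out_of_zone", "mac": mac, "ip": m.group("ip"),
                           "zone": zone, "host": asset.name})
    return alerts


# Constructed log excerpt: a PLC and an HMI renewing leases, an engineering laptop in its
# own zone, then the same laptop appearing on the control VLAN, then a MAC nobody has seen.
SAMPLE_LOG = """\
Jun 12 08:14:02 plant-dhcp dhcpd[812]: DHCPACK on 10.20.3.11 to 00:1c:06:aa:bb:01 via eth1
Jun 12 08:14:05 plant-dhcp dhcpd[812]: DHCPACK on 10.20.3.12 to 00:1c:06:aa:bb:02 (l3-hmi-01) via eth1
Jun 12 08:20:41 plant-dhcp dhcpd[812]: DHCPACK on 10.20.7.54 to 3c:52:82:10:20:30 (eng-laptop-07) via eth2
Jun 12 13:02:17 plant-dhcp dhcpd[812]: DHCPACK on 10.20.3.45 to 3c:52:82:10:20:30 (eng-laptop-07) via eth1
Jun 12 13:09:58 plant-dhcp dhcpd[812]: DHCPACK on 10.20.3.46 to 9c:b6:d0:de:ad:01 (ws-tmp) via eth1
""".splitlines()

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"ALERT {a['kind']}: {a['host'] or 'no hostname'} {a['mac']} "
              f"at {a['ip']} in {a['zone']} zone")
```

DHCP only sees devices that ask for a lease. A laptop with a static address, or a passive tap, never shows up here, so in practice this is paired with switch-port monitoring (port security, MAC notification traps or ARP table polling) on the same inventory; the allowlist logic is the same. The out-of-zone rule matters as much as the unknown-MAC rule: the insider case is usually a legitimate, inventoried device being used somewhere it should not be.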
Implementing OT cybersecurity is a vital part of comprehensive protection against attacks. Understanding the dangers, investigating vulnerabilities and implementing practices that mitigate risk can be the difference between an attack being a major inconvenience and a complete disaster.
About the author: Kimberly Cornwell is a System Engineer with Siemens Digital Industry Factory Automation Division and a member of the Factory Automation Cybersecurity Tech Team. She enjoys helping clients tackle their tough industrial engineering challenges. An MIT mechanical engineering graduate, she fell into industrial controls working for a semiconductor OEM and has never looked back. At MIT “hacks” were viewed positively – she now uses that mischievous spirit to help identify vulnerabilities in the industrial OT landscape.