[BreachExchange] Security Game Plan for Smart Factories

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 17 10:55:03 EST 2018


Smarter, more efficient factories are coming, and that means AI,
automation, machine learning and IoT hardware will become commonplace
where they aren’t already. There’s just one concerning element in all of
this: cybersecurity. Yes, IoT and smart factories mean plant systems are
better connected, but if the security of the integrated systems and
hardware is not a priority, better connected also means a larger attack
surface and more vulnerabilities.

The adoption of IoT and “connected” systems means modern factories can be
uniformly monitored, automated and run far more efficiently. In turn,
this boosts profits, thanks to the creation of a well-oiled machine, so to
speak.

But smart factories and IoT devices are considered “connected” and “smart”
precisely because they are tethered to a network, to other systems and to
hardware, and a network with that many endpoints is an exposed one, no
matter how well it is secured. Since this is a relatively new concept for
the industry, security practice is still immature.

So, how can we beef it up?

1. Physical Security
Believe it or not, physical security remains a major concern even with
modern systems. Attackers who are able to gain access to factory and
plant buildings can wreak havoc. Theft can also be a problem, especially
in automated plants where there are few or no human workers onsite for
extended periods.

One way to combat this is to bolster physical security and surveillance
on top of installing smart sensors and monitoring tools. Collectively,
these systems don’t just allow remote monitoring of live video feeds;
they can also interface with the property and related hardware. Doors,
for example, can be opened remotely at the press of a button once the
identity of the person requesting access has been verified. Sensors and
alarms can alert security teams when they detect movement on the property
when no one should be there, or in unauthorized areas. Crash barriers are
also an effective way to keep out physical intruders or unauthorized
parties.

2. Establish a Risk Management Process
One of the first steps in any IT and cybersecurity plan is to establish a
risk management process that covers both proactive and reactive
strategies. Restricting access to exposed networks with properly
configured firewalls, strong authentication and activity monitoring is
all recommended. But in the event of a breach or attack, you want to take
action as soon as possible. This means locking down the network from
outside access, preventing further damage and even blocking the offending

The process also needs to be deployed and followed across the entire
organization. Employees and personnel must understand the IT and security
policies, be educated on how to protect themselves and their systems, and
adhere to the limits those policies set. Even something as simple as
properly securing a building access card or authentication token can be
crucial to strong security: should it fall into the wrong hands, an
inordinate amount of damage can be done.

3. Lock Down Industrial Control Systems
ICS, or industrial control systems, are the controllers, HMIs and
supervisory systems that interact with the physical world: measurements
come in from the plant floor and commands go out to plant hardware and
machines. Because of how they work and what hardware they have access
to, an ICS must always be secured. In fact, this is one security element
that should become a priority for all organizations, especially over the
coming years.

Ransomware has become rampant in the digital world, and it is certainly
capable not only of locking down critical plant systems, but also of
damaging or severing the data connections that keep entire processes
operational.

Follow the standards set forth in NIST SP 800-82 and ISA/IEC 62443 (the
work of the ISA99 committee) to improve security while maintaining
reliability.

4. Manage IoT Devices, Embedded Systems and Data Access
The industrial internet is taking hold, which means smarter, more
connected devices on the plant floor. Unfortunately, there are few
regulations in place, and little independent security reporting, to help
ensure this new class of technology is protected, which further
increases the risk of cyber attacks and threats.

To make matters worse, many of these devices and systems are non-standard
platforms, which means they cannot run the endpoint security software a
desktop or server would. Sensors and pumps driven by embedded controllers
are a good example of devices that cannot be secured by conventional
means.

To combat this, organizations will need to adopt a PKI, or public key
infrastructure, that issues each device its own certificate and uses those
certificates to authenticate communication and data transfer. Such a
system is designed, at its core, to authenticate, configure, communicate
with and control connected devices. Anything that presents an untrusted,
expired or otherwise invalid certificate, and so lacks integrity, can be
dealt with accordingly, if not automatically by the monitoring system.
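As an added example (not code from the original article or from any product it describes), here is a minimal version of that device PKI in Go using only the standard library: a plant CA enrolls a device by issuing it a client-authentication certificate bound to its device ID, and the gateway-side check accepts only certificates that chain to that CA and are still valid. The CA name, the device ID plc-line3-07, the one-year lifetime and the in-memory keys are all constructed for this example; a real deployment would keep the CA key offline or in an HSM and add revocation on top of what is shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey and returns the parsed certificate and
// its fresh private key. A nil parent means self-signed: that is how the plant
// CA is created, and how the rogue device in main forges its own certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuePlantCA creates the plant's self-signed device CA (name and lifetime are
// constructed for this example; a real CA key belongs offline or in an HSM).
func issuePlantCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Plant Device CA (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// deviceTemplate is the enrollment profile: the device ID becomes the subject
// CN, the certificate lives one year and may only be used for client auth.
func deviceTemplate(deviceID string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceID},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// enrollDevice issues a device certificate signed by the plant CA.
func enrollDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, now time.Time) (*x509.Certificate, error) {
	cert, _, err := issue(deviceTemplate(deviceID, now), ca, caKey)
	return cert, err
}

// authenticateDevice is the check a gateway or broker runs on a presented
// certificate: it must chain to the plant CA, be valid at `now` and carry the
// client-auth usage. It returns the authenticated device ID or the error.
func authenticateDevice(ca, presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, caKey, err := issuePlantCA(now)
	if err != nil {
		panic(err)
	}
	plc, _ := enrollDevice(ca, caKey, "plc-line3-07", now)
	rogue, _, _ := issue(deviceTemplate("plc-line3-07", now), nil, nil) // same ID, never enrolled
	id, err := authenticateDevice(ca, plc, now)
	fmt.Println("enrolled:", id, err)
	_, err = authenticateDevice(ca, rogue, now)
	fmt.Println("rogue:", err)
	_, err = authenticateDevice(ca, plc, now.Add(2*365*24*time.Hour))
	fmt.Println("expired:", err)
}
```

The point the three checks in main make is that identity comes from the chain, not from the name: a self-signed certificate that claims the same device ID fails with an unknown-authority error, and a genuinely enrolled device is rejected once its certificate has lapsed, which is the hook for retiring or quarantining hardware automatically.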

5. Involve Business Partners
Most security measures are handled locally and internally, which makes
sense. But there is another source of potential damage that is largely
out of your hands: your business partners. Manufacturing data will need
to be transferred and accessed across the supply chain, which means third
parties and outside teams will need to be trusted with it. Since data
sharing is most often facilitated through cloud-based applications and
storage these days, securing it is a monumental concern.

The solution is to adopt encryption, strong identity and authentication,
and context-based access controls, with reliable monitoring and reporting
on the back end. This gives a security team the resources it needs to
identify, communicate and take action against offending parties.

6. Plan Damage Control Now
No business, open system or network is invulnerable. In fact, it is
likely that you will be attacked or see a network breach at some point.
The question is not “if” but “when.” That is why you should have a damage
control plan in place now, before anything happens. Once an attack or
breach has been detected, you need to lock down your systems, data and
machines. You also need to be able to identify compromised channels, and
you must have some way to prevent the damage from spreading.

In a majority of cases, this will involve taking entire systems, maybe
even an entire location, offline to conduct maintenance and damage
control. Is there a way you can segment this process so that parts of
your plant remain operational? Are there things you can do to mitigate
the spread of an infection or attack? Do you have controls to purge user
access and regain control of your network(s)? These are all things you
need to consider, and then some.

7. Reduce Capex and Opex With Remote Security
Chances are your plants or factories are spread across a wide area. You
could deploy a security team at each individual property, but that would
balloon your capex (capital expenditures) and opex (operating expenses)
considerably. It also makes it difficult to facilitate collaboration and
communication between those teams.

The solution is to rely on a single, remote security team with the proper
tools and equipment to monitor your plants from one central location. One
leading oil and gas company — spread across more than 70 global sites — was
able to reduce costs by as much as $700,000 per site, over five years, by
deploying remote security teams.

8. Enable Device Profiling
BYOD, or bring your own device, is prevalent today because, while it does
introduce security risks, it reduces costs for a company or organization
by eliminating the need to supply work-centric devices. Personnel and
employees bring their own tablets, phones and mobile devices to work and
tap into the corporate network. The downside is that this makes it
extremely difficult for IT and security teams to control, review and
identify users and devices, at least without the proper systems in
place.

Device profiling needs to be implemented and enabled to control and secure
such a network. Related systems can identify devices and users, monitor
their activity, authenticate certain actions and even remove them from the
network entirely. Think of laying off or firing an employee without taking
away their network and system access: it could be incredibly damaging.

The same is true of third parties or outside contractors who come to work
at or visit a plant. They may need temporary access to the network, but
that does not mean their access should be unfettered. You will want to
make sure they are confined to the appropriate systems and software, and
that they are not doing damage. Remember, negligent users can
inadvertently cause damage through an infected system they were
completely unaware of.

9. Zone Defense
As per the ISA/IEC 62443 standard, an industry best practice is to divide
the plant into zones (groups of systems with similar security
requirements) and to control the conduits that connect them. The link
between the enterprise network and the control zones is an industrial DMZ
or demilitarized zone: data that has to move between them is relayed
through systems in the DMZ, so the zones can exchange information while
the enterprise network never has a direct path to the major control
components and systems.
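An added example (not part of the original article) of what that zone model looks like once it is written down as enforceable policy, in Go with only the standard library: three zones are defined by subnet, the approved conduits are an explicit allowlist, and each flow-log line is classified as allowed or denied with a reason. The subnets, host addresses, ports and log format are constructed for this example; what the code shows is the rule of the architecture, namely that the enterprise and control zones never talk directly, that the historian in the DMZ is the only relay between them, and that a cross-zone flow which is not an approved conduit is denied even between otherwise trusted zones.

```go
package main

import (
	"fmt"
	"net"
)

// Zones of the reference architecture. The names follow the text; every
// subnet, host and log line below is constructed for this example.
const Enterprise, DMZ, Control, Unknown = "enterprise", "dmz", "control", "unknown"

var zoneSubnets = map[string]string{
	Enterprise: "10.1.0.0/16",
	DMZ:        "10.20.0.0/24",
	Control:    "10.200.0.0/16",
}

// Conduit is one approved channel between two zones: direction, protocol,
// destination port and, optionally, the only hosts permitted to use it.
type Conduit struct {
	From, To         string
	Proto            string
	Port             int
	SrcHost, DstHost string // "" = any host in that zone
}

// Approved conduits. There is deliberately no enterprise<->control entry:
// every path into or out of the control zone terminates at the DMZ historian.
var conduits = []Conduit{
	{From: Enterprise, To: DMZ, Proto: "tcp", Port: 443, DstHost: "10.20.0.10"}, // users read the DMZ historian over HTTPS
	{From: Control, To: DMZ, Proto: "tcp", Port: 8443, DstHost: "10.20.0.10"},   // control-side gateway pushes data up to it
	{From: DMZ, To: Control, Proto: "tcp", Port: 502, SrcHost: "10.20.0.10"},    // only the DMZ collector may poll Modbus/TCP
}

// parseFlow reads one flow-log line in the constructed format
// "src=10.1.4.22 dst=10.20.0.10 proto=tcp dport=443".
func parseFlow(line string) (src, dst net.IP, proto string, port int, err error) {
	var s, d string
	if _, err = fmt.Sscanf(line, "src=%s dst=%s proto=%s dport=%d", &s, &d, &proto, &port); err != nil {
		return nil, nil, "", 0, fmt.Errorf("unparseable flow %q: %v", line, err)
	}
	if src, dst = net.ParseIP(s), net.ParseIP(d); src == nil || dst == nil {
		return nil, nil, "", 0, fmt.Errorf("invalid address in %q", line)
	}
	return src, dst, proto, port, nil
}

func zoneOf(ip net.IP) string {
	for zone, cidr := range zoneSubnets {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return zone
		}
	}
	return Unknown
}

// decide applies the zone model to one flow and returns "allow" or "deny"
// with the reason: unknown addresses are denied, intra-zone traffic is left to
// the zone's own controls, enterprise and control never talk directly, and any
// other cross-zone flow must match an approved conduit exactly.
func decide(src, dst net.IP, proto string, port int) (string, string) {
	sz, dz := zoneOf(src), zoneOf(dst)
	switch {
	case sz == Unknown || dz == Unknown:
		return "deny", "address outside every defined zone"
	case sz == dz:
		return "allow", "intra-zone (" + sz + ")"
	case (sz == Enterprise && dz == Control) || (sz == Control && dz == Enterprise):
		return "deny", "no direct enterprise<->control conduit; relay through the DMZ"
	}
	for _, c := range conduits {
		if c.From == sz && c.To == dz && c.Proto == proto && c.Port == port &&
			(c.SrcHost == "" || c.SrcHost == src.String()) &&
			(c.DstHost == "" || c.DstHost == dst.String()) {
			return "allow", fmt.Sprintf("conduit %s->%s %s/%d", c.From, c.To, c.Proto, c.Port)
		}
	}
	return "deny", fmt.Sprintf("no approved conduit %s->%s %s/%d", sz, dz, proto, port)
}

// decideLine is the one-call form for log replay; unparseable lines are denied.
func decideLine(line string) (string, string) {
	src, dst, proto, port, err := parseFlow(line)
	if err != nil {
		return "deny", err.Error()
	}
	return decide(src, dst, proto, port)
}

func main() {
	for _, line := range []string{
		"src=10.1.4.22 dst=10.20.0.10 proto=tcp dport=443",  // approved conduit
		"src=10.1.4.22 dst=10.200.3.7 proto=tcp dport=502",  // enterprise straight to a PLC
		"src=10.20.0.55 dst=10.200.3.7 proto=tcp dport=502", // wrong DMZ host polling Modbus
		"src=10.200.3.7 dst=10.1.4.22 proto=tcp dport=443",  // control zone calling out
	} {
		d, why := decideLine(line)
		fmt.Printf("%-5s %s  (%s)\n", d, line, why)
	}
}
```

Run over a firewall or flow export, the deny lines with a "no approved conduit" or "no direct enterprise<->control" reason are exactly the segmentation violations worth alerting on; the same table, expressed as firewall rules, is what the DMZ enforces.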

10. Educate and Maintain Compliance
Finally, it is important to remember that many security issues arise from
user or personnel negligence. This can be addressed by educating and
training your workforce on proper security practice, and by walking them
through what is required on their end of the process.

A bigger concern, however, is staying on top of your workforce and
personnel as time goes on. This means continuing to train them and
maintain their knowledge and security familiarity, especially when newer
systems are deployed or older tools are updated.

Reliable Systems Security Is a Never-Ending Process
By following and deploying the security tips discussed here, you can better
prepare your plants and factories for the coming technology boom — if you
haven’t already adopted many of the systems discussed. It’s crucial to
recognize reliable and successful security is not something that is ever
fully complete or achieved. That is, security as a whole is a never-ending
process that continually needs to be updated, maintained, monitored and
measured. That’s true of your hardware and software, but also of your
personnel, partners and third-party contacts.

It’s only when you truly understand that security must be followed day-in
and day-out that you will see your plants and systems better protected.