Cyber attacks that make the evening news usually feature large organizations and often announce the theft of personal information. While they rarely make headlines, these kinds of attacks can, and do, happen to smaller businesses too. In these cases, not only are your employees’ personal data at risk, but so are “smart” machines and equipment in the Industrial Internet of Things. The key to understanding cybersecurity in a manufacturing setting is being aware that once a device is connected to the internet (even indirectly through a company network) it becomes vulnerable to attack.
How Cyber Attacks Work
A recent example is the December 2015 cyber attack on a Ukrainian power distribution center, in which attackers successfully cut power to thousands of customers in western Ukraine. They did it by finding weak spots in computer networks and gaining remote access.
Even with firewalls in place, the Ukrainian power electric power control center was vulnerable and ultimately breached. This article in Wired explains how it happened:
- A “phishing campaign delivered email to workers at three of the [utility] companies with a malicious Word document attached. When workers clicked on the attachment, a popup displayed asking them to enable macros for the document … if they complied, [a program] infected their machines and opened a backdoor to the hackers.”
- “Over many months they conducted extensive reconnaissance, exploring and mapping the networks getting access to the Windows Domain Controllers, where user accounts for networks are managed. Here they harvested worker credentials, some of them for VPNs the grid workers used to remotely log in to the SCADA network.”
- “workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.”
Hitting Closer to Home
Chances are your manufacturing facility is not as extensive as a power distribution center. But before you decide cybersecurity doesn’t apply to you, consider that the same methods used in the Ukrainian attack can be used against organizations of all sizes. You still need to be aware of how attackers can wreak havoc with your “smart” IIOT enabled devices, including robots and other manufacturing equipment.
Research reported in Security Week highlights how vulnerable smart manufacturing equipment can be. Researchers easily found ways for “attackers to intercept communications between the robot and the application controlling it, remotely access critical services without a username and password, install malicious software, and extract sensitive information that is not encrypted properly.”
Once an intruder is in, they can spy on the operators and facility “via the robot’s camera and microphone, steal personal or business data,” or disable safety controls and sensors. Trade secrets, production and operations data, and worker safety are all at risk if equipment is compromised.
A Security Rule of Three
If that sounds scary, remember that the flip side of cyber threat fear is awareness and preparation.
A good starting point for securing the connected computers and components in your network (on-site, remote, and even mobile access applications) is the CIA triad:
- confidentiality – preventing unauthorized access to information, usually by encrypting data or by selectively providing access to users
- integrity – making sure the data are not changed or altered (accidentally or on purpose) and ensuring the information is consistent and accurate
- availability – ensuring users have access when and where they need it
While things can quickly get complicated and specialized here, there are several easy things everyone can do to enhance cyber security, including:
- being smart about passwords – always reset default passwords that come with equipment and software; create a different password for each user; don’t share, write down, or broadly distribute passwords
- administering accounts mindfully – keep track of who has access to applications and data; set up levels of access and restrict those who don’t need to get to certain features/functions/data; promptly disable access when employees leave the company
- thinking before you click – don’t click links or open attachments in emails from unknown senders
- Phishing is still one of the major ways would-be attackers gain access to a network. When phishing links or attachments are clicked, they install key logging software to track what’s entered, including signs or patterns indicating a username and password were just typed (yes, they can spy on your keyboard). Once that information is gleaned, an attacker can log into your network and wander in search of other accounts and directories. Even if they get into your business’s office computers, they can still find a way into areas of your facility’s network that control production equipment. Like we said, it’s all connected.
- using firewalls between your internal network and all internet-connected computers – some attackers routinely scan the internet for unprotected networks looking for access points and once they find one it’s simply a matter of looking around for the right paths
Keep in mind that the best set up is only as strong as the people who use it. As hacker-turned-security advocate Kevin Mitnick has observed, “it’s easier to manipulate people rather than technology.” In fact, according to research by Willis Towers Watson, 58% of breaches are due to employee negligence or malicious behavior. This means for all the advanced computing power, security protections, anti-virus software, and cyber hygiene policies companies put in place, the weakest link in data security is consistently human beings.
Staying Safe in the Cloud
Some organizations build in-house virtual private networks (VPN) or remote desktop connection networks (RDC), which can provide solid security. Often, however, they require expert IT knowledge that smaller companies lack or can’t afford to outsource. A popular alternative is cloud-based networking and storage, and many automation integrators will have a preferred vendor in place.
Cloud-based systems have three components: the gateway (which is connected to the equipment), the cloud server computer, and client software (the program you log into on your desktop or mobile device) to program equipment and retrieve data).
These systems require minimal configuration, which means getting set up is usually quick and easy. Most cloud services offer virtual IP addresses for multiple access points, meaning a physical computer is not required for each (which saves money and set up time). Another advantage is built-in administration features, which allow one “power user” to control who has access to the equipment and at what level.
In terms of remote access to your automation equipment, your staff can see, adjust, and even operate equipment at a distance, and your integrator can troubleshoot and program from their location too. Because all requests to connect to the server originate with either the equipment (at the gateway) or the client (the account you log into), the risk of attackers entering from the server is greatly reduced.
There’s a great deal to learn, and a great deal to gain when you make the move to internet-enabled automation equipment. From cobots to vision cameras to conveyors, connected equipment lets you monitor and adjust machines to optimize output and make decisions based on real-time data. We can help you navigate this new manufacturing frontier – contact us today.
