Giving Heart To the Tin Man: The Intersection Of the IT/OT in Modern Manufacturing

By David Furr

Protection of key manufacturing and critical infrastructure systems must be provided the same priority as other sectors of our economy if we are to protect basic operations and competitive superiority to which we have become accustomed.[1] Basic industrial and manufacturing operations that have long relied on commercial off-the-shelf products are sitting targets to the same maladies that enterprise networks face.  Modern industrial central systems (ICS or SCADA) must employ a security protocol that reduces operational risks, prevents system breaches and becomes compliant with all best practices while leveraging existing infrastructure and maximizing return of investment on existing equipment.

Since 2015, U.S. manufacturing entities considered critical to the economy and to modern life have been main targets of cyber attacks – outstripping energy, communications and other critical infrastructure, according to U.S. Department of Homeland Security Incident Response data.[2]  If anything their numbers may be understated because companies in key industries often do not report attacks for fear of diminished public perception.

Failure to evaluate and employ a modern security protocol creates the potential for extraordinary and even catastrophic physical damage that extends possible harm to individuals and property, including death or massive recall.  OT breaches simply cannot be restarted from a backup.  The reputation and the financial well-being of the enterprise and even the community at large have never been more at risk.

 1. Welcome Tin Man to the Internet of Things (IoT) and the Industrial Internet of Things (IIoT)

Over the last few years, the IoT has morphed from futuristic concept to a real-world framework. By the time you count 8 seconds or read the first section of this article, 150 new devices have been connected to the IoT.  That means 61,500 per hour; 1,500,000 per day.  Currently 7.4 billion devices are connected to the IoT, more than humans on the planet.  By 2020, estimates of connected devices range from 26 billion to 75 billion.[3]

This IoT revolution extends to the IIoT, the interconnection of millions of devices installed on operating technology (many of which are decades old) that incorporate sensors and monitoring to gather bits of data distributed via the internet to central servers – ALL perfect lily pads for the malicious intruder.  With billions of connected devices, all contributing data 24/7, it is more data than has ever been recorded or even imagined in human history.  Therein lies the quandary and the challenge that arises from simple machine-to-machine (M2M) technology of the 1980s and the necessity for modern manufacturers to address cyber security risks

2. Kansas to Oz – the Present and Future Realities

Newsweek recently identified Russian government sponsored hackers for being behind the penetration of computer systems at several U.S. nuclear power plants.[4]  Their goal – disrupt the nation’s power supply of at least a dozen nuclear power stations, including the Wolf Creek nuclear facility in Kansas.  By targeting industrial contract engineers with fake resume emails, the perpetrators, if successful, could have conceivably caused an explosion, fire or discharge of lethal materials.  The opening of infected resumes would have created the ideal lily-pad for unfettered access into the ICS/SCADA of the operating network.[5]

3. Twin Tornados Actually Sighted!

The largest threats to the ICS/SCADA environment may originate from the adjacent business or corporate and safety networks or IT.  A real life example of this can be seen in the targeted attack against a Ukrainian Operator of ICS/SCADA systems for the electric power industry, which took place on December 23, 2015, leaving 1.4 million customers without service for several hours.  Attackers used spear phishing and social engineering techniques to deliver a Microsoft Word document with malicious VBA macros to drop the BlackEnergy malware, Kasidet backdoor and Dridex banking Trojan.[6]  This event shows that many attackers are not only able to penetrate their target network but often successfully establish a beachhead and remain undetected for a significant period of time while continuing evasive and damaging actions.  As this blue print attack shows, the impact to an ICS/SCADA system can be far-reaching with devastating effects.

In a more recent and local event, malware entered AW North Carolina, a transmission manufacturing plant in Durham, North Carolina through its IT systems via an email phishing campaign.  Their goal was to flood the OT with data designed to stop production until a ransom was paid.  AW North Carolina stood to lose $270,000 in revenue, plus wages for idle employees, for every hour the factory was not shipping its critical auto parts to nine  Toyota car and truck plants across North America per the plant’s CIO.  Because of appropriate segmentation and firewalling, the company avoided any long term damage and payment of ransom.[7]

4. Wizard’s Advice

Understanding that the IIoT and M2M will integrate, merge and accelerate this decade is fundamental to recognizing the solution.  The undeniable fact:  IF IT CAN BE CONNECTED, IT WILL BE CONNECTED.  There is no curtain to hide behind.  With that knowledge, the proper merger of cyber security with the operation and safety networks is paramount.

        WHAT WE PROTECT (The Crown Jewels):

  • Valuable Intellectual Property
  • Secure Customer Data – whether direct sale or through valued partners
  • Application and network access for enterprise collaboration and supplier integration
  • Direct attacks through IT to the ICS/SCADA network including internet connected, factory floor equipment
  • Seamless and safe plant operations with secure operational and safety networks and processes
  • All network traffic at BOTH the application and user level to validate proper or anomalous use.

Effectively protecting today’s IT and ICS (OT) manufacturing networks requires a modernized security approach.

        HOW WE PROTECT

  • Segmenting the Crown Jewels: Any basic cyber security protocol starts with segmentation of the network.  The basic premise of segmentation is to isolate sensitive and critical data from the general network with appropriate air-gapping, using the concept of zero trust to allow content to be accessed only by a limited and identifiable set of users, through a well-defined set of applications, blocking everything else.  Prevention of unfiltered ingress or data exfiltration is critical.
  • Multifactor Authentication and Encryption: Basic passwords are no longer adequate for authentification.  Creating protected zones with specific and authorized entry is necessary in the modern security environment.  These, along with segmentation, are the two pillars of modern cyber security.
  • Next Generation Firewalls – Utilizing a Platform Approach: With the migration and inevitableness of the cloud and IoT and the resulting waterfall to the IIoT, the manufacturer must seek real time visibility and cohesive security for its cloud, network, end point devices and content.  Only a platform based model can deliver:
    • Next generation security capabilities – including firewall, IPS, decryption, unknown threat detection, networking antivirus and URL filtering that work together to deliver application, user and content visibility and control, along with protection against network-based cyber threats.
    • Threat intelligence that correlates, synthesizes and analyzes evolving threats and related metadata gathered from global platform deployments.
    • Advanced endpoint protection that stops zero day exploits and modern malware on devices from network servers to remote laptops.

With the adoption of nextgen platform-based technology, the manufacturer can:

  • Effect more efficient operations: By reducing the attack foot print, organizations can minimize the time spent in remediation and endpoint patching.  More importantly, time can be spent on strategic planning and implementation.  Next-gen platform-based firewalls will expose wasted precious network resources and employee time on unauthorized and unnecessary applications.
  • Increase Visibility and Intelligence: Understanding WHO is on the network is fundamental to modern competitiveness.  Not only WHO, but WHAT files are being accessed and WHEN.  A key question is whether applications and files are being accessed by users – including suppliers and valued partners – that align with needs and defined corporate policy and capitalistic goals.
  • Increase Visibility at the Most Granular Level: Even if nothing more is done than to place an application-based firewall in monitor-only mode to document all network traffic, the enterprise will gain invaluable knowledge that can prevent catastrophic disruption.  Legacy-based solutions based on stateful inspection firewalls do not provide Layer 7 visibility and user-based access controls required to effectively minimize cyber exposure.  Again, catastrophic disruption can easily mean death or massive recall.
  • Reduce the Attack Footprint: Along with the fundamental principles of segmentation, the manufacturer can create security zones (DMZ’s) and role-based access controls – thereby reducing both malicious and accidental exfiltrations.  Segmentation can be compartmentalized easily on a need-to-know basis.
  • Create comprehensive threat prevention – whether intended maliciously or accidentally, whether threat or reason-based, the critical operating systems can be protected.

5. The Balloon Ride Back To Earth

We are in an unprecedented assault on our everyday lives.  Just as assessable as our banks and grid are our ICS/SCADA manufacturing systems.  Whether a news alert or an actual Ukraine disaster, the threat and potential for unprecedented harm is real.  OT breaches cannot be repaired by simple backups – CEOs, CFOs, CIOs and CISOs have to recognize failures as potentially catastrophic, including physical damage to individuals and property – even death or massive recall.  With reputational damage to the enterprise and the community at large, the need for a grounded modern review and implementation of a cyber security policy has never been more paramount.

To insure a safe landing, the following steps are recommended:

  • Engage a qualified security expert to perform a security health check. This may or may not be your current IT vendor per this author’s opinion, unless they truly understand next-gen protocols.
  • Understand what solutions best fit your organization. Are you an enterprise-based solution or will expert managed security solutions give you the protection you need within a defined budget?
  • Obtain a buy-in from key management and the Board of Directors as well as all managers. All parties must have a stake in cyber security.
  • Understand that nothing written herein protects from the rogue employee.
  • Insure with specialized cyber insurance.
  • Make sure proper cyber security responsibility and liability is contractually assumed across the supply chain.

Reach David Furr at  dfurr@gastonlegal.com or at 704-790-6013.

[1] The genesis for this paper was the Next-Gen Security for the Manufacturing Industry Panel Presentation for the US Chamber of Commerce/SC Cyber Security Summit, Columbia, SC (May 23, 2017).  Panelists included David Furr; Steven Tibreo, CIO Savannah River National Laboratories; Dr. Mikael Lindvall, Technology Director Fraunhofer USA Cese; and David Buie, Senior Security Analyst Michelin.

[2] Take Down: Hackers looking to shut down factories for pay: http/www.journalnow.com/local/article_95ae-16e9-e182-5de8-aifc-4ecc66baOdez.html (Aug 10, 2017).

[3] Navigating the Digital Age, Chapter 32, The Internet of Things, The Chertoff Group by Mark Weatherford (2016).

[4] Russia is the Chief Suspect in U.S. Nuclear Power Plants Hack, by Tom Porter:  http:/www.newsweek.com, 633160 (July 7, 2017).

[5] Id.

[6] http./www.welivesecurity.com/2016/01/04/black-energy-trojan-strikes-again-attacks-ukrainian-electric-power-industry.

[7]  Take Down, supra.