Hacking a manufacturing facility’s control system might sound like something from the pages of a comic book – a larger-than-life villain controlling robots and machines in a facility to advance his agenda. The superheroes, in this case your friendly facility IT/OT guys, come to the rescue. The heroes stop the villain, and all ends well.
In reality, a security breach like this severely impacts the company economically, causing people to lose their jobs, and the villain is likely never caught. Not as romantic as what you were thinking, huh?
Security breaches can have even more severe consequences for pharmaceutical and food processors. The general public’s well-being is at risk. A manipulated batch of pharmaceuticals or adulterated food product could have nationwide impact. If that happens, the damage to your brand’s reputation may be irreparable.
Why Hack Manufacturing?
The manufacturing industry has migrated towards Ethernet network protocols. It is easier than ever to connect network systems, which comes with both benefits and drawbacks. Data availability is better than ever, giving insights into your system and creating the ability for more complex control procedures. Unfortunately, interconnectedness also makes it easier for a hack to spread to other parts of your control system.
We could go on endlessly about the intentions and consequences of bad actors, but they can be summed up in a few statements. Hacks will do nothing positive for your organization. The intention of hacking a control system is most likely to set your organization back significantly. Hacks can come from virtually anywhere with no warning. It is most responsible to assume that everyone could be a bad actor and to cover all your bases all the time. Frustratingly, hackers are rarely found or prosecuted.
IT vs. OT
Creating a cybersecurity program requires an understanding of the difference between how information technology (IT) systems and operational technology (OT) systems operate. Because they are fundamentally different systems, they require different approaches to security maintenance and rectification. Hacks may have different consequences for your organization depending on where they occur.
OT systems are structured to differentiate the network systems used for industrial process control from the IT systems used for business-side operations. Both OT and IT have the same basic infrastructure; however, the applications being run on the networks are quite different.
IT networks focus on data security as their number one priority. New software patches and software upgrades can be done overnight or relatively quickly throughout the day. If there is a breach on a device, IT can isolate it from the rest of the system with relative ease and without major setbacks in system-wide productivity.
IT networks are easier to maintain as there are many opportunities for downtime. If a computer’s security is breached, taking that one machine offline does not typically cause major problems in other parts of the organization. IT has relative freedom to perform maintenance and to react to issues without causing severe operational obstacles.
OT cybersecurity varies depending on operational requirements. In operations that do not run full time or that have scheduled downtime, maintenance is not much different than IT. If the operation runs 24/7, good luck finding downtime.
With modern control systems, shutting down one portion will shut down some or all of the manufacturing process. During 24/7 operation, maintenance of the cybersecurity system is difficult, if not strictly reactive. Reboots and installations are not money-making activities, so they are usually not included in operational plans. It is a constant battle to find time to implement and maintain OT security in modern manufacturing environments.
Simply installing a new program or security system will require validation, which can never happen quickly enough for production planners. Even in the case of a breach with the potential to spread, there will be pushback on shutting the line down. Shutting the line down is never a desirable course of action. Responding to infiltrations and threats is painful. Prevention is the name of the game.
Any way you cut it, industrial OT cybersecurity is difficult. It is difficult to find time and resources and difficult to respond to attacks. In addition, it is difficult to get buy-in for security operations because few decision makers understand the required processes. An outside consultant may remove the glazed eyes of decision makers and help them realize what it takes to protect their assets, people, and products.
A prime opportunity to further secure your plant control system is when swapping old components for new components. Currently, PLC5 and similar technologies are going by the wayside in favor of more up-to-date and capable PLC formats. The new PLC formats are not just modernizing your plant’s control system, they are preparing it for the future. These new PLCs are ushering in the era of on-machine devices that will expand control systems’ capabilities significantly.
Software patches will no longer be available for legacy PLC platforms that are no longer being manufactured. This obsolescence is the catalyst for replacing old hardware. Keeping this old hardware will put your operations and production at significant risk with costly consequences. When these components fail, replacements will be increasingly expensive and difficult to find, not to mention the extended downtime.
If your obsolete PLCs were to be hacked, you basically would have no option but to replace them. However, waiting until you are hacked to replace them means that you will be waiting until an engineering plan is developed, parts arrive, and the solution is implemented while your plant and people sit idle.
This article is not meant to scare or intimidate you, but rather to state the risks and realities that your facility faces. Cybersecurity threats are targeting control systems, specifically obsolete control systems, and OT teams are tasked with their defense. Difficulties, including finding downtime and resources, challenge OT teams in “no-downtime” plants. Thus, proper education and recognition of risks is a starting point for receiving buy-in to protect company assets. The actual replacement of obsolete controls and PLCs is then the next step to achieving a more secure and safe production environment.