Making Time for Security
By Gregory Hale, editor/founder ISSSource
Not too long ago, a young Polish boy found a hole in the network of a European tram system. He was able to get into the system, navigate his way around and then, using the infrared device on a television remote, switch tracks. The end result was four trains ended up derailed and 12 people suffered injuries.
All of that with a television remote control. Using a simple device, the attacker was able to penetrate a network and cause damage. In today’s hectic industrial environment, manufacturers for the most part cannot rely on themselves for protection. They need to focus on making product. That is where a solid security plan comes in: one where workers are educated and know what, or what not, to do, or one where the manufacturer partners with a quality provider that can work its magic on keeping systems up and running.
Manufacturers need to keep the process going. Security, company leaders will say, is this “new-fangled” thing that costs money and slows down production. They really don’t see it as a business enabler that can help keep systems up and running.
“In operations management there is very little time for security,” said Andrew Kling, Director of Cybersecurity and Architecture at Schneider Electric. “But as you go higher into the organization, you’ll find they increasingly have more time. The stories tilt away from fear and toward what is the risk to my corporate reputation and what is the risk to my ability to produce my widget and make a profit. That is where they do have time to think about cybersecurity. They are thinking about plant risk and risk management.”
FUD Fading Away
Fear, uncertainty and doubt (FUD) was all the rage 10 years ago when cybersecurity first came to light. But the Chicken Little, sky-is-falling fearmongering is going away, and an intelligent approach to understanding the issue and methodically addressing it is coming to the fore.
Instead, cyberattacks, internal and external, are continuing to grow. Just take a look at a recent Ponemon Institute cybersecurity research study. Fifty-three percent of respondents said they suffered at least one data breach in the past two years, while 68 percent don’t believe their organizations have the ability to remain resilient in the wake of a cyberattack. And 66 percent aren’t confident in their organization’s ability to effectively recover from an attack.
“Once senior managers are educated, they begin to look at cybersecurity, they see what is in the media, they see the risks and threats,” said Gary Williams, Schneider Electric Senior Director of Technology, Cyber Security and Communications. “They do an analysis as to whether they would be able to withstand a threat. And once they realize they don’t have a necessary skill set or the necessary hardware features to prevent an attack, they consider additional services. Because the alternative, of course, is to just disconnect.”
Case in Point
Of course, disconnecting is not an answer, especially as advances in technology allow manufacturers to achieve greater benefits. Take 3D manufacturing, for instance, a growing industry area that suffered a damaging blow.
A 3D additive manufacturing (AM) system fell to a cyber assault, showing how an attack and a malicious manipulation of blueprints can fatally damage production of a device or machine.
It is possible to sabotage the quality of a 3D-printed functional part, which leads to the destruction of a device, said researchers from Ben-Gurion University of the Negev (BGU), the University of South Alabama and Singapore University of Technology and Design in a paper entitled “Dr0wned.”
Researchers were able to destroy a $1,000 quadcopter UAV drone by hacking into the computer used to control the 3D printing of replacement propellers.
Once they penetrated the computer, the researchers found the propeller blueprint file and inserted defects. During flight tests, the sabotaged propeller broke apart during ascent, causing the drone to smash to the ground.
More than 100 industries, including aerospace, automotive and defense, employ additive printing processes. The AM industry accounted for $5.165 billion of revenue in 2015. On top of that, 32.5 percent of all AM-generated objects end up used as functional parts, according to a Wohlers Report.
Such an attack could cost lives, cause economic loss, disrupt industry, and threaten a country’s national security.
Security a Business Enabler
“People tend to look at safety and security from a liability perspective,” said John Boville, Market Segment Manager at Schneider Electric. “But they are missing a great deal in terms of how many days or hours of downtime follow a cyberattack and related safety incidents. You also have to look at cost of the investigation, which in some places will close lines down until a root cause is found. All of that is lost productivity, and it can add up pretty quickly.”
“It is possible to use real time accounting methods to quantify the financial impact of these incidents. We can help organizations develop cultures and implement measures to help improve safety and cybersecurity of their operations.”
That means manufacturers can focus on making product, while a third party can come in and protect the system and also help improve performance.
“It is inevitable we are seeing people moving toward a service where a third party is monitoring your system, where they can do predictive maintenance and where they can tell you when someone is logging on to your system at two in the morning, which is unusual,” Williams said. “IT will pick it up on behavioral analysis. If someone is logged onto the control room and at a site a mile away at the same time, the service will pick that up and flag it. These tools are available and they are very good for an IT environment. For OT, I don’t think IT will have the necessary skill set to keep up with the constant change in risk and threat. It is inevitable the industry is moving more toward services because it is only companies offering these services that have the resources and skill sets.”
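The two checks Williams describes, a login at an unusual hour and one account active at two sites at the same time, can be written as simple rules over authentication events. The following is an added example, not code from the article or from Schneider Electric; the log format, user and site names, and the 00:00-04:59 off-hours window are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events (not real logs): ISO time, user, site, action.
SAMPLE_LOG = """\
2024-03-04T08:01:00 jsmith control-room login
2024-03-04T09:30:00 jsmith remote-site-a login
2024-03-04T10:00:00 jsmith control-room logout
2024-03-04T10:05:00 jsmith remote-site-a logout
2024-03-05T02:03:00 mlee control-room login
2024-03-05T02:40:00 mlee control-room logout
2024-03-05T09:00:00 akhan control-room login
2024-03-05T17:00:00 akhan control-room logout
"""

OFF_HOURS = range(0, 5)  # assumption: 00:00-04:59 local time is unusual

def parse(log_text):
    """Yield (datetime, user, site, action) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("login", "logout"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def detect(log_text):
    """Return a list of (rule, user, detail) alerts in time order."""
    alerts = []
    open_sessions = {}  # user -> {site: login time} for sessions still open
    for ts, user, site, action in sorted(parse(log_text)):
        sites = open_sessions.setdefault(user, {})
        if action == "logout":
            sites.pop(site, None)
            continue
        if ts.hour in OFF_HOURS:
            alerts.append(("off_hours_login", user, f"{site} at {ts:%H:%M}"))
        others = sorted(s for s in sites if s != site)
        if others:  # same account already active somewhere else
            detail = f"{site} while active at {', '.join(others)}"
            alerts.append(("concurrent_sites", user, detail))
        sites[site] = ts
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In an OT setting the off-hours window would need to follow the plant's shift schedule, since a 2 a.m. login is normal on a night shift.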
Whether it is through a simple television remote control, or a highly sophisticated assault, attacks are growing and becoming more prevalent. That means manufacturers have to make the time for security.