As we monitor the news around the country, the assault on automation systems has seemed to have increased significantly since the National Security Agency (NSA) and US Cybersecurity & Infrastructure Security Agency (CISA) released their July 23rd advisory, in which they recommended immediate actions be taken to reduce exposure of OT systems to the internet. The most recent publicized attack was at a Florida water plant, where an attacker was able to modify the system to add over 100x the amount of lye to the water, attempting to poison the population.
CISA recently released a security advisory for Rockwell PLCs that is a 10/10 in severity, indicating significant risk. These, along with the multitude of security vulnerabilities in the Windows OS makes having the automation as a separate, secured entity - even from the main network - imperative.
How vulnerable are you?
The current attack vector appears to be through open connections to the internet and insecurity of those connections. The Florida hack was accomplished through TeamViewer, which is a relatively common software in the industry, and a leaked password that had not been changed since 2017. The released Rockwell vulnerability allows for the changing of PLC code without requiring access to engineering workstations.
Remote work was trending before the pandemic, and it is now a necessity for many businesses. Many businesses needed to quickly support remote work for employees who didn’t have that ability before. The OT network is no longer an island. Until recently, the OT network was often its own little world, unconnected to any sort of outside network, such as corporate IT or the internet. Now it’s become more connected: devices on the OT network have become accessible from corporate computers, allowing engineers to “remote in” and check things. Some facilities even have their OT and IT devices on the same network. These conveniences attract exploitation.
Working remotely means engineers could possibly allow access to a control system without proper security. An employee might make a spot decision to connect an isolated workstation to the corporate network, enable remote desktop connections, or use third-party remote access software such as TeamViewer. These choices can open the entire network to vulnerabilities – and it’s much more common than you may think.
An attack on the OT systems can result in the loss of product, possible damage to equipment, and access to IT systems through the OT systems. The damage is potentially catastrophic. The 2015 cyberattack on Ukraine’s power grid serves as an example of how something as simple as logging in remotely and not using two-factor authentication can have dire consequences for your business and your clients.
The automation industry’s response appears to be slow but increasing. There is significantly more discussion lately about automation networks in cybersecurity forums and discussions of cybersecurity in automation forums. Generally speaking, automation systems are very lax when it comes to security, due to it only being recently connected to the wider network. When the only devices connected to the automation system were those systems, then things like simple shared passwords that never change were not as big a problem as they are now. At this point, the automation network needs to have the same care and protection applied as the general office network itself.
What can you do?
Know what devices are on your network. This includes company-provided devices, as well as personal devices that may also be connected.
Automation systems should be completely removed from any internet access possible, both incoming and outgoing. Any internet connectivity required should happen through a secure proxy and firewall, which then is able to extremely limit where the devices have access to a handful of websites. Finally, the PLCs should always be placed in the RUN switch position where changes to the code are much more difficult. Also, system backups should be taken regularly and stored offline in case of any compromise.
Companies like Superior Controls can assist IT and automation engineers with risk assessment and a plan to fix these security vulnerabilities. This kind of problem is one that needs to be solved quickly. The longer the project takes, the more exposure companies have. If your team cannot self-perform quickly, consider bringing in an integrator to help with the risk assessment and mitigation plan.
Remember that cybersecurity concerns go beyond the Internet. With more facilities performing maintenance of OT network devices remotely from home, there is an opportunity for exploitation of these devices. Shut down any nonsecure access to OT devices.
Other things to remember:
Convenience vs security – this is an ongoing battle in companies. The companies themselves will need to decide how much risk to take on. Being able to access desktops and devices remotely may be very beneficial, but introduces major vulnerabilities. A device locked in a room with nothing but a power cord is very secure, but rather inconvenient to use. Get your IT team and your operations team talking to find a balance that works for you.
IT vs engineering and collaboration – this is another ongoing battle between IT and engineering teams. IT groups may believe that all of the Windows systems fall into their purview and want to patch on their schedule. Engineering teams are all about production uptime; patching and rebooting the systems is not an option for them. It’s possible to achieve a happy medium if the groups can collaborate. The time it takes to implement critical security updates is nothing compared to what facilities will have on their hands with a security breach.
Accidental IT/OT network convergence – Unplanned expansion can lead to organizations having all their OT and IT devices on the same unmanaged network or having critical systems spanning the OT and IT networks. This leaves them open to multiple vulnerabilities and can threaten systems on both sides.
Tim Ingalls is a Project Engineer at Superior Controls, an E Technologies Group. E Technologies Group is a certified member of the Control System Integrators Association (CSIA). For more information about E Technologies Group, visit its profile on the Industrial Automation Exchange.