Cyber attacks are on the rise in nearly every industry and show no signs of slowing down anytime in the near future. Where there once was a dedicated effort to gain access to the programmable logic controller (PLC) and interfere directly with a specific program, cyber criminals have now moved into a higher tier of intelligence. Now, gaining access to a PLC can provide hackers with access to entire network systems, amplifying the chaos they are able to create.
According to a research paper from Claroty (an industrial cybersecurity software supplier), “These hackers are attempting to exploit the network through the engineering workstations and any disparity between your IT and OT operations can really open a window of opportunity for what we have seen called an Evil PLC attack.”
With this kind of access, criminals can hack into your entire system and mess with your production line, electrical grid, or water systems that service entire regions. And with labor shortages being experienced across the industrial and utility markets—along with the looming retirement of many subject matter experts—the threat is more real than ever.
Facing the ever-growing threat of cyber-attacks, it may seem like a no-win situation, but there are measures you can take now to protect yourself and ensure those you bring into your organization are following protocols meant to protect you. But what are those measures?
By now, we may all have seen more phishing videos and scenarios than we could possibly count. But phishing cyber-attacks are just the tip of the iceberg. Stolen identity and external attacks are on the rise and quickly becoming the largest cyber threat, not just on smartphones, but on large utility and industrial systems.
In some ways, the protection measures for both personal devices and large systems echo each other despite the larger scale. Let’s examine a few:
No more sticky notes: How many operations require several operators to activate the same systems throughout the course of a 24-hour shift or 7-day workweek? This obviously requires password access to a system, and with multiple users, that can be a challenge. But this challenge is not effectively or safely met by placing a sticky note on the machine itself containing the username and password. Require your operators to set a memorable, strong password—12 characters or longer—that has not been used before to authenticate access.
Multi-factor authentication: Research from Microsoft indicates use of multi-factor authentication can prevent up to 99% of cyber-attacks. Have your IT team institute multi-factor authentication across your company, especially on systems that control your production and business processes. The more gated arenas a cybercriminal must work through, the more likely they are to go another direction.
Appropriate levels of access: Not everyone in your organization needs access to every bit of information within your organization. Managing access to your most vital systems, or opening windows of access that close after a specific time frame, limits the number of open access points to your systems. Strong communication with any external teams will allow them to be effective while onsite, but also keep you protected. This is a balancing act, as you cannot update or make changes to the system without access, but limiting that need to just a few individuals or to a limited amount of time mitigates your risk significantly.
Policies and procedures: After assessing your own plant risk, as well as the risk tolerance of your organization, implement policies and procedures and educate your employees about them. Forcing compliance with those policies and procedures is critical. And this extends to any outside assistance you bring in. Requiring qualified partners and vendors to follow your policies and procedures puts one more level of security in place.
Use a certified system integrator: Certified integrator businesses have taken the time to ensure their engineering practices are solid. They have also gone to lengths to make sure their business practices are backed by an external audit. Teams with that kind of backing are a good bet for ensuring engineers are up to date on the latest patches and cyber concerns.
With cybersecurity, there is no silver bullet that will 100% guarantee prevention of a cyber-attack on your system. Prioritizing the security of your physical plant and digital network can lessen the chances that you’ll be facing a tough scenario when systems go down and code is held hostage. Start by doing a risk assessment in your own organization or hire a certified expert to help you walk through the process to make you as safe as possible.
Keith Mandachit, PE is an Engineering Manager, and Eric Chambers is a Senior Network/IT Specialist at Huffman Engineering Inc., certified members of the Control System Integrators Association (CSIA). For more information about Autoware, visit its profile on the Industrial Automation Exchange.