Cybersecurity Affects All Manufacturers

By Ken Modeste, Director, Connected Technologies, UL Commercial & Industrial Business Unit

In March 2018, the Department of Homeland Security (DHS, Washington, dhs.gov) and the Federal Bureau of Investigation (FBI, Washington, fbi.gov) issued a joint Technical Alert (TA) about the Russian government’s actions targeting U.S. government entities, as well as organizations in the energy, nuclear, commercial, water, aviation, and critical-manufacturing sectors. The DHS and FBI have seen cyber-attackers targeting small commercial-facility networks where they staged malware, conducted spear phishing, and gained remote access into energy-sector networks. After obtaining access, the Russian cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS).

In 2015, DHS identified a doubling of cyberattacks against critical manufacturing, including automakers, aviation-equipment manufacturers, and producers of metals, machinery, and electrical equipment. The U.S. National Center for Manufacturing Sciences (NCMS), Ann Arbor, MI (ncms.org), stated that, in 2016, there was an increase in cyberattacks in the manufacturing sector from 33% of all such events in the U.S. to 39%, at a cost of between $1 million and $10 million.

In the manufacturing sector, these attacks are growing by way of competitors attempting to steal IP (intellectual property), manufacturing processes, and process components. Their targeted attacks, if the intent is to disrupt operations, can also pose a risk to safe facility operations. As plants become more connected with software systems, the Industrial Internet of Things (IIoT), and other means of increasing automation and addressing productivity, they eventually create greater opportunities for adversaries to compromise these systems.

Manufacturing systems traditionally have been developed to focus on safety and production.  However, with greater connectivity and the creation of new attack surfaces (weaknesses in the design of a plant that an adversary can use to compromise a system), security is becoming increasingly critical for today’s—and tomorrow’s—industrial operations.

As facilities increase in size and complexity, organizations are now integrating operational technology (OT) networks with business IT networks. This requires OT and IT staff to work closely to address security issues. Having competent staff that can traverse these domains is also becoming more challenging.

According to information from the Herjavec Group report, Los Angeles (herjavecgroup.com), there will be a global shortage of 2 million cybersecurity professionals by 2019. That shortage will increase to 3.5 million by 2021. The resulting, and ongoing competition to acquire talent from a smaller pool will generate additional problems for manufacturers.

Nature of Attacks

Some types of cyberattacks, such as those listed in the Joint DHS/FBI report, can be phishing emails (from compromised legitimate accounts) that target key people in an organization with advanced malware, using watering-hole domains, credential gathering, open-source and network reconnaissance, and attacks against the ICS infrastructure. All of these attacks can result in a loss of IP or trade secrets, providing a market advantage for the hacker and/or financial and reputational damage for the organization that was attacked.

The process typically involves a premeditated attack on a specific target, rather than a target emerging from a random attack or reconnaissance. The attacker then uses publicly available information to gain access to the facility’s network and to search for data about network design and control-system functions within the operations.

In one case, cyberattackers used an online photo of the facility. When the image was downloaded, it was discovered to be a high-resolution photo that contained, in the background, control-system equipment models and status information.

Once cyber-criminals understand a network layout, they can target employee credentials through phishing (sending emails to employees with malware of corrupt links that, when accessed, allows insertion of an attack code on the victim’s system). That action, in turn, can be used to pivot into targeting other key systems within the company.

Facilities need to consider plans to prepare for these eventualities. An attacker who extracts sensitive data can compromise an organization’s plans to differentiate with new processes.

Downtime or hazards in the manufacturing processes can also become public fairly easily.The associated reputational harm that can come to an organization in some situations can make them prone to blackmail with sabotage of processes, extortion, and malicious damage to networks and information systems being a real concern.

One of the biggest threats to the manufacturing industry lies in securing the ICS that are responsible for driving production for an organization. Typical ICS can have lifetimes of 15 to 30 years before being upgraded.

Systems such as these have inherent challenges with updating to the latest patches and software. Historically, manufacturers “air gapped” them by denying connectivity to outside enterprise systems or the internet. Newer IoT solutions that increase productivity and automation are tending to remove these air gaps. Modern ICS components, however, are increasingly connected to the internet, enterprise, and/or third-party systems.

With these types of challenges, and the use of legacy equipment, a facility’s plans to deploy newer technologies shouldn’t be deferred for security risks, but should move forward accordingly.

Organizational Preparedness

To be clear, organizations need to address cybersecurity as an important element of their systems’ well-being and make it a focus in management and executive decisions, workforce planning and education, and future investment budgets. Cybersecurity needs to be viewed as an enabler for constantly changing capabilities around automation, robotics, and connected plant floors. Therefore, an organization needs to protect its manufacturing operations from criminal organizations, nation-state actors, and hackers.

To prevent loss of company secrets or disruption in productivity, an organization needs to develop a plan that is based on its cybersecurity objectives and associated risks, as well as specifying how to respond to those risks. Start by training responsible employees to protect an organization where it matters the most, in its production. EP

UL’s CAP Protects Manufacturer Assets

In 2016, UL (Underwriters Laboratories Commercial and Industrial Business Unit, Northbrook, IL, ul.com) launched its Cybersecurity Assurance Program (UL CAP) to help manufacturers, system integrators, end users, and operators.

It is designed to work with stakeholders in the manufacturing industry who are concerned about cybersecurity risks. The program is based on three main elements:

• securing a manufacturer’s supply chain

• educating a manufacturer and its contract-team workforce

• assessing a facility.

UL offers testing, assessments, and, ultimately, certification to an end-user supply chain by providing standards based on worldwide best practices for securing factory automation. The UL 2900 series of standards provides guidance on how to test, evaluate, and certify products, devices, components, and systems that can be used in factories. The standards are designed to evaluate these products, and “hack” them throughout the process based on best-practice guidelines.

The standards are also designed to look at a vendor’s best practices and assess and certify those vendors. A combination of using an independent, trusted third party to test and certify products and validate processes can provide a manufacturer with clear criteria for project designs when soliciting vendors for a design out.

These standards can be used to vet the cyber health of the products and systems. UL can also test, evaluate, and certify to other relevant standards, such as the IEC 62443 series of standards for industrial automation.

UL has developed an educational program to train employees on some of the best practices available. These educational programs point to best practices such as UL 2900, IEC 62443, NIST Cybersecurity Framework, procurement language guidelines from Department of Energy (DOE) and National Institute of Standards and Technology (NIST), and other industry best practices.

UL can work with organizations to perform site-implementation assessments based on reviewing facility operating procedures, interviewing staff, and testing the actual industrial-control system implementation for security design flaws and weaknesses. Organizations can use site assessments to determine their cybersecurity readiness and measure against what other organizations in the industry have adopted as best practices.

For further information, visit UL.com/cybersecurity or contact the company at ULCyber@ul.com.