Get wise to cyber threats

Register for Free  Sign In

Essentially, cyber security issues are the same across all industry sectors. The issues stem from the fact that all industry sectors are starting to automate their processes to help increase productivity and efficiency and this requires greater connectivity, which can also expose systems to attack. 

The biggest differences between the different industry sectors really comes down to the consequence of a successful attack. “We are seeing attacks taking place on a daily basis across all sectors of industry,” said Paul Hingley, product security and solution officer at Siemens Digital Industries. 

“Many are criminally motivated while some are sneaker hacks, from people trying to gain access for their own entertainment. The criminal attacks are usually looking to create a denial of service and so ransomware is becoming more prevalent across industry. This has resulted in hackers turning their attention to the softer targets provided by the operational technology (OT) layer.”

Industrial OT investments can have anywhere from 10 to 20-year cycles, while IT investment is more usually in cycles of between one and four years. This means that the IT infrastructure will generally be better protected. A great deal of legacy equipment still in operation in the OT world was not originally designed for external connectivity and will never have been patched and this is why it offers a softer target for cyber-attacks.

Hingley, who gave a plenary presentation on the issue of cyber threats at Siemens’ Digital Talks conference In the UK earlier this year, has been involved in helping many food companies recover following a cyber-attack. 

One particular attack instigated a denial of service which resulted in the plant being offline for two weeks, costing the company billions of pounds in lost production. “To regain control of production, it was necessary to strip the software system and undertake ‘clean slate’ processes in order to bring the plant back into normal operational activity. This involved looking at the installed software to find anomalies and to apply the correct patches. 

“We found that this particular attack was instigated onsite, via a USB. On another site we identified an attack as coming via a PC employed in the automation layer which had been used to download patch updates which at the same time had inadvertently installed a vulnerability,’ continued Hingley. 

“Such events often occur due to the lack of protection originally installed on OT equipment – and this highlights the importance of undertaking security audits, so that engineers can understand what their installed base actually is and what connections they have. We find that many customers have remote access connections in the plant that they didn’t know had been applied by their solution providers.”

In many factories there will be no levels or depth of security due to the particularly long lifecycles of OT equipment. Today, however, there is a growing sense of purpose among engineers to better understand how legacy systems have been adapted over the years to incorporate other elements of control. Often engineers will find that a lot of work has been undertaken on installed systems over the years – additions to the system and to plant equipment – which has not been documented. This is why an audit is always a good place to start when considering cyber security solutions.

Traditionally, new machine or equipment installations have required integration of a new PLC or controller into the existing system. Most end users have relied on the competence of their solution provider to install this correctly and to the relevant compliance standards. However, the technical file that gets created will usually relate specifically to safety compliance. 

“Appreciation that one the biggest areas of compromise of a cyber-attack is denial of service is not widespread,” said Hingley. “So, while a new system will have been correctly applied from the perspective of the technical file, the bigger problem is that if the safety system is affected by a security breach it may result in a complete denial of service of the safety system and so it would, legally, become a non-compliant machine!” 

It is for this reason that the worlds of safety and security are moving closer together and the HSE is becoming more involved with the requirements of security. “There is a whole new world of systems starting to appear because of the digital transformation that many factories are starting to undertake,” said Hingley. He advises that best practice, when it comes to security, is firstly to gain an understanding of existing architectures and networks and to develop a database of these systems.  The next step is to develop an audit around the connectivity and what is happening within the system. “Most audits undertaken by Siemens will take a bespoke approach because legacy equipment and systems need different types of auditing to understand how a connection is interfacing across the whole of the automation layer,” he said.

The next step is to aspire to follow the guidelines of IEC 62443. This covers technical specifications as well as the maturity levels and processes that are required within the OT domain, such as passwords and how to control them. “These are processes can be applied with technology and when they work together you will have created a defence-in-depth approach,” concludes Hingley.

The IEC Standard 62443 creates a defence in depth approach, looking at the technology that needs to be applied to the automation layer, it also looks at the maturity of the processes themselves that have to be applied into that level of control. The National Cyber Security Centre (NCSC) also offers guidance documents on best practice relating to automation control and discussing the practices that should be put in place.