What OT needs to know about cybersecurity
Source: William Pao, a&s International
Needless to say, industry 4.0
has become a widespread and popular concept among manufacturers, who increasingly rely on connected devices and the data they generate to achieve further automation and efficiency. However, this has also introduced new risks, particularly threats and security breaches
against OT devices and equipment that are not properly protected. Following certain best practices and industry guidelines governing the security of OT, therefore, has become a top priority.
The industrial revolution has gone through several stages. The biggest change seen in the transition from Industry 3.0 to 4.0 is the presence of more connected devices on the factory floor, generating data that help the OT team gain better insights into the overall health and status of operation. A production manager, for example, can be quickly informed of an impending machine failure and act accordingly.
However, this increased connectivity has also brought new risks. “With network connectivity, the security of connected devices inevitably becomes an issue,” said Robert Kuo, Product Marketing Manager for IIoT Solutions at Moxa
. “Once you’ve upgraded the network infrastructure of your facility, but not the security of the device itself, you will definitely face higher security risk, and that’s what we’ve seen today.”
And an attack on OT systems can lead to dire results. “A direct consequence of OT being attacked by threat actors is an immediate stoppage on production, which will cause the manufacturer to lose revenue, profit, as well as their brand image and reputation,” Kuo said.
What makes OT equipment vulnerable?
Common OT devices and equipment include meters, sensors, gateways as well as controllers such as programmable logic controllers. All of them are subject to security threats when connected to the network.
"The OT devices most vulnerable to attack are those that have the following characteristics: weak identification/authentication capabilities, default user name/password still active, insecure Web or Wi-Fi Interface, lack of encryption
, insufficient security built in and insecure firmware,” said Ernie Hayden, Founder and Principal of 443 Consulting
. “IIoT devices may not have adequate computing capability or battery power to effectively manage encrypted signals and data flow. Therefore, it may be ‘easier’ to not encrypt the signals, thus exposing the IIoT and OT networks to easier hacks.”
According to him, the pace of growth of the inventory of IIoT devices is extraordinarily high. “Thus, there are multitudes of options for plant engineers to install IIoT devices in the OT environment in order to make the plant easier to ‘read.’ That said, these extra devices can cause more problems than benefits if not managed properly as shown in the list above,” Hayden said. “Installation of each IIoT device into the OT network needs to be disciplined and analyzed on an item-by-item basis rather than rushing to install multiple IIoT devices without adequately assessing the impacts."
Following industry guidelines
Following best practices and industry guidelines dictating the security of OT also helps. According to Hayden, there are multiple guides in industry for the protection of operational technology.
"For instance the North American electric industry has mandated rules from the North American Electric Reliability Corporation (NERC) and the Critical Infrastructure Protection (CIP) standards. The American Water Works Association (AWWA) offers a security guideline for the protection of water/wastewater treatment plants,” he said.
Another useful set of guidelines to follow is the IEC 62443 standard, which constitutes a series of standards, reports and other relevant documentation that define procedures for implementing electronically secure industrial automation and control systems (IACS) and that, if followed properly, can significantly lower the risk of cyberattacks affecting the industrial network, according to Moxa.