03 Aug

Cybersecurity Controls for the Manufacturing Environment

The endless barrage of cybersecurity attacks and data breaches in recent history is cause for concern for every company in every industry including manufacturers. Perhaps especially manufacturers – since manufacturing may be the only industry where a cyber-attack may result in explosions or even car crashes. For example, in 2014 attackers disrupted the plant control systems in a German steel factory to such a degree that a blast furnace could not be properly shut down, resulting in “massive damage”.

Large boilers like this are often monitored and controlled electronically.

While IT security practices apply there are some nuances at the plant level that should be considered as well. Here are a few examples:

Physical Security

Physical security might seem obvious, but it’s an area manufacturing facilities fall short time again. But why? Location. Most manufacturing facilities are located in rural locations so plant management naturally feel less at risk than those companies in more congested areas. Feeling safe means people let there guard down. Here are a few things you should look for:

  • Access to the manufacturing facility,
  • Access to IT components and infrastructure,
  • Access to network equipment,
  • Access to the plant floor, and
  • Security cameras and alarms.

Note: It is also noteworthy that many manufacturing systems can be breached if you can connect physically (we’ll get to that in more detail later).

Wireless Networks

Wireless access points are often used as communication points between equipment components in the plant. Wiress is easier (and often safer) because physical wiring doesn’t have to connect disperse equipment components; however, it also introduces cyber-risk. A recent report even discussed drone malware delivery systems for hard-to-reach wireless access points like those in the manufacturing environment. Here are a few things to consider:

  • Are all wireless access points accounted for?
  • Are routers, hot-spots, and devices up-to-date and hardened?
  • Have the default administrative credentials been changed?
  • Who has access to these systems?
  • What is the range of the wireless signals?
  • What mechanisms are in place to detect a potential breach?

Process Control Networks

For me, this one might be the most important. The Process Control Network (PCN) is the crux of the manufacturing environment. It is the components that control production – and if compromised could lead to plant downtime (or those explosions we talked about earlier). Here are a some things to consider:

  • Internal and external access to the PNC,
  • Change Management around the PNC (and PLC),
  • Patches and updates to the PNC and related IT infrastructure,
  • Physical fail-safe mechanisms in the event the PNC is compromised, and
  • Backup and DR of the PNC.

Note: More on PNC security.

IT Infrastructure

Managing IT infrastructure at the plant level is a challenge. From my experience, the physical environment (heat, dust, location) combined with resource restraints (dedicated IT professionals, money for updated equipment) makes for a hard-to-solve problem. But there are a few things consultants should think about:

  • Is there an inventory of critical IT infrastructure (business impact analysis)?
  • Is IT infrastructure up-to-date (think patches, firmware, software)?
    • Can IT infrastructure be updated at all (or will it break things?)?
  • Where are the failure points (related to business impact analysis)?

PCs and Laptops

Data shows that most cybersecurity events are the result of humans. So anything that humans interact with on a regular basis are subject to higher levels of risk. This is why PCs and Laptops should be closely monitored. Here are a few things I like to see:

  • Pay close attention to PCs and Laptops that have internet access and also access manufacturing equipment (PNC or PLC).
    • How are these PCs and Laptops managed and controlled?
  • Devices considerations include:
    • Encryption methods,
    • Patches and Antivirus,
    • Restoration methods,
    • Network and wireless access methods, and
    • Administrative access to the device.

If you can get these five things right you have the beginning of decent cybersecurity program.

2 thoughts on “Cybersecurity Controls for the Manufacturing Environment

  1. Christian,
    The PNC issue is very real. In one manufacturer, during a penetration test, I was able to take over the PNC server. I suddenly had control over A/C, pumps, everything. Everything in a million square feet of manufacturing space.

    And what was protecting it? A default password.

    In another company, also manufacturing, during a routine review of an employee’s workstation (who was walked out the door for hacking), I found a link that provided whoever clicked it admin access to the ecommerce server on which all the dealers ordered their products. This link worked through the firewall from the Internet.

    At first, I thought the employee created the link, but I found out the link was put there for the use of the developers (it was a homegrown app).

    Again, this is why I left manufacturing. The cost pressures are often so high that some businesses can’t afford to remediate.

    Unfortunately, the more cash-heavy sectors are often just as bad, but they have the money to throw at it.

    • That’s a great anecdote about the PNC. I really think it is something that should be higher on every manufacturing (and consulting) company’s list. Luckily, with the increased concern about cybersecurity manufacturing companies are finding the money to remediate.

Leave a Reply