Manufacturing is at risk in the U.S.: Manufacturing, Operational Technology, and Cybersecurity

Ron McFarland PhD
8 min read · Jan 5, 2023


Manufacturing in the U.S.

Manufacturing is a broad term and can include anything from making wires and cables, to developing custom parts for the Department of Defense, to brewing and bottling beer. Today’s manufacturing environment is highly technical and often includes not only administrative information systems but also operational equipment that manages and monitors the creation of products on the manufacturing floor. Operational technology (OT) is often described as hardware and/or software that detects or causes a change in the manufacturing process; it provides direct monitoring and control of industrial assets. The term emphasizes the distinction between traditional Information Technology (IT) systems, which usually host administrative tasks, and OT systems, which handle the manufacturing floor environment. The OT environment will often entail a few to all of these technologies:

1. PLC (Programmable Logic Controller): A PLC is an industrial computer adapted to control one or more aspects of a manufacturing process. A PLC can control an assembly line, robotic devices, and other equipment; it is configured and managed through PLC programming languages and reads the various sensors needed to monitor the status of those devices on the factory floor.

2. SCADA (Supervisory Control and Data Acquisition): SCADA is an architecture that provides supervisory control over a network through data and communications links. SCADA typically involves graphical user interfaces that support high-level supervision of the machines and processes in a manufacturing environment, and it incorporates the plant’s sensors and PLCs (remember: PLCs control plant processes or machinery).

3. CNC (Computer Numerical Control): CNC is the automated control of manufacturing hardware, such as drills, lathes, routers, etc., used to produce components from metal, wood, plastic, etc. to a customer’s specification for a manufactured object (a screw, a table leg, etc.). A CNC machine follows coded programming specifications to complete its task. A CNC machine can also be monitored by a PLC/SCADA system, as one item in the ‘constellation’ of production equipment a manufacturer may have on the shop floor.

4. Other OT items. This is the ‘miscellaneous’ bucket. Rather than blow up this article with a comprehensive list of OT items, note that outside of the big 3 above (PLC, SCADA, CNC), manufacturers also incorporate into their environments items like a) lighting control, b) energy monitoring, c) security and safety systems, d) transportation systems, and many other OT components. Additional research on the web can provide a more in-depth list.
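To make the PLC/SCADA split concrete, here is an added example (not code from the article or from any vendor) that models one constructed tank: the PLC runs the scan cycle (read inputs, execute logic, write outputs) and owns a hard safety limit, while SCADA only polls tags and raises operator alarms. The tag names, limits and tank dynamics are assumptions for the demo. The security point it shows is that a setpoint write from a compromised HMI cannot push the process past a limit enforced in the controller itself.

```python
"""Toy PLC / SCADA model. Added example, not from the article; all values are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Plc:
    """Controller for one constructed tank. The hard limit lives here, not in SCADA."""
    hard_limit: float = 90.0      # constructed safety interlock, percent full
    setpoint: float = 70.0        # target level; SCADA may write this tag
    level: float = 0.0            # simulated process value
    inlet_open: bool = False      # output: inlet valve command
    tripped: bool = False         # latched interlock state (needs a local reset)
    trips: int = 0

    def write_setpoint(self, value: float) -> float:
        """Supervisory write from SCADA, clamped so no HMI write can exceed the interlock."""
        self.setpoint = min(float(value), self.hard_limit)
        return self.setpoint

    def scan(self, outflow: float = 2.0) -> dict:
        # 1) read inputs: simulated tank dynamics driven by last scan's outputs
        if self.inlet_open:
            self.level += 5.0
        self.level = max(0.0, self.level - outflow)
        # 2) execute logic: latch the trip at the hard limit, otherwise fill toward setpoint
        if self.level >= self.hard_limit and not self.tripped:
            self.tripped = True
            self.trips += 1
        self.inlet_open = (not self.tripped) and self.level < self.setpoint
        # 3) write outputs / publish tags for the SCADA poll
        return {"level": self.level, "inlet_open": self.inlet_open,
                "setpoint": self.setpoint, "tripped": self.tripped}


class Scada:
    """Polls PLC tags and raises alarms for operators; it supervises, it does not own the interlock."""

    def __init__(self, plcs: Dict[str, Plc], high_alarm: float = 80.0) -> None:
        self.plcs = plcs
        self.high_alarm = high_alarm
        self.alarms: List[str] = []

    def poll(self) -> Dict[str, dict]:
        snapshot = {}
        for name, plc in self.plcs.items():
            tags = plc.scan()
            snapshot[name] = tags
            if tags["level"] > self.high_alarm:
                self.alarms.append(f"{name}: HIGH LEVEL {tags['level']:.1f}%")
        return snapshot


def run_demo(steps: int = 40, rogue_setpoint: Optional[float] = None) -> dict:
    """Run the loop; optionally inject an out-of-range setpoint as a compromised HMI would."""
    plc = Plc()
    scada = Scada({"TANK-01": plc})
    if rogue_setpoint is not None:
        plc.write_setpoint(rogue_setpoint)
    peak = 0.0
    for _ in range(steps):
        peak = max(peak, scada.poll()["TANK-01"]["level"])
    return {"peak_level": peak, "alarms": len(scada.alarms),
            "trips": plc.trips, "effective_setpoint": plc.setpoint}


if __name__ == "__main__":
    print("normal:", run_demo())
    print("rogue setpoint 150:", run_demo(rogue_setpoint=150.0))
```

In the normal run the level settles around the 70% setpoint and no alarm fires. With a rogue write of 150%, the PLC clamps the setpoint to 90%, SCADA raises high-level alarms as the tank passes 80%, and the latched trip closes the inlet at 90% and keeps it closed until a local reset. Putting the limit in the HMI instead would leave nothing between an attacker with SCADA write access and the physical process.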

Operational Technology Challenges

Cybersecurity incidents in the OT environment

Cybersecurity incidents in the operational technology (OT) environment can have significant consequences, as OT systems are often critical to the safe and reliable operation of industrial processes and infrastructure. These incidents can range from simple network security breaches to more complex attacks that exploit vulnerabilities in OT systems, potentially leading to disruptions, financial losses, and even physical damage. Examples of cybersecurity incidents in the OT environment include:

· Malware infections: Malware is a type of software that is designed to infiltrate or damage computer systems. In the OT environment, malware infections can have serious consequences, as they can disrupt or damage critical systems that are responsible for the safe and reliable operation of industrial processes and infrastructure. Malware can be introduced into OT systems through infected USB drives, phishing emails, or other means, and can be difficult to detect and remove.

· Unauthorized access: Unauthorized access to OT systems refers to any attempt to gain access to the system without permission. This can be done by external attackers or malicious insiders, who may try to gain access to the system to steal sensitive data, disrupt the system, or make unauthorized changes. Unauthorized access can be difficult to detect and prevent, as it may involve sophisticated tactics such as social engineering or the exploitation of vulnerabilities in the system.

· Network breaches: Network breaches refer to unauthorized access to an OT network, either through unsecured connections or by exploiting vulnerabilities in network devices. Network breaches can allow attackers to gain access to sensitive data or disrupt the system and can be difficult to detect and prevent.

· Industrial control system (ICS) attacks: Industrial control systems (ICSs) are used to control and monitor industrial processes, such as those in manufacturing, energy, and transportation; ICS is the umbrella term that covers the PLC and SCADA components described above. ICSs can be targeted by attackers who try to gain access and manipulate the system, potentially leading to physical damage or safety risks. These attacks can be difficult to detect and prevent, as they may involve sophisticated tactics such as spear phishing or the exploitation of zero-day vulnerabilities.
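Three of the four incident types above (malware via USB, unauthorized access, and ICS manipulation) leave traces in ordinary host and gateway logs if anyone looks. As an added example, not code from the article, the script below runs a few simple rules over constructed key=value log lines: a logic download to a PLC from anything other than the authorized engineering workstation’s own address, a logic download outside the maintenance window, a USB mount on an OT host, and a successful logon that follows a burst of failures. The log format, host names, addresses, allowlist and maintenance hours are all assumptions made for the demo; real ICS logging varies by vendor.

```python
"""Rule-based triage of constructed OT event logs. Added example, not from the article."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed allowlist: engineering workstation -> the only source address it
# should ever push control logic from (its own console address).
AUTHORIZED_EWS: Dict[str, str] = {"EWS-01": "10.20.5.4"}

# Constructed: hours (UTC) during which logic downloads are expected.
MAINTENANCE_HOURS = range(7, 18)

# Constructed sample events in a simple key=value, syslog-like form.
SAMPLE_LOG = """\
2023-01-05T09:02:11Z host=EWS-01 src=10.20.5.4 user=j.engineer event=logic_download target=PLC-03
2023-01-05T09:40:55Z host=HMI-02 src=10.20.5.12 user=operator event=usb_mount device=USB-flash
2023-01-05T22:15:03Z host=VPN-GW src=172.16.9.31 user=svc_remote event=logon_failure target=EWS-01
2023-01-05T22:15:09Z host=VPN-GW src=172.16.9.31 user=svc_remote event=logon_failure target=EWS-01
2023-01-05T22:15:14Z host=VPN-GW src=172.16.9.31 user=svc_remote event=logon_failure target=EWS-01
2023-01-05T22:15:20Z host=VPN-GW src=172.16.9.31 user=svc_remote event=logon_success target=EWS-01
2023-01-05T22:17:48Z host=EWS-01 src=172.16.9.31 user=svc_remote event=logic_download target=PLC-07
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def triage(log_text: str, window: timedelta = timedelta(minutes=5),
           failure_threshold: int = 3) -> List[dict]:
    """Return findings in log order; each is {'rule', 'ts', 'detail'}."""
    findings: List[dict] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)

    def flag(rule: str, rec: dict, detail: str) -> None:
        findings.append({"rule": rule, "ts": rec["ts"], "detail": detail})

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ev, ts, src, host = rec.get("event"), rec["ts"], rec.get("src"), rec.get("host")

        if ev == "logic_download":
            # Rule 1: only the authorized EWS, from its own address, may program a PLC.
            if AUTHORIZED_EWS.get(host) != src:
                flag("unauthorized_logic_download", rec,
                     f"{rec.get('user')}@{src} programmed {rec.get('target')} via {host}")
            # Rule 2: logic changes outside the maintenance window deserve a look.
            if ts.hour not in MAINTENANCE_HOURS:
                flag("off_hours_logic_download", rec, f"{rec.get('target')} at {ts:%H:%M}Z")
        elif ev == "usb_mount":
            # Rule 3: removable media is a classic malware path onto OT hosts.
            flag("usb_mount_on_ot_host", rec, f"{rec.get('device')} on {host}")
        elif ev == "logon_failure":
            # Keep only failures from this source inside the sliding window.
            recent_failures[src] = [t for t in recent_failures[src] if ts - t <= window] + [ts]
        elif ev == "logon_success":
            # Rule 4: a success right after a burst of failures looks like guessed credentials.
            recent = [t for t in recent_failures[src] if ts - t <= window]
            if len(recent) >= failure_threshold:
                flag("logon_success_after_failures", rec,
                     f"{rec.get('user')}@{src} -> {rec.get('target')} after {len(recent)} failures")
            recent_failures[src].clear()
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['rule']:<32} {f['detail']}")
```

On the sample data the first logic download (daytime, from the authorized workstation and address) is silent, while the USB mount, the logon that succeeds after three failures, and the late-night download of PLC-07 from the remote session each produce a finding. The point is not the specific rules but that a PLC program change is a high-value event worth logging and reviewing against a known-good list of who may make it.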

Preventing OT Cybersecurity Incidents

Preventing cybersecurity incidents in the OT environment requires a combination of strong security measures, such as securing networks, implementing access controls, and regularly updating and patching systems, as well as robust incident response planning to minimize the impact of any incidents that do occur.

· Malware infections: Control the paths malware uses to reach the floor. Restrict removable media on engineering workstations and HMIs (scan or block USB drives), keep e-mail and web browsing, which invite phishing, off OT hosts, and use application allowlisting on fixed-function OT machines so that only approved programs can run.

· Unauthorized access: Give each person and each system only the access it needs (least privilege), use individual accounts rather than shared operator logins, require multi-factor authentication for any remote access into the OT network, and log and review logons and configuration changes on PLCs, HMIs, and engineering workstations so that social engineering and credential misuse can be detected.

· Network breaches: Segment the network so that the OT floor is not directly reachable from the corporate IT network or the Internet; place shared services (historians, remote-support jump hosts) in an intermediate zone, allow only the specific flows the process needs, and keep network devices patched with their default credentials changed.

· Industrial control system (ICS) attacks: Inventory PLCs, SCADA servers, and CNC controllers and track vendor advisories for them; test and apply patches in planned maintenance windows, since many OT devices cannot be patched while the process is running; keep offline, verified backups of controller programs and HMI configurations; and monitor OT traffic for unexpected commands such as logic downloads or setpoint writes from unusual sources.

Recovering from a cyberattack in an OT environment

Recovering from a cyberattack in an OT environment can be quite complex, as the mix of technologies on a manufacturing floor can present quite a bit of complexity in a recovery plan. Here are some general steps that may be involved in recovering from a cyberattack in an OT environment:

· Isolate and contain the attack: The first step in recovering from a cyberattack is to isolate and contain the attack to prevent it from spreading or causing further damage. This may involve disconnecting the affected OT system from the network, shutting down non-essential systems, or physically isolating the affected equipment. It is important to take these steps quickly to minimize the impact of the attack and prevent it from spreading to other systems.

· Assess the damage: Once the attack has been contained, it is important to assess the damage that has been done and determine the extent of the disruption to the industrial process. This may involve reviewing log files, analyzing network traffic, and inspecting the affected equipment. It may be necessary to bring in experts to help with this process, depending on the complexity of the system and the nature of the attack.

· Restore normal operation: The next step is to restore normal operation of the industrial process. This may involve repairing or replacing damaged equipment, restoring data and controller programs from backups that have been verified as untouched by the attacker, and reconfiguring the affected OT system. It may also be necessary to coordinate with other teams and stakeholders, such as maintenance personnel, in order to fully restore the system to normal operation.

· Strengthen defenses: Once normal operation has been restored, it is important to take steps to strengthen the OT system’s defenses against future attacks. This may involve implementing additional security measures, such as improving network security, implementing access controls, and regularly updating and patching systems. It may also be necessary to review and update incident response plans to ensure that the organization is prepared to respond to future attacks.

· Review and learn: After a cyberattack, it is important to review the incident and learn from it in order to prevent future attacks. This may involve conducting a root cause analysis to identify the cause of the attack and any vulnerabilities that were exploited, and implementing corrective actions to address these vulnerabilities. It may also be necessary to review and update security policies and procedures to ensure that the organization is better prepared to prevent and respond to future attacks.

In general, recovering from a cyberattack in an OT environment can be a complex and time-consuming process, and it is important to have robust incident response plans in place to minimize the impact of any incidents that do occur.
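The restore step above depends on the backups themselves being trustworthy; an attacker who reached the backup share can leave an altered PLC project waiting to be restored. As an added example, not code from the article, the script below records a SHA-256 hash of every file in a backup set plus an HMAC over the hash list (keyed with a secret kept offline), and refuses a restore if any file is modified, missing, or unexpected, or if the manifest itself was edited. The file names, contents and key are constructed for the demo.

```python
"""Verify a PLC/HMI backup set before restoring it. Added example, not from the article."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Taken when the backup is made: per-file SHA-256 plus an HMAC over the list,
    keyed with a secret stored offline (not on the backup server)."""
    files = {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> Dict[str, str]:
    """Per-file status for a backup set. Any value other than 'ok' blocks the restore."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(manifest["mac"], hmac.new(key, body, "sha256").hexdigest()):
        return {"<manifest>": "tampered"}          # the hash list itself was altered
    status: Dict[str, str] = {}
    for name, expected in manifest["files"].items():
        path = backup_dir / name
        if not path.is_file():
            status[name] = "missing"
        elif not hmac.compare_digest(sha256_file(path), expected):
            status[name] = "modified"
        else:
            status[name] = "ok"
    for path in backup_dir.iterdir():             # files the manifest never saw
        if path.is_file() and path.name not in manifest["files"]:
            status[path.name] = "unexpected"
    return status


def restore_allowed(status: Dict[str, str]) -> bool:
    return bool(status) and all(v == "ok" for v in status.values())


def demo() -> dict:
    key = b"constructed-offline-manifest-key"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "PLC-03_project.bin").write_bytes(b"constructed ladder logic, rev 12")
        (backup / "HMI-02_screens.xml").write_bytes(b"<screens/>")
        manifest = build_manifest(backup, key)
        clean = verify_backup(backup, manifest, key)

        # Simulate the attacker reaching the backup share after the manifest was taken.
        (backup / "PLC-03_project.bin").write_bytes(b"constructed ladder logic, rev 12 + implant")
        (backup / "dropper.exe").write_bytes(b"MZ")
        dirty = verify_backup(backup, manifest, key)

        # Simulate the attacker also editing the manifest to match the new hash.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["PLC-03_project.bin"] = sha256_file(backup / "PLC-03_project.bin")
        forged_status = verify_backup(backup, forged, key)
    return {"clean": clean, "dirty": dirty, "forged": forged_status,
            "restore_clean": restore_allowed(clean), "restore_dirty": restore_allowed(dirty),
            "restore_forged": restore_allowed(forged_status)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HMAC is what makes the manifest useful after a compromise: a plain hash list stored next to the backups can be rewritten by the same attacker who rewrote the PLC project, while a keyed manifest cannot be regenerated without the offline key. In practice the manifest and key should be produced as part of the routine backup job, so that a known-good reference already exists when the incident happens.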

Summary

Recovering from a cyberattack in an operational technology (OT) environment can be a complex and challenging process, as OT systems are often critical to the safe and reliable operation of industrial processes and infrastructure. The specific steps involved in recovering from a cyberattack will depend on the nature and severity of the attack, as well as the specific OT system and industrial process involved. While this article presented a summary list of recovery steps, including restoring from backups, the OT environment is often quite complex, and every manufacturer is unique. Taking the time to develop a robust recovery plan is essential for manufacturers.

About the Author

Ron McFarland, Ph.D., CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, an MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security, and other Cisco courses. He was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, Ph.D., MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured

Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)