With the manufacturing industry more exposed to cyber attacks in recent years, Manufacturers’ Monthly speaks with RSM Australia’s cyber expert Ashwin Pal about the importance of understanding and dealing with the threats to the operational and information technology environments.
Throughout his 25 years in cyber security, Ashwin Pal has seen it all. Now heading Sydney's cyber security division at RSM, Pal spent 18 years of his career working with system integrators in the field, building and breaking different systems. He has always had a part to play in the manufacturing industry, seeing the impacts of underinvestment and a lack of knowledge in this area throughout the years.
Cyber security incidents are growing exponentially globally, and manufacturing continues to be a key target.
In June 2020, Australian beverage giant Lion was hit by a major cyber-attack that knocked out internal IT systems as well as operational technology, halting manufacturing and impacting customer orders. A second cyber-attack further disrupted the IT systems, prompting the company to strengthen its network defences while it continued to undo the damage from the first attack.
Global meat processing company JBS Foods recently paid $14.2 million to a criminal cyber gang to end a five-day attack that halted its operations around the world, including in its Australian facilities. The five-day shutdown threatened Australia’s meat supply chain, with temporary staff lay-offs at some of the company’s plants and reports from farmers of shipments of livestock being cancelled.
According to Pal, probability and impact are the two reasons why manufacturing is a logical target for hackers.
“The probability for them getting through is going to be a lot higher because manufacturing is arguably behind a lot of other industries in terms of cybersecurity.”
“The impact is much greater as well – when the factory floor shuts down, the cost is much greater because of all the inventory and raw materials involved.”
Because manufacturing revolves around operational efficiency, cyber security can be easily overlooked. More often than not, technology on the factory floor is managed by workers focused on operations, who may not have the skillset to manage operational technology (OT) systems if something goes wrong.
A huge focus – rightly so – is placed on ensuring the operational technology is running constantly, but a sole concentration on keeping the lights on leaves vulnerabilities, which hackers can and have exploited.
“A lot of the equipment which comes in hasn’t been set up to be secure. The operational workers who set it up aren’t security focused, they are focused on making sure that robotic arm for welding is working, for example. They might not have changed the default administrative password. All it takes is someone to set up a wireless network from the factory floor and they have access to that robotic arm, which in turn can inject ransomware into the network and kill all the robotic arms.”
When RSM engages with a client, the team undertakes a holistic assessment from cyber through to the OT environment. A thorough risk analysis using the appropriate standards is done in conjunction with penetration testing on both sides (IT and OT), giving the client the perspective of what they look like to a hacker.
“In between both exercises you see where the gaps lie and how exploitable they are,” Pal said. “In essence, we can provide advice to what a transformation program might look like for a client and make sure once they have climbed the mountain they don’t begin to slide down it.”
Just like with digital transformation, the temptation to completely overhaul an entire cyber security network at once might be pre-emptive and ineffective. It’s more useful to drip-feed improvements, beginning with the fundamentals. Pal explained that it’s important to isolate the “quick wins” first, which are quick to deploy and show runs on the board. Committing to a million-dollar project in this space can lead to executives running out of patience and killing it, leaving areas for hackers to exploit.
Pal also emphasised the importance of separating the IT and the OT environments.
“You cannot talk about manufacturing in one set. IT and OT are two different things with different purposes, levels of importance and impact. The threats for both are very different and they need to be treated separately.”
When hiring new people to help businesses shore up their critical infrastructure and data, Pal looks for one main quality.
“Cyber qualifications certainly help, but the key is having that curious mind,” he said. “It’s the desire to constantly look for and understand problems, to me that’s the differentiator.”
Operational technology holds the key
OT is crucial to automating and driving efficiencies within the manufacturing process. Traditionally, OT environments have not been as well secured as IT environments, which is a big mistake for manufacturing.
Having no security on the factory floor opens the door for ransomware attacks locking up operations, costing far more money than an attack on the IT system.
“The impact of an IT incident in manufacturing is very, very different to say the impact of an IT incident for a company such as RSM, for example,” he said.
“At the end of the day, for manufacturers, remaining operational and getting inventory out the door is all that matters. We take that philosophy into all our manufacturing clients who really appreciate it because they see we are identifying their major pain points, understanding the importance and potential impact on the business and acting accordingly.”
To hackers, OT environments can be seen as a soft underbelly without the cyber security attention their IT cousins have had. OEMs aren’t cyber security experts themselves, so a lot of the vulnerabilities can stem from the equipment itself.
The internet of things is becoming increasingly prevalent in the industrial environment, and with OT and IT environments converging, the Australian Government has recently created a voluntary code of practice for IoT equipment to protect itself from cyber-attacks.
RSM partners with companies who are experts in OT, providing specialised security tools and technologies for the challenge. Another obstacle with securing OT is that it proliferates around facilities quickly, which only increases the attack surface. It can become difficult to keep track of every aspect of OT (asset discovery), and without visibility it is impossible to understand the vulnerabilities which need to be addressed.
“Cover the devices, the connections, architecture, network configuration, security configuration, etc.,” Pal said. “Update this information monthly as OT devices tend to proliferate. Without knowing what you have, you cannot secure it.”
Pal outlined a multitude of ways RSM helps protect OT, including: segregating and cloaking OT networks, ensuring remote access security, device hardening, patching, security monitoring, basic authentication, authorisation and lockout controls, intrusion detection, malware detection and backing up all critical data and configurations. Underlying these strategies are people and process: personnel should be security-trained specifically for OT environments.
“They need to understand basic security concepts and controls that have to be implemented within the OT environment that they will be managing.
“Security policies for OT environments must be developed that outline the controls that need to be implemented and typically emphasise required areas. Without these, OT security will likely be ad hoc and exposed to numerous vulnerabilities.”
Operational technology and Internet of Things security company Nozomi Networks’ recent report looked at the challenges facing pharmaceutical manufacturing. Securing intellectual property and data from theft, identifying and preventing vulnerabilities in complex supply chains and preventing unplanned downtime headed the list of problems.
“Pharmaceutical companies are rapidly embracing tools and technology to gain operational efficiencies,” the report says. “However, automation and outsourcing increase risk and expand the threat surface. This makes it challenging to quickly address operational disruptions and deflect cyber threats.”
The same applies for the broader manufacturing industry, where the industrial IoT is opening up organisations to new cyber threats, partly because internet-connected sensors and devices are built for 24/7 reliability rather than security and the majority of operational systems are not up-to-date and remain unpatched.
The relative immaturity of cyber security for OT environments represents a challenge, but also an opportunity, according to Pal.
“It’s not too difficult to secure OT environments if we just focus on the basics,” he said. “This is where the IEC 62443 standard comes into play. We follow that stringently and have expertise on the laundry list of items which goes into securing networks.”
Massive financial implications aren’t the only threat cyber-attacks have on manufacturing, with breaches in OT leading to potentially devastating security implications. The factory floor is a dangerous place, often with heavy machinery being operated in different directions.
Triton is malware first discovered at a petrochemical plant in Saudi Arabia in 2017. The malware is designed to disable safety systems and targeted Schneider Electric technology. Dubbed “the world’s most murderous malware,” Triton demonstrates the potential safety risks cyber threats pose.
Article source: Manufacturers' Monthly