Cybersecurity: making manufacturing secure
Graham Thomson, chief information security officer at Irwin Mitchell discusses cyberthreats and the ways in which the industry can secure its operations.
Manufacturing is the third most likely sector to experience a data breach, after financial services and insurance. But it’s among the least protected, according to the manufacturers’ organisation Make UK.
Cyber threats are constraining UK industry’s progress with digitalisation.
Companies can be hacked, covertly observed, and have their assets damaged or stolen while remaining completely unaware until it’s too late.
Because Industry 4.0 technology makes a company more connected to machines, the internet and other companies, firms are wary – with good reason – that high levels of digital adoption will increase their exposure to cyber attack. In a study with cyber security providers Vauban Group, Make UK found that while manufacturers are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.
Cyber attacks also show how closely integrated business IT (business communications and computing, storage and back-office technology) is with operational technology today.
“For Industry 4.0 especially, IT and OT have already converged, and at a speed greater than companies have been able to secure them adequately,” says Graham Thomson, chief information security officer at Irwin Mitchell. Industrial cyber attacks will increase, Graham says, impacting industry in areas like breaches of security, outages, data and IP theft, physical damage to IT systems and to capital equipment.
There are several ways a cyber criminal can attack a manufacturing company, including phishing and other “social engineering” techniques, resulting in malware (virus) infections like ransomware and Trojan horses.
Phishing is the fraudulent attempt to acquire sensitive information like passwords and protected files, or to deploy booby-trapped files, by posing as a trustworthy party. It’s the most common form of cyber attack because there’s a constant stream of different vulnerabilities that a hacker can take advantage of. It could be elicited through a fake advertisement on social media, or masquerading as an email from a work colleague.
The risk is magnified with such attacks because companies can’t always detect the level of security risk being introduced. “Say a company installs a new HVACS [air conditioning] system, but they didn't know this is accessible via the internet,” says Graham. “It can be accessed from afar simply with a commonly-known password, if this isn’t set up securely.
“A hacker can play with the settings, making conditions too hot or cold to work efficiently, or possibly even use this system to then access other internal IT systems,” says Graham. “It's a very effective impact from a simple intervention.”
Hacking and modifying a factory operation can be achieved by attacking any management system of operations technology, or supervisory control and data acquisition (SCADA) architecture. Most manufacturing companies have a variety of these OT systems to manage their factories inside their corporate IT structure which are also accessible remotely, which is where criminals target.
Normally industrial companies have an ‘air gap’ between OT and machinery and their IT network, preventing easy access to the plant for cyber criminals. “Regularly we see simple methods like a USB stick breach the air gap,” says Graham, “So by itself, partitioning factories from the network with an air gap isn’t an effective measure.”
Password or credential stuffing
A rising cyber trend that manufacturers should know about is password stuffing.
The login pages for a website, email account, management or control system for operational technology are all at risk from this method.
Cyber criminals can acquire lists of previously compromised email address and password pairings. They run a program to populate login pages with millions of combinations.
“There are about 3bn passwords and usernames on these lists that have been compromised, where numerous security researchers have found these databases on the dark web,” says Graham. “They point the program at the login page, press go, and the combinations auto-populate until there’s a match.”
While the method relies on complete chance, it’s possible to gain unauthorised access using email addresses and passwords that were compromised years ago and are totally unrelated to the current business, where an employee used an identical or commonly-used password. The solution: use two-factor authentication for remote access to important systems, or at the very least enforce long random passwords.
Improve your cyber security
Appoint somebody with sole responsibility for cyber security for the organisation. Provide them with a framework and reporting structure. For SMEs, this may mean combining the job with another role like IT director.
Make security part of the organisation’s culture, not just an IT issue. “Being cyber secure covers employees’ behaviours, training, and deploying cyber safe processes. Staff need training and better awareness of the risks,” Graham says.
Become familiar with the different security standards. Several documents can tell you how to apply good IT security: many are free like NIST and CIS, some like ISO27001 are paid-for. Most are very lengthy, and will need a lawyer to translate appropriately for the business.
For more information on manufacturing topics - please take a look at the latest edition of Manufacturing Global.