Cybersecurity has become an issue that must be addressed by every industrial plant. Gone are the days when the plant was air-gapped and safe from cyber intruders. Even an air-gapped site isn’t safe, as Stuxnet proved. That virus arrived in a compromised flash drive that devastated a system that wasn’t connected to the outside world.
|New strategies are getting developed to help plants secure their older equipment against cyberattacks. (Image source: Tripwire)|
Most plant networks are connected these days. Even if the plant doesn’t deploy IIoT connectivity, its network probably sends data to the organization’s IT system so managers can share production information with the office, customers, and suppliers. Newer plant equipment comes equipped with cyber protection technology, but what about legacy plant equipment? Protecting decades-old equipment is critical in a world where the usefulness of industrial equipment is counted in decades.
Protecting Older Plant Networks
Security companies are developing strategies for enabling cybersecurity on networks that include older plant equipment. Strategies include bringing everything on the plant network up to security standards. “We’re not just looking at the network layer. We’re looking into level one and level two, including the devices directly in line with the production equipment in manufacturing facilities,” Gabe Authier, senior product manager for industrial cyber security at Tripwire, told Design News. “One approach is to use the IEC 62243 standard to make adjustments on the floor, including adjustments to the firmware of devices because they’re so old. Then you start looking at upgrading hardware on the plant floor to adhere to shop floor policies.”
ISA/IEC-62443 is a series of standards, technical reports, and related information that defines procedures for implementing electronically secure industrial control systems (ICS). The standards are for system integrators, security practitioners, and control system manufacturers responsible for managing industrial automation and control systems.
Older plant equipment is vulnerable simply because it was built prior to internet connectivity. “In general, the overall weakness when it comes to cybersecurity in industrial control systems is that the devices were developed 20 or 30 years ago, when security was not on anybody’s mind,” said Authier. “A lot of these devices are talking through serial protocols. There was no thought of making them secure back in the '70s and '80s. It’s these older devices we need to concern ourselves with. They’re a big weakness.”
Cyber Attacks Are Changing
Older plants face two formidable cybersecurity challenges: The equipment isn’t built for cybersecurity and the cyberattacks themselves are becoming more difficult to detect. “The types of attacks are changing. They’re becoming much more sophisticated. The worms get in and they can sit dormant for a number of weeks, days, even months, until they see a chance to do malicious harm,” said Authier. “The attackers are becoming more sophisticated, more aware of the weakness of the devices and how they can be exploited.”
Attackers seek the weakest points in the industrial network. Often, that includes the computers on the system. “The majority of the attackers focus on Windows systems, where there are a lot of vulnerabilities,” said Authier. “The attackers are finding their way into the ICS, and they’re exploiting the network in ways we haven’t seen before.”
Warding off attacks that enter through Windows is typically guarded through patch updates. Yet patches require a reboot that typically results in equipment downtime. “Since Windows systems get attacked, patches are important. The more sophisticated managers are planning their downtime for patches,” said Authier. “Someone at a large company found their vulnerability comes from IT. Yet when IT finds a device on the OT network that is vulnerable, a ticker is created, and the plant has five days to fix it or the line gets brought down no matter what.”
Organizations are beginning to take security seriously, with mandates coming from the top down. That means the plant has to comply unequivocally with cybersecurity measures. “There is a lot of pressure for security coming down on the plant,” said Authier. “That pressure starts at the board level, where there is new interest in securing all networks. It’s coming from those in the c-suite who realize that vulnerabilities can hurt the organization.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.