Feature Story

Securing the Shop Floor

Nasrin Rezai, CISO, GE, Nick Ritter, GE’s vice president of product cyber security

How CIOs and CISOs at companies like GE confront new tech threats to business operations.

In late 2017, hackers exploited a flaw in technology from manufacturer Schneider Electric that halted operations at an undisclosed industrial facility.

The attackers invaded one of Schneider’s Triconex safety systems, which are used in nuclear facilities, oil and gas plants, water treatment facilities, and other industrial plants to safely shut down processes when hazardous conditions are detected. It was the first reported cyber attack on this type of system, according to a Reuters report.

The incident provides an example of the potential security vulnerabilities of manufacturing operations and shop floor equipment. With the ongoing growth of the Industrial Internet of Things (IIoT), the shop floor is becoming ever-more instrumented and connected.

This increased connectivity and data-centric approach to production presents another potential attack vector, either for malware or for data poisoning. And it might be even more of a target for shop floors that are becoming more real-time responsive to demand data coming in from partners.

Nasrin Rezai, CISO, GE Nasrin Rezai, CISO, GE

“The speed of digital transformation across all industries—and the convergence of IT and OT [operational technology]—create urgency for all business and technology leaders to redefine boundaries of cyber resiliency beyond just enterprise IT,” said Nasrin Rezai, CISO at manufacturing conglomerate GE.

“Cyber security needs to be managed as a top business strategy and risk management practice, with clearly defined disciplines embedded in business processes, product management. and operations,” Rezai said.

Risks at the intersection of IT and OT

Manufacturers are certainly aware of security risks and the need to defend themselves. Discrete manufacturing is one of the three industries that will spend the most on security technologies in 2018 — along with banking and federal/central government, according to a March 2018 report by International Data Corp. (IDC).

Those three industries will spend more than $27 billion worldwide on security this year, IDC said. Manufacturers are spending on security initiatives to avoid large scale cyber attacks and adhere to regulatory compliance, the report said.

“Manufacturers are adding connectivity and collecting data about production processes more than ever before,” said Robert Westervelt, research director at IDC. “Most of the focus is on asset and production management. Part of the activity is about reducing operational costs and [improving] overall efficiencies. But the increased connectivity is also increasing the attack surface, and manufacturers must be mindful about potential attack activity or configuration issues that could disrupt production.”

Manufacturing operations and shop floor equipment have been vulnerable to attack for many years, but increased connectivity is exposing weaknesses to attackers of a wide variety of skill levels, Westervelt said.

“Some attacks are low-level and designed to probe and disrupt when possible,” Westervelt said. “We’ve seen reports of some manufacturers getting regularly probed by Chinese threat actors, presumably to steal intellectual property. Manufacturers should conduct their own threat profiling activity to understand the kinds of attackers that they must defend against.”

"Attackers have become more sophisticated and can conduct reconnaissance and attack both IT and OT environments."

Some manufacturers might be subject to industrial espionage, while others might have to defend against threat actors intent on sabotaging specific products or simply disrupting processes to delay productivity, Westervelt said.

“Financially motivated attackers will use ransomware and other means to make money off of manufacturers,” Westervelt said. “These attackers have become more sophisticated and can probe, conduct reconnaissance and attack both IT and OT (operational technology) environments.

“We’ve seen some manufacturers have successful attacks spread from IT to operations/shop floor environments — either by the poor maintenance and controls of laptops and mobile devices, or employee use of USB sticks to transfer documents and data to systems that they monitor on a daily basis.”

Indeed, the biggest cyber security challenge is the collision of OT and IT, said Nick Ritter, GE’s vice president of product cyber security, who is responsible for the security of all GE’s commercial products and services and also oversees the security of GE’s global manufacturing facilities.

Nick Ritter, GE’s vice president of product cyber security

“They are in ‘particle-accelerator-type’ collisions, with an ever-increasing number of connected devices,” Ritter said. “These are legacy devices, which were designed and installed long before there were CISOs, security frameworks, and increasing requirements for remote connectivity.”

This extends the attack surface, Ritter said. “Contrast this with the lack of trained security professionals who understand OT, control systems, SCADA environments and the like,” he said.

The vulnerability of any one piece of shop floor equipment or facility is highly individualized and dependent on architecture, connectivity, and functioning security controls, Ritter said. Because of that the types of attacks can vary, he said. But they are typically a reflection of the sorts of attacks commonly seen in the enterprise, where weak remote access controls are thwarted to gain remote access and ultimately laterally move into the enterprise network.

Attacks against manufacturing assets can also include the installation of ransomware or bitcoin-mining malware, or assaults on the OT environment to cause instability or equipment failure. “The list of significant risks is only limited by the imagination,” Ritter said.

The more connected devices that exist, the larger the potential for attacks. “The benefit of connected, instrumented and analytics-enabled OT is undeniable,” Ritter said. “That said, there are legitimate security concerns.”

All hands on deck

For threat detection, manufacturers should be monitoring and baselining endpoint device activity and alerting when system behavior deviates from the norm, Westervelt said. “The monitoring and analysis of systems should be protected and possibly segregated,” he said. “This proactive approach, along with traditional endpoint security software installed where possible, should assist in identifying potential problems like ransomware before it results in production issues.”

They can also deploy intrusion detection and prevention systems, Westervelt said, “but the rule of thumb is to implement them in passive mode with rules to identify threats. In industrial control system environments, proactively monitoring logs and events can boost safety, privacy and resiliency.”

Machine learning is likely to take on a key role here, helping identify evolving attack or behavior patterns that escape existing rules.

For proactive defense, companies need to put in place platforms and processes to help identify vulnerabilities and configuration issues, or order to safeguard the integrity of firmware and applications. “File integrity monitoring products can help identify abnormal changes,” Westervelt said.

Some manufacturers should consider gaining information about the Common Industrial Protocol (CIP) Security, a set of security-related requirements and capabilities for CIP devices maintained by the standards development organization Open DeviceNet Vendor Association. “Using the documents provided by organizations [such as] ODVA will help ensure standards are maintained within the production facility, and the manufacturer can plan for incorporating risk mitigation into future improvements,” Westervelt said.

Another good practice is to conduct a data audit seeking all records and files that contain sensitive information based on patterns and key words, Westervelt said. “Work with data application inventory teams and determine the location and affiliation of sensitive data with users and applications,” he said. “Data leakage protection solutions can be used to search for any hidden data repositories and unauthorized SaaS [software-as-a-service offerings] where some data may already reside.”

It’s important for security teams at manufacturing companies to have continuous open lines of communication with all of the stakeholders, Ritter said. “The IT experts, the control systems experts, the shop floor/plant manager, the security professionals, all need to openly and frankly discuss requirements, constraints, risks, impacts, costs—and ultimately look to enable each other,” he said. “To fully protect this space, we need all hands on deck, working to make each other successful.”