It is impossible to ignore the fact that – for all the benefits it brings – increased connectivity also means higher levels of vulnerability to cyber-attack. This is a fact starkly highlighted in ‘Cyber Security for Manufacturing’, a report published this year by the manufacturers’ organisation the EEF in conjunction with the Royal United Services Institute (RUSI) and insurer AIG.
Some figures in this report make for alarming reading. One is that 48% of manufacturers report having been subject to cyber-attack, of whom at least 24% sustained financial or business losses as a consequence.
Equally, while 91% of businesses surveyed said they are investing in digital technologies in readiness for Industry 4.0, 35% believe that cyber-vulnerability is inhibiting them from doing so fully.
In addition, readiness to deal with potential threats is not at a particularly high level. According to the report, 41% of manufacturers do not believe they have access to sufficient information to confidently assess their specific risk, while 45% are not confident they are prepared with the right tools for the job. More alarming still, 12% of the manufacturers surveyed have no process measures in place at all to mitigate against the threat.
But the need for such measures to be in place is rising quickly as the need to have demonstrable cyber-security safeguards in place is becoming ever more necessary to operate in the business environment. 59% of manufacturers report that they have already been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain. For the 37% of manufacturers who report that they could not do this if asked to today, business will become increasingly challenging.
This should come as no surprise when one considers the potential risks and the real-world examples. In August 2017, for instance, a petrochemical manufacturer in Saudi Arabia was infected with malware that investigators believe was not simply designed to steal data or shut down operations but potentially tocause a catastrophic explosion. Significantly, it targeted operational technology in the form of industrial control systems rather than the more traditional focus on information technology.
Another example came with a recent attack on a German steel mill. Here, the attacker used sophisticated social engineering and spear-phishing tactics to hack into the steel mill’s office computer network. Crucial controls were tampered with, making it impossible to turn off the blast furnace. The result was massive damage to the foundry.
These are the most extreme examples, of course, but they make clear the extent of the risks facing industry. Mike Wilson, business development manager at ABB Robotics, is not surprised by the levels of readiness among UK manufacturers, saying: “I don’t think people have got that far. The bigger businesses have, of course. The Jaguar Land Rovers of this world are thinking about this very carefully, but the average SME that has minimal levels of automation probably isn’t.”
Mike Loughran, chief technology officer UK and Ireland for Rockwell Automation, on the other hand, identifies a different problem. “If you ask companies how aware they are of the need for cyber security,” he says, “they would mostly consider themselves fully aware of it. Where the issue lies is that responsibility for it tends to rest with the IT departments of those companies rather than with the engineering sections. The number of networks in engineering and manufacturing spaces has risen exponentially. If there’s no understanding of how those networks work and that they have to be considered within the overall IT security policy.”
This divergence between engineering and IT is a problem with which ABB’s Wilson identifies. “This is one of the things we do have to address. We have this thing called Connected Services, which is our remote service support. It’s often the IT department who we have to convince. The engineers may think it’s a great idea, but the IT people will say ‘You can’t do that’. And then we have to convince them that our system is secure and isn’t going to open them up to various threats.”
One of the major problems facing industry is the sheer multiplicity of threats it faces from a cyber security point of view. Says Loughran: “Do people realise what their connectivity looks like at the moment? Do they have a flat network? Do they have full connectivity across all their sites? Do they even know?”
He continues: “We do also see a lot of legacy equipment in the manufacturing sector. It may be fine and been upgraded over the years. Because of the rise of the smart factory, the equipment put in 15 years ago was never put in with that in mind. So, it may be a potential threat.”
The need to consider the entire supply chain as a potential threat to security is another factor that needs to be addressed. “The message on the supply chain and the need to be aware of cybersecurity concerns within it is getting across, but not as quickly as I might like,” says Loughran. “Machine builders are part of the supply chain. Designers are part of the supply chain. When people come in and bring their own device into your plant? Or their phones? These could all be a threat.”
His solution is for companies to institute meaningful policies that provide proper assessments of the setup of any engineering site and the potential for risk contained therein. He says: “People don’t have the time or the budgets, but what they can do is assess. They can step back and just ask ‘How ready are we at the moment?’ Just have a quick readiness survey and just highlight areas of potential risk and put a plan in place to minimise them. As you move forward with timescales, you can address other areas where there may or may not be risk.”
Such an assessment may simply consist of things like mapping out what the connectivity in a site’s equipment actually looks like. There may be areas in your organisation that people may not have realised are connected. There can be legacy systems in place that offer a potential way in.
However, Loughran is keen to emphasise that this should not be seen as a straitjacket on productivity. “That’s the key bit. It’s not about locking things down, it’s about having a policy that people can review and act upon. If there is not a policy? Guess what? It’s open season.”
Naturally, companies such as Rockwell and ABB have a major role to play in helping customers to achieve greater security. Mike Wilson says: “If you’re heading down the Industry 4.0 journey, yes you’re getting more connected and yes cyber security absolutely has to be a significant part of that plan. The answer to that is to utilise the people – like ABB – who have the knowledge to provide the solutions.”
Loughran concurs, saying: “What we recognised probably five years ago was that our customers were looking for support. When we were talking about smart manufacturing, they didn’t quite appreciate the requirements of a 24/7 engineering base. So, it requires a much more robust, ‘always on’ architecture. Our network security and services division has the skill set around the IT and the engineering and operations areas. We can do a survey and identify areas that need attention, work that needs to be brought up to speed and perform a general risk assessment.”
Much new equipment is already being designed with cyber security in mind. A lot of new equipment that has appeared in the last five years has actually removed many of the issues from that legacy equipment. For instance, no passwords within your controller that have an override or a default. Equally, there are no backdoors, which used to be quite common in older control systems.
Loughran sounds a note of caution, however. “There are a lot more standards and guides and the equipment has been developed with those in mind. So, just as with phones, you now have fingerprint recognition or facial recognition, which all form part of a good, secure system. Even so, it’s crucial to bear in mind whether everything you’ve got will fit into your future roadmap for security,” he says.
Increasingly, Loughran believes, cyber security will be seen in much the same way as safety is on equipment and will simply become an intrinsic part of its design. He says: “What’s happening increasingly is that security is being likened to safety – and the two roles are being combined. Just as we now automatically think machines have guards and cut-off systems and these evolved to light curtains, we will incorporate security. Safety is now designed in at the start and is part of the fundamental design. This will increasingly be the case with security. It will become intrinsic.”
This integration is also increasingly becoming a part of the specification process – although this process is far from complete. In areas identified as critical to national infrastructure, organisations will tend to have a guidance document for their suppliers that means that if new plant is being specified by the organisation, if it doesn’t come in with certain things pre-designed and pre-built into it, it won’t be acceptable.
Unfortunately, that isn’t the case everywhere, says Loughran. “Specification documents will say things like ‘we need it designed to x, y and z’, but it won’t say things like ‘please bear in mind and provide to us recommendations as to how you can fit in with our security policy.
“So, there can be a tendency where people are expected to do things they haven’t been asked to do with regard to security. It is absolutely a team game both from a supply point of view and internally.”
There is no ‘silver bullet’ to provide cyber security, however. All that can be done is a minimisation of risk. “With the best will in the world,” says Loughran, “if you’re talking about something like a ‘zero-day attack’ that’s targeted, it’s always going to be difficult to guard against that. However, what you find is that many of the threats aren’t targeted at industry, but because industry has adopted many of the same systems as big business, they get some of the fallout. Wannacry, for instance, wasn’t targeting industry, but it hit anyone who had flat networks. In most cases, the problem came from one person in an office with a flat network and it spread from there.”
Prevention is better than cure of course and, in this case, prevention comes in the form of understanding your system and its vulnerabilities. Loughran says: “Do you have segmented networks? Are you segmenting your networks based on availability or priority? Are you making sure that you can open up a gap between your OT and IT? Can you create an industrial demilitarised zone, in effect?
“Really it’s about putting in the infrastructure that limits the damage should it be attacked. That’s what it’s about: damage limitation. Because realistically, if people are determined to go after it, it’s really quite hard to stop.”
This realistic view of the threat and the ability to defend against it is crucial, believes Loughran. “There’s a quote from one of the major IT vendors out there,” he says, “‘It’s not about if, it’s when’. One of these things will go through – it’s just about how it’s handled. If, for instance, you can keep manufacturing while there’s an issue in the office, that’s a good day.”