Cybersecurity pitfalls!

09/03/2017

Jonathan Wilkins, marketing director of obsolete industrial parts supplier EU Automation, discusses three cyber security pitfalls that industry should prepare for: the weaponisation of everyday devices, older attacks such as Heartbleed and Shellshock, and vulnerabilities in industrial control systems.

IBM X-Force Research: 2016 Cyber Security Intelligence Index

In 2016, IBM reported that manufacturing was the second most cyber-attacked industry. With new strains of ransomware and other vulnerabilities created every week, what should manufacturers look out for in the new year?

‘Weaponisation’ of everyday devices
The advantages of accessing data from smart devices include condition monitoring, predictive analytics and predictive maintenance, all of which can save manufacturers money.

However, recent attacks proved that these connected devices can quickly become weapons, programmed to attack the heart of any business and shut down facilities. In a recent distributed denial of service (DDoS) attack, everyday devices were used to bring down some of the most visited websites in the world, including Twitter, Reddit and Airbnb.

Such incidents are a clear warning that manufacturers should run their production line on a separate, highly secure network. For manufacturers that use connected devices, cyber security is even more important, so they should conduct regular cyber security audits and ensure security protocols are in place and up to date.

Don’t forget the oldies
According to the 2016 Manufacturing Report, manufacturers are more susceptible to older attacks, such as Heartbleed and Shellshock. These are serious vulnerabilities found in the OpenSSL cryptographic library that allow attackers to eavesdrop on communications and steal data directly from users.

Industrial computer systems generally aren’t updated or replaced as often as consumer technology, which means that some still have the original OpenSSL software installed. A fixed version of the programme has since been released, meaning that manufacturers can avoid this type of attack by simply updating their system.
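The advice above is to find the machines still running an unpatched OpenSSL and update them. As an added example (not from the article or from EU Automation), the script below classifies `openssl version` banners gathered from a plant inventory and flags the builds affected by Heartbleed; it assumes the version range from the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed), and the host names and banners are constructed sample data.

```python
"""Added example (not part of the original article): classify the output of
`openssl version` collected from an inventory of plant machines and flag the
OpenSSL builds affected by Heartbleed (CVE-2014-0160).

Assumed facts (from the OpenSSL advisory, not from the article): releases
1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release are vulnerable, 1.0.1g
fixed it, and the 1.0.0 and 0.9.8 branches were never affected. Host names
and version strings below are constructed sample data."""
import re

# `openssl version` prints e.g. "OpenSSL 1.0.1e 11 Feb 2013"; capture the
# numeric release and the optional patch letter(s) that follow it.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, letter) or None if the banner is not OpenSSL."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def heartbleed_vulnerable(banner):
    """True only for the 1.0.1 branch before the 1.0.1g fix (plus 1.0.2-beta1)."""
    v = parse_version(banner)
    if v is None:
        return False                       # LibreSSL, or not a recognisable banner
    major, minor, fix, letter = v
    if (major, minor, fix) == (1, 0, 2):
        return "beta1" in banner           # only the first 1.0.2 beta shipped the bug
    if (major, minor, fix) != (1, 0, 1):
        return False                       # 0.9.8x and 1.0.0x were never affected
    return letter < "g"                    # "" (plain 1.0.1) and "a".."f" are vulnerable


def audit(inventory):
    """inventory: {host: banner}. Return the sorted hosts that still need the update."""
    return sorted(host for host, banner in inventory.items()
                  if heartbleed_vulnerable(banner))


# Constructed sample inventory, as if `openssl version` had been run on each host.
SAMPLE_INVENTORY = {
    "hmi-line1":   "OpenSSL 1.0.1e 11 Feb 2013",
    "historian":   "OpenSSL 1.0.1g 7 Apr 2014",
    "scada-gw":    "OpenSSL 0.9.8y 5 Feb 2013",
    "eng-station": "OpenSSL 1.0.1 14 Mar 2012",
    "mes-server":  "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "plc-proxy":   "LibreSSL 2.2.7",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to OpenSSL 1.0.1g or later")
```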

Keeping industrial control
Manufacturers understand the need to protect their networks and corporate systems from attacks, but their industrial control systems also pose a risk. If an attacker deploys ransomware to lock down manufacturing computers, it could cause long periods of downtime, loss of production and scrap of products that are being made when the attack happens.

This is particularly true in the era of Industry 4.0, where devices are connected and processes are automated. One of the most effective means of safeguarding automated production systems is cell protection. This form of defence is especially effective against man-in-the-middle attacks, whereby the attacker has the ability to monitor, alter and inject messages in a communications system.

In its report, IBM also stated that cyber security awareness in the manufacturing industry is lower than other sectors. The truth is that any company can be the target of a cyber attack. The only way to avoid a cyber security breach is by planning ahead and preparing for the unexpected.

#PAuto @StoneJunctionPR @IBMSecurity

Cybersecurity at the heart of the Fourth Industrial Revolution.

08/02/2017
Ray Dooley, Product Manager Industrial Control at Schneider Electric Ireland, examines the importance of maintaining security as we progress through Industry 4.0.
Ray Dooley, Schneider Electric Ireland

A technical evolution has taken place, which has made cyber threats more potent than at any other time in our history. As businesses seek to embrace Industry 4.0, cybersecurity protection must be a top priority for Industrial Control Systems (ICS). These attacks are financially crippling, reduce production and business innovation, and cost lives.

In years gone by, legacy ICS were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cyber security was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.

This exposes vulnerabilities previously thought to affect only office and business computers, so cyber attacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyber attack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain.

The proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.

Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.

Assess the risks
A Defence-in-Depth approach is recommended. This starts with risk assessment: the process of analysing and documenting the environment and related systems to identify and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors, and external sources, such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual property, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.

Develop a security plan
Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well-designed security plan, coupled with diligent maintenance and oversight, is essential to securing modern automation systems and networks. As the cybersecurity landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate any future attacks. Cyber attacks on critical manufacturers in the US alone have increased by 20 per cent, so it’s imperative that security plans are up to date.

Upskilling the workforce
There are fewer and fewer skilled operators in today’s plants, as the older, expert workforce moves into retirement. So the Fourth Industrial Revolution presents a golden opportunity for manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be equipped with the cybersecurity know-how to cope with modern threats.

In this regard, training is crucial to any defence-in-depth campaign and the development of a security-conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing, with update sessions given regularly; only then will employees and organisations see the benefit.

Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped-up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago. Improvements in efficiency and profitability, increased innovation, and better management of safety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cybersecurity programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.

@SchneiderElec #Pauto #Industrie40

Three in four across 10 countries fearful cyber attacks could damage their country’s economy.

16/11/2014

Three quarters of surveyed adults (75 percent) across 10 countries say they are fearful that cyber hackers are carrying out attacks on major industries and sectors of the economy in their countries, according to the results of a study announced recently by Honeywell Process Solutions.

Many survey respondents (36 percent) indicate they do not believe that it is possible to stop all cyber attacks. A similar proportion (36 percent globally) report they don’t have faith in their country’s ability to keep up with cyber attacks because they feel that governments and organizations are not taking these threats seriously enough, particularly respondents in India (61 percent), China (48 percent), and Mexico (47 percent).

“Cyber attacks are a clear and present threat to every industry, in every country throughout the world,” said Michael Chertoff, co-founder and executive chairman of the Chertoff Group, and former head of the U.S. Department of Homeland Security. “This threat is real and industries need a proactive and coordinated approach to protect their assets as well as their intellectual property. We have seen a number of attacks to critical industries in areas like the Middle East and the U.S. and these have had major impacts on their operations.”

The British government estimates that cyber security breaches at British energy companies alone cost those companies about 400 million pounds ($664 million) every year. In the United States, the Department of Homeland Security said that more than 40 percent of industrial cyber attacks targeted the energy industry in 2012, the last full year reported.

Methodology
These are findings of a poll conducted by Ipsos Public Affairs Research, September 2–16, 2014. For the survey, a sample of 5,065 adults across 10 countries was interviewed online. This included approximately 500 interviews in each of Australia, Mexico, Russia, Brazil, China, India, Japan, the United Arab Emirates, Great Britain and the United States. Results are weighted to the general adult population aged 16–64 in each country (or, in the U.S., 18–64). A survey with an unweighted probability sample of 5,065 adults and a 100% response rate would have an estimated margin of error of +/- 1.4 percentage points, 19 times out of 20, from what the results would have been had the entire population of adults in the participating countries been polled. Each individual country would have an estimated margin of error of 4.4 percentage points. All sample surveys and polls may be subject to other sources of error, including, but not limited to, coverage error and measurement error.

“These survey results are not surprising in light of the recent cyber attacks that have made headlines in several areas around the world,” said Jeff Zindel, leader of HPS’ Industrial Cyber Security business. “The impacts of these attacks, as well as others that have not been publicly reported, have cost companies and governments billions of dollars through operational issues and loss of intellectual property.”

For more than a decade, HPS has developed and delivered cyber security technology and solutions to industrial customers around the world through its Honeywell Industrial Cyber Security organization. This team has delivered more than 500 industrial cyber security projects integrated with its process automation solutions which are used at sites such as refineries, chemical plants, gas processing units, power plants, mines and mills.

In December 2014, HPS will establish the Honeywell Industrial Cyber Security Lab near Atlanta (GA USA). The lab will expand the company’s research capabilities and will feature a model of a complete process control network which Honeywell cyber security experts will leverage to develop, test and certify industrial cyber security solutions. This lab will help accelerate proprietary research and development of new cyber technologies and solutions to help defend industrial facilities, operations and people.

Among other findings of the survey:

• Four in ten (40 percent) survey respondents are not sure about how well their government or private industrial sectors are able to defend against cyber hackers, including 10 percent who are not at all confident.
• When asked about the vulnerability of nine critical industry sectors (which have varying degrees of computer and internet security systems in place to guard against cyber hackers), majorities of respondents globally see all sectors as being vulnerable to cyber attacks. Industrial sectors likely to be perceived as vulnerable to such attacks include oil and gas production (64 percent), medical/health care/pharmaceuticals (64 percent), power grid (63 percent), chemicals (61 percent) and aerospace/defense (59 percent).
• Those in India (92%) and Japan (89%) are most worried about cyber attacks, whereas Russian adults (53%) express the lowest level of overall concern.
• Among those who are relatively unconcerned about cyber hackers (“not very fearful” or “not at all fearful”), no single factor stands out as a primary justification. Many (31 percent) say that this is because they believe the risk of something major actually happening is really quite low, particularly in Australia (52 percent).

Other reasons for lower levels of concern include:

• Cyber hackers would have already done something big if they actually had these capabilities (25%),
• Computer and Internet security has been able to counter or block almost all of the threats (24%); or,
• Governments and their intelligence and armed forces will not let this happen (24%).

Cybersecurity cert programme launched!

19/12/2013
Programme based on its ISA99/IEC 62443 series of industrial automation and control systems security standards

Drawing on its internationally recognised leadership and expertise in industrial automation and control systems security, the International Society of Automation (ISA) has developed a knowledge-based industrial cybersecurity certificate program.

Through the work of its Committee on Security for Industrial Automation & Control Systems (ISA99), the Society has developed the ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA99/IEC 62443).

This new certificate program, the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, is designed to help professionals involved in IT and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.

Developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia, the ISA99/IEC 62443 series of standards applies to all key industry sectors and critical infrastructure, providing the flexibility to address and mitigate current and future vulnerabilities in industrial automation and control systems.

The ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate will be awarded to those who successfully complete a designated, two-day ISA classroom training course, Using the ANSI/ISA99 (IEC 62443) Standards to Secure Your Industrial Control System (IC32), and pass a 75-question, multiple-choice exam.

While there are no required prerequisites to register for the certificate program and an application is not required to take the exam, it is helpful if interested professionals possess at least three to five years of experience in the IT cybersecurity field, with at least two of those years in a process control engineering environment in an industrial setting.

“Our new cybersecurity certificate program is another step forward in ISA’s development as a global leader in industrial cybersecurity standards, training and education, and in building on our commitment to meeting the needs of industrial control systems professionals throughout the world,” says Dalton Wilson, ISA’s Manager of Education Services.

Throughout 2013, both ISA and its sister organisation, the Automation Federation, have played prominent roles in helping the US government develop a national Cybersecurity Framework designed to thwart a potentially devastating cyberattack on critical infrastructure, such as power plants, water treatment facilities and transportation grids.

The exam
The paper-and-pencil version of the ISA99/IEC 62443 Cybersecurity Fundamentals Certificate Program exam is available now. The electronic version will be available through the Prometric global network of testing centers during the first quarter of 2014.

In order to sit for the exam, applicants must register for both the aforementioned ISA course (IC32) and exam, and successfully complete the course.

The exam will cover the following areas:

  • Understanding the Current Industrial Security Environment
  • How Cyber Attacks Happen
  • Creating a Security Program
  • Risk Analysis
  • Addressing Risk with Security Policy, Organization, and Awareness
  • Addressing Risk with Selected Security Counter Measures
  • Addressing Risk with Implementation Measures
  • Monitoring and Improving the CSMS
  • Designing/Validating Secure Systems

Certificate renewal requirements
Because the ISA99/IEC 62443 Cybersecurity Fundamentals Certificate Program is a certificate and not a certification, certificate holders are not required to renew the ISA99/IEC 62443 Certificate.

However, once obtained, the certificate will only be considered current for three years. After the three-year expiration date, a certificate holder will no longer be able to claim that he or she holds a current/active ISA99/IEC 62443 certificate. In order to extend the current status of an expired certificate, a certificate holder must register for and take the related ISA99/IEC 62443 Certificate Knowledge Review. A score of 70% or higher is required to extend the current status of a certificate.