In the last couple of years, several major incidents highlight the potential damage. Norsk Hydro, one of the world’s largest producers of light-weight metals, was a victim of a cyber-attack in March 2019 that paralysed its computer networks. The LockerGoga ransomware encrypted computer files and demanded payment to unlock them. Refusing to pay, Norsk Hydro was forced to halt some production and switch other units to manual operation resulting in costs of $52 million.
In 2018, TSMC, one of the largest manufacturers in Taiwan was hit by a cyber-attack that forced production to be halted in three plant locations for up to three days, causing a two percent revenue shortfall for the currency quarter. Losses were estimated to have totalled up to NT$5.2 billion, making the attack the largest information security incident in Taiwanese history.
Both incidents highlight the massive financial impact that cyber-attacks can have on manufacturers.
However, manufacturing and specifically operational technology (OT), still lags behind other sectors in terms of adoption of cyber security. This is in part due to the specialist nature of the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) platforms within this sector.
Furthermore, According to IDC, managed security services will be the largest technology category in 2019 with firms spending more than $21 billion for around-the-clock monitoring and management of security operations centres but fewer MSSPs focusing on these highly complex OT areas. However, this gap between demand and availability offers a massive opportunity for progressive MSSPs keen to break into the market and win new customers across Europe.
The main security challenge is that ICS/SCADA systems which include computers, networked data communications and user interfaces for high-level process supervisory management are significantly distinct from traditional enterprise IT systems. The technology is present across a wide range of industries including manufacturing, water treatment, mining, oil refining, transportation and power distribution, among many others.
ICS/SCADA networks are built up of multiple discreet elements. The ‘brains’ of the system are supervisory computers that gather data on processes and send control commands to the field connected devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). RTUs are akin to fingers and hands, offering sensors and actuators to carry out remote functions such as reporting on temperature, current or flow, with the ability to open and shut circuits and valves as needed. In some instances, PLCs with their embedded software can act as a combination of all three functions, offering a more economical and autonomous option.
Underpinning all three is the communication infrastructure that connects the supervisory computer to the RTUs and PLCs, which is normally built with a high degree of resiliency to allow multiple pathways between critical systems.Every SCADA system also has a human to machine interface (HMI) that allows for operators to issue commands, examine alerts and generate reports.
Unlike information technology systems used in corporate environments, most SCADA networks rely on highly specialist and often vendor-specific propriety protocols for flows of data and commands.
The MSSP option
These specialist networks are not well suited to off the shelf anti-malware, Intrusion Detection Systems or Network Access Control (NAC) designed for enterprise networks. Cyber attackers are instead creating bespoke attacks that target the specialist systems used by manufacturers.Although larger manufacturers often create internal information security (infosec) teams with skills across a range of security disciplines, there is still a major staffing shortage, especially for people with both infosec and manufacturing industry skills. In this arena, several managed security service providers are emerging that aim to solve the security, staffing and rapidly changing threat profile.
Managed security services designed for manufacturing tend to have three elements. The first part is a data collection and monitoring layer that feeds real-time information used for threat detection and remediation into the second part, a security operation centre (SoC). The SoC will maintain software systems and specialist operators with infosec and ICS / SCADA expertise to evaluate the flow of data, generate alerts and potentially respond to attacks. The last part is the ongoing service to proactively look for weaknesses within systems and to monitor threat intelligence feeds for new vulnerabilities and exploits that impact the specific customer assets.
A typical MSSP for manufacturing deployment will have several passive probes at each manufacturing site that examine traffic between manufacturing systems. These probes can decode the priority command and control signals with key metrics sent via encrypted channels to the SoC. The SoC will offer integration with SIEM tools using syslog with ICS/SCADA industrial protocols for parallel monitoring by the SoC and the customer operational control centre to allow fluent discussions between internal staff and SoC teams analysing any security event. To prioritise the processing of events the service will typically have integration with intelligence feeds for up-to-date info on exploits along with real-time exploitability scoring combining the impact on the customer business operation.
The MSSP normally deploys monthly updates to its traffic signature and CVE databases to allow it to detect newly emerged threats and issue emergency updates in the event of the discovery of a vulnerability or software change to a key SCADA technology supplier’s product. With the MSSP model such updates are done centrally at the managed SoC and not at each customer site.
It is important to note, that this continual service led approach to security is vital as the threat landscape is constantly evolving. Even stable, production systems that may have been deployed for a decade or more can have new vulnerabilities uncovered that can be exploited by a skilled attacker. For example, OpenSSL, a general-purpose cryptography library with a 20-year history was found to have serious vulnerabilities in it in 2014 that opened potential vulnerabilities in nearly a sixth of the web servers connected to the internet.
Benefits and challenges
The MSSP model has several significant benefits for manufacturers including the ability to outsource IT security to an external expert that monitors multiple similar customers. However, the architecture also allows the end-customer to gain a simultaneous view of the current security state to provide assurance and accountability that security best practice is being implemented as expected. The deep integration with ICS/SCADA systems for correlation to the operational processes ensures that security posture always matches the current environmental state and evolves in line with the needs of the client in real time. In the same way that many large enterprises have adopted this approach, MSSP for the manufacturing sector reduces the cost and complexity of internal staffing and provides an expert team on hand for incident response.
However, one of the most critical issues for manufacturers, who often don’t have the luxury of being able to stop production lines to apply large scale patches, is the ability to apply industry specific threat analysis. These systems allow an organisation to better understand which risks are critical and need to be immediately patched – and in some cases, where potential threats are mitigated by other security controls.
MSSPs, especially providers that have aggregated knowledge from hundreds, and potentially thousands, of discrete manufacturing sites, can help manufacturers to design a remediation plan that can be enacted without production downtime.
The MSSP model for manufacturing security is still relatively new and one of the biggest hurdles is overcoming the conservative nature of the sector. This is changing as manufacturers start to adopt industry 4.0 technologies where computers are connected and communicate with one another to ultimately make decisions without human involvement. This shift towards digitisation is both a blessing in term of efficiency but also a potential issue as more systems become exposed to potential cyber-attack – this makes the adoption of an MSSP a more compelling proposition.