This is another part of a series of articles on what automation engineers need to know about cybersecurity. This article focuses on simple cybersecurity steps you can take today.
You and I have heard plenty over the last 18 months or so about manufacturing security. I’ve seen the news reports from Deloitte and others that 40% of manufacturing companies have experienced a cyberattack. I’ve heard the whispers passed from colleagues around the country about different companies that got hit with WannaCry or GandCrab or a plain old ransomware attack.
Now a lot of folks are out there to sell you all sorts of complicated and expensive solutions. They’ll tell you about encryption and authentication and authorization and all the other big words used by cybersecurity experts. Truth is you should AND CAN do a lot to protect yourself long before you need to add cybersecurity appliances to your manufacturing floor. Here’s my simple and inexpensive list of things you can do today if not tomorrow:
#1 – Lock your doors
This is really simple. Make sure that you have physical security. Know who is on your factory floor at all times. There is no reason to have the back door or loading dock door open even if the fresh air feels nice in the summer heat. Verify everyone who is walking around the floor.
A further step that you might think about is to implement something called a captive portal. You’ll need a security appliance for that, but what it does is make sure that the guy working on the welding system isn’t accessing your PLC, one of your ABB drives or one of your enterprise servers (possibly with some malware that he doesn’t even know he has on his laptop). Email me if the captive portal is something you’d like to consider.
#2 – Block all USB ports
Some people think of this as being paranoid, but USB drives were how the Iranian reactors were targeted. It’s just good practice not to have any servers or laptops inside your firewalls with active USB drives.
#3 – Keep everyone paranoid about phishing attacks
These are getting better and more sophisticated. You’ll get an email that appears to be from some “official” source that needs your credentials for something. If you succumb to that, they have the keys to the kingdom. You need to continually remind your staff about how benign these emails look and how deadly they really are. To learn about all the ways you might be subject to a phishing attack, read Abi Tunggal’s article “What is Phishing”.
#4 – Turn off unused switch and router ports
There isn’t any need to make it easy for anyone to just plug into your manufacturing network. Disable every unused switch and router port. And don’t forget about the last RJ45 port at the end of a linear network. That one is probably not designed to be disabled, so you might look at some of the products for physically locking RJ45 ports.
Of course, you’ll need access for engineers and technicians who are troubleshooting the PLC or network issues. One way to do that is to keep that access locked in a cabinet. Only people with the key should get access to the network port. Or, if you want it out at the machine, again secure it with a small locked enclosure designed for that purpose or one of the RJ45 locking solutions that require someone to have the tool.
#5 – Validate any changes to your managed switches
One of the biggest cybersecurity attacks was conducted against a company with an open firewall port. Someone made a mistake configuring the firewall, and the company lost millions. Anytime there is a change to a VLAN, a firewall or a NAT table, make it a practice to document the change and have it approved by someone on your cybersecurity team or some other knowledgeable person.
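One way to back the approval step in #5 with a check, as an added example that is not part of the original article: compare the last approved switch configuration with the one currently running and list every line that changed, flagging VLAN, access-list, NAT and port-state lines for sign-off. The function names, the keyword list and both sample configurations are assumptions constructed for illustration, written in a generic Cisco-like syntax.

```python
import difflib
import re
# Assumption: keywords marking VLAN, firewall (ACL), NAT and port-state lines; adapt to your vendor.
REVIEW = re.compile(r"\b(vlan|access-list|nat|shutdown)\b", re.IGNORECASE)

def flatten(config):
    """Prefix each indented line with its parent stanza so a change keeps its context."""
    section, out = "", []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comment lines
        if raw[0].isspace():
            out.append(f"{section} :: {raw.strip()}")
        else:
            section = raw.strip()
            out.append(section)
    return out

def config_drift(approved, running):
    """Return (action, entry, needs_approval) for each line that differs from the approved config."""
    drift = []
    for d in difflib.ndiff(flatten(approved), flatten(running)):
        if d[:2] in ("+ ", "- "):  # ignore unchanged lines and ndiff's "? " hint lines
            action = "added" if d[0] == "+" else "removed"
            drift.append((action, d[2:], bool(REVIEW.search(d[2:]))))
    return drift

# Constructed sample configs (not from any real device).
APPROVED = """\
interface Gi0/1
 switchport access vlan 10
interface Gi0/8
 shutdown
ip access-list extended PLANT-IN
 deny ip any any
"""
RUNNING = """\
interface Gi0/1
 switchport access vlan 10
interface Gi0/8
 switchport access vlan 10
ip access-list extended PLANT-IN
 permit tcp any any eq 3389
 deny ip any any
"""

if __name__ == "__main__":
    for action, entry, flag in config_drift(APPROVED, RUNNING):
        print(f"{'REVIEW' if flag else 'info  '} {action:8} {entry}")
```

In the sample, the report shows a previously disabled port (see #4) brought back into service and a new rule opening the Remote Desktop port (see #7), both of which should have a documented approval before they stay in place.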
#6 – Use complex and ever-changing passwords
Yes, it’s a pain to keep changing passwords, but it’s important. It’s a simple step that really pays off. One of the more common passwords is “123456”. If you are using that password, you are inviting your machine to be hacked.
#7 – Disable Remote Desktop on servers inside your firewall
Don’t use Remote Desktop. It has been proven to be an invitation to hackers to get access to a machine. There are many, many articles about how attackers get access using RDP – Remote Desktop Protocol. It’s insecure, so get rid of it.
Normally I deal with particulars of EtherNet/IP, PROFINET IO, BACnet, and the rest. But today all of us are more concerned with cybersecurity than ever and are hearing more and more about it. The practices I outlined above will go a long way to securing your manufacturing plant floor at nearly no cost. If you want to move to the next step and implement a captive portal, a more secure connection than VPN, or a more cyber secure firewall designed for manufacturing, contact me directly through the contact form.