Let’s Talk Security

I have relatives, friends, and some RTA team members who’ve had their identities stolen. It’s a miserable experience. There’s no good way to prove who you are to some insurance company, hospital or bank located in some other part of the country. It costs time and money. It’s worse if you’re a business and your servers are held hostage, your manufacturing line is down or you’re unknowingly making an inferior or unsafe product. That’s often a nightmare.

We’ve done a lot over the years to protect our businesses from external threats. We’ve always had guard houses, employee ID badges and heavy fencing around our buildings. It’s only recently that we’ve started to think hard about protecting our digital assets from outsiders. IT has focused on security for many years, but in OT, on our side of the fence, there hasn’t been that much of an effort.

There are many reasons for that. One is that we’re usually pretty short-staffed. It isn’t unusual these days to have a single control engineer responsible for one machine or one line. If someone takes a vacation or sick day, the control engineer on the next line has to take over. Extra people are a luxury that many manufacturing businesses can no longer afford. In some plants, a single control engineer is responsible for the entire plant. They need to solve problems on any machine wherever it is in the plant. With those kinds of responsibilities and time constraints, it’s very difficult for the control engineer at a lot of smaller facilities to have time to think about securing their machines.

Another reason is the lack of budgets to address security. Most people are more reactive than proactive – we don’t address a problem until it’s on our doorstep. That’s why the fire alarm people swarm over a neighborhood after a fire: an upgraded fire alarm system is now a bigger priority than it was last week. Most companies believe that they won’t get targeted, so securing their control systems remains a low-priority task. Fortunately, many of us have an entirely different attitude about physical security. If the lock on the back door of the plant is broken, we get it fixed immediately even though the probability of someone finding a broken entry lock and entering during the night is pretty low.

And the third big reason why we don’t pay all that much attention to cybersecurity is that it’s just too damned hard. A lot of us have some old Modbus systems over there, some TI PLCs over here (yes, a hundred years old), Siemens S5s and S7s over there plus DH+, DeviceNet, EtherNet/IP and all sorts of old controllers. It’s a mess.

There’s no one to blame. Every time an upgrade was done, the latest and greatest manufacturing products were installed. The newest and the best – promising the most up-to-date, efficient, high-quality control system we could get. Now – ten, twenty or more years later – those systems are all highly vulnerable in one way or another.

And it’s not just cyber attacks that we have to worry about. Many attacks come from disgruntled employees, contractors and even cleaning people. The knowledge to alter a PLC program is not all that hard to obtain. All of us can think of ways to put a time bomb in somebody’s PLC program.

There are lots of ways that you are vulnerable, and unfortunately, designing a coherent strategy to protect your manufacturing assets is a very tough job in these environments. But it has to be done.

There are a few OT security tasks you should start right now:

  1. You need to educate your staff on the problem and what they can do to prevent the simplest attacks. Making sure they understand the danger of unknown USB Flash drives, simple passwords and the like is a good first step.
  2. Another is to simply lock the door. Use the security features that are built into the controllers that you already have. Siemens and Rockwell processors have security options. Use them.
  3. Identify what your most critical asset is and work on protecting it first. What might an external (or internal) intruder do that would disrupt your business? Play the ‘what if’ game and take action to stop those threats.

I’ll have more to say about all this in the coming days, especially about the new EtherNet/IP security that is deployed in Rockwell ControlLogix controllers.

Stay safe!

P.S. Check out my other blogs on EtherNet/IP Security:

EtherNet/IP Security Part 1 

EtherNet/IP Security Part 2: What it Does