Making Time for Security

Monday, April 10, 2017 @ 10:04 AM gHale


By Gregory Hale
Not too long ago, a young Polish boy found a hole in the network of a European tram system. He was able to get into the system, navigate his way around and then, using a television remote, he was able to switch tracks using the infrared device on the remote. The end result was that four trains derailed and 12 people suffered injuries.

All of that with a television remote control.

Using a simple device, the attacker was able to penetrate a network and cause damage. In today’s hectic industrial environment, manufacturers for the most part cannot rely on themselves for protection. They need to focus on making product. That is where a solid security plan comes in: one where workers are educated and know what, or what not, to do, or where the manufacturer partners with a quality provider that can keep systems up and running.

Manufacturers need to keep the process going. Security, company leaders will say, is this “new-fangled” thing that costs money and slows down production. They really don’t see it as a business enabler that can help keep systems up and running.

“In operations management there is very little time for security,” said Andrew Kling, Director of Cybersecurity and Architecture at Schneider Electric. “But as you go higher into the organization, you’ll find they increasingly have more time. The stories tilt away from fear and toward what is the risk to my corporate reputation and what is the risk to my ability to produce my widget and make a profit. That is where they do have time to think about cybersecurity. They are thinking about plant risk and risk management.”

FUD Fading Away
Fear, uncertainty and doubt (FUD) was all the rage 10 years ago when cybersecurity first came to light. But the Chicken Little, sky-is-falling fear mongering is going away, and an intelligent approach to understanding the issue and methodically addressing it is coming to the fore.

Instead, cyberattacks, internal and external, are continuing to grow. Just take a look at a Ponemon Institute cybersecurity research study where 53 percent of respondents said they suffered at least one data breach in the past two years, while 68 percent don’t believe their organizations have the ability to remain resilient in the wake of a cyberattack. And 66 percent aren’t confident in their organization’s ability to effectively recover from an attack.

“Once senior managers are educated, they begin to look at cybersecurity, they see what is in the media, they see the risks and threats,” said Gary Williams, Schneider Electric Senior Director of Technology, Cyber Security and Communications. “They do an analysis as to whether they would be able to withstand a threat. And once they realize they don’t have a necessary skill set or the necessary hardware features to prevent an attack, they consider additional services. Because the alternative, of course, is to just disconnect.”

Case in Point
Of course, disconnecting is not an answer, especially as advances in technology allow manufacturers to achieve greater benefits through connectivity. Take 3D manufacturing, for instance, where a growing industry area suffered a damaging blow.

A 3D additive manufacturing (AM) system fell to a cyber assault, showing how an attack and a malicious manipulation of blueprints can fatally damage production of a device or machine.

It is possible to sabotage the quality of a 3D-printed functional part, which leads to the destruction of a device, said researchers from Ben-Gurion University of the Negev (BGU), the University of South Alabama and Singapore University of Technology and Design in a paper entitled “Dr0wned.”

Researchers were able to destroy a $1,000 quadcopter UAV drone by hacking into the computer used to control the 3D printing of replacement propellers.

Once they penetrated the computer, the researchers found the propeller blueprint file and inserted defects. During flight tests, the sabotaged propeller broke apart during ascent, causing the drone to smash to the ground.

More than 100 industries, including aerospace, automotive and defense, employ additive printing processes. The AM industry accounted for $5.165 billion of revenue in 2015. On top of that, 32.5 percent of all AM-generated objects end up used as functional parts, according to a Wohlers Report.

Such an attack could cost lives, cause economic loss, disrupt industry, and threaten a country’s national security.

Security a Business Enabler
“People tend to look at safety and security from a liability perspective,” said John Boville, Market Segment Manager at Schneider Electric. “But they are missing a great deal in terms of how many days or hours of downtime follow a cyberattack and related safety incidents. You also have to look at cost of the investigation, which in some places will close lines down until a root cause is found. All of that is lost productivity, and it can add up pretty quickly.”

“It is possible to use real time accounting methods to quantify the financial impact of these incidents,” he said. “We can help organizations develop cultures and implement measures to help improve safety and cybersecurity of their operations.”

That means manufacturers can focus on making product, while a third party can come in and protect the system and also help improve performance.

“It is inevitable. We are seeing people moving toward a service where a third party is monitoring your system, where they can do predictive maintenance and where they can tell you when someone is logging on to your system at two in the morning, which is unusual,” Williams said. “IT will pick it up on behavioral analysis. If someone is logged onto the control room and at a site a mile away at the same time, the service will pick that up and flag it. These tools are available and they are very good for an IT environment. For OT, I don’t think it will have the necessary skill set to keep up with the constant change in risk and threat. The industry is moving more toward services because it is only companies offering these services that have the resources and skill sets.”
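The two behaviors Williams describes, a logon at two in the morning and one account active in the control room and at another site at the same time, can be written as rules over authentication events. The Python below is an added example, not code from Schneider Electric or any monitoring service; the log format, the user and site names, and the 06:00 to 20:00 shift window are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events (assumed format): timestamp, action, user, site
SAMPLE_LOG = """\
2017-04-10T08:01:00 LOGIN  alice control-room
2017-04-10T08:30:00 LOGIN  bob   control-room
2017-04-10T09:15:00 LOGIN  alice remote-site
2017-04-10T12:00:00 LOGOUT alice control-room
2017-04-10T12:05:00 LOGOUT alice remote-site
2017-04-10T17:00:00 LOGOUT bob   control-room
2017-04-11T02:00:00 LOGIN  bob   control-room
2017-04-11T02:20:00 LOGOUT bob   control-room
"""

WORK_START, WORK_END = 6, 20  # assumed normal shift window, local hours


def detect(log, work_start=WORK_START, work_end=WORK_END):
    """Return alerts as (rule, user, timestamp, detail) tuples, in time order."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank lines and lines without four fields
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    alerts, active = [], {}  # active: user -> set of sites with an open session
    for ts, action, user, site in sorted(events):
        sites = active.setdefault(user, set())
        if action == "LOGIN":
            # Rule 1: logon outside the normal shift window
            if not work_start <= ts.hour < work_end:
                alerts.append(("off_hours", user, ts, site))
            # Rule 2: same account already has a session open at another site
            if sites - {site}:
                alerts.append(("concurrent_sites", user, ts,
                               ",".join(sorted(sites | {site}))))
            sites.add(site)
        elif action == "LOGOUT":
            sites.discard(site)
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, user, detail)
```
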

Whether it is through a simple television remote control, or a highly sophisticated assault, attacks are growing and becoming more prevalent. That means manufacturers have to make the time for security.


