PeerReview2_ProtectingManufacturingSystemsfromCyberAttacks0521.pdf

Protecting Manufacturing Systems
from Cyber Attacks

by James G. Barr
Copyright May, 2021 Faulk ner Information Services. All rights reserved.

Inside this report …

Introduction
Threat Landscape
Recommendations
Resource File

Introduction

[return to top of report]

While financial firms and other organizations that participate in our digital economy are all too familiar with
Internet-based threats, such as ransomware, APTs, and phishing, owing to the increased integration of operational
technology (OT) with information technology (IT), the manufacturing sector is being subjected, as never before, to
cyber exploits – attacks that not only threaten data but people, equipment, and other tangible assets.

NIST Manufacturing Profile

The US National Institute of Standards and Technology (NIST) was sufficiently concerned about the vulnerability of
manufacturing systems that they added a “Manufacturing Profile” to their “Cybersecurity Framework.” According

to NIST, the Profile “can be used as a roadmap for reducing cybersecurity risk for manufacturers.”1

Of specific concern for manufacturers are so-called Industrial Control Systems (ICS), a category that includes:

Supervisory Control and Data Acquisitions (SCADA) systems
Distributed Control Systems (DCS)
Programmable Logic Controller (PLC) systems

“An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, and pneumatic)

that act together to achieve an industrial objective [(e.g.,manufacturing)].”2

Beware Industry 4.0

Traditionally, manufacturing systems, including industrial control systems, were “closed”, i.e., not connected to
the Internet. While viruses swarmed over other elements of the enterprise information infrastructure, manufacturing
systems were safe. In recent years, however, the business pressure to “hook up” manufacturing systems – to
improve reporting, exert greater control, enable remote support, and even introduce artificial intelligence – has
produced a virtual merger of operational technology (manufacturing systems) with information technology
(information systems).

As described by IBM, in this new era, dubbed “Industry 4.0, “Manufacturers are integrating enabling technologies,
including [the] Internet of Things (IoT), cloud computing and analytics, and AI and machine learning into their

production facilities and throughout their operations.”3

Unfortunately, these new capabilities come with a cost as manufacturing systems increasingly fall prey to cyber
attacks.

Ransomware and Phishing

Of particular cyber concern are ransomware and phishing.

Analyst David Bisson reports that “The number of ransomware incidents involving the manufacturing sector
increased 156 percent between the first quarters of 2019 and 2020. Later in 2020, ransomware actors demanded
$17 million from a laptop maker and $34 million from a Taiwanese electronics contract company.

In addition to ransomware, phishing is a prominent threat. “One campaign that targeted manufacturers, among
others, was part of a larger effort to target the COVID-19 vaccine cold chain.” In addition to disrupting
manufacturing operations, phishing, in particular, is aimed at stealing identities and, ultimately, confidential or

proprietary data.4

The Overall Threat

The Department of Homeland Security (DHS) has declared that, based on the number of reported cyber attacks,
manufacturing is the second most targeted industry in the US. Worse still, as reported by VirtualArmour, “Smaller
manufacturers are more likely to be targeted than their larger counterparts because cyber criminals often view

them as easy entry points into larger manufacturing chains.”5

Complicating the sector’s response, analyst Megan Ray Nichols states that “Since manufacturing employees
aren’t used to seeing these threats, they may not know how to identify them. Without a company culture of

security, manufacturers may not know how to avoid these attacks.”6

Threat Landscape

[return to top of report]

While conventional cyber attacks normally threaten the loss or theft of sensitive data – such as employee or
customer personally identifiable information (PII) or proprietary product or marketing information – the
consequences of a successful cyber attack on a manufacturing facility can be considerably more dire, even
deadly.

As reported by NIST, the manufacturing chief security officer (CSO) and her staff are responsible for:

“[Maintaining] Environmental Safety – [Managing] cybersecurity risks that could adversely affect the
environment, including both accidental and deliberate damage. Cybersecurity risk on the manufacturing
system could potentially adversely affect environmental safety. Personnel should understand cybersecurity
and environmental safety inter-dependencies.
“[Maintaining] Human Safety – [Managing] cybersecurity risks that could potentially impact human
safety. Cybersecurity risk on the manufacturing system could potentially adversely affect human safety.
Personnel should understand cybersecurity and safety inter-dependencies.
“[Maintaining] Production Goals – [Managing] cybersecurity risks that could adversely affect production
goals. Cybersecurity risk on the manufacturing system, including asset damage, could potentially
adversely affect production goals. Personnel should understand cybersecurity and production goal inter-
dependencies.
“[Maintaining Product] Quality – [Managing] cybersecurity risks that could adversely affect the quality of

product. Protect against compromise of integrity of the manufacturing process and associated data.”7

These added elements – especially the potential impact of cyber attacks on environmental and human safety –
place a premium on erecting robust and reliable cyber defenses.

The State Actors

Further complicating the CSO’s mission is the threat posed by state actors. Perhaps the most famous example is
Stuxnet. Discovered in 2010, Stuxnet is a computer worm designed to covertly reprogram industrial control
systems. Stuxnet is believed to have contaminated centrifuge-controlling computers at one or more of Iran’s
nuclear enrichment sites, leading to speculation that Israel and/or the US may have been responsible for its
development and deployment.

With cyber warfare barriers, if any, removed, manufacturers must be on the alert for exploits originating in Iran,
Russia, China, North Korea, and other unfriendly nation-state sources.

Manufacturing Cybersecurity Objectives

To properly protect manufacturing systems from cyber attacks, NIST recommends organizing cybersecurity
initiatives around the following eight objectives.

PR.DS-1: “Protect manufacturing system information determined to be critical while at rest.

PR.DS-2: “Protect manufacturing system information determined to be critical when in transit. Implement
cryptographic mechanisms where determined necessary to prevent unauthorized access, distortion, or
modification of system data and audit records.

PR.DS-3: “Implement automated mechanisms where safe and feasible to maintain an up-to-date,
complete, accurate, and readily available inventory of manufacturing system components. Ensure that
disposal actions are approved, tracked, documented, and verified.

PR-DS-4: “Protect the manufacturing system against, or limit the effects of, denial of service attacks.

PR-DS-5: “Regulate the information flow within the manufacturing system and to outside systems.
Enforce controls restricting connections to only authorized interfaces. Heighten system monitoring activity
whenever there is an indication of increased risk to manufacturing operations and assets. Protect the system from
information leakage due to electromagnetic signals emanations.

PR-DS-6: “Implement automated tools where feasible to provide notification upon discovering
discrepancies during integrity verification. Implement automatic response capability with predefined security
safeguards when integrity violations are discovered.

PR-DS-7: “Implement an off-line development and testing system for implementing and testing changes
to the manufacturing system.

PR-DS-8: “Implement hardware integrity checks to detect unauthorized tampering (e.g. tamper evident
tape or labels, computer port protection, power-on self-tests, etc.) to manufacturing system hardware
determined to be critical. Incorporate the detection of unauthorized tampering to the manufacturing system

hardware into the organization incident response capability.”8

Recommendations

[return to top of report]

As the crucial first steps in protecting manufacturing systems from cyber attacks:

Integrate and Harmonize OT and IT Security

As operational technology and information technology converge, it’s vital to establish a single, consistent security
strategy, entrusted to the leadership of one individual, the CSO.

Where OT and IT security practices diverge, such as the frequency of applying security patches, best practices
should be identified and universally implemented. This will not only improve security, including cybersecurity, but
security administration.

Separate the OT and IT (Corporate) Networks

Analyst David Bisson advises manufacturers to “Segment your network in a way that cuts down on risk – to
legacy systems most of all – but still allows IT and OT to work together. These segments then give teams smaller
sections within which they can implement network access controls along with network monitoring in order to

defend against ransomware, phishing and other digital threats.”9

NIST concurs, adding “When designing a network architecture for an ICS deployment, it is usually recommended
to separate the ICS network from the corporate network. If ICS network traffic is carried on the corporate network,
it could be intercepted or be subjected to [Distributed Denial of Service (DDoS)] or Man-in-the-Middle attacks.”

As a bonus, “By having separate networks, security and performance problems on the corporate network should

not be able to affect the ICS network.”10

In those cases – perhaps the growing majority – where OT and IT are already intertwined, the CSO should prepare
and execute a plan to untangle them, being careful not to disrupt critical business functions in the process.

Conduct Comprehensive OT and IT Penetration Tests

While there is no guarantee that an OT/IT system is immune to cyber attacks, the viability of a manufacturer’s
cyber defenses can – and should – be tested through sanctioned hacking attempts, a process called “penetration

testing” or “pen testing.”11

Penetration testing is the practice of deliberately attempting to circumvent a company’s security and invade its
systems and networks. The goal is to discover any flaws or vulnerabilities in that security and, if necessary, fix
them. Testing is typically performed by outside security companies who then present a comprehensive report
detailing whether intrusion was possible and how any intrusion was accomplished, along with recommendations
on correcting problems.

The people conducting the intrusion tests are known as ethical hackers, or white hats. They use the techniques
and tools of the criminal hacker, or black hat, to break into customers’ networks and then help the customer

devise defenses against those intrusions.12

Expand IT Incident Response to Encompass OT

Protecting manufacturing systems from cyber attacks involves not only augmenting cyber defenses – especially
Internet of Things (IoT) defenses – but also the cybersecurity ecosystem. This larger mission includes updating the
enterprise:

Incident Response Plan – to account for a potentially disabled industrial control system, and the impact of
a downed ICS on manufacturing operations and customers;
Continuity Plan – to provide for the rapid recovery of manufacturing operations in the wake of an
ICS failure; and
Cybersecurity Plan – to better detect and deter future cyber attacks.

Resource File

[return to top of report]

ASIS International: http://www.asisonline.org/
Continuity Central: http://www.continuitycentral.com/

http://www.asisonline.org/

http://www.continuitycentral.com/

International Organization for Standardization: http://www.iso.org/
SANS Institute: http://www.sans.org/
US National Institute of Standards and Technology: http://www.nist.gov/

References

1 Keith Stouffer, Timothy Zimmerman, CheeYee Tang, Michael Pease, Joshua Lubell, Jeffrey Cichonski, and John
McCarthy. NISTIR 8183: “Cybersecurity Framework Version 1.1 Manufacturing Profile.” Revision 1. National
Institute of Standards and Technology. October 2020:v.

2 Ibid. p. 3.

3 “What Is Industry 4.0?” IBM. 2021.

4 David Bisson. “Manufacturing Cybersecurity Threats and How To Face Them.” IBM. February 19, 2021.

5 “Cybersecurity for the Manufacturing Industry, What You Need to Know Now.” VirtualArmour. April 6, 2020.

6 Megan Ray Nichols. “Five Reasons Modern Manufacturing Needs Cybersecurity.” EuroScience. August 31,
2020.

7 Keith Stouffer, Timothy Zimmerman, CheeYee Tang, Michael Pease, Joshua Lubell, Jeffrey Cichonski, and John
McCarthy. NISTIR 8183: “Cybersecurity Framework Version 1.1 Manufacturing Profile.” Revision 1. National
Institute of Standards and Technology. October 2020:8.

8 Ibid. pp. 28-30.

9 David Bisson. “Manufacturing Cybersecurity Threats and How To Face Them.” IBM. February 19, 2021.

10 Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn. NIST SP 800-82,
Revision 2: “Guide to Industrial Control Systems (ICS) Security.” National Institute of Standards and Technology.
May 2015:5-1.

11 “Cybersecurity for the Manufacturing Industry, What You Need to Know Now.” VirtualArmour. April 6, 2020.

12 “Penetration Testing and Ethical Hacking.” Faulkner Information Services. October 2019.

About the Author

[return to top of report]

James G. Barr is a leading business continuity analyst and business writer with more than 30 years’ IT
experience. A member of “Who’s Who in and Industry,” Mr. Barr has designed, developed, documented,
and deployed business continuity plans for a number of Fortune 500 firms. He is the author of several books,
including How to Succeed in BY Really Trying, a member of Faulkner’s Advisory Panel, and a senior
editor for Faulkner’s Security Management Practices. Mr. Barr can be reached via e-mail at
[email protected].

Site content copyright 2021, Faulkner Information Services. All rights reserved.
Return to Security Management Practices Home

http://www.iso.org/

http://www.sans.org/

http://www.nist.gov/

mailto:[email protected]

http://www.faulkner.com/

http://www.faulkner.com/products/securitymgt/default.asp