Plant manager Chuck Langela has been proud of how far his food processing company has come in recent years migrating to smart technologies. Management supported investments in sensors and machines that gather and share data with plants all over the United States via the cloud so his and other teams can access that information to make real-time decisions to maximize efficiency.
Unfortunately, while expanding into smart manufacturing, management neglected to update their network security defenses. The firm fell victim to a hacker who caused considerable downtime and intellectual property losses that also affect their customers.
For all the benefits smart manufacturing can offer, it also requires a more comprehensive approach to security. Seamless connectivity and smart devices are the catalysts to smart manufacturing — but they can also be a conduit for security threats.
The growing use of widely available technologies in industrial control systems and the growth of more connected, information-enabled enterprises inherently increases security risks, and with it the responsibilities of control system providers and users alike.
What Converging IT/OT Does
Historically, industrial control systems used proprietary technologies and were generally segregated from the information systems at most companies. The systems were largely incompatible and the commercial technologies that were used in office spaces simply didn’t fit the requirements of control systems.
As commercial technologies advanced in recent decades, they were adapted for use in control systems, improving costs, compatibility and ease of use. With these improvements, connectivity between systems became simpler and increasingly demanded by users.
Bringing together enterprise-level IT and plant-level operations technology (OT) into a common infrastructure creates more opportunities to improve operations, but without proper cybersecurity hygiene may also provide increased opportunities for cyber-attacks against industrial control system equipment.
Such attacks, if successful, can have severe impact on worker, environmental and product safety, intellectual property, reputation and productivity. And attacks on control systems have increased dramatically in recent years. Global cyber-attacks — like WannaCry and Petya — affected thousands of targets and networks around the world.
Leading industrial control system providers constantly test products and review applications to identify and remediate vulnerabilities in products. Disclosing remediated vulnerabilities through patch and version management helps protect against cyberattacks.
Mitigating Security Threats with Network Segmentation
An open and unsegmented network is a gift to cyberattackers. Once an attacker finds and exploits the most vulnerable point of entry, it can turn into a “kid-in-a-candy-shop” scenario: they may be able to pivot and easily reach a larger part of the network and potentially anything connected to it — from product designs or recipes, to machine controls, to company finances.
It’s not only external threats that pose a danger on an unsegmented network. Internal threats, whether it’s a disgruntled employee or human error such as an incorrect system change, also can wreak havoc when there are no network boundaries or access limitations.
This is why network segmentation should be part of every company’s industrial security strategy. Network segmentation separates your network into multiple smaller networks and allows you to establish zones of trust. This can help limit the access of outside security threats and contain any damage they cause. It can also help give employees and business partners access to only the data, assets or applications they need.
Virtual LANs (VLANs) are most commonly associated with network segmentation. These are broadcast domains that exist within a switched network. They allow you to segment your network logically — such as by function, application or organization — instead of physically.
VLANs can secure devices and data in two ways. First, you can block devices in certain VLANs from communicating with devices in other VLANs. Second, you can use a Layer-3 switch or router with security and filtering functionality to help protect the communications of devices that do talk to each other across VLANs.
While VLANs are an important part of segmentation, they’re only one solution. You could also use other segmentation methods across different levels of your network architecture.
One example is the use of an industrial demilitarized zone (IDMZ). It creates a barrier between the enterprise and manufacturing or industrial zones. All traffic between the two zones terminates at this barrier while still allowing data to be securely shared.
Other segmentation methods to consider using include access control lists (ACLs), firewalls, virtual private networks (VPNs), one-way traffic restrictors and intrusion prevention and detection systems (IPS/IDS).
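The segmentation building blocks above (VLANs mapped to trust zones, an IDMZ between the enterprise and industrial zones, and Layer-3 ACLs with a default-deny inter-zone policy) can be expressed as a small policy check. The following is an added example, not code from the article or from Rockwell Automation: it models a hypothetical addressing plan, evaluates constructed flow records against the zone policy, and reports the flows that bypass the IDMZ, the kind of review a defender would run over exported firewall or NetFlow data. All subnets, VLAN numbers, ports and flows are made-up sample values.

```python
"""Zone-based segmentation check for a converged IT/OT network (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# VLAN -> (trust zone, subnet).  Hypothetical addressing plan.
VLANS = {
    10: ("enterprise", ip_network("10.10.0.0/16")),
    20: ("idmz",       ip_network("10.20.0.0/24")),
    30: ("industrial", ip_network("10.30.0.0/16")),   # controllers, HMIs
    31: ("industrial", ip_network("10.31.0.0/16")),   # plant-floor sensors
}

# Inter-zone allow rules: (src zone, dst zone) -> permitted destination ports.
# Anything not listed is denied, so every enterprise<->industrial exchange
# has to terminate at a service hosted in the IDMZ.
ALLOW = {
    ("enterprise", "idmz"): {443},     # enterprise users reach the IDMZ data mirror
    ("industrial", "idmz"): {443},     # plant systems push data up to the IDMZ broker
    ("idmz", "industrial"): {44818},   # IDMZ-hosted service polls controllers (EtherNet/IP)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[Tuple[int, str]]:
    """Return (vlan, zone) for an address, or None if it is not in the plan."""
    addr = ip_address(ip)
    for vlan, (zone, net) in VLANS.items():
        if addr in net:
            return vlan, zone
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Classify a flow as ('allow' | 'deny', reason) under the zone policy."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "deny", "unknown address outside the VLAN plan"
    (src_vlan, src_zone), (dst_vlan, dst_zone) = src, dst
    if src_vlan == dst_vlan:
        return "allow", f"intra-VLAN {src_vlan}"
    if src_zone == dst_zone:
        # Same trust zone, different VLAN: routed by a Layer-3 switch under an ACL.
        return "allow", f"intra-zone {src_zone} via L3 ACL"
    ports = ALLOW.get((src_zone, dst_zone))
    if ports and flow.dport in ports:
        return "allow", f"{src_zone}->{dst_zone} permitted on port {flow.dport}"
    if {src_zone, dst_zone} == {"enterprise", "industrial"}:
        return "deny", "bypasses the IDMZ"
    return "deny", f"{src_zone}->{dst_zone} not in policy"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the denied flows with their reasons, for analyst review."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records, as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443),    # enterprise -> IDMZ: allowed
    Flow("10.20.0.10", "10.30.1.5", 44818),   # IDMZ -> controller: allowed
    Flow("10.10.5.23", "10.30.1.5", 44818),   # enterprise -> controller directly: denied
    Flow("10.30.1.5", "10.31.2.9", 502),      # two industrial VLANs: allowed via L3 ACL
    Flow("10.31.2.9", "10.10.7.1", 445),      # plant sensor -> enterprise file share: denied
    Flow("192.0.2.7", "10.30.1.5", 44818),    # address outside the plan: denied
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The policy is deny-by-default on purpose: the only way to add a path between the enterprise and industrial zones is to add an explicit rule, and any rule that pairs those two zones directly would be visible in review. In a real deployment the same logic lives in the Layer-3 switch ACLs and the IDMZ firewall; a script like this is useful for checking exported flow data against the intended design.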
Cyber Hygiene for Food Manufacturers
Food manufacturers are reaping benefits from the convergence of operations and information technology — through increased yields and deeper, real-time insight into key performance indicators (KPIs).
However, providing access to information changes the threat landscape for food manufacturers. This territory is shaped by malicious hackers, as well as by well-intentioned employees who are all too often unaware of the impact of their seemingly everyday actions. The resulting dangers range from product contamination to loss of intellectual property.
The good news is that food and beverage companies are getting better at basic cyber hygiene. That approach starts with not just understanding what is connected on your plant floor, but understanding its attack surface. In other words, what are those assets’ vulnerabilities? Then use that knowledge to patch them.
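The hygiene loop described here (know what is connected, know its attack surface, then patch) can be turned into a routine check. The script below is an added example, not code from the article or from any vendor: it compares a constructed plant-floor inventory against a constructed baseline of minimum fixed firmware versions, flags assets that are below baseline or have no baseline at all, and ranks them by how widely they are reachable. Product names, versions and the exposure weights are hypothetical; real baselines come from each vendor's own vulnerability disclosures, and the version parser assumes dotted numeric versions.

```python
"""Plant-floor asset inventory versus a patch baseline (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed inventory: one entry per device discovered on the plant network.
INVENTORY = [
    {"name": "mixer-plc-01",   "product": "ctrl-a",    "version": "20.11",
     "zone": "industrial", "exposed_to": ["idmz"]},
    {"name": "fill-hmi-02",    "product": "hmi-b",     "version": "10.00.1",
     "zone": "industrial", "exposed_to": ["idmz", "enterprise"]},
    {"name": "oven-plc-03",    "product": "ctrl-a",    "version": "21.01",
     "zone": "industrial", "exposed_to": []},
    {"name": "label-print-04", "product": "printer-z", "version": "3.2",
     "zone": "industrial", "exposed_to": ["enterprise"]},
]

# Constructed baseline: product -> minimum firmware version carrying the
# vendor's remediated fixes.  Products with no entry are flagged, not ignored.
BASELINE: Dict[str, str] = {
    "ctrl-a": "21.00",
    "hmi-b":  "10.01.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.00.1' into (10, 0, 1) so versions compare numerically.
    A plain string comparison would rank '9.5' above '10.0'."""
    return tuple(int(part) for part in v.split("."))


def needs_patch(product: str, version: str) -> Optional[bool]:
    """True if below baseline, False if at or above it, None if no baseline is known."""
    minimum = BASELINE.get(product)
    if minimum is None:
        return None
    return parse_version(version) < parse_version(minimum)


def exposure_score(asset: dict) -> int:
    """Rough reachability rank: assets reachable from the enterprise zone
    present the widest attack surface and get patched first."""
    weights = {"enterprise": 2, "idmz": 1}
    return sum(weights.get(zone, 0) for zone in asset["exposed_to"])


def patch_report(inventory: List[dict]) -> List[Tuple[str, str, int]]:
    """Return (asset name, status, exposure) for every asset needing attention,
    most exposed first.  status is 'patch' or 'no-baseline'."""
    findings = []
    for asset in inventory:
        status = needs_patch(asset["product"], asset["version"])
        if status is True:
            findings.append((asset["name"], "patch", exposure_score(asset)))
        elif status is None:
            findings.append((asset["name"], "no-baseline", exposure_score(asset)))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for name, status, exposure in patch_report(INVENTORY):
        print(f"{name:16} {status:12} exposure={exposure}")
```

Treating "no baseline" as a finding rather than silently skipping the asset is the point of the attack-surface step: a device nobody has a patch baseline for is one whose vulnerabilities nobody is tracking.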
Digital transformation provides an advanced network backbone, which minimizes security risks while supporting scalable execution, analytics and supply-chain connectivity. As such, an investment in Industrial Internet of Things (IIoT) technologies is compelling because it delivers insights that improve performance now, while also implementing a security architecture.
The digital journey of our customer, Hamlet Protein, provides a great example of how a successful transformation occurs.
Hamlet Protein, Inc. is a mid-sized company in Denmark that develops and manufactures soy-based functional ingredients for use in animal feeds. The company has identified seven key steps crucial to the success of their digital transformation:
1. Create and socialize a shared company vision among C-level stakeholders.
2. Establish a steering committee.
3. Partner with a technology provider who understands and supports your overall business objectives.
4. Carefully and completely assess your company’s operations to develop an unvarnished picture of strengths, gaps and opportunities.
5. Conduct a value workshop to secure buy-in and evaluate potential gains against the picture developed in step 4.
6. Develop and socialize a comprehensive plan and schedule.
7. Establish an infrastructure for change management and inter-company communication.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.