Locking Down the Factory Floor
New cybersecurity tools and techniques for cloud-based manufacturing software show promise in the fight to secure critical factory-floor data and machinery
Cybersecurity casts a long shadow over networks of all kinds, from banking and retail businesses to government, energy, healthcare, utilities, and large-scale industrial manufacturing operations. Hardly a day passes without dire headlines warning of the latest consumer, commercial or government data breaches over the Web, as clever hackers employ myriad phishing schemes, viruses and malware that exploit corporate network vulnerabilities and, quite often, the gullibility of users unaware of cybersecurity dangers. With more factory assets getting connected to the Web, particularly with the coming explosion of
Hack attacks on industrial manufacturing networks have been rarer, with the highest-profile case being the Stuxnet worm that infected the industrial equipment controlling Iranian nuclear centrifuges about five years ago. Since the attack, it has been widely speculated that it was the result of work by the US and
More recently, a German steel manufacturing plant's operation was severely hampered last year and shut down after cyber thieves breached its security defenses. The German steel mill's blast furnace was compromised by malicious code that entered the network through the company's business systems, causing an eventual plant shutdown.
Connected Factories' Vulnerability
As manufacturers move toward more-connected factory systems, there's even greater demand for highly secure systems to keep hackers away from manufacturing networks' wealth of IP data and mission-critical plant-floor equipment. "In the lifecycle of product development, there is a wide range of systems, and a lot of the elements along that chain were not designed for security," said
The task of securing industrial networks is complicated by the sheer volume of newly connected machines. Machine tool builders and machine control suppliers have embraced newer technologies like the open-architecture MTConnect XML-based standard for machine tool data exchange on the shop floor, connecting machines and gathering much greater volumes of manufacturing data to leverage the goldmine of process metrics coming off the shop floor (see "Why Manufacturing Needs Data Collection" in the
Industrial cyber attacks have largely flown under the radar, without garnering the widespread reporting required for those on financial, government and other targets. "Most manufacturing companies are not required to publish information about cyber attacks. However, the
"Aside from technological gaps, an important issue in industrial control systems [ICS] cybersecurity is the general lack of awareness," Sivaraman said. "A lack of awareness of potential attack can lead to reduced investment on early detection and protection. This results in limited information about whether or not an attack actually occurred and the resulting impact."
Leveraging Cloud Advantages
In many cases, moving to cloud-based solutions offers organizations an edge in factors including lowered costs, speed of deployment and software design. Cloud software also can offer benefits in the cybersecurity realm, especially in costs and cloud optimization.
"Cloud-based software and related network technology enable more secure transmission of design data and status information," Sivaraman said. "The likelihood of successful attacks that have the goal of stealing IP [intellectual property] can be reduced if the data is encrypted. Attacks that aim to disrupt operations, for instance by injecting false data or instructions, similarly can be reduced with encryption and other protection. With cloud-based software and good security controls, the confidentiality and integrity of design and production data can be improved.
"In general, Industrial Security solutions require a holistic approach based on different protection layers," Sivaraman said. "These involve plant security, network security, and maintaining system integrity." Plant security includes physical access to plant and industrial controls equipment, security policies and processes, and security awareness, he added. "Network security deals with the protection of automation components based on segmented production networks, secure separation of production and office networks, and the use of security cells/zones concepts."
Costs are a major factor in cloud systems' favor, particularly for any smaller to medium-sized manufacturing operation looking to secure its systems in the cloud.
"I do think cloud computing can help," said DMDII's Barkley. "A lot of people have misgivings about cloud, but by and large I think the cloud industry is taking care of that. The cool thing about the cloud is it allows for virtualization of a lot of services. That's the elastic sort of element to it, and it gives us new ways to disrupt hackers."
The flexibility of the cloud gives users a real advantage, Barkley added, in dealing with the "advanced persistent threats" that can occur in cybersecurity breach attempts. "If you can rapidly switch IP addresses or networks, you disrupt that cycle," Barkley said.
Lower costs of the cloud systems play a huge role, especially with a lot of the small to medium-sized mom-and-pop shops, he added. "They typically don't have the capital to afford the top-end enterprise software suites, which can be pretty expensive, when you add in the costs of service, which often account for a larger share of the total cost of ownership of the lifecycle of use than the initial purchase price of the software."
Open-Source Solutions
To counter the cost barrier, DMDII has an open project call, the DMDII-15-13 Cyber Security for Intelligent Machines, offering up to
"We want to provide affordable tools," Barkley said. "Many may be more of a SaaS [Software-as-a-Service] type: low cost, one-time pass, mostly automated." The open-source software will aim to provide more of an "a la carte" type of approach to cybersecurity, to remove the cost burden from shops that typically can't afford enterprise-scale software projects.
Affordable solutions for cloud computing are critical for smaller manufacturers looking to secure their networks.
Manufacturers like Lockheed or
"The small manufacturers really don't have the ability to employ large systems," said
CTC is helping small manufacturers with assessment tools for determining the best cybersecurity systems to fit their needs, he added, using the NIST Cybersecurity Framework as a model. "I really think that's a question that every manufacturer needs to answer," Glavach said. "Number one, you have to figure out what are your most important assets."
Cloaking Your Cloud Assets
Among the more promising new applications is an open-source cloud version of the Software Defined Perimeter (SDP), a "Black Cloud" system that hides data from hackers, developed by cyber and digital risk management consultant
While not quite a Star Trek Romulan cloaking device,
"If you look at the grand security practices that have come out from NIST and other agencies, they require patching, updating and monitoring systems at the infrastructure layer," said
"Ultimately the security has to be implemented at all layers of the network stack, all the way from your wires to the user interface in the application," Koilpillai said, "and that's what the Software Defined Perimeter is all about. It's actually a very new approach to protecting network applications. The model is set up so that only TCP [Transmission Control Protocol] connections from authorized connections are allowed, and the perimeter also issues the user-level access at the port and protocol level after user authentication, and that way connections cannot be recast or hijacked."
The layer that validates and authenticates users and devices is hidden from potential network intruders, she noted. "It's able to bring all that together to communicate with a server that's literally hidden behind a firewall, and the firewall is only open when the user requests access. There's a pinhole punched through the firewall, the communication's performed, and then shut down. So the server is completely hidden from all network scanning and the common kind of efforts that are done by hackers initially to start looking for what they can hack."
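The access sequence Koilpillai describes (authenticate first, then open a pinhole for that client on the requested port and protocol only, then close it) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the article or from any SDP project; the user store, entitlement table, 30-second pinhole lifetime, token scheme and IP addresses are all constructed for the demo. A production SDP controller would use stronger mechanisms such as single-packet authorization and mutual TLS, which this model does not attempt.

```python
"""Toy model of a Software Defined Perimeter (SDP) gateway.

Added example, not vendor code. It models the behaviour described in the
article: the protected server is invisible to unauthenticated scans, a
client first authenticates to the perimeter, the gateway then opens a
short-lived "pinhole" for that client's source address and the requested
port/protocol only, and the pinhole closes again on its own.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def _hash_pw(salt: bytes, password: str) -> bytes:
    # Demo hash only; a real deployment would use argon2/bcrypt/scrypt.
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user database: username -> (salt, hash).
_SALT = b"demo-salt"
USERS = {"operator": (_SALT, _hash_pw(_SALT, "correct horse battery staple"))}

# Constructed entitlements: which (port, protocol) each user may reach.
ENTITLEMENTS = {"operator": {(443, "tcp")}}

PINHOLE_TTL = 30.0  # seconds a pinhole stays open after it is granted


class SDPGateway:
    """Default-deny firewall in front of a hidden server."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now
        # Open pinholes: (src_ip, port, proto) -> expiry timestamp
        self._pinholes: Dict[Tuple[str, int, str], float] = {}
        # Single-use tokens issued after authentication: token -> (user, src_ip)
        self._tokens: Dict[str, Tuple[str, str]] = {}

    def authenticate(self, user: str, password: str, src_ip: str) -> Optional[str]:
        """Step 1: the controller validates the user; returns a token or None."""
        rec = USERS.get(user)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(_hash_pw(salt, password), expected):
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = (user, src_ip)
        return token

    def request_access(self, token: str, src_ip: str, port: int, proto: str) -> bool:
        """Step 2: punch a pinhole for this source, port and protocol only."""
        entry = self._tokens.pop(token, None)  # tokens are single use
        if entry is None:
            return False
        user, bound_ip = entry
        if bound_ip != src_ip:  # a token cannot be replayed from another host
            return False
        if (port, proto) not in ENTITLEMENTS.get(user, set()):
            return False
        self._pinholes[(src_ip, port, proto)] = self._now() + PINHOLE_TTL
        return True

    def packet_allowed(self, src_ip: str, port: int, proto: str) -> bool:
        """Data path: drop everything except traffic through a live pinhole."""
        expiry = self._pinholes.get((src_ip, port, proto))
        if expiry is None:
            return False
        if self._now() > expiry:
            del self._pinholes[(src_ip, port, proto)]  # pinhole has closed
            return False
        return True


def demo() -> Dict[str, object]:
    """Walk through scan -> authenticate -> pinhole -> expiry on a fake clock."""
    clock = [1000.0]
    gw = SDPGateway(now=lambda: clock[0])
    results: Dict[str, object] = {}
    client, scanner = "198.51.100.7", "203.0.113.9"  # constructed addresses
    good_pw = "correct horse battery staple"
    # An unauthenticated scanner sees nothing on any port.
    results["scan_before_auth"] = any(
        gw.packet_allowed(scanner, p, "tcp") for p in (22, 80, 443, 8080))
    # Wrong password: no token, so no pinhole can ever be requested.
    results["bad_password"] = gw.authenticate("operator", "wrong", client)
    # A token is bound to the authenticating host and to entitled ports only.
    token = gw.authenticate("operator", good_pw, client)
    results["replay_from_other_ip"] = gw.request_access(token, scanner, 443, "tcp")
    token = gw.authenticate("operator", good_pw, client)
    results["unentitled_port"] = gw.request_access(token, client, 22, "tcp")
    token = gw.authenticate("operator", good_pw, client)
    results["pinhole_granted"] = gw.request_access(token, client, 443, "tcp")
    results["client_allowed"] = gw.packet_allowed(client, 443, "tcp")
    results["scanner_still_blocked"] = gw.packet_allowed(scanner, 443, "tcp")
    clock[0] += PINHOLE_TTL + 1  # let the pinhole expire
    results["allowed_after_expiry"] = gw.packet_allowed(client, 443, "tcp")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of `demo()` is that the firewall state never contains a rule for the scanner: before, during and after the authorized session, packets from an address that has not authenticated are dropped, which is the "completely hidden from all network scanning" property described above.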
For most manufacturing operations, handling these cybersecurity tasks is difficult and time-consuming. "You have to make a lot of smart decisions based on your application," Koilpillai said. "We feel that there's a need for this."
The company is collaborating on the open-source version with the
Securing, Testing the Cloud
As cloud-based enterprise software has proliferated and become more popular for cost savings and other reasons, questions have arisen about whether cloud-hosted assets are as secure as the on-premises versions of enterprise software. But many experts believe cloud software has many distinct advantages over on-premises software, including security.
"It's pretty clear that attacks happen regularly," said
Securing cloud applications is a top priority, Hurley said, and KeyedIn employs high-end security from third-party supplier Dimension Data to lock down its ERP customers' data. "You walk into some installations and it's almost like a prison; some of these facilities use biometrics to enter," Hurley said.
Cloud applications, properly executed, can offer users more effective security than some on-premises installations. "In some cases in an on-premises facility, people are busy doing other things; maybe security's not the main priority, or they missed a security patch, maybe they're not doing a denial of service security, or the software's not the best from a security standpoint," Hurley said. "Some of these software systems can be 10, 15, 20 years old. Any of those factors could put your on-premises systems at risk."
With KeyedIn Manufacturing, users get an ISO 2700-compliant SaaS application, and KeyedIn makes sure its customers follow up on security policies, Hurley added. Customers' data also is segregated from other customer data, and even within the client companies themselves, added
"There's only a very small number of people here that can touch the data," Leghorn said. With KeyedIn applications, customers also use two-step authentication, which bolsters security levels. "Typically we don't re-authenticate within the session," Leghorn added. "Your client administrators are in charge of that. They can have the confidence that no one can break in, because it's your weakest point in your chain."
For cloud-based PLM software developer Arena Solutions (
In addition to multiple firewalls, Arena offers users dynamic access control, allowing administrators to have a very limited number of people who can access information, Ma said. "From the beginning, we do multiple firewalls. It's a combination of hardware and software," he said.
Arena PLM's security model features Secure Sockets Layer (SSL) encryption, and username and password verification is provided by a hardened authentication service maintained separately from the main application service. Arena offers customers IP-based access restriction as an option, as well as a two-step authentication option, and its data-security settings are the strongest currently supported by browsers, using a 2048-bit RSA public key and up to 256-bit encryption.
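The controls listed for KeyedIn and Arena above (an encrypted connection, a separate password check, an optional per-customer IP allowlist and a second authentication step) compose naturally into one login gate. The Python below is an added example for this page, not Arena's or KeyedIn's code: the policy layout, user record, source addresses and password are constructed, and the second step is implemented as a time-based one-time password per RFC 6238 (HMAC-SHA1, 30-second step, six digits) using the RFC's own test key so the codes can be checked against the published vectors.

```python
"""Login gate combining the controls described in the article: TLS required,
an optional per-customer IP allowlist, a password check and a TOTP second
step (RFC 6238). Added example; every record and address is constructed."""
import base64
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(for_time // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * 30), code)
        for drift in range(-window, window + 1)
    )


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record. The TOTP secret is the RFC 6238 test key
# "12345678901234567890" in base32, chosen so the codes are verifiable.
_SALT = b"constructed-salt"
USERS = {
    "maria": {
        "pw_hash": _pw_hash(_SALT, "correct horse battery staple"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}

# Constructed tenant policy: an empty allowlist means no IP restriction.
TENANT_POLICY = {
    "allowed_cidrs": ["198.51.100.0/24"],
    "require_second_step": True,
}


def authorize(user: str, password: str, totp_code: Optional[str], src_ip: str,
              tls: bool, now: float, policy: dict = TENANT_POLICY) -> Tuple[bool, str]:
    """Evaluate every control in order; the reason string is meant for audit logs."""
    if not tls:
        return False, "plaintext connection rejected"
    cidrs = policy["allowed_cidrs"]
    if cidrs and not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c)
                         for c in cidrs):
        return False, "source address not in customer allowlist"
    rec = USERS.get(user)
    # Always compute the hash so unknown-user and wrong-password paths take similar time.
    candidate = _pw_hash(_SALT, password)
    if rec is None or not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False, "bad credentials"
    if policy["require_second_step"]:
        if totp_code is None or not verify_totp(rec["totp_secret"], totp_code, now):
            return False, "second step failed"
    return True, "ok"


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 test time; the SHA-1 code at this step is 081804
    print(authorize("maria", "correct horse battery staple", "081804",
                    "198.51.100.20", True, t))
    print(authorize("maria", "correct horse battery staple", "081804",
                    "203.0.113.5", True, t))
```

The ordering matters for what an attacker learns: the transport and allowlist checks reject before any credential is examined, so a request from outside the customer's address range gets no signal about whether the username or password was right.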
Vigilance Required
Keeping hackers at bay requires not only innovation in cloud-based designs, but also vigilance by cloud users. Performing penetration tests on cloud network security is a must in today's world, and these tests are best done by a third party, Ma said. "We go through a penetration test with a third party, which involves an application test and a network test," he said. "The third party actually sets it up, but we pre-write it and then nobody knows when it will happen." The company usually does the network tests at least once a year.
"We do our pen testing with a third-party IT security consultancy," said KeyedIn's Leghorn. "They test the code, the system and the SQL database, and the firewall itself. What ports are open? What they can discover about your system is important, because for hackers, this is their day job: understanding what people can do. It provides useful information and you have to do this on a regular basis, at least annually."
With its pen tests, KeyedIn's policy is to share that information under non-disclosure agreements with clients, Leghorn added. "You don't want to give anything away. As a policy, we don't allow the clients to do the pen testing, for the protection and stability of the entire service."
"Even on the modern controllers, security is not adequate."
Arena Solutions
650-513-3500 / arenasolutions.com
800-CTC-4392 / ctc.com
DMDII/UILABS
312-281-6839 / http://dmdii.uilabs.org/
888-960-5470 / keyedin.com
800-SIEMENS (800-743-6367) / http://www.siemens.com/businesses/us/en/digital-factory.htm
800-401-5180 / waverleylabs.com
Senior Editor