Smart Machines & Factories
Tackling cyber security
Published: 02 February, 2017

With a number of high profile hacks to manufacturing and processing businesses, and with widely reported vulnerabilities discovered in known-brand industrial controllers, it has become increasingly clear that the fully networked production environments and connected machinery that will be a dominant feature of the smart factory of the future are all too vulnerable to cyber-attack, and therefore attractive to hackers. Smart Machines & Factories reports.

The road map from the isolated control systems of the past to the interconnectivity and integrated processes that will define the smart factory and Industry 4.0 systems of the future opens up a host of opportunities for improved productivity, greater flexibility and ultimately increased profitability. But at the same time the growing reliance on networked technologies, cloud-based data storage and remote systems access open up businesses to whole new levels of security threats.

With standalone, isolated control architectures, points of access were finite and the risk of outside attack minimal. That’s not to say operational technology (OT) was a no-risk environment, but certainly it was a low-risk environment, with an ‘attack’ on the control system much more likely to be a well-intentioned technician trying to tweak some control software and making a critical error.

Today we are moving towards control systems where the operational technology is directly connected to the IT environment, with increased data flow – and access to that data – throughout an enterprise hierarchy and beyond into the outside world. And as we march towards the paradigm of Industry 4.0, and architecture complexity increases exponentially, there is the potential for every point on the network to be vulnerable to attack.

We can see, then, that as the complexity of smart factory architecture increases, so the importance of security policy grows. And yet while detected security incidents have grown at a compound annual rate of 66% since 2009, annual business spend on cyber security is increasing at just 5-10% per year.

Recent well-publicised attacks on the likes of Yahoo (affecting over 500 million accounts), MySpace (affecting 360 million people), LinkedIn (117 million people) and many others have certainly brought cyber security to the fore as an issue, but the potential for attacks on industrial control systems takes cyber threats to a whole new level. There is the very real risk not just of financial loss or reputation damage, but also of the added potential to destroy equipment, threaten national security, and even endanger human life.

IT and OT interconnectivity

Problems begin within the IT space, and threaten control systems because of the interconnectivity between IT and OT systems. The IT environment itself within a business may be reasonably well protected, but that protection often does little to prevent a threat transiting along the conduit of the IT system and into the OT environment – exactly the path an attack on a smart factory operation would be expected to take. And the risk certainly isn’t helped by the fact that IT and OT are frequently still separate departments within a business, often with very little cooperation or useful interaction from a cyber security point of view.

So while there is a significant focus on IT network security measures, end-point security (at machine control level) is a growing requirement in the industrial space. As the market grows, and as industrial systems interconnectivity and remote connectivity increases, so the risk is growing. Indeed, the number of connected nodes is growing far faster than security measures can keep up.

But while the attack surface is ever-increasing, security issues are still not being given the priority they deserve. Even in the most modern plants there can be continued use of legacy hardware and software that was installed before cyber security had even been defined as a topic, let alone as a risk. Further, many of today’s commonly used industrial protocols were not designed with cyber security in mind and fail to offer any sort of robust defence against potential intrusions. The march towards IP-based integration and access has really exposed the vulnerability of operational networks to cyber-attacks.

Cyber security standards

Part of the problem in tackling cyber security is that there is no over-arching standard holding out the promise of security through compliance. Perhaps the closest thing we have to such a standard is IEC 62443. Building on ISA-99, it doesn’t provide a standard where automation component vendors can stamp the word ‘compliant’ on their products, but it does at least offer guidelines and best-practice approaches to implementing the secure industrial automation and control systems that will be necessary if we are to gain all the benefits of Industry 4.0 and the smart factory.

IEC 62443 standards are specific to industrial automation OT systems. By hardening OT environments, risks such as unauthorised access to control systems, false commands to operating equipment, and read/write of proprietary device data can be minimised. The various documents within the standard offer a framework for the design, planning, integration and management of secure industrial control systems, but really only provide information on what to do, rather than on how to do it. Businesses will still need to work out for themselves exactly how they will define and implement their security defences.

The basic strategy outlined in the standard is to segment the network into a number of functional ‘zones’ and then to clearly define the ‘conduits’ as all essential data and applications allowed to cross from one zone to another. Each zone is then assigned a security level from 0 to 5, with 0 representing the highest level of security and 5 the lowest. Strict access controls can then be imposed limiting access to each zone and conduit based on the authenticated identity of the user or device.
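The zone-and-conduit strategy described above is usually applied as a deny-by-default policy: traffic inside a zone is permitted, and traffic between zones is permitted only if it matches a defined conduit and the requesting user or device has been authenticated and is on that conduit’s list. The following Python is an added example (not from the article, the standard, or any vendor) with a constructed asset inventory and constructed conduit list; the zone names, asset names, protocols and ports are assumptions chosen for illustration. It evaluates individual flows and audits a batch of constructed flow records, which is the kind of check a plant would run against firewall or switch logs to find traffic crossing a zone boundary outside any conduit.

```python
"""Deny-by-default zone/conduit policy evaluation (added example, constructed data)."""
from dataclasses import dataclass

# Constructed inventory: every asset belongs to exactly one zone.
ZONE_OF_ASSET = {
    "hmi-01": "supervisory",
    "historian": "supervisory",
    "plc-line-a": "cell-a",
    "plc-line-b": "cell-b",
    "erp-server": "enterprise",
    "eng-laptop": "enterprise",
}


@dataclass(frozen=True)
class Conduit:
    """A permitted path between two zones: protocol/port plus the identities allowed to use it."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    allowed_identities: frozenset


# Constructed policy: the only flows allowed to cross a zone boundary.
CONDUITS = [
    Conduit("supervisory", "cell-a", "ethernet/ip", 44818, frozenset({"hmi-01", "historian"})),
    Conduit("supervisory", "cell-b", "ethernet/ip", 44818, frozenset({"hmi-01", "historian"})),
    Conduit("enterprise", "supervisory", "opc-ua", 4840, frozenset({"erp-server"})),
]


def evaluate(src, dst, protocol, port, identity):
    """Return (decision, reason) for one flow.

    Intra-zone flows are allowed. Cross-zone flows must match a conduit exactly
    and carry an authenticated identity that the conduit permits; anything else
    is denied, including assets that are not in the inventory at all.
    """
    src_zone = ZONE_OF_ASSET.get(src)
    dst_zone = ZONE_OF_ASSET.get(dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "asset not in inventory")
    if src_zone == dst_zone:
        return ("allow", f"intra-zone {src_zone}")
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.protocol, c.port) == (src_zone, dst_zone, protocol, port):
            if identity is None:
                return ("deny", "conduit requires an authenticated identity")
            if identity not in c.allowed_identities:
                return ("deny", f"{identity} not permitted on conduit {src_zone}->{dst_zone}")
            return ("allow", f"conduit {src_zone}->{dst_zone} {protocol}/{port}")
    return ("deny", f"no conduit {src_zone}->{dst_zone} {protocol}/{port}")


def audit(flows):
    """Return the subset of flow records that the policy denies, with reasons."""
    denied = []
    for flow in flows:
        decision, reason = evaluate(*flow)
        if decision == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records: (src, dst, protocol, port, authenticated identity or None).
SAMPLE_FLOWS = [
    ("hmi-01", "plc-line-a", "ethernet/ip", 44818, "hmi-01"),      # allowed via conduit
    ("historian", "hmi-01", "sql", 1433, "historian"),             # intra-zone, allowed
    ("eng-laptop", "plc-line-a", "ethernet/ip", 44818, "eng-laptop"),  # no enterprise->cell-a conduit
    ("erp-server", "historian", "opc-ua", 4840, None),             # conduit exists but unauthenticated
    ("eng-laptop", "historian", "opc-ua", 4840, "eng-laptop"),     # identity not on the conduit
    ("unknown-box", "plc-line-b", "ethernet/ip", 44818, "unknown-box"),  # not in inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, "->", reason)
```

The point of writing the policy this way is that a flow that nobody has explicitly described as a conduit is denied even when the protocol and port look routine, which is what turns a segmented network drawing into something a firewall rule set or switch ACL can actually enforce.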

In this way, the approach to cyber security is not conceptually dissimilar from the approach that businesses will be well used to taking with machinery safety, and it would be no surprise to see industry skipping over the step to compliance-based assessments and moving straight to an environment of risk-based assessments. Already we are seeing discussions about the implementation of Security Assessment Levels (SALs) to describe the protection factor needed to ensure the security of a system.

Defence in design

So what steps at the OT level can businesses that aspire to the Industry 4.0 model take today to protect themselves from cyber intrusion? While adoption of a ‘defence in depth’ approach is often cited as being the essential approach, it can be argued that there needs to be a much greater emphasis on ‘defence in design’, with individual components and devices offering inherent, built-in cyber security. Certainly this is the emphasis for Omron in the development of its control components.

Barry Graham, automation product marketing manager at Omron, explains that the company has taken a number of steps to ensure that its controllers are protected from attack, but also to ensure that they are not transparent to attack, and so prevent hackers from going through the PLC to gain access to the wider automation network. Features of the communication between an Omron NJ controller and the Sysmac Studio programming software include digest access authentication to verify a user’s identity. Further, connection between the NJ PLC and Sysmac Studio can only be made on port 80, and this is a protected port that will reject all other communications to prevent messages getting out on the wider network.
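Digest access authentication, which the article names as the mechanism on the NJ controller to Sysmac Studio link, is a challenge-response scheme standardised for HTTP in RFC 2617: the server issues a one-time nonce, the client proves knowledge of the password by returning a hash over the nonce and request details, and the password itself never crosses the wire. The Python below is an added example, not Omron’s code, and makes no claim about how the NJ or Sysmac Studio implement it; it follows the RFC 2617 computation (MD5, qop=auth) with a constructed user database, a hypothetical realm name, and a nonce-count check so that a captured response cannot simply be replayed. The server stores only HA1 rather than the password.

```python
"""HTTP Digest (RFC 2617, qop=auth) challenge-response with replay tracking (added example)."""
import hashlib
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


class DigestServer:
    """Server side: stores HA1 per user, issues nonces, verifies responses."""

    def __init__(self, realm, users):
        self.realm = realm
        # Constructed user table; only HA1 = MD5(user:realm:password) is retained.
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        user, nonce = auth["username"], auth["nonce"]
        if user not in self.ha1 or nonce not in self.issued:
            return False
        nc = int(auth["nc"], 16)
        if nc <= self.issued[nonce]:
            return False  # nonce-count not increasing: replayed or out-of-order request
        ha2 = _md5(f"{auth['method']}:{auth['uri']}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.issued[nonce] = nc
        return True


def client_response(username, password, chal, method, uri, nc, cnonce):
    """Client side: compute the Authorization fields for one request."""
    ha1 = _md5(f"{username}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": username, "nonce": chal["nonce"], "nc": nc, "cnonce": cnonce,
            "method": method, "uri": uri, "response": response}


def demo():
    """Run one exchange and return (first request ok, replay ok, wrong password ok)."""
    server = DigestServer("controller-example", {"engineer": "correct horse"})  # constructed credentials
    chal = server.challenge()
    good = client_response("engineer", "correct horse", chal, "GET", "/program",
                           "00000001", secrets.token_hex(8))
    first = server.verify(good)
    replay = server.verify(good)  # identical message again: nonce-count already used
    bad = client_response("engineer", "wrong", chal, "GET", "/program",
                          "00000002", secrets.token_hex(8))
    wrong_pw = server.verify(bad)
    return first, replay, wrong_pw, good


if __name__ == "__main__":
    first, replay, wrong_pw, msg = demo()
    print("first:", first, "replay:", replay, "wrong password:", wrong_pw)
    print("password present on the wire:", "correct horse" in str(msg))
```

Two caveats matter for a controller deployment. MD5 is what RFC 2617 specifies, and RFC 7616 later added SHA-256; more importantly, Digest authenticates the user at the start of a request but does not encrypt or integrity-protect the session that follows, which is why the article’s later emphasis on transport-layer protection such as OPC UA’s signed and encrypted channel is a separate layer rather than a substitute.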

Sysmac Studio itself is user ID and password protected, while the machine controllers in the Sysmac range also offer local user authentication to prevent unauthorised users from moving around the control system – and indeed around the plant. This might not necessarily be an intentional cyber breach. Indeed, it is arguably more likely to be our well-intentioned engineer again, trying to sort out a programming or production problem. That is where the risk of accidents really increases.

While this end-point protection will become an increasing focus for cyber security, industrial networks certainly can’t be ignored. A potential development is the security architecture being built into OPC UA. This next generation open protocol is being hailed as a major step forward in industrial communications, and it provides security at the transport layer, using signatures to authenticate and authorise communication between client and server over an encrypted channel.

Omron is currently beta testing OPC UA implementations for the NJ series controllers. While this doesn’t provide a guarantee that a controller is protected, it could provide a further level of assurance in a ‘defence in design’ strategy, and suits the adoption of a risk-based approach to cyber security. OPC UA won’t equate to a ‘security guaranteed’ sticker on the front of a product, but such certifications may well begin to impact on the selection criteria for industrial automation components.

Graham commented: “We can see, then, that cyber security risks are evolving quickly, and the threats and problems will be exacerbated by the march towards the increasingly interconnected systems of the smart factory. Businesses in the discrete manufacturing and processing environments – across all sectors of industry – need to take steps now to protect automation architectures from attack and eliminate vulnerabilities.”

For further information please visit: