Cybersecurity: Smart Defenses for Smart Production
| By: Ray Chalmers, Contributing Editor
Protecting your network means picking the right components, both hard and soft
It is very difficult to go through a business day without a notice of a cybersecurity breach. Reported on Feb. 21 of this year, hackers infiltrated Tesla's cloud environment and stole computer resources to mine cryptocurrency (dubbed “cryptojacking”), while some proprietary data related to mapping, telemetry, and vehicle servicing was also reportedly exposed.
The breach was swiftly rectified, according to a Tesla spokesperson, who added that there was "no indication" the breach impacted customer privacy or compromised the security of its vehicles.
Such attacks will not stop. Record spending and growth on automation and connected devices, driven by globally expanding markets and industry applications, is bringing a concurrent rise in security thinking. Protecting production data means making choices about network infrastructures and protocols, point solutions (sensors, processors, motors, controllers), and how they all fit together and communicate.
Improving cybersecurity for the manufacturing supply chain is a particularly serious need. Facing constant pressure to improve production efficiencies, manufacturing supply chains are necessarily connected, integrated, and interdependent. Securing the entire supply chain is not a top-down mission. Rather, it depends on security decision-making at the local factory level. The diversity of manufacturers—from large, sophisticated corporations to small job shops—creates weakest-link vulnerabilities. 
Emerging public/private partnerships are one source of guidance. The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions are working together to address the most pressing cybersecurity challenges. Working with technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE and NIST are developing modular, easily adaptable examples of cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology.
For example, the NIST Engineering Laboratory (EL), in conjunction with the NCCoE, will produce a series of solutions demonstrating four cybersecurity capabilities for manufacturing organizations. Each example will highlight an individual security issue: Behavioral Anomaly Detection, ICS (Industrial Control System) Application Whitelisting, Malware Detection and Mitigation, and ICS Data Integrity.
For each of these, the NIST EL and the NCCoE are mapping security characteristics to the NIST Cybersecurity Framework (CSF), which will provide standards-based security controls for manufacturers. The CSF will cover two distinct but related lab settings: a robotics-based manufacturing enclave representing discrete manufacturing and a process control enclave that resembles what is being used by chemical manufacturing industries.
In NIST’s robotic assembly examples, network capture is available from a variety of points.
The five functions of NIST’s Cybersecurity Framework Core are:
- Identify – Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Activities include understanding business context, the resources that support critical functions, and related cybersecurity risks.
- Protect – Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services and to limit or contain the impact of a potential cybersecurity event. Outcomes within this function include: access control; increased awareness and training; and information protection processes and procedures.
- Detect – Develop and implement appropriate activities to identify a cybersecurity event. Examples of outcome categories within this function include: anomalies and events; security continuous monitoring; and detection processes.
- Respond – Develop and implement appropriate responses to a detected cybersecurity event. Examples of outcome categories within this function include: response planning; communications; analysis; mitigation; and improvements.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired by a cybersecurity event. Examples of outcomes within this function include recovery planning, improvements, and communications.
Moreover, NCCoE is including various routable and non-routable industrial protocols throughout the testbed. Routable protocols include Internet Protocol (IP)-based protocols (e.g., Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)) as well as industrial application layer protocols (e.g., EtherNet/IP, Open Platform Communication (OPC), and Modbus/TCP).
Non-IP-routable protocols include legacy fieldbus protocols, such as DeviceNet. The use of non-routable protocols allows a deeper investigation of cybersecurity with fieldbus protocols and the controllers that make use of them; however, it was determined during a NIST Roadmapping Workshop on Industrial Control Systems Cybersecurity that non-routable protocols were of lower priority. This is because non-routable protocols were designed to be open conduits for data flow, not for secure communications. NCCoE calls it unlikely that these types of legacy protocols will be modified to include security protections such as authentication and encryption, which favors perimeter-based security mechanisms around them instead.
The projected result of this ongoing testbed is a publicly available NIST Cybersecurity Practice Guide, detailing practical steps needed to implement the cybersecurity example solution. One of the ways to disrupt operations is to introduce anomalous data into a manufacturing process, whether deliberately or inadvertently. Although the example solution will focus on cybersecurity, it may also produce residual benefit to manufacturers in detecting anomalous conditions not related to security.
An Integrated Security Spectrum
In short, security does not exist in a vacuum. Automation suppliers are integrating security into an overall automation spectrum that includes data gathering, performance monitoring, and predictive maintenance. Sherman Joshua, Portfolio Manager for Connected Services at Rockwell Automation, described it this way, “Our people walk a customer’s facility, collect all its assets and profiles, and put them in a hierarchy. After that, we do ongoing evaluations with integrated tools that do passive monitoring to keep the inventory up to date.”
Cybersecurity at this “before” stage also involves the Rockwell Automation Qualified Patch Management service that publishes patches to a customer site and provides a list for customer and Rockwell Automation teams to develop and carry out an appropriate patching plan. These preparation services also include:
- Vulnerability and Risk Assessments
- Industrial Control System (ICS) Security Zone and Industrial Demilitarized Zone (DMZ) Segmentation, and
- Industrial Security Countermeasure Deployment, such as firewalls, application whitelisting for legacy devices, and protection software from Symantec, a Rockwell Automation partner.
“Besides simply monitoring switches and servers, we also evaluate asset health because device performance can also indicate an abnormal event may be happening,” said Joshua. “If a switch or other component is heating up unexpectedly, it could indicate an attack.”
In addition to monitoring and reporting on networks and hardware for customers, Joshua added they can also use Rockwell’s new FactoryTalk Network Manager software to monitor and troubleshoot their networks on their own, with little IT expertise required. “FactoryTalk Network Manager enables a blend of us and our user monitoring their networks,” explained Joshua. “It’s information technology (IT) horsepower at an operations technology (OT) skill set.”
SCADA or SQL?
Language can make a difference. Systems for collecting data traditionally have used supervisory control and data acquisition (SCADA) systems. But over the last 15 to 20 years, many manufacturers have standardized corporate databases, enterprise resource management, and manufacturing execution systems on structured query language (SQL). While it is possible to use middleware to integrate SCADA with SQL databases, this architecture is not an ideal datalogging solution for three reasons, experts say.
First, SCADA middleware is complicated to implement, maintain, and repair, even with assistance from in-house IT specialists or outside consultants. Second, because these middleware systems do not provide a direct database link, they consume cycle time and reduce production efficiency. Last, constant maintenance is required to ensure the middleware's operating systems and hardware remain operational, current, and free of security vulnerabilities of their own.
Omron (Chicago, IL) offers the Sysmac NJ machine automation controller (MAC) with SQL client functionality to provide a simple, durable device that could save data logs directly into their SQL databases. “SCADA is really a complex solution to a simple requirement,” said John Altamirano, Strategic Account Manager for Omron Automation and Safety. “We developed the Sysmac NJ MAC with SQL because our customers wanted a simple way to log data. The NJ delivers that feature plus faster production and a seamless architecture.”
The NJ series MAC uses an industrially hardened processor and a solid-state drive to log data and simultaneously access up to three relational database systems. The processor can collect data over a wide array of industrial networks including Ethernet (socket service), EtherNet/IP, EtherCAT, PROFINET, and DeviceNet, and then send the data directly to a SQL server over Ethernet. More to the point, a 2012 NSS Labs Vulnerability Threat Report disclosed that 73 percent of known vulnerabilities were found in new SCADA systems. Additionally, security research suggests SCADA protocols and development software remain vulnerable. “Data logging is a top priority for most companies,” said Altamirano. “Using SQL is much easier for engineers and much more secure for their companies.”
Passive collection, dynamic modeling
Schneider Electric (Andover, MA) has a unique security approach it calls Dynamic Endpoint Modeling. It performs a passive collection of IP (Internet protocol) “metadata,” which includes IP addresses, ports, and other flags, from the network. Typically, network Dynamic Endpoint Modeling has sensors connected to a switch or a stack of switches. These switches are configured, depending on the vendor, with a port set to spanning or mirroring to provide data flows from switches to sensors.
Importantly, this is a one-way connection. Once the data is received by the sensor, it extracts the metadata and forwards it to modeling and subsequently to a dashboard for user analysis. To allow for these communications, one network port on the sensor is configured in “promiscuous” mode for collecting data, while the other port is configured for forwarding this data to a dashboard residing in the cloud.
The result: Dynamic Endpoint Modeling learns and models the behavior of all devices on the network, including how each device connects, to where, to what, and to whom. Establishing a baseline behavioral model means any change that deviates from the baseline will raise an alert that a possible compromise or malicious activity has occurred on the endpoint. Dynamic Endpoint Modeling does not depend on payloads or known signatures to determine anomalies. Therefore, it is not hampered by encryption, unlike traditional Intrusion Detection and Prevention Systems (IDPS) and Next-Generation Firewalls, the company says.
Dynamic Endpoint Modeling uses the following five analysis dimensions when building its behavioral models:
- ROLE. Dynamic algorithms recognize device roles to analyze and detect activities that divert from the learned baseline.
- GROUP. Algorithms assess the devices for known learned behavior by comparing them to other like devices.
- CONSISTENCY. Algorithms detect when a device has changed from its known behavior, including traffic streams and access.
- RULES. Algorithms detect changes in known patterns by endpoints such as protocols, ports, and blacklisting communications.
- FORECAST. Algorithms forecast learned behavior from past behavior and analysis. An assessment is performed against the learned systems for predictive forecasting.
These security dimensions allow the Dynamic Endpoint Modeling system to know when a new device appears on the network or accesses the Internet for the first time. It also alerts if a device behaves outside the learned behavior patterns on the network.
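The baseline-then-deviate logic described above, as an added illustration that is not Schneider Electric's code: it learns per-endpoint flow metadata (peer, port, protocol) from a constructed learning window and then tags new flows on the consistency and rules dimensions, plus the new-device and first-external-contact cases. The plant prefix, blocked-port list, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the cell/area network; anything outside it counts as "external".
PLANT_NET = ipaddress.ip_network("10.1.0.0/16")
# Constructed "rules" dimension: services never expected on the cell.
BLOCKED_PORTS = {23, 3389}
# Constructed learning-phase flow metadata: (src_ip, dst_ip, dst_port, proto).
LEARNING_FLOWS = [
    ("10.1.1.10", "10.1.1.50", 44818, "tcp"),   # PLC -> EtherNet/IP server
    ("10.1.1.20", "10.1.1.60", 502, "tcp"),     # HMI -> Modbus/TCP device
    ("10.1.1.30", "10.1.1.70", 1433, "tcp"),    # controller -> SQL server
    ("10.1.1.30", "203.0.113.9", 123, "udp"),   # controller already has an external peer
]

def learn_baseline(flows):
    """Return {endpoint: set of (peer, port, proto)} seen during learning."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
        baseline.setdefault(dst, set())  # a peer is a known endpoint even if it never initiates
    return dict(baseline)

def is_external(ip):
    return ipaddress.ip_address(ip) not in PLANT_NET

def classify(flow, baseline):
    """Tag one flow with the dimensions it violates; [] means baseline-conformant."""
    src, dst, port, proto = flow
    alerts = []
    if src not in baseline:
        alerts.append("new-device")
    elif (dst, port, proto) not in baseline[src]:
        alerts.append("consistency")
        # Known device reaching outside the plant for the first time.
        if is_external(dst) and not any(is_external(p) for p, _, _ in baseline[src]):
            alerts.append("first-external-contact")
    if port in BLOCKED_PORTS:
        alerts.append("rules")
    return alerts

def monitor(flows, baseline):
    """Return only the flows that raised alerts, paired with their tags."""
    flagged = []
    for flow in flows:
        tags = classify(flow, baseline)
        if tags:
            flagged.append((flow, tags))
    return flagged
```

Role, group and forecast modeling are not shown; they would need device typing and time-series history that metadata tuples alone do not carry.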
Take the Holistic Approach
Experts call for more holistic thinking in industrial cybersecurity. This means addressing improvements to technologies, management practices, workforce training, and learning processes that span units and supply chains. Solving emerging security challenges will require commitment to continuous improvement, as well as investments in research and development (R&D), risk assessments, and threat-awareness.
In addition to keeping up to date on emerging cybersecurity research on the federal level, there are common-sense tips for everyone to implement on the factory level:
- Identify and compartmentalize your key information and technology. Know who has access to critical information. Don’t put all your eggs in one basket – better to lose a piece of the puzzle than the entire picture.
- Conduct training for managers on at-risk behavioral traits that indicate an increased likelihood of insider spying, including unreported foreign trips, seeking proprietary or classified information unrelated to work duties, paranoia about being investigated, and disproportionate anger over career disappointments.
- Ensure coordination and collaboration between HR, security, IT, and all employees, not only for updating passwords and security patches, but for creating a culture of accountability and security where data protection is seen as everyone’s responsibility.
The best asset in any organization is the employee that has the training, awareness and dedication to spot an issue and the courage to raise it to management.
As threats appear seemingly daily, so should solutions. The value of production efficiency means sharing it wisely and protecting it securely.
MForesight: Alliance for Manufacturing Foresight (Ann Arbor, MI)
To learn more about this trend, watch our recent webinar, “Keeping Connected Applications Secure"