Given the rise of the cloud and ransomware, what are the priorities for industrial cybersecurity?
The number of industrial groups affected by cyberattacks skyrocketed in late 2020. And the year 2021 is heading in much the same direction, if not more so. Although 5G and the IIoT are regularly cited as new entry points that need to be secured, the attacks we’ve seen recently seem to have taken a very traditional form. It looks like a review of our priorities for 2021 will be needed.
Early cyberattacks against industry mainly affected gas, energy, nuclear and water companies… and seemed to have more to do with geopolitics. But over the last few years, the targets have been diversifying. It is no longer just about players in the energy industry, but also in manufacturing, distribution, agri-food and even transport and mobility. Beneteau, Toyota, Trigano, X-Fab: the number of cases hitting the headlines in recent months reveals companies of all sizes, and in all sectors. It’s clear that no one is safe.
Snake: the poster boy for a new attack surface
The quality of some of the industrial attacks, which are highly targeted, raises questions. Such as WildPressure, an attack campaign in March 2020 using the Milum Trojan and targeting industrial companies in the Middle East. Or the infiltration in late April of the control systems of an Israeli wastewater treatment plant.
Even ransomware is becoming increasingly sophisticated, such as EKANS/Snake, which was released in January 2020. This new type of ransomware poses a particular threat to the OT world, with its ability to target software and communication protocols specific to the industrial world.
This is a new departure. Although previously confined to IT networks, this next-generation ransomware has become a new and serious threat to OT networks. This more complex, more devastating malware reflects the increasing sophistication of intrusion techniques. “Ransomware is being tailored to specific industries,” says Khobeib Ben Boubaker, Head of Industrial Security Business Line at Stormshield. “But although the form may be changing, the basic principle is still the same: to infiltrate and take advantage of the connections between the OT and the IT to gain access to the industrial lower layers.” This evolution in attack practice has a direct impact on operational issues. It is a crucial issue that every industry needs to address.
The fragility of industrial systems
In the course of just a few years, the cybersecurity of industrial systems has become a major issue, with three main weaknesses that still need to be addressed in 2021:
- connections between one factory and another. The management of an extensive industrial pool of resources (via a distributed architecture), with factories that are increasingly interconnected, represents a major attack propagation risk;
- the increasing porosity between industrial systems and information systems. By their very nature, industrial systems are already complex, and operate using a constant two-way flow of real-time communications between sensors and PLCs, and between PLCs and SCADA architectures. As OT/IT convergence accelerates, communications are spilling over from SCADA to MESs and from MESs to ERPs, opening up new attack surfaces;
- cyber governance. With this OT/IT convergence, the question of governance in many industries has still not been resolved. On the one hand, IT teams need to become more competent in handling the challenges and specific characteristics of OT, and have a mission to change the mindset of general management on OT security budget issues. On the other hand, OT teams must learn to work with these IT teams in the overall security strategy.
“What is being exploited is the fact that there is more and more convergence in the industry, providing increasing connections to IT,” Khobeib Ben Boubaker concludes. The purpose of this convergence is to shorten response times, monitor production or optimise resource management. But as factories become more connected, they are increasing their attack surface. And with Industry 4.0 and the promise of connected objects boosted by 5G, the factory – historically designed as an isolated citadel – is now becoming an interconnected, sensor-packed environment. But this digital transformation must not come at the expense of cybersecurity. In terms of cybersecurity for industrial systems, the first issue is the interconnections between IT and OT. ERP (on the IT side) and MES (on the OT side) are increasingly interconnected, and are exchanging more and more data. So any attack on the IT side affects the OT side, too.
This is exactly what happened to several industrial players. In February 2021, motorhome and caravan manufacturer Trigano fell victim to ransomware that took down some of the group’s servers and halted production at several sites in France, Italy, Spain and Germany. The company gradually restored all these services and even resumed production after a week of downtime. Honda underwent a similar ordeal, but on a larger scale. Having fallen victim to ransomware in June 2020, the Japanese manufacturer was forced to suspend some of its production operations. In all, 11 factories were affected in the US, Brazil, Turkey and India. And more recently, the Indian steel group Tata Steel found itself having to deal with a ransomware attack.
It’s all about segmentation
And the Honda case is a particularly interesting one because the attack started at one factory and spread to others. So the first step is to implement segmentation between all the factories, to ensure that any attack is stopped and contained in one place. An example is the Fareva pharmaceutical group, whose data centre in Savigny-le-Temple (Seine-et-Marne) was targeted by an attack. As a result, the IT staff on duty shut down the ERP. “Our IT people reacted quickly, which has saved us from worse losses. About 0.5% of our system has been compromised by this virus,” said Fareva chairman Bernard Fraisse in the Les Echos newspaper. However, this subcontractor, which specialises in the transportation and packaging of pharmaceutical products, has seen its IT systems paralysed in almost all of its factories. All its French sites were affected, with the exception of two, located in Ille-et-Vilaine and not connected to the company’s central server. And this “segmentation” is what saved them.
“Performing segmentation in the industrial world is where security begins,” Khobeib Ben Boubaker warns. “It ensures that the production system, quality system and safety system are not all interdependent. This minimises rebound attacks.” Such digital protection measures are essential. And they lay the foundations for global security, even before considering the deployment of 5G or IIoT.
They require three main security steps to be taken. The first step is to maintain the barrier between IT and OT. This means segmenting information systems from one another, factories from one another, the office network from the industrial system, the industrial system from the internet… in short, ensuring that there is a basic level of security between the factories and everything else. The second step is to segment the industrial network. Nowadays, industrial systems in factories are often “flat”, meaning that there is no segmentation. Equipment is sometimes all on the same network. In the event of an attack, it only takes one piece of equipment to be affected for the attack to spread to the entire plant. Introducing segmentation helps to secure certain areas, slow down the attack and contain it. Finally, the third step consists of getting as close as possible to the industrial controllers and securing the communications between them.
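To make the containment effect of these steps concrete, here is an added illustration (not code from the article or from Stormshield): a small zone model of a plant in which a firewall between zones only permits connection initiations listed in an allow-list. It computes the “blast radius” of a single compromised host, i.e. which other hosts it can reach and how many zone boundaries (firewall crossings, where detection and blocking are possible) lie on the shortest path. The host names, zone names and the allow-list are constructed for the example; the same function runs against a flat layout where every host sits in one zone.

```python
"""Blast-radius model for a flat vs. segmented plant network.

Added illustration, not code from the article or from Stormshield.
Hosts, zones and the allow-list below are constructed sample data.
"""
from collections import deque

# Constructed inventory: host -> zone. Zone names are assumed labels
# for the IT network, the OT/IT interface, and two production lines.
HOSTS = {
    "erp-srv":   "IT",
    "office-pc": "IT",
    "mes-srv":   "DMZ",        # OT/IT interface (MES sits between ERP and SCADA)
    "scada-a":   "OT-LineA",
    "plc-a1":    "OT-LineA",
    "plc-a2":    "OT-LineA",
    "scada-b":   "OT-LineB",
    "plc-b1":    "OT-LineB",
}

# A "flat" plant: the same hosts, but no zone boundary between any of them.
FLAT_HOSTS = {host: "PLANT" for host in HOSTS}

# Segmented policy: (source zone, destination zone) pairs that may INITIATE
# connections across the zone firewall. Everything not listed is dropped.
# Production lines may not initiate towards the DMZ or towards each other.
SEGMENTED_POLICY = {
    ("IT", "DMZ"),         # ERP pushes orders to the MES
    ("DMZ", "OT-LineA"),   # MES talks to each line's SCADA zone
    ("DMZ", "OT-LineB"),
}


def allowed(src_zone, dst_zone, policy):
    """Intra-zone traffic is unfiltered; cross-zone traffic needs an allow rule."""
    return src_zone == dst_zone or (src_zone, dst_zone) in policy


def blast_radius(start, policy, hosts=HOSTS):
    """Map every host reachable from `start` to the minimum number of
    zone-boundary crossings needed to get there (0-1 BFS: an intra-zone
    hop costs 0, a firewall crossing costs 1)."""
    crossings = {start: 0}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for candidate in hosts:
            if candidate == current:
                continue
            src_zone, dst_zone = hosts[current], hosts[candidate]
            if not allowed(src_zone, dst_zone, policy):
                continue
            cost = 0 if src_zone == dst_zone else 1
            total = crossings[current] + cost
            if total < crossings.get(candidate, float("inf")):
                crossings[candidate] = total
                # Zero-cost hops go to the front so distances stay minimal.
                if cost == 0:
                    queue.appendleft(candidate)
                else:
                    queue.append(candidate)
    return crossings


def report(start, policy, hosts=HOSTS):
    """Human-readable summary: reachable count out of total, plus detail."""
    reach = blast_radius(start, policy, hosts)
    lines = [f"compromise at {start}: {len(reach)}/{len(hosts)} hosts reachable"]
    for host, n in sorted(reach.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append(f"  {host:<10} via {n} firewall crossing(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- flat plant ---")
    print(report("plc-a1", SEGMENTED_POLICY, FLAT_HOSTS))
    print("--- segmented plant, compromise on line A ---")
    print(report("plc-a1", SEGMENTED_POLICY))
    print("--- segmented plant, compromise on an office PC ---")
    print(report("office-pc", SEGMENTED_POLICY))
```

In the flat layout a compromised PLC reaches all eight hosts with no boundary in between. With the segmented policy, the same PLC is confined to its own line, and a compromised office PC still reaches the OT side only through the MES, crossing two firewalls on the way, which is exactly where the inspection and blocking the article calls for can be placed.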
“We need to understand one thing: whether the issue is IT or OT, we are still dealing with computer communications,” Khobeib Ben Boubaker emphasises. “Just like traditional IT, industrial IT needs to control its communications by using the right firewalls.” And this remains true even in the Cloud.
The new security challenges of cloud computing
A few years ago, manufacturers swore by on-premise environments. But today, more and more companies are reducing their on-premise investments and opting for the cloud.
This is gradually making the Cloud a new factor to be taken into account in the overall security strategy. And because it is directly connected to the industrial system, using the Cloud brings new security challenges:
- The importance of securing data uploaded to the cloud
“The cloud is capable of storing a certain amount of information. But how sensitive is this data? Some information may be commercial or production-related. We need to define the sensitivity of this data… and set up the right level of security in line with the risk analysis,” Khobeib Ben Boubaker says.
The Cloud is often associated with predictive or preventive maintenance applications or solutions. These separate elements of the factory allow the operational status of equipment and processes to be monitored, and data to be fed back into the cloud… and therefore to the outside world. “Getting data out” is always a risky operation, because of the risk of leakage or alteration. Manufacturers who decide to outsource their data must ensure that the applications and tools sent to the cloud are secure, by putting firewalls in the cloud in order to secure connections and data that transit between the cloud and an industrial site. This means securing the communications between the industrial system and the cloud.
- The importance of securing your infrastructure
Another challenge is to ensure you have a secure cloud platform, to prevent passing problems on to the industrial system. “Some cloud providers also provide security, via managed or decentralised services operated by another provider. However, even if this is handled by the IT team or a third party, you have to make sure that the right security measures are in place,” Khobeib Ben Boubaker observes.
The error is (often) human
Another important issue is remote maintenance. In February 2021, a cyber attacker managed to break into the computer network of a water supply plant in Florida and attempted to alter the sodium hydroxide content of the water. The intrusion was noticed by a computer technician, who was surprised to see that someone was remotely moving his mouse cursor to increase the concentration of this corrosive chemical additive to dangerous levels.
This attack not only raises the issue of cyber security of water networks, but also acts as a sharp reminder of the fragility of the plants in them. A computer network based on the obsolete Windows 7 operating system, the absence of a firewall between the Internet and the structure’s information system, or the same TeamViewer password on all the station’s computers: these all constitute “holes in the net”, and opportunities for cyber criminals.
It is also a question of culture. “Very often, manufacturers are more afraid of negligent use of USB keys than of an attack from within the IT system,” Khobeib Ben Boubaker points out. However, all maintenance operatives, whether internal or external to the company, represent a potential vulnerability. “Whenever someone connects remotely to the company network to retrieve data from a server, they expose a weakness between the server and the outside world! It is imperative that the communication tunnel is secure: that the user can be properly authenticated and that the exchanges are encrypted.”
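The Florida case and the quote above together give a short checklist for remote maintenance: no unsupported operating systems on remote-access hosts, a firewall between the internet and the plant network, no single password shared across machines, per-user authentication, and an encrypted tunnel. The following added example (not code from the article or from Stormshield) turns that checklist into an audit over a host inventory. The inventory records, their field names and the `UNSUPPORTED_OS` set are constructed for the illustration; `cred_fingerprint` stands in for a hash of each host’s remote-access secret, so equal values mean the same password is reused.

```python
"""Remote-maintenance exposure audit over a constructed host inventory.

Added illustration, not code from the article or from Stormshield.
Every record, field name and threshold here is an assumption made for
the example.
"""
from collections import defaultdict

# Constructed list of operating systems considered out of support.
UNSUPPORTED_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}

# Constructed inventory. `cred_fingerprint` models a hash of the
# remote-access secret: identical fingerprints mean password reuse.
INVENTORY = [
    {"host": "hmi-1", "os": "Windows 7", "remote_tool": "TeamViewer",
     "cred_fingerprint": "f1a9", "internet_exposed": True, "firewalled": False,
     "per_user_auth": False, "mfa": False, "encrypted": True},
    {"host": "hmi-2", "os": "Windows 7", "remote_tool": "TeamViewer",
     "cred_fingerprint": "f1a9", "internet_exposed": True, "firewalled": False,
     "per_user_auth": False, "mfa": False, "encrypted": True},
    {"host": "eng-ws", "os": "Windows 10", "remote_tool": "VPN+RDP",
     "cred_fingerprint": "7c02", "internet_exposed": False, "firewalled": True,
     "per_user_auth": True, "mfa": True, "encrypted": True},
    {"host": "historian", "os": "Ubuntu 20.04", "remote_tool": "VNC",
     "cred_fingerprint": "b3d4", "internet_exposed": True, "firewalled": True,
     "per_user_auth": False, "mfa": False, "encrypted": False},
]


def audit(inventory):
    """Return (host, finding) pairs for every remote-access weakness found."""
    findings = []

    # Group hosts by credential fingerprint to spot a shared password.
    hosts_by_cred = defaultdict(list)
    for rec in inventory:
        hosts_by_cred[rec["cred_fingerprint"]].append(rec["host"])

    for rec in inventory:
        name = rec["host"]
        if rec["os"] in UNSUPPORTED_OS:
            findings.append((name, "unsupported-os"))
        if rec["internet_exposed"] and not rec["firewalled"]:
            findings.append((name, "exposed-without-firewall"))
        if len(hosts_by_cred[rec["cred_fingerprint"]]) > 1:
            findings.append((name, "shared-remote-credential"))
        if not (rec["per_user_auth"] and rec["mfa"]):
            findings.append((name, "weak-user-authentication"))
        if not rec["encrypted"]:
            findings.append((name, "unencrypted-remote-access"))
    return findings


def findings_by_host(inventory):
    """Dict host -> sorted list of finding names (hosts with none are included)."""
    grouped = {rec["host"]: [] for rec in inventory}
    for host, finding in audit(inventory):
        grouped[host].append(finding)
    return {host: sorted(f) for host, f in grouped.items()}


if __name__ == "__main__":
    for host, items in findings_by_host(INVENTORY).items():
        status = ", ".join(items) if items else "ok"
        print(f"{host:<10} {status}")
```

Run against the constructed inventory, the two HMIs collect the same four findings that describe the water-plant case, the engineering workstation behind a VPN with per-user MFA passes, and the historian is flagged for an unauthenticated, unencrypted remote protocol even though it sits behind a firewall.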
In 2021, let’s focus on the basics
Two strategies are generally implemented by manufacturers to ensure their activities are secure. On the one hand, adopting a holistic approach and securing everything at the same time: firewalls, segmentation, USB key management, hardening of workstations, user authentication, access management, etc. Securing the factory is then a question of following a comprehensive programme that involves combining this security system with several solutions. More and more manufacturers are following this holistic security approach, turning to a consulting firm to carry out an audit, identifying the risks, devising security solutions and then integrating the various selected security components, via an integrator, to ensure complete plant security. But such an approach also requires a substantial budget.
This is a major obstacle for some manufacturers. On the other hand, some manufacturers therefore choose to take a step-by-step approach and focus on the basics, first securing the OT-IT interface and then addressing the security of the factories in sequence (e.g. starting with the local factories and then those based abroad). Segmenting networks, maintaining best digital practice and ensuring that the Cloud is used securely: these are the main priorities for the industrial world this year. This will build a solid foundation before starting to consider the deployment of 5G and IIoT.