“Industrial companies dislike foreign bodies,” says Thierry Hernandez, industrial account manager at Stormshield. Yet the issue of securing production infrastructures is a fundamental one, and mature cyber-solutions are available. But is the industry ready?
OT – for Operation Technology – is everywhere. And especially in factories, where production is increasingly automated. “The link between IT and OT has existed for decades,” says Thierry Hernandez, Industrial Accounts Manager at Stormshield. But now, with Industry 4.0, there are a lot more data flows. And those flows are accompanied by cyber risks. But what risks are they? And what protection is available? What strategies should be implemented in the short, medium and long term? Here are some clues to solving the puzzle.
Multifaceted cyber risks for industry
Despite the fundamental importance of data flows in OT networks, some manufacturers struggle to deal with the issues involved. Their day-to-day priorities have little to do with fending off attacks, focusing instead on ensuring the safety of their field teams, who work with heavy and potentially dangerous machinery, and the continuity of production lines.
It’s important to bear in mind that risks can be the result of negligence, and not to focus only on direct malicious attacks. Because there are many people working in a factory, each movement or operation acts as an additional potential entry point.Thierry Hernandez, Industrial Account Manager Stormshield
In terms of OT cyber-threats, “it’s important to bear in mind that risks can be the result of negligence, and not focus only on direct malicious attacks,” says Thierry Hernandez. Because there are many people working in a factory, each movement or operation acts as an additional potential entry point.” This turns routine industrial operations, such as remote maintenance and update campaigns, into potential vulnerabilities. For example, to ensure that remote maintenance does not become a threat vector, it is important to ensure that operators have access only to the machines they need. User authentication and associated privileges become key factors to be controlled.
Another major cyber risk vector? USB sticks, as stated in a study by Honeywell: in 2021, 37% of threats were designed specifically to make use of removable media. However, this poses a real challenge in the industry, because of their ubiquity: the parties in question are often external service providers who do not have access to the network, making USB media vitally important for integrators. “People prefer to take the risk of using USB sticks rather than taking the risk of facing hold-ups in production,” says Hernandez. In order to make the use of such tools as secure as possible, they need to be controlled upstream, generally with the help of decontamination stations.
Lastly, intentionally malicious attacks (known as APTs, or “Advanced Persistent Threats”), are rarer. But they do exist, and industry struggles to deal with them. Vincent Nicaise, Head of Industrial Partnerships and Ecosystems, explains this by the fact that awareness of the vulnerability of such networks has been slow to materialise. “Cybersecurity in IT has been with us since the advent of the Internet. Our concerns over OT networks only date back about ten years, he says. Since 2010, there have been a few major attacks, which have hit not only industrial sites but also critical infrastructure, uranium enrichment sites and electrical substations… some of which have not even been connected to the Internet. People only became aware of the threat to industrial systems after the fact. And the maturity of actors and decision-makers in this sector has grown considerably since then.”
Whether due to negligence or malicious attacks, the same Honeywell report points out that 79% of threats are likely to have a critical impact on operational technology systems. Hence the urgent need to protect these critical systems.
A specific approach for industrial cybersecurity
And when you're trying to these OT networks, you can’t just copy and paste the same solutions and techniques you’d use for IT. That's because IT and OT approaches to cybersecurity are not the same.
For some production lines installed 20 years ago, cybersecurity obviously wasn't a consideration.Vincent Nicaise, Head of Industrial Partnerships and Ecosystem Stormshield
Firstly, whereas IT is flexible and responsive, industrial IT is based on much longer cycles. For example, a pool of IT resources will be changed approximately every five years, says Vincent Nicaise; operational technology, on the other hand, can last up to 40 years. “For some production lines installed 20 years ago, cybersecurity obviously wasn't an issue. And back then, specifications for such projects didn’t feature a cybersecurity component with a several million-euro price tag,” he points out. This time lag applies to both hardware and software: information systems are regularly updated to use the most recent operating system available. On the other hand, it is not always desirable to update OT software, as the hardware will not necessarily be compatible with recent software versions. And whereas in IT, Security Maintenance (SM) and Operational Maintenance (OM) go hand in hand, the same is not true of OT: “SM can undermine OM,” Thierry Hernandez concludes.
Environment also differs significantly between the two approaches, as the OT environment is less well controlled. Firstly, in terms of location: IT assets are generally sited in places such as premises or server rooms, where access control is easy. OT assets, however, may be located in less controllable environments, such as a street cabinet or a water tower in the middle of nowhere. In addition, these technologies are often subjected to uncomfortable conditions: dust, humidity, extreme temperatures, vibrations, etc. “A traditional firewall cannot operate at -40 degrees: you need hardened equipment,” Vincent Nicaise explains. The installation of cyber security technologies therefore poses one initial difficulty, whereas access control for physical maintenance presents another.
Lastly, cybersecurity priorities differ. Vincent Nicaise provides a visual description in the form of two pyramids. The top layer of the first pyramid – representing IT – is confidentiality: these networks convey a great deal of sensitive data requiring protection. The next layer is integrity: ensuring that the information received is the same as the information sent. Last comes availability: ensuring continuity of service. In the case of the OT, the priorities are reversed, he demonstrates. Availability is the critical aspect: it is impossible to stop a production line in certain cases. “For example, if we want to have electricity in our homes, we need to have 24/7 power transmission,” Vincent Nicaise says. Similarly, a water treatment plant must be able to provide water to the population without any disruption to service. Integrity is the next highest priority, as it is important to ensure that the instruction values are not altered. “In 2021, a water treatment plant in Florida was hit by a cyberattack which sought to increase the concentration of sodium hydroxide. The malicious act was quickly identified, but the potential catastrophic consequences are easy to imagine…” And confidentiality is an also-ran in terms of operational technologies. Why? “In many cases, the data is not confidential,” Vincent Nicaise says.
And having determined the correct approach, how do you set up an industrial cybersecurity project?
Setting up industrial cybersecurity
While the risks associated with an attack may generate a degree of panic, there is no need to be alarmist, the two specialists agree. “Before you can set up your cybersecurity, you need to have a certain level of awareness. You can start with the genuinely critical points and work your way down,” explains Vincent Nicaise. To do this, cybersecurity experts conduct a risk analysis. As in the case of IT, this consists of identifying the risks, their criticalities and probabilities, in order to decide where to take action. “For example, you can have smart objects that are insecure, but incapable of causing significant damage. Are they a priority?” Vincent Nicaise asks.
The use of compatible firewalls to control operational flows is often recommended, along with protection for workstations, making it possible to identify and block unusual activities. Simple mechanisms can then be deployed, such as the implementation of network segmentation, DMZ (demilitarised zones) for IT/OT zones, and partitioning. And to go further, integrators can analyse the flows between devices to determine whether they have a legitimate need to communicate with one other. But the addition of solutions – firewalls, supervision of PLCs, network stations, etc. – can lead to a temporary loss of visibility that makes manufacturers nervous. “We have to reassure manufacturers,” says Thierry Hernandez. “Our products are designed for industry and are non-intrusive”, i.e. they are not designed to be an obstacle in daily production activities.
Ultimately, what needs to change is our perception of cybersecurity for production resources. A number of companies have become aware of the challenges of protecting their OT, sometimes guided by government directives. This is particularly the case for Opérateurs d’importance vitale in France, in sectors such as energy, water and sensitive Seveso sites, which present major accident risks. But in the manufacturing sector, the subject is still of marginal importance. “From industry’s point of view, the immediate benefit is not clear,” says Hernandez. Industrial users will favour tools that offer production benefits. But if they realise that an attack can potentially bring production to a halt, then they will understand they're getting a return on their investment.” In industrial cybersecurity, as elsewhere, prevention is always better than cure.