Smart Factory: Cloud connection brings risks
While Industrial Internet of Things (IIoT) software creates opportunities for improved efficiency, lower costs and less downtime, users should consider potential cybersecurity risks and ask questions of vendors, according to cybersecurity experts.
Because the systems that track data and monitor and control machinery are linked to the cloud, they are more vulnerable to cyber threats.
“The issue with automation systems is that traditionally they have not been connected to the outside world,” said Steve Mustard, an engineer and cybersecurity chair with the Automation Federation, an organization founded by the nonprofit International Society of Automation (ISA). “They’ve traditionally been in factories that are isolated, stand alone and usually are quite restricted in terms of access. From a security point of view, they never really were a concern. But because organizations decided they wanted to improve their efficiency, they started to connect manufacturing systems to their business systems and from their business systems to the outside world.”
The networking of manufacturing and business systems exposes manufacturers to the same types of cybersecurity risks that others in the computer world have been suffering from for years, Mustard said.
“Hackers find something on the internet and they decide to find out what it is and see if they can damage it or break it just for fun or because they want to make money by installing ransomware and then charging people to remove it,” he said. “They are now vulnerable to all those risks.”
A lot of work has gone into securing these computer systems, and users can take protective steps that include ensuring up-to-date firewalls are in place, information sent over the internet is encrypted, and antivirus and anti-malware programs are installed and regularly updated. In addition, companies should have strong passwords, up-to-date backups of all critical information and guidelines for safe practices, such as ensuring employees know not to click on suspicious links in emails.
Adding IIoT devices, including sensors, can present risks, Mustard said.
“IIoT comes along, and now we’re going to deploy an order of magnitude more endpoint devices — devices monitoring temperature, pressure, flow and to control things like lighting. These devices are connected to the internet now, which makes everything a lot easier and a lot cheaper for organizations to deploy, but you’ve now got an order of magnitude more connections to the internet. So, you’ve now created a much bigger security problem.”
Some IIoT companies aggregate the information from sensors on site at a plant and then transmit the data to the cloud, which minimizes the outside connections. But not every company does that, Mustard said. Some IIoT devices connect directly to the cloud.
“Some manufacturers don’t understand security adequately, and they don’t know how to fix it properly,” he said.
One step that a user of IIoT devices can take is to change the password on internet-connected devices from a manufacturer’s preset password to something unique. However, some sensors today have “hard-wired” passwords that are impossible to change, Mustard said.
Companies employing an IIoT system should do their research and ask vendors tough questions. Make sure vendors use the latest software and strong passwords and that they understand the problems and risks, he said.
“The thing is, people are very trusting, so if a manufacturer tells them everything is going to be OK, they believe that,” he said. “They are not security experts.”
Much like companies today seek UL certification for the safety of electrical equipment, Mustard thinks would-be purchasers should insist on cybersecurity certifications. For example, the ISA has established a set of standards known as ISA/IEC 62443 for cybersecurity of industrial control systems.
In addition, companies should collect only the data they need to achieve their objectives, he said.
“Another common problem with IIoT is people go the wrong way about it,” Mustard said. “They say, I am going to deploy this IIoT solution and then figure out what to do with it. They collect more data than they need, and, as a result, they deploy it less effectively than they could have. Decide what it is you want to achieve. From there, you can decide how to collect the data. It is too easy for people to really just do stuff without thinking about it. You might be offering up more vulnerabilities than you realize.”
Doug Wylie is the director of the industrials and infrastructure portfolio with the SANS Institute, a for-profit organization that specializes in information security and cybersecurity training for industry. He warns plastics companies to keep security in mind when connecting computers and industrial control systems to the cloud.
“For the plastics industry, there is a tremendous amount of intellectual property and process knowledge in the manufacturing environment,” he said. “As control systems become more connected, and as remote network access is introduced to these systems, the risks of unintentional or malicious threats to the operations of these systems increase rapidly. Risks can include someone trying to disrupt or damage operations, or they can be less dramatic, yet still hold potentially even greater impacts such as theft of recipes, product designs and drawings, or the loss of specific intellectual know-how relating to manufacturing processes that are often unique from manufacturer to manufacturer.”
The fact that computer and industrial control systems are becoming more connected and that information increasingly is stored in the cloud isn’t inherently bad, Wylie said. In fact, well-managed cloud-based servers and storage can, in some cases, offer more security than the older infrastructures that some manufacturing companies might use on site.
However, every new connection raises security issues and concerns that companies need to consider carefully, he said.
“Security incidents can affect a manufacturing process, and even a small disruption in a system can affect the machinery and lead to an abrupt shutdown, loss of product or even worse. Let’s face it, chipping out hardened plastic inside an injection molding machine is neither fun nor productive. While systems are often designed around good engineering practices intended to help keep people safe, today’s systems are more complex, and it is difficult to anticipate every security risk, let alone counteract every threat.”
A plastics company, even a small one, might not necessarily be the direct target of a nation-state, disgruntled worker or even the competition, but general attacks on computer-based and industrial control systems can and do find their way into factories, he said. That’s why it’s important to be vigilant and consider all forms of risks that can affect operations where business and product systems may be linked and exchange information.
Companies should challenge their suppliers to demonstrate that security is one of their priorities, he said. IIoT is evolving so quickly that many new products are simply racing to enter the market.
“New manufacturers of new products may or may not be following a disciplined development process,” Wylie said. “Some newcomers are looking to drive quick sales, but their focus may not include much attention to their customer’s security.”
New and established product manufacturers need to recognize they have an ongoing responsibility to their customers to provide support throughout the reasonable lifespan of their products and systems. This includes making sure customers have reasonable options for how to patch, maintain or upgrade their systems should weaknesses be found and as cyber threats evolve, he said.
Customers also have a good degree of responsibility for security.
“Not investing in security is somewhat equivalent in my mind to buying a car and not changing the oil throughout the life of that car,” Wylie said. “At some point, you are signing up for trouble. There is a responsibility we carry as the asset owner to properly maintain the products or systems that we buy. The recent WannaCry/WannaCrypt incident itself is an indication of just how important proactive, preventative patching is.”
The WannaCry/WannaCrypt ransomware attack in May struck computers worldwide, including systems at some major corporations, with a number of them experiencing significant disruptions to their operations. However, Microsoft had issued a Windows patch ahead of time that addressed operating system vulnerabilities and helped to mitigate the malware’s impacts where the patch was applied.
“The process of testing and applying patches to control systems used in operations will never move as fast as it does for IT systems, but we can at least take time to understand the risks a patch is designed to address,” Wylie said. “For the times when it’s simply not possible or practical to directly apply a security patch, companies should still at least determine their risks and consider other reasonable countermeasures that can be taken.”
The SANS Institute provides cybersecurity training to individuals and companies across all industries and is dedicated to developing an educated workforce that can help safeguard business systems and operations, he said.
Bruce Geiselman, senior staff reporter