By Bruce Geiselman
Every plastics manufacturer, large and small, needs to worry about cybersecurity, industry experts say.
“Anybody who is in manufacturing, who uses computer equipment, should be worried about cybersecurity, and the reason is that everyone is exposed to cybersecurity risks these days,” said Steve Mustard, an independent consultant who will take over next year as president of the International Society of Automation (ISA).
As companies embrace Industry 4.0 technologies, enabling remote monitoring and control of equipment, they also increase the risk of hackers gaining access to their computer systems.
“The most obvious scenarios are people being vulnerable to phishing emails,” Mustard said. “You get an email that has a link in it, you click on it because you think it is a genuine request, and you get malware downloaded on the computer, for instance.”
A phishing email also might trick an employee into clicking on a link that asks for credentials to the company’s invoicing system, and then cybercriminals have the information they need to steal company funds.
“The statistics are quite clear; the vast majority, about 85 percent of cybersecurity incidents, start with someone clicking on a phishing email of some sort,” Mustard said.
As manufacturers increasingly bring internet-connected computers to the production floor, their risk of exposure to cybersecurity threats increases. Companies need to protect not only their information technology (IT) office equipment, but their operational technology (OT) equipment on the factory floor.
“In the manufacturing process, you’re more concerned about the availability … the operational effectiveness of the equipment,” Mustard said. “You want to make sure that you’re running 99.999 percent of the time, and anything that reduces that availability is going to cost you money.”
Because a lot of manufacturing equipment includes the same kind of technology that is used in the office environment, it is vulnerable to the same kinds of issues, Mustard said. For instance, an employee might have a USB device or a laptop that he or she used elsewhere and unknowingly allowed it to be infected with malware. If the employee plugs it in to the manufacturing network, it can infect the network.
“You’ve now got the potential to have a loss of production, which could be expensive,” Mustard said.
In a worst-case scenario, malware could make machinery malfunction, causing damage.
“We’ve seen that in other places, where a blast furnace in a steel plant in Germany was damaged because of interference with the safety system,” Mustard said.
If safety systems are compromised, it could put workers at risk.
For example, a company might have chemicals or raw materials that would be harmful if released into the environment, Mustard said.
“Those things may seem far-fetched and a long way from the typical plastics manufacturer in their day-to-day business, but the point is that everyone is vulnerable these days because of the widespread use of the conventional technology that we use in the office, the Windows equipment and the like, and if plastics manufacturers don’t take this issue seriously, they are going to be sorry,” Mustard said. “All plastics manufacturers are at some point in their future going to be impacted by cybersecurity incidents, and I can say that with absolute certainty. There is, unfortunately, no way to prevent that.”
The questions companies should be asking themselves are how badly are they going to be affected by a cybersecurity incident and can they respond quickly enough to prevent it from affecting their production? Or will they be shut down for weeks while they try to recover?
“That is the difference between being prepared and not taking it seriously,” Mustard said.
According to Jeffrey Shearer, an industrial control system security professional with the SANS Institute, an organization that specializes in information security and cybersecurity training for industry, small companies face significant risks because they are more likely to rely on remote access to their equipment for diagnostics and repair.
“If it’s a small mom-and-pop shop, so to speak, then they need more remote help,” he said.
If a remote technician needs to see equipment in operation, the processor needs to figure out a way to grant secure access, he said.
Preparing for a cybersecurity incident
The first step is recognizing that the threat is real.
“I emphasize that because a lot of people are still in the boat of [thinking] it’s not going to affect me, and if you don’t believe it’s going to affect you, then you’re not going to do the other things properly,” Mustard said.
Some companies are reluctant to address cybersecurity issues because they think it will be expensive, but that is not necessarily the case.
“There are many things you can do that are not expensive, and you can reduce the likelihood and also the impact of a cybersecurity incident,” Mustard said. “That is what I spend most of my time talking to clients about. I am not talking about buying expensive IT software and hardware to do network monitoring and all kinds of amazing technology to stop things from getting in, yet.”
While software and hardware solutions are important, the most important thing any company can do is to provide basic awareness training to its employees. Workers need to understand that they are both the first line of defense against a cybersecurity incident as well as potentially the weakest link. In other words, employees are in a position to be the first to spot anomalies indicating a cyberattack, but they also are the most likely to allow malware or a hacker into the computer system by clicking on a phishing email or using an infected USB drive or laptop.
Employees also have to police what vendors bring in, Mustard said. A company should establish policies that, for example, prohibit a vendor from plugging in a USB device or connecting a laptop to a computer network. At a minimum, an employee should scan the vendor’s devices and equipment for malware and viruses before they are connected.
Other basic, inexpensive steps include installing and regularly updating anti-virus software and applying Microsoft Windows patches, as well as patches from other vendors, in a timely fashion. Some companies are reluctant to apply patches because if the software is running smoothly, they fear a patch could introduce a glitch or require equipment to be taken out of production during the update. However, companies need to accept that this planned downtime is critical to overall effectiveness, Mustard said.
Also, look for out-of-date devices that might still be connected to a network, such as a computer running the Windows XP operating system, which is considered end-of-life software, said Bindu Sundaresan, a consultant with AT&T Cybersecurity.
Other basic suggestions include providing access to computer equipment only to employees who need it. Employees should have unique passwords, passwords should not be written down and posted anywhere public, and manufacturers’ default passwords need to be reset. Mustard also recommends that companies put physical locks on open USB ports to discourage employees from attaching their own equipment.
“That deters people from plugging in their phone to charge it up or downloading photographs and then potentially downloading malware,” Mustard said.
Shearer emphasized that manufacturers need to use firewalls to block suspicious computer traffic and have humans and software investigate anything that looks suspicious. He also recommended that companies conduct exercises to determine what hackers might be able to access if they get into their system.
“The first thing you have to do is you have to double down on monitoring,” Shearer said.
He recommends that each company establish a baseline that outlines which pieces of equipment should be communicating with each other under normal operating conditions. Software and employees can then monitor for unusual behavior, such as if an injection molding machine begins communicating with a computer in the office when it previously had not done so.
He also said companies should conduct “ethical hacking exercises,” in which they intentionally compromise a host, like a computer, to see what areas of a network and what data they can access.
It starts at the top
A successful plan for addressing cybersecurity risks starts with a commitment from C-level executives. “The reason why most of these things fail is because they are underfunded,” Shearer said.
Top executives must decide to address cybersecurity threats, assess their risk and determine how much they are willing to budget. He compared cybersecurity to health-care insurance. A company can opt for the equivalent of catastrophic insurance, which has a low premium but potentially high out-of-pocket costs, or it could go with a premium plan that costs more upfront but limits unexpected expenses down the road.
A processor’s cybersecurity investment might depend on its customers and the types of products it makes. For example, a company making toy soldiers likely would want to spend less on cybersecurity than a company making complex medical devices that rely on sensitive data for quality production.
A recent trend is expanding the use of firewalls to prevent different work cells from unnecessarily communicating, which can localize a cyberthreat.
“Most of the time, firewalls are used to separate an office environment from the industrial manufacturing environment, and there’s normally only that division,” Shearer said. “What’s getting popular is to push smaller firewalls down toward the [work] cells so that your entire manufacturing facility doesn’t get compromised all at once.”
Lack of training prevents some companies from fully embracing cybersecurity best practices, Shearer said. Some equipment makers, including injection molding machine makers and PLC vendors, offer firewalls and other safeguards with their equipment. However, users often lack the knowledge to take advantage of them.
“What we find in most cases is they never turn it on, and I think that never turning it on is because people are overwhelmed, and they don’t have the skill set,” Shearer said.
Employee training needs to be part of a cybersecurity plan, he said. That may mean hiring a contractor to provide it.
Another critical step is backing up your data and programs, Mustard said.
If, for example, hackers successfully install ransomware in your manufacturing plant, you do not want to pay a ransom to them to unlock your computers because there is no guarantee they will comply. Even if they do, you’re still vulnerable to the same type of attack.
Instead, you need to respond by wiping your computers and reinstalling the data and programs.
“Now, if you don’t have backups in the first place, you can’t do that, and that’s where a lot of outages in manufacturing due to cybersecurity happen,” Mustard said. “If you have a backup, even if you do get an incident, you can restore yourself to normal operational state relatively quickly, and that’s important.”
It’s important to test backups regularly to ensure they will work when needed, he said.
Make a cybersecurity response plan
Most companies have written plans to guide employees on how to respond to natural disasters like storms, floods, fires or earthquakes. Every employee knows where to go and how to respond, but not as many companies have plans for cybersecurity threats.
“What do you do when you detect malware on a computer?” Mustard said. “What is the process? Who do you contact? How do you go about it? What do you do, step by step?”
It is important for every company to have a plan and to ensure employees know how to follow that plan. They should hold exercises in a test environment to ensure the plan will work and they know the correct numbers to call in an urgent situation.
While these steps may sound basic, they are the most important steps a company can take to protect itself, Mustard said.
“These are the things you should focus on,” Mustard said. “I’m not dismissing any solution that improves security, but I’m saying that … the guidance for me is clear that you need to focus on those basics first, get those in place, get those locked own, and then you’ll be in much better shape and you can start to think about what to do next.”
Threats are not overblown
“The obstacle is getting people to believe that they need to do something,” Mustard said.
A company with a cybersecurity incident can have its employees’ personal information put at risk or its financial information could be stolen. However, perhaps even more significant is the possibility of lost production.
“When you’re talking about plastics manufacturers or any manufacturers, it’s the operational side that I think is the biggest concern for them,” Mustard said. “When you’re looking at it on balance, the biggest risk they have is the loss of production or the damage to the equipment or the harm to people or the harm to the environment or the reputational damage they have from harm to the environment.”
This would be in comparison to a bank or a credit card company, which would be concerned about a loss of sensitive data, he said.
“Whether it’s operational security or data security, it’s a problem, and it’s a big problem,” Mustard said. “It’s not overblown.”
One of the reasons companies might not appreciate the risks of inadequate cybersecurity is because no one knows the scale of the problem.
“The reason why we don’t have the statistics about the scale of the problem is because a lot of people don’t report cybersecurity incidents,” Mustard said.
Sometimes, victims do not report incidents because they’re embarrassed or scared it could happen again or, in the worst-case scenario, they aren’t even aware that their security has been breached. Studies have shown that it sometimes can take months or even years for a company to detect a cybersecurity incident, Mustard said.
Malware designed to damage equipment
Although it’s expensive, it is possible to develop malware that can make it appear machinery is operating normally when it isn’t.
“If you so desired, you could create malware to interfere with a manufacturing process such that the operators think it is behaving normally, but, behind the scenes, it is actually doing something different,” Mustard said. “It could be damaging the manufacturing equipment. It could be creating something that is contaminated that can’t be used.”
One example was the Stuxnet malware discovered in 2010 that targeted Iran’s nuclear program by making it appear centrifuges were operating normally when they were outside of parameters, which damaged them.
“That kind of thing can happen,” Mustard said. “I’m not suggesting that the average plastic manufacturer is going to be subjected to an elaborate attack like that, but it’s all possible.”
A more likely scenario involves ransomware.
“You just get some ransomware on the computer equipment that’s controlling the process, and then all of that process is shut down and you can’t run it until you restore the computer equipment to the operational state, and like I said before, many people don’t have those backups,” Mustard said.
Without backed-up data, it could take weeks for a processor to resume normal operations, he said.
“If you can’t run your process without that computer equipment, and it’s out of service for a week, how much does that cost you?” Mustard said. “What would you do? If you don’t have an answer to that, then you need to think about an answer to that.”
Plastics processors should also consider what security steps their suppliers and vendors are taking.
“As a plastics manufacturer, if you are operating the best cybersecurity management system ever in your facility but you connect to a vendor who has no cybersecurity monitoring, the weakest link is now the vendor,” Mustard said. “As an attacker, if I look at this plastics manufacturer and I say, well, they’re very secure, there’s no way I can get in there, I can easily find vendors who work with them, and if I find that a vendor isn’t very secure, I’ll get in that way.”
Physical security plays a role
Even if a manufacturing plant is not connected to the internet, has security guards at the gates and requires that employees use secure keycards to access the building, it still may not be safe from cybersecurity threats.
“Obviously, you are not going to get someone attacking you from the outside,” Mustard said. “The problem is you can still have someone attack you from the inside.”
That is what happened in the Stuxnet case involving Iran’s uranium refinement facility. The facility was secured from outside access, but someone managed to get a USB drive infected with the malware into the facility and it infected the computer network when the drive was plugged in.
All companies need to rigorously control not only who can access their facilities but also which parts of the facilities they can access. Mustard has visited clients where employees who did not know his identity allowed him to walk around without scrutiny.
“I can walk around a lot of these places freely and no one stops me from going into control rooms and server rooms, and that is bad physical security because a lot of those people don’t know who I am,” Mustard said. “They should be challenging me. I might be someone with malicious intent.”
Plastics processors and other manufacturers need to understand they could face threats from disgruntled employees or a vendor’s disgruntled employees who visit their facilities.
“That’s why vigilance is important to spot anything suspicious,” Mustard said.
COVID-19 poses additional threats
“When you provide a method to access facilities legitimately, you are now exposing those to illegitimate access,” Mustard said. “It’s always the case. If you make it easier to access something, you are making it easier for people who you don’t want to have access to have access as well.”
There are several precautions a company can take, such as requiring multi-factor or two-factor authentication. This could be similar to precautions many banks have taken provide secure online banking. An employee may have a password to access his employer’s network, but a code generator then produces a unique code that must be entered in conjunction with the password.
“Someone can know your password but still can’t get access to your code generator, so they can’t get in,” Mustard said.
Another precaution could be accessing a company network only through a secure virtual private network that encrypts data and prevents anyone else from intercepting communications on the internet.
Mustard has worked with Eric Cosman, co-chair of the ISA99 committee, which develops standards on industrial automation and control systems security. Together, they wrote a white paper titled “Industrial Cybersecurity for Small- and Medium-Sized Businesses” for the ISA. The authors identified some common cybersecurity threats:
• Amateur hackers: Individuals and groups can access many online tools and resources to find systems connected to the internet and interfere with their operation, often for the challenge or prestige.
• Professional hackers: Hackers with more skills and resources target organizations with ransomware and other disruptive techniques and tools for profit.
• Activists: Groups can work with hackers to disrupt the operations of organizations whose business practices are contrary to their beliefs.
• Disgruntled employees or contractors: Using inside knowledge or privileged access, they can seek revenge by disrupting operations or stealing confidential information to be sold to competitors.
• Nation states or terrorists: Organizations with large resources target critical infrastructure organizations to create instability or to exert their will. The Stuxnet attack on Iran’s nuclear enrichment facility is one example.
• Accidents or unintentional actions: Employees or contractors can inadvertently take actions that result in a cybersecurity incident.
In the same white paper, the authors outlined common cybersecurity vulnerabilities and how manufacturers can address them.
• Inadequately trained employees: Companies need to train employees not to reuse removable media without performing virus checks and to be alert to signs of a cyber incident. They also need to make their employees of the threat of social engineering attacks, in which cyber criminals lure victims into divulging personal information that might later be used for fraudulent purposes.
•Inadequately secured networks: Avoid direct connections with external networks when possible, and control traffic in and out of the internal network and between different areas of the internal network.
• Inadequately secured equipment: Equipment, whenever possible, should be kept in locked cabinets or rooms, physical and electronic locks should secure access to physical inputs (like USB drives), and unnecessary applications or services should be removed or disabled.
• Inadequate anti-virus management: Equipment running without anti-virus protection is vulnerable to malware attacks that can spread throughout the organization. Anti-virus software should be regularly updated with the latest malware signatures and security patches.
• Inadequate change management: Changes to system software or hardware can introduce new vulnerabilities, so they must be reviewed for reliability and possible risks before implementation. Information should be backed up prior to making changes in case of an update failure.
• Inadequate security patch management: Equipment should be kept up to date with security patches from vendors.
• Inadequate backup management: Backups are essential to restoring failed hardware or equipment infected with malware, so companies need to determine what needs to be backed up and how often, maintain backups according to a defined timetable and periodically test backups.
• Inadequate password management: Manufacturers must enforce the use of strong passwords and periodic changes of passwords.
• Use of shared accounts: Avoid them because they can make it impossible to verify who took a specific action. Not all users should have the same privileges. Keep in mind that, when an employee leaves, he or she will retain knowledge of account details.
•Use of default accounts: Many devices or systems (including WiFi routers and sensors) have manufacturers’ default usernames and passwords. Those should be reset whenever possible. Otherwise, anyone with knowledge of an equipment manufacturer’s defaults can easily gain unauthorized access. Some default account information is published on the internet.
• Inadequate incident response: Many organizations have no plans to deal with a cybersecurity incident or don’t practice what to do to ensure their plans are effective. Organizations can be exposed to major consequences (such as extended production downtime, equipment damage, theft of confidential information, and even injury or death) should a cybersecurity incident occur.
The ISA’s white paper, which includes additional cybersecurity recommendations, is available at www.isa.org/uploadedFiles/Content/PDFs/Industrial_Cybersecurity_for_SMB_WP.pdf.
Bruce Geiselman, senior staff reporter
International Society of Automation, Research Triangle Park, N.C., 919-549-8411, www.isa.org
SANS Institute, Bethesda, Md., 301-654-7267, www.sans.org