The lifespan of industrial machinery is slightly more than 25 years. Now think about the world of computing 25 years ago. That was the era of the Microsoft Windows 3.11 and Windows 95 operating systems, Tim Berners-Lee’s invention of the World Wide Web, and floppy disks as the primary means of offline data storage. Google didn’t even exist. It seems like eons back if you compare it to the state of information technology today. Yet, even as far back as then, industrial equipment manufacturers were rushing to embed software technology in their products. This early dabbling in industrial control software is proving to be a cybersecurity headache, as was clearly illustrated just a few days ago. But before we get to that, first a look at what industrial control systems are.
What are industrial control systems?
Imagine a major power plant or a factory that facilitates manufacturing at scale. Within such an industrial facility sits some form of industrial control system (ICS). The system would comprise industrial hardware as well as the software that controls and monitors the hardware. Modern ICS has resulted in substantial, measurable improvements in efficiency, safety, and profitability. Introducing software in industrial processes, however, also means exposure to an array of cyber-risks that can impact safety, disrupt operations, and inflict financial costs.
ICS cybersecurity risks
Here are some of the most significant cybersecurity risks that endanger legacy industrial control systems today:
Embedded Windows OS
Hindsight is 20/20, so it would be unfair to expect industrial equipment manufacturers to have accurately predicted the future. Yet, deeply integrating computer technology that typically has a lifecycle of two years with industrial technology that has a 25-year lifecycle was a risky, perhaps imprudent decision. The constant security patches, OS updates, and anti-malware updates eventually cause the industrial control system to become an unwieldy, unmaintained, and inefficient cybersecurity time bomb. Businesses can segregate networks, install VPNs, and deploy firewalls, but that will only seal some loopholes. It will only take a well-meaning employee plugging in a USB stick or introducing a third-party laptop for malware to permeate the system.
Enterprise strength software
The introduction of user-friendly operating systems, simple programming languages, and easy-to-deploy databases opened new frontiers for manufacturers. The supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and manufacturing execution systems (MES) markets exploded with hundreds of industrial device companies getting in on the action.
While many of these systems served the intended purpose quite well, they often paid scant attention to cybersecurity considerations such as buffer overflow checking, data encryption, packet/protocol level authentication, and secure coding fundamentals.
Industrial environments were not designed with the thought that they would at some point need to run mini-datacenters. Since the datacenters were an afterthought of sorts, they were not equipped with the infrastructure required for reliable and secure operations. The physical and computer security policies were immature compared to standard datacenter locations. Cyber penetration testing often revealed some nasty lurking surprises.
Further, the technology used on manufacturing floors isn’t the conventional IT that can be supported by an in-house team for the most part. Instead, there’s heavy dependence on vendor support that requires providing direct remote access to the manufacturing core. That introduces substantial cybersecurity risk, including facilitating backdoors that attackers could use to penetrate the network.
While no enterprise is completely immune from cyberattack, the large numbers of unprotected and unsupported operating systems in industrial manufacturing environments make them especially vulnerable, with potentially catastrophic consequences.
Shifting technology landscape
The Internet of Things and Industry 4.0 are radically transforming the technology footprint on the factory floor. Legacy protocols like Modbus and Profibus are giving way to TCP/IP communication. Centralized two-tier, on-premises architecture is evolving to decentralized cloud/edge multitier solutions. SCADA industrial systems are increasingly integrated with analytics, ERP, and MES platforms.
The largest solution providers have the financial muscle to heavily invest in research and thus evolve their products quickly. Smaller players, on the other hand, are usually bogged down by multi-decade legacy technologies that will take years to modernize. Until that is done, the solutions will remain vulnerable to cyberattack.
Many plant managers and other industrial control and automation system professionals do recognize the cybersecurity danger posed by older equipment. However, they aren’t always equipped with the knowledge and skills needed to counter the risks. To complicate matters even further, finding talent with knowledge and experience in industrial control systems is becoming harder while the previous generations of industrial control platform developers are transitioning into retirement.
Factory managers may become frustrated with the seemingly relentless stream of requests to apply new technologies. Many aren’t interested in becoming security experts but they realize their organization needs a cost-effective, appropriate plan for threat management. Whereas standards could define best practice, security governance is a challenge when it clashes with core business objectives such as productivity and efficiency.
ICS environments are bedeviled by certain challenges that conventional enterprise systems do not grapple with. It’s common for control and automation systems to run continuously with any stoppages being due to mechanical failure, lack of raw materials, or loss of power. Yet, the operation of an ICS will often be disrupted during patching.
To a factory manager, the cost of a patch-induced downtime as measured in terms of system productivity, efficiency, uptime, and safety has little appeal. That’s especially because the downtime may precipitate risks to the tightly tuned and highly engineered system. This resistance can, in turn, lead to lapses in patching that leave the ICS vulnerable to attack.
IT teams must lead industrial control systems cybersecurity
Industrial manufacturing cybersecurity will be heavily dependent on edge defenses for the next decade or so as industrial equipment manufacturers redevelop and rearchitect their control systems in tandem with contemporary cybersecurity standards. IT teams in industrial companies must, in partnership with technology vendors, play a central role in ensuring legacy industrial control systems are secured or replaced with newer, easier-to-protect systems.