Is Your Plant Vulnerable to Internal Cyberattacks? - Industry Today - Leader in Manufacturing & Industry News

December 9, 2022 Is Your Plant Vulnerable to Internal Cyberattacks?

Unsecured OT hardware is a potential vector for insider attacks, commonly missed by IT planning.

By: Kimberly Cornwell

Cybersecurity risks are well known in industry, and many manufacturers have built comprehensive strategies against external threats: closing off routes for outside access and reducing the risk of external hacking. Those perimeter-facing protections are valuable, but on their own they leave manufacturers exposed to internal cyber threats.

Internal attacks often pose a greater risk than external ones. Insiders already have the access and the knowledge needed to cripple a business, and the internal routes into critical systems are frequently left entirely unsecured.

Staff and contractors need access, often broad access, to do their jobs efficiently, which makes internal threats much harder to detect and mitigate. The first step in securing these systems is therefore understanding the risks specific to industrial control system (ICS) and OT environments.

The Costs of Insider Attacks

Industrial cyberattacks can harm employees, customers, or, in extreme cases, people in the general area of a facility. With insider access, an unsecured data port means anyone with a USB drive or an Ethernet-capable device could take control of an entire facility: locking operators out of systems, reprogramming equipment, or wiping data. The attacker could be an employee with a grievance, an outside OEM in a contract dispute, a contractor brought in for a specific project, or anyone else who can reach the internal network directly, without ever crossing the internet. At facilities that still run unsecured WiFi, that reach can extend to a car sitting in the parking lot.

The potential for harm from insider attacks is extreme, and the effects can be tough to resolve. Risks to health and safety are the primary concern. Downtime and other direct costs of an attack are multiplied by reputation risk. Missed deadlines or logistics issues created by an insider attack can extend the damage for months or years.

Responding to the Risk of Insider Attacks

Effective planning for insider cyberattacks should cover every aspect of regaining access to, and restoring the function of, IT/OT infrastructure. All potential risks to the company and its business-critical assets must be understood so the plan leaves nothing out. During this process, the maximum allowable downtime for each asset in the event of a disaster needs to be identified; that figure drives the decisions on what to back up, how often, and through what mechanisms.

One of the most important parts of a response to any attack, including an insider attack, is a robust disaster recovery process. Disaster recovery is not a new concept, but it has usually been implemented with natural disasters and power failures in mind. The ability to execute a system rollback on demand can revert all software to its state before the attack, minimizing downtime. Two caveats apply: the backup copies must be kept where the same insider access cannot alter or delete them, and a rollback only buys time unless the access route used for the attack is also closed, since an attacker who still has the port or the password can simply make the change again.

In addition to disaster recovery, policies that prevent breaches in the first place are essential. For example, is there a procedure for when someone finds an unidentified device, such as a USB drive, plugged into a machine? "Workarounds" done to save time, such as leaving data ports open or running PLCs with default or no password protection, are easy vectors for insider attacks. Credentials, identity verification, access restrictions, and extra layers of security do add friction to individual tasks, but that friction has to be weighed against the risk of an insider attack.

When evaluating a disaster plan, there are many questions to ask:

  • What steps are in place if an unexpected modification to code occurs?
  • Are affected machines shut down and isolated from the network?
  • If an event occurs, is there a post-analysis process in place to close that particular vulnerability?
  • Does the cybersecurity protection in place even allow you to detect an insider attack?
  • Is someone on your cyber team alerted when an unrecognized device connects to the network?
  • If systems are accessed or operating unusually, are there programmed-in alerts?
  • Could someone enable network sniffing software and run it without IT noticing?
  • Does robust and comprehensive logging show who made a change and what was changed?
  • Are all updates and alerts sent via email or text to key stakeholders?
  • Is equipment monitored for changes to its program source code as well as to key production parameters?
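The last few questions (unrecognized devices, attribution of changes, monitoring of program code and production parameters) are the ones most often unanswered in OT. As an added example, not code from the article or from Siemens, the Python script below shows the shape of a minimal check that answers them: it compares a snapshot of one production cell against a baseline held off the OT network and reports unknown MAC addresses, a changed PLC program (by hash, attributed from an audit trail when one exists), and key parameters outside their approved window. Every device name, MAC address, program text, parameter, and audit-log line is constructed for the example, and the syslog-style audit format is an assumption, not any vendor's.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Baseline, kept off the OT network. Every value below is constructed. ---

# "Golden" PLC project as exported from the engineering workstation (constructed).
GOLDEN_PROGRAM = b"NETWORK 1\n  A I0.0\n  = Q0.0\nNETWORK 2\n  L 200\n  T MW10\n"

# Asset inventory: MAC address -> asset name (constructed addresses and names).
KNOWN_DEVICES = {
    "00:1b:1b:aa:bb:01": "PLC-LINE1",
    "00:1b:1b:aa:bb:02": "HMI-LINE1",
    "00:1b:1b:aa:bb:03": "ENG-WS-01",
}

# Approved program hash and allowed window (low, high) per key production parameter.
BASELINE: Dict[str, dict] = {
    "PLC-LINE1": {
        "program_sha256": sha256_hex(GOLDEN_PROGRAM),
        "params": {"oven_setpoint_c": (180.0, 220.0), "belt_speed_mpm": (1.0, 3.0)},
    },
}


# --- Checks ---

def check_devices(observed: Dict[str, str], known=KNOWN_DEVICES) -> List[str]:
    """observed maps MAC -> IP as seen on the cell network (switch MAC table, ARP, DHCP).
    Any MAC that is not in the asset inventory produces an alert."""
    return [f"UNKNOWN DEVICE {mac} at {ip}: not in asset inventory"
            for mac, ip in sorted(observed.items()) if mac.lower() not in known]


def check_controller(name: str, program: bytes, params: Dict[str, float],
                     audit: List[str], baseline=BASELINE) -> List[str]:
    """Compare one controller's current program and parameters with the baseline.
    audit holds syslog-style lines (constructed format) from the engineering tool,
    used to report who last downloaded a program to the controller."""
    alerts: List[str] = []
    ref = baseline[name]
    if sha256_hex(program) != ref["program_sha256"]:
        downloads = [line for line in audit
                     if f" {name} " in line and "action=DOWNLOAD" in line]
        # A missing audit record is itself a finding: the change cannot be attributed.
        who = downloads[-1] if downloads else "NO AUDIT RECORD of a download"
        alerts.append(f"PROGRAM CHANGED on {name}; last download: {who}")
    for key, (lo, hi) in ref["params"].items():
        val = params.get(key)
        if val is None:
            alerts.append(f"PARAMETER MISSING on {name}: {key}")
        elif not lo <= val <= hi:
            alerts.append(f"PARAMETER OUT OF RANGE on {name}: {key}={val} "
                          f"(allowed {lo}-{hi})")
    return alerts


# --- One constructed snapshot: an unknown laptop downloads a modified program ---

SNAPSHOT_MACS = {
    "00:1b:1b:aa:bb:01": "10.0.5.10",
    "00:1b:1b:aa:bb:02": "10.0.5.11",
    "00:0c:29:12:34:56": "10.0.5.77",   # not in the inventory
}
SNAPSHOT_PROGRAM = GOLDEN_PROGRAM.replace(b"L 200", b"L 260")   # setpoint raised in code
SNAPSHOT_PARAMS = {"oven_setpoint_c": 260.0, "belt_speed_mpm": 2.0}
SNAPSHOT_AUDIT = [
    "2022-12-08T13:55:02Z HMI-LINE1 user=operator3 action=LOGIN src=10.0.5.11",
    "2022-12-08T14:02:11Z PLC-LINE1 user=contractor7 action=DOWNLOAD src=10.0.5.77",
]


def run_example() -> List[str]:
    """Run both checks over the constructed snapshot and return the alerts."""
    return (check_devices(SNAPSHOT_MACS)
            + check_controller("PLC-LINE1", SNAPSHOT_PROGRAM, SNAPSHOT_PARAMS, SNAPSHOT_AUDIT))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Against the constructed snapshot the script raises three alerts: the unknown device at 10.0.5.77, a program change on PLC-LINE1 attributed to the download from that same address, and an oven setpoint outside the approved window. The baseline and the golden program only protect you if they are stored and compared from outside the OT network the insider can reach; if the comparison runs on the engineering workstation itself, an attacker with that workstation's access can rewrite the baseline along with the program.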

These questions will help you assess your risk. Often, even where IT security is very robust, OT security looks like the Wild West, with an "anything goes" approach to allowing devices and connectivity, even to critical systems. "Identify, respond, and analyze" are key phases of cybersecurity risk management, and in the OT landscape the identification step is frequently skipped entirely. Creating a proactive, evolving cybersecurity program for your OT assets should be a priority for every company.

Good cyber hygiene keeps the number of people authorized to make changes to a minimum and removes access systematically when it is no longer needed. When an employee leaves, do they lose access to plant-floor equipment at the same moment they lose their email and intranet accounts? If PLC and HMI logins are local to the device, or shared among a team, rather than tied to the same identity system that offboarding disables, a former employee can still log in.

The IEC 62443 series of standards provides an excellent baseline for implementing security. It defines graduated security levels, so different degrees of risk map to different sets of requirements. Measuring your own process and policy against the standard is a starting point for understanding where you currently "rank".

Once you understand the possible vulnerabilities in your process, you can evaluate the dangers and risks and put in place the practices that make the difference between an attack being a major inconvenience and a complete disaster.

Kimberly Cornwell

Kimberly Cornwell is a System Engineer with Siemens Digital Industry Factory Automation Division and a member of the Factory Automation Cybersecurity Tech Team. She enjoys helping clients tackle their tough industrial engineering challenges. An MIT Mechanical Engineering graduate, Kimberly fell into industrial controls while working for a semiconductor OEM and has never looked back. At MIT “hacks” were viewed positively – she now uses that mischievous spirit to help identify vulnerabilities in the industrial OT landscape. kimberly.cornwell@siemens.com
