September 12, 2016
By Shmulik Aran, NextNine
A manufacturer and its connected production environment are exposed to a full range of cybersecurity threats. Mitigating the risk of cyberattacks is a rigorous process that requires the hardening of security controls around the IT, ICS and SCADA platforms.
Manufacturing enterprises are constantly exploring new practices for improving their security posture. This is especially true for manufacturers that are currently converging their IT and OT operations.
By connecting manufacturing equipment to IT networks, plant managers have greater control over each function in the manufacturing process and are in the position to make better decisions that can improve reliability, safety and profitability. However, along with these benefits, a manufacturer and its newly connected production environment are exposed to a full range of cybersecurity threats.
Mitigating the risk of cyberattacks is a rigorous process that requires the hardening of security controls around the IT, ICS and SCADA platforms. This is a continuous, complex project requiring the collaboration of IT and OT teams, as well cooperation between individual plants and the corporate offices. The process entails obtaining full visibility of all distributed assets, establishing secure connectivity to every asset and protecting each asset with current patches and antivirus signatures, while being able to alert on policy violations and more.
The Starting Point
This process for mitigating cybersecurity risks starts with establishing full visibility and conducting a complete inventory of all the assets connected to an industrial network. Logically, in order to execute an effective security plan, a manufacturer must first know what devices, equipment and systems exist and how each is configured and connected.
According to the analyst firm Gartner in its Strategic Planning Assumption No. 2, “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources,” and it recommends that the “security organization must invest in capabilities to discover and track shadow IT.”
Mapping all the assets is the first step towards end-to-end visibility, but getting this complete inventory is far easier said than done. A manufacturer needs to gather an accurate accounting of the hardware and software configurations, services and applications that are running, status of device patches and antivirus software, inventory of open ports and more. At the same time, a manufacturer needs to gain a consolidated view of all assets across the enterprise, including distributed and remote plants.
When done manually, creating a complete asset mapping with full identification for just one plant is a time-consuming and tedious process that is prone to mistakes. Once completed, the mapping is already outdated: vendors will have visited the plant and added new devices, new services will have been deployed and new patches will be waiting to be installed. The industrial environment is dynamic, making yesterday's inventory inaccurate tomorrow. Thus, there is a definite need for automated asset discovery and mapping, with all changes from the baseline being documented and incorporated into a revised inventory.
The Challenges of Asset Discovery
Conducting asset discovery in a manufacturing environment presents many challenges. To start with, some of the equipment is likely to be 25+ years old, which means this equipment was not designed to communicate with network probes. As a result, older equipment must be discovered in an unobtrusive way to avoid disrupting availability.
These days, most plants connect their industrial controllers to host machines that run either a Windows or a Linux operating system. An active scan can be used to ping an IP address to determine whether a device is actually there. If one is, the scanner can connect to the host device to collect the necessary information, such as the machine type, its operating system version, how the hardware and software are configured, the status of controls like antivirus software and so on.
The host machines that manage the ICS controllers are typically stable enough for an active scan. Ironically, it is often these devices that are the source of malware that gets into the controllers and spreads to industrial machines. This is why it is so important to learn what vulnerabilities might exist on the host machines and to establish a security routine to patch and protect these devices.
The PLCs on the ICS side of the network are sensitive to pings, probes and network traffic. The CIO of a plant certainly cannot risk doing anything that might result in these devices becoming unstable or unavailable, so active scanning techniques are not an option. Therefore, a passive approach is required, not only to detect and identify these devices but also to understand what they communicate with and how. Even this is a challenge: ICS traffic flows are decentralized and legacy network equipment often lacks the capability to mirror or export traffic, which makes standard passive scanning technologies difficult to apply. However, less intrusive technology based on traffic analysis can help to fully discover and identify these sensitive devices.
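As an added illustration of the passive approach described here (and of the baseline comparison called for in the section above), the following Python example builds an asset inventory purely from observed flow records and then reports what has changed since a previous baseline. It is not NextNine's code; the flow records, IP addresses and the passive sensor feeding them are constructed assumptions, and the port-to-protocol labels are the standard well-known ports for Modbus/TCP, EtherNet/IP, S7comm and SMB.

```python
"""Passive asset inventory from observed flow records, plus a baseline diff.

Nothing is sent to the network: the inventory is derived only from traffic a
sensor (e.g. on a SPAN/mirror port) has already seen, so fragile PLCs are
never probed."""
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502, "tcp"),    # HMI host -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.2.21", 502, "tcp"),
    ("10.1.1.11", "10.1.2.20", 44818, "tcp"),  # engineering station -> PLC, EtherNet/IP
    ("10.1.1.10", "10.1.1.50", 445, "tcp"),    # HMI host -> file server, SMB
    ("10.1.2.30", "10.1.2.20", 502, "tcp"),    # device not in baseline talking Modbus
]

# Well-known service ports, used only to label what was observed.
SERVICE_NAMES = {502: "modbus-tcp", 44818: "enip", 102: "s7comm", 445: "smb"}
ICS_SERVICES = {"modbus-tcp", "enip", "s7comm"}

def build_inventory(flows):
    """Return {ip: {"serves": set(service), "talks_to": set((peer, service))}}."""
    inv = defaultdict(lambda: {"serves": set(), "talks_to": set()})
    for src, dst, dport, proto in flows:
        name = SERVICE_NAMES.get(dport, f"{proto}/{dport}")
        inv[dst]["serves"].add(name)          # dst answered on this service
        inv[src]["talks_to"].add((dst, name))  # src initiated the conversation
    return dict(inv)

def classify(entry):
    """Heuristic role: answers on an ICS port -> controller; only initiates
    ICS conversations -> ICS client; otherwise an ordinary IT host."""
    if entry["serves"] & ICS_SERVICES:
        return "controller"
    if any(svc in ICS_SERVICES for _, svc in entry["talks_to"]):
        return "ics-client"
    return "it-host"

def diff_against_baseline(baseline, current):
    """Devices and services present now but absent from the baseline inventory."""
    new_devices = sorted(set(current) - set(baseline))
    new_services = {}
    for ip, entry in current.items():
        added = entry["serves"] - baseline.get(ip, {"serves": set()})["serves"]
        if added:
            new_services[ip] = sorted(added)
    return new_devices, new_services

if __name__ == "__main__":
    baseline = build_inventory(FLOWS[:3])   # yesterday's inventory
    current = build_inventory(FLOWS)        # what the sensor sees today
    for ip, entry in sorted(current.items()):
        print(ip, classify(entry), sorted(entry["serves"]))
    print("new since baseline:", diff_against_baseline(baseline, current))
```

In practice the flow records would come from the sensor's export rather than a literal list, and every new device or service the diff reports is a candidate for review before it is accepted into the revised inventory.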
Benefits of an Accurate Inventory
A comprehensive and up-to-date asset inventory is vital to developing an appropriate defense strategy for an industrial network and maintaining a strong security posture for manufacturing infrastructure. The manufacturer needs clear visibility into what devices and equipment are on the network, what they communicate with and how, the characteristics of the devices and the presence of any known vulnerabilities.
With the growing shortage of skilled cybersecurity personnel, all these processes must be automated and managed at the headquarters level, where the cyber-experts are located, allowing plants to focus on production.
Once there is a clear picture of the assets, a manufacturer is in a good position to prepare its OT security strategy, establish perimeter defenses and put proper hardening processes in place.
This article is the second in a series of four articles on OT security management in manufacturing enterprises. The first article presented an overview of the OT security challenges faced by manufacturers connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected manufacturing environment. This article and the following two articles take in-depth looks at each of these recommendations. The next article will provide an analysis of options for establishing secure connectivity among connected industrial assets.
About the Author
Shmulik Aran is the CEO of NextNine, a provider of security management solutions for connected industrial control system environments.