Minding the gaps to protect industrial PLCs from cyber threats

1 January 2020 Information Security

Times have changed dramatically since the first programmable logic controllers (PLCs) found their way onto factory floors to control and automate manufacturing and industrial processes. One of the biggest changes is the advent of the Internet that changed available communication technologies from Profibus, a protocol gateway that directly connects PLCs to the machinery they control, to Profinet, an Ethernet-based industrial communication system that provides faster real-time communication and can interconnect network devices to the Internet.

PLCs, designed to control machinery and specific processes, were never built with cybersecurity threats in mind and protecting PLCs against these threats requires healthy isolation from the Internet.

With the change in how industrial machines communicate within a network came new risks. Systems that were isolated in the past are now visible on the Internet. This can be compared to public transport where people are not operating in isolation anymore, but relying on public exposure to travel.

Operational technology (OT) networks have always been designed and configured in a flat and unsegmented configuration where all the OT devices are all connected on the same network. When OT networks run unsegmented alongside information technology (IT) networks, which also uses Ethernet connections, disparate systems like payroll systems and PLC systems can be accessed from the same network. If an IT network is infected with malware, the manufacturing operation’s OT network is exposed to the same malware. OT networks should, therefore, be isolated from IT networks in the fundamental planning of an organisation’s operational technology infrastructure.

This is where air-gapping comes in. Air-gapping is part of the actual set-up of a network where a secure network is physically separated from an unsecured one. Clear separation between critical and non-critical systems can limit the impact of a breach and makes it possible to apply appropriate security controls. For example, non-critical systems can have access to view information on critical systems, but not necessarily make changes.

“Air-gapping within OT networks, where you isolate your PLC environment from the rest of your systems, is the modern way of doing it. When done effectively, air-gapping makes it possible to allow interplay between systems, but there are healthy boundaries to keep your PLC environment safe from the types of cyber threats that afflict IT.

“For instance, industrial control systems, including those that many PLCs integrate with, use Microsoft Windows, which opens up the same risks to the PLC system as those affecting PCs. Yet traditional software security tools are not effective enough in protecting PLCs.

“The Stuxnet case study was a wake up call for the industry and made role players in the industry realise there are risks of additional threats when exposing production processes to the Internet and that small changes can have a big impact.

“Other malware is designed specifically to target PLCs. The malicious Stuxnet worm, for example, was designed to target industrial PLCs, ultimately modifying the codes and giving unexpected commands to the control system with far-reaching consequences. It can cost money, downtime, reputational damage, and even lives.”[1]

“In a water plant, if a PLC goes haywire because of being compromised, water quality can be impacted and as a result, affect thousands of lives. In Iran, the Stuxnet virus made a small modification to a PLC environment and forced a complete shutdown of this uranium enrichment plant.”[2]

“By implementing an effective PLC security strategy, which includes air-gapping in the correct areas, identity and access management, and asset discovery, you can mitigate these risks and avoid setbacks and costly downtime,” says Charl Ueckermann, CEO at AVeS Cyber Security.

He explains; “In the old days, companies had proprietary protocols in terms of how they ran productions. Those were well-networked protocols, and they were isolated from IT-based cyber environments. To create efficiencies, do better Just-In-Time manufacturing, eliminate waste, reduce working capital and provide instant information, it became necessary to get PLCs connected via Ethernet, which means there is a high level of connectivity between cyber systems and PLCs nowadays.

“The problem lies in the way in which communication channels have been opened up between OT networks, IT networks and the Internet. There is a lack of proper segregation, adequate VLANs aren’t created, and often a firewall or two is slapped into the mix. This means that there are rivers of information rushing together and they really should run separately so that one cannot infect the other.”

Complete isolation is not the solution. That would be like having all the doors to a shopping centre locked, stopping everyone from entering, including customers. Instead, you want to control access, allowing customers in and unwanted ‘guests’ out.

Similarly, you want to be able to inspect and control the nature of traffic going in to and out of OT environments, as well as between different PLCs so that the business still benefits from connectivity between them without exposing systems to unwanted risk.

“When it comes to identity and access control, you should define exactly who is allowed into the environment, what timeframes they are permitted access, and what they can work on while they are there. This is most certainly one of the highest-ranking priorities in the PLC security plan.”

The first step, however, should be a cybersecurity vulnerability assessment. Modern manufacturers need to understand where all their PLC data resides and how people connect to that data. In a manufacturing environment, there will typically be different PLCs in different parts of the organisation, factory or mine, and these are interlinked. It is essential to know how they are exposed to other computers that have connectivity to the Internet as these create open gateways for industrial cyber threats. This includes all Internet-connected devices, even smartphones that employees might be plugging into their computers to charge during their day at work.

Once companies have a comprehensive understanding of the environment and how the different network areas are connected, it becomes necessary to call on technology to assist with controlling access to the environment’s systems, which includes physical and digital assets, as well as put processes in place to protect data. Ongoing monitoring solutions are also needed to maintain visibility of the data flowing between and in and out of the various environments.

Not all threats and attacks occur from the outside, which is why Ueckermann stresses that in addition to effective policies, procedures, and technologies, companies need to put their employees through security awareness and training.

“People need to be critically aware of their associated responsibilities in protecting the organisation against malware or cybercrime for that matter. In a typical manufacturing environment, employees are required to go through proper health and safety induction. Likewise, they should be required to undergo a cybersecurity induction because when it comes to PLCs that can behave erratically and dangerously if they are compromised, lives are at stake.”

For more information, contact AVeS Cyber Security, 086 100 2837, info@aves.co.za, www.aves.co.za.

[1] Fruhlinger, J. (2017, 08 22). What is Stuxnet, who created it and how does it work? Retrieved from CSO: https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html

[2]Kelly, M. B. (2012, 04 13). The Stuxnet Virus At Iran's Nuclear Facility Was Planted By An Iranian Double Agent.</sup> Retrieved from Business Insider: https://www.businessinsider.com/stuxnet-virus-planted-by-iranian-double-agent-2012-4?IR=T


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
Addressing today’s mining challenges: cyber risks beyond IT
Editor's Choice Information Security Mining (Industry)
Despite the mining industry’s operational technology systems being vulnerable to cyberattacks, many decision-makers still see these threats as purely an IT issue, even though a breach could potentially disrupt mining operations.

Read more...
Get proactive with cybersecurity
Information Security
The ability to respond effectively to a cybersecurity breach is critical, but the missing piece of the puzzle is a thorough, proactive evaluation to ascertain weaknesses and identify any hidden threats.

Read more...
How to effectively share household devices
Smart Home Automation Information Security
Sharing electronic devices within a household is unavoidable. South African teens spend over eight hours per day online, making device sharing among family members commonplace. Fortunately, there are methods to guarantee safe usage for everyone.

Read more...
How to securely manage your digital footprint
Information Security Training & Education
Managing your online presence is critical to safeguarding your privacy and security. It is imperative to take a proactive approach, including using robust cybersecurity best practices.

Read more...
The state of code security in 2024
Information Security
The 2024 State of Code Security survey reveals that organisations have continued to shore up application security defences over the last year, according to OpenText Premier Partner iOCO Application Management.

Read more...
What is the level of safety and integrity of the software supply chain?
Information Security IoT & Automation
Organisations are embracing AppSec practices and focusing on their software security posture. However, they highlight that insufficient funding and security resources, plus a disconnect between developers and security teams, remain major roadblocks.

Read more...
Cybercriminals target financial service providers to get at sensitive client data
Information Security
According to Ryan van de Coolwijk, Product Head for cyber at iTOO Special Risks, hackers target financial service providers because they hold sensitive client information that unauthorised individuals could use for fraudulent activities.

Read more...
Fortinet establishes new point-of-presence in South Africa
News & Events Information Security
Fortinet has announced the launch of a new dedicated point-of-presence (POP) in Isando, Johannesburg, to expand the reach and availability of Fortinet Unified SASE for customers across South Africa and southern African countries.

Read more...