No one understood or more succinctly described the strategies and philosophies of war than the great Chinese general, Sun Tzu: “Keep your friends close, and your enemies closer.” Despite the fact that the author lived and penned those words almost 2700 years ago, the message resonates. Leaders today still apply the tactics described in The Art of War to our technology-driven world.
Sun Tzu also famously said, “To know your enemy, you must become your enemy.”
Now, no one is advocating that you become a dark web hacker to understand the challenges when creating security for PLCs. As a control engineer working for a reputable organization, however, there is value in understanding who the enemy is, and what their motivation and techniques may be.
PLCs developed in the early 1970s first replaced relays in control systems for automotive assembly lines. Soon, they were rapidly adopted and integrated across the industrial landscape. At the time, security was entirely physical — there was no access to these systems outside a given facility. Times have changed dramatically.
Advances in technologies involving machine-to-machine (M2M) communications have given organizations access to massive amounts of data. Such information can be translated into actionable items, leading to better and more timely decision making. The rise of the Internet of Things (IoT) has quickly brought access to this volume of valuable data via the Internet. Machines now can be connected anywhere on the planet.
Yet this increased connectivity and access also has greatly increased the vulnerability of networks — and the machines and PLCs utilizing them. Whether it be the process heating technologies or the manufacturing industry as a whole, cybersecurity has come to the forefront. It must be a top consideration during all phases of design and implementation.
So, who and what constitutes the primary threats in the machine-builder environment for those in the heating industry utilizing PLCs? Here are some considerations.
New Threats to PLC Security
Malware has been the primary cause of most disruptive and destructive attacks over the last decade. Hacktivists target an organization or industry based on their own beliefs, with a goal of causing massive disruption and destruction. An often-cited example is the 2010 Stuxnet malware attack on the Natanz nuclear facility in Iran that resulted in the destruction of 1,000 centrifuges. Over the past few years, we have seen a rise in the number of attacks utilizing ransomware to hold organizations’ as well as individuals’ sensitive or proprietary data hostage. Unless exorbitant payments are made, the victim’s information or digital assets are destroyed or leaked to the public.
In sports, the cheaters and dopers always seem to be one step ahead of the regulatory agencies trying to maintain a level playing field. The Academy Award-winning documentary Icarus illustrates just how far individuals and states will go to cheat the system and stay ahead of doping controls.
The same is true of hackers. It is much easier for any hacker to take advantage of the cracks opened by an emerging technology than it is for an organization or industry to create impenetrable security measures.
These threats used to emanate mainly from small groups of hackers hiding in the shadows. Today, organized crime groups and even state-sponsored action constitute the greatest threats. Syndicates have the money and the muscle to employ the most accomplished hackers on the planet, who are all available for a price. The proliferation of nation-grade malware has put these powerful weapons in the hands of individuals who can inflict as much harm as a rogue nation.
Change is Constant
Today, attacks tend to happen quickly and are relatively short in duration. Even though a breach can usually be eliminated swiftly, the fallout and damage can be more far-reaching and lasting. While attacks against infrastructure such as the electrical grid or water supplies could pose an imminent threat to human lives, those targeting consumer data can be equally devastating. A company or industry’s reputation may never recover in the wake of such an event.
Markets and industries are moving quickly. Companies are seeking to be innovators or disruptors. They are racing to be first to market and are under intense pressure to perform. We are now in the midst of the rapidly emerging 4th Industrial Revolution and continue to see Moore’s Law on display as technology and innovation accelerate at a dizzying pace. What constituted state-of-the-art security in any industry 12 to 18 months ago can be woefully obsolete today.
Even though it may be impossible to eliminate all security breaches in systems and devices, machine-builders can never rest on their laurels. They must remain proactively vigilant to maintain the best PLC security that can be incorporated into a design. These are the new battle lines in 21st century digital warfare. Sun Tzu said, “Invincibility lies in the defense.”
How strong is your defense?
In conclusion, when a security breach occurs, regardless of the specifics, understanding that time is of the essence will help smooth over most incidents. Being able to trust everyone who has access to the control system environment, and to any thumb drive used in it, is crucial. If someone has access to the control system environment, ensure they are well-qualified and up-to-speed with the team and company.
Even a control system that does not actually connect to the Internet is unsafe. Contrary to popular belief, a modem connection could also be a path for intrusion and a hack.
- Wireless networks, laptop computers and trusted vendor connections could be other sources of connections that people are likely to overlook.
- Keep in mind that the majority of IT departments are unaware of factory automation equipment, including CNCs, CPUs, PCBs, robotics parts and, last but not least, PLCs.
- Piggybacking off of the last point, IT departments’ lack of experience with the aforementioned equipment, along with their lack of experience with industrial standards and scalable processes, indicates that they should not be in charge of, or responsible for, a company’s PLC security. Nobody wants an annoyed employee to make inappropriate changes to a PLC’s communication highway.
- Hackers do not necessarily need to understand PLC or SCADA to block PC-to-PLC communication. They absolutely do not need to understand a PLC or SCADA system to cause operational or programming issues.
- Oftentimes, control systems, including ones that many PLCs integrate with, use Microsoft Windows, which is popular amongst hackers.
Some PLCs crash simply when their IP address is pinged, like what happened at the Browns Ferry Nuclear Plant in upstate Alabama. Since the incident in 2006, the plant has undergone numerous security, operational and management improvements.