It’s been a hard slog, but everything’s gone to plan. Your plant is up and running. Automated systems are humming along nicely. The hardware and software are configured, spewing out data left, right and centre. Orders are coming in. Client fulfilments are being met. They’re happy. You’re happy. Then bang. Everything grinds to a halt. Conveyor belts stop, goods are backed up on production lines, the loading bay lies empty.
This is the real threat for companies that have embraced the Industrial Internet of Things (IIoT) in their automated processes. The IIoT brings many great things to the table. It gets devices talking – sharing information, sending and receiving data, letting actuators and sensors compare notes – a plethora of functions designed to make modern plants functional and streamlined.
However, modernising a manufacturing plant to include the IIoT also means it will become vulnerable to cyber-attack. Malware is nothing new and, as recent attacks have shown, it can cost plenty. The two biggest ransomware attacks to date in 2017 – WannaCry and NotPetya – crippled businesses around the world including oil companies, financial institutions and Cadbury’s chocolate factory in Hobart.
A 2014 study by the Federal Government, called Stay Smart Online, stated that almost 700,000 Australian businesses were affected by cybercrime. The average cost to a business in downtime and other effects was more than $275,000.
Peter Clissold, who is a senior cyber security consultant for Schneider Electric, brings some sobering figures to the table when it comes to the WannaCry incident – not so much what the criminals made, but what it cost in terms of damage.
“It’s interesting when you look at the numbers that have come out of WannaCry,” said Clissold. “One of the last set of figures I saw show the criminals made about $144,000. However, there was anywhere between $200 million to $20 billion worth of damage done across the globe.”
According to David Higgins, who is the country manager of data security specialist WatchGuard Technologies, people who are developing devices for the IIoT sometimes forget about the security aspect.
“It used to be things like phones and laptops that needed security, now it’s IoT devices in manufacturing, mining and various other sectors,” said Higgins. “These things are developed by people who are not necessarily IT people. Certainly not security people. We collate information from firewalls our customers have protecting their devices; this information shows there are network scams for vulnerable firewalls and IoT devices. [Once exploited, cybercrims] could use a brute force attack to get access to a device. Also, anything that has got an open SSH (Secure Shell) or Telnet access is vulnerable.”
Telnet and SSH give people the ability to access devices remotely.
It never used to be this hard. Back in the days of paperwork, security was less of an issue as a criminal would have to physically go out of their way to get information from an organisation. Think Watergate – there was nobody sitting around in a room thousands of kilometres away trying to gain access.
“I’m a geologist by training and back before computers the data we recorded was handwritten,” said Higgins. “We were recording grades, loads and mineralisation. We kept the information secret because I worked for a public company and that information could be of value in terms of stock price. Now that sort of information – what grades are you running, what sort of loads you are pulling out – may have value for somebody who is looking to buy your company or resources from you. They might be negotiating contract prices. Securing that data is paramount because it’s basically recording everything about your company.”
Movement of data and who has access are also issues that need addressing, according to Clissold.
“Where the IoT starts to have some challenges is that as we build security up onto those industrial facilities, people can move data from one site to another, which could be from a secure zone to a less secure zone,” said Clissold. “You need to put controls around what people can and can’t do in those areas – all those operational things that you need to put in place to protect the infrastructure. This is not just from an information perspective but from an availability and integrity perspective. When we start to open up access to the data in these devices we are increasing the potential attacks that may happen within these facilities.”
Lackadaisical attitudes are also a problem. Higgins believes people want convenience over security. And when literally billions of devices are being connected to the internet, security is more important than ever, especially in environments such as the process and control industry. With automation and robotics starting to take on a bigger role, there are more opportunities than ever for people with bad intentions to gain access to connected HMIs, software-run processing lines and other plant.
“Consumers generally are looking for convenience rather than security. If it’s a tradeoff between security and convenience I think convenience is going to win out every time with the consumer,” said Higgins. “Take the case of people thinking they are secure because they use a fingerprint to open their smartphone. But we have to remember that there is also a password sitting in the background that I can access as well. If I was made to enter both my fingerprint and my password to access the screen I don’t think many people would do it due to the inconvenience.”
Clissold backs this assertion up. He has experienced similar things with some of his clients. However, in the past year he has noticed a change in attitude.
“There’s still a complacency around ‘it’s not going to happen to me’,” said Clissold. “When you dig deeper about what they are focusing on with regard to cyber security, you look at what they are doing with operational facilities, it’s either ‘oh, that’s somebody else’s problem’ or ‘somebody else is looking after that’, or ‘we’re going to get to that in the next round of activities’. They are not really addressing those challenges. Twelve months ago it was in the too hard basket, but now people are starting to take it out of that basket and starting to make some significant changes.”
Higgins’ main concern isn’t for the big players in the market, but for the small- to medium-sized enterprises (SMEs), although in that space he is starting to see a shift in attitude.
“The people in enterprises have always taken it seriously,” he said. “Insurance companies and banks and mining companies and the like take it seriously and they spend a lot of money on cyber security. Generically speaking – up to now – SMEs have gone with a bit of a ‘she’ll be ’right’ attitude. That is changing. The potential downside of what will happen if you are breached – beyond ransomware – to where you are attacked and you are leaking all your data out – such as product information or your IP – is becoming more serious. However, I’m not sure that the people using IoT devices recognise that all their devices need to be protected. If the information you have on your devices is of value to you, it’s of value to cybercrims, too.”
Higgins has some simple steps to ensure that devices are protected. They are tried and true, and bordering on common sense, but people still don’t take precautions.
He recommends that all IIoT devices be put behind a firewall. This first line of defence not only stops attacks but also gives feedback on what types of malware have tried to gain access to your back end. It is also important that the firewall can block remote access connections such as Telnet and SSH.
An old adage, but one that needs repeating year after year, is don’t use standard user names and passwords like ‘admin’ and ‘username’.
Also, make sure you apply any patches. “If you look at white hat hackers – people who find vulnerabilities and then inform the vendors – they put in patches,” said Higgins. “My recommendation is that just like a patch on a phone or PC, it is important you implement the vendor updates that are patching any vulnerabilities that are found.”
Clissold says businesses need to take an overall look at their wants and needs.
“Organisations have to look into, and invest in, a cyber security management system and to make sure they understand what sort of security framework they want to apply within their environment,” said Clissold. “They need to look at the differences between IT and IT security. Instead of having two separate frameworks running, work a little bit harder to make sure the one framework is applicable to both parts of the business.”
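The firewall feedback Higgins describes can be reviewed mechanically, looking for both blocked SSH/Telnet attempts and any that were let through. The following is an added example, not code from the article or from WatchGuard; the log format, the 10.20.0.0/24 device segment and the threshold of three attempts are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in a made-up log format (not any real firewall's output).
SAMPLE_LOG = """\
2017-11-02T01:14:07 DENY tcp src=203.0.113.45 dst=10.20.0.11 dport=23
2017-11-02T01:14:08 DENY tcp src=203.0.113.45 dst=10.20.0.11 dport=23
2017-11-02T01:14:09 DENY tcp src=203.0.113.45 dst=10.20.0.12 dport=22
2017-11-02T01:14:10 DENY tcp src=203.0.113.45 dst=10.20.0.12 dport=22
2017-11-02T01:15:30 DENY tcp src=198.51.100.7 dst=10.20.0.11 dport=23
2017-11-02T01:16:02 ALLOW tcp src=198.51.100.9 dst=10.20.0.14 dport=22
2017-11-02T01:16:40 ALLOW tcp src=10.20.0.5 dst=10.20.0.14 dport=502
this line is malformed and is skipped
"""

REMOTE_ACCESS = {22: "SSH", 23: "Telnet"}
IIOT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed device segment
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) tcp src=(\S+) dst=(\S+) dport=(\d+)$")


def review_remote_access(log_text, threshold=3):
    """Return (repeat_sources, exposed) for outside SSH/Telnet traffic to devices."""
    denied = Counter()
    exposed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, action, src, dst, dport = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines whose addresses do not parse
        port = int(dport)
        if port not in REMOTE_ACCESS or dst_ip not in IIOT_NET or src_ip in IIOT_NET:
            continue  # only outside-to-device SSH/Telnet traffic is of interest
        if action == "DENY":
            denied[src] += 1  # blocked attempt: the firewall did its job
        else:
            exposed.append((ts, src, dst, REMOTE_ACCESS[port]))  # gap in the rules
    repeat_sources = {s: n for s, n in denied.items() if n >= threshold}
    return repeat_sources, exposed


if __name__ == "__main__":
    repeat, exposed = review_remote_access(SAMPLE_LOG)
    for src, n in repeat.items():
        print(f"{src}: {n} blocked SSH/Telnet attempts")
    for ts, src, dst, svc in exposed:
        print(f"{ts}: {svc} from {src} to {dst} was ALLOWED; tighten the rule")
```

Any entry in the second list means the firewall is not yet blocking remote access to that device, which is the condition the recommendation is meant to rule out.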
Higgins also points out there are a couple of issues on the horizon that need addressing by those using IIoT devices. One involves a future trend, the other government legislation.
“The interesting trend from our point of view is that we are starting to use AI and machine intelligence to provide better security,” said Higgins. “So as we get all these massive attacks of malware we can start to use IoT and AI to understand where the malware practitioners are going and get in front of them. The problem is you have to assume the malware guys are going to be using the same technology.”
Complacency is not an option. Higgins says there are going to be more sophisticated attacks.
“We’re talking ransomware – millions come out of ransomware,” said Higgins. “A bank robber pulling a balaclava over his face and going into a bank will be a thing of the past. Why rob a bank when you can sit in a nice air-conditioned office and launch an attack from there? These are highly organised and highly efficient individuals. They’re running it as a business. They have marketing plans. They’ve got developers writing sophisticated malware.”
Companies with turnovers of more than $3 million also have to realise that new legislation coming into effect in early 2018 means that companies and individuals can be liable for massive fines if they don’t protect their internet-enabled infrastructure.
“Anybody who has a data breach has to identify the information being lost and has to publicly disclose the fact,” said Higgins. “They have to disclose it to the privacy commissioner and that they have been hacked.
“There are a couple of real kickers in the legislation. If you share the information you have with another organisation and that other organisation gets breached, you can still be held accountable.”
There are significant fines – up to $350,000 for the individual and $1 million for companies. However, it is the mandatory disclosure and brand damage that will hurt the image of the company.
Higgins doesn’t believe the government is using the fines as a revenue-collecting exercise.
“It’s not trying to frighten people,” said Higgins. “I think it is the government trying to say, ‘look, as businesses move more and more online, as we move to a fully digital economy, everybody is going to be responsible for ensuring the data they’re collecting is secured’. I think it’s more about awareness. And remember this, the malware guys will be using better and newer techniques to deploy more vicious and malicious attacks.”