More manufacturers are connecting their industrial operations to smart devices and the Internet to automate tasks and boost productivity — but if manufacturing and IT executives aren’t taking the right measures to protect the network on which these operations run, they may be opening the door to cyber attackers.
Cyberattacks can cause manufacturing disruptions that lead to defective products, production downtime, physical damage, tarnished brand and reputation, and even loss of human life — and the unfortunate truth is these attacks are not as rare as one would like to think: An IBM X-Force Research report indicates manufacturing is the second most-attacked industry after healthcare.
Despite these unsettling findings, cybersecurity still isn’t a top priority for many in the sector: Professional services firm Sikich found only 33 percent of the manufacturers it surveyed were performing annual penetration testing within their IT groups. Even less is being done to secure industrial control systems (ICS), which are now often connected to smart assets and enterprise systems, as well as to the Internet over wireless networks — and if those networks are not secured properly, the company may be opening the door to attackers.
The threats facing manufacturers these days aren’t just run-of-the-mill Trojan horses or commodity malware — attackers have become far more sophisticated.
Security Threats to a Wireless Network
Wireless networks are inherently more exposed than wired ones because their traffic travels over the air, where anyone within radio range can receive it or transmit onto the channel. Automated environments running on improperly secured wireless networks are therefore susceptible to a number of cybersecurity threats, such as:
- A “man-in-the-middle attack,” in which a hostile adversary inserts itself into the communication link between legitimate parties; each party believes it is talking directly to the other, when in fact the attacker controls the link and can read or alter what passes over it
- “Denial-of-service” attacks: Even an attacker who cannot read the network’s traffic or inject data of their own can generate enough radio interference that authorized users are unable to reach their own network
- Packet injection attacks: An attacker inserts crafted data packets into the network, often impersonating another device
- Replay attacks: Attackers can sniff packets (even encrypted ones) and retransmit them over the air later, without having defeated the encryption or knowing what the packets contain; a receiver that does not check for freshness will act on the duplicate as if it were new
To ensure that automated and process control systems tied to a wireless network are not creating risk for a manufacturer, manufacturers should adopt a layered security approach built on five main features.
Encryption and Authentication
Strong encryption and authentication are among the simplest ways to reduce the risk of a cyberattack. They protect against traffic analysis and keep attackers from being able to “sniff” usable information off the wireless network. AES-256 — considered among the strongest ciphers available, with no practical attack known against it — is recommended for a manufacturer’s wireless network. Additionally, an authenticated encryption mode, such as Galois/Counter Mode (GCM) or Counter with CBC-MAC (CCM), should be used with the cipher so that every frame’s integrity and origin are verified, not just its confidentiality.
However, it’s also important to ensure that the network devices providing the encryption and authentication have sufficient processing capacity, so that enabling these high-strength protocols doesn’t inadvertently slow down overall wireless throughput and connectivity, which would disrupt the real-time data flow that process control and automation require.
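The frame protection described above, written as an added example (not code from the original article or from Rajant): AES-256-GCM with the cleartext header bound as associated data, plus a packet counter carried in the nonce so the receiver also drops the replayed frames listed under the threats above. The Channel type and the header and payload strings are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Channel: one direction of a wireless link under AES-256-GCM; the packet counter in the nonce lets the receiver drop replays.
type Channel struct {
	aead    cipher.AEAD
	sendCtr uint64 // last counter used when sending
	recvCtr uint64 // highest counter accepted when receiving
}

// NewChannel insists on a 32-byte key, i.e. AES-256 as recommended above.
func NewChannel(key []byte) (*Channel, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &Channel{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag; the cleartext header (device addresses etc.) is bound as associated data.
func (c *Channel) Seal(header, payload []byte) []byte {
	c.sendCtr++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], c.sendCtr)
	return c.aead.Seal(nonce, nonce, payload, header)
}

// Open rejects replayed frames (stale counter) and modified frames (bad tag).
func (c *Channel) Open(header, frame []byte) ([]byte, error) {
	if len(frame) < 12+c.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	ctr := binary.BigEndian.Uint64(frame[4:12])
	if ctr <= c.recvCtr {
		return nil, errors.New("replayed frame")
	}
	pt, err := c.aead.Open(nil, frame[:12], frame[12:], header)
	if err == nil { // tag verified: remember the counter to block replays
		c.recvCtr = ctr
	}
	return pt, err
}
```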
Another defense against attackers is leveraging role-based access control for the network and ICS.
Some IT operations have a single admin role — a super user — that controls everything. That concentrates all access in one account, and the admin role becomes the weakest link: if the admin account is compromised, so, too, is the keying material used to provide encryption and the other trust mechanisms that depend on it.
Other roles should be incorporated, such as a security administrator: a completely separate account from the admin that manages the security configuration of the various network devices. Both the admin and security admin roles should require two-factor authentication to access the network. This means using not just a password, but also a second identifying element like a hardware token or certificate — something the holder of this role must physically possess to identify itself. This eliminates the single point of failure created by relying on a password alone.
Other roles may also be created, such as generic user accounts that let other employees or external customers log in with read-only access to see process control network statistics and information, but don’t let them directly control it.
Secured Key Distribution
As manufacturing operations start deploying a secure network, each wireless access point or security router within the system must be set up with the same key so they can all communicate with one another. This sometimes entails IT personnel visiting each device, connecting to it and typing in a common static secret key — an approach that does yield a secure channel, but is not efficient operationally. That operational burden often results in a weak security configuration, such as keys that are rarely changed, or keys known to more than one person, which opens the door to key leakage through social engineering. Once a key is known to an adversary, they can use it not only to decipher encrypted traffic from that moment on, but also to decrypt past encrypted communications they may have captured from the wireless network.
Newer devices allow each access point to be keyed remotely, but those devices should be designed to use the stronger security protocols available, such as derived-shared-secret (key agreement) algorithms: two elements conduct a message exchange that lets each of them compute the same shared secret, which an observer of the exchange cannot reproduce. The shared secret is then used to derive internal keys that encrypt (i.e., wrap) the actual network traffic key before it is transmitted to the device being keyed. The receiving device uses its copy of the shared secret to unwrap the received network key and then uses it for secure communications.
Perfect forward secrecy is a further property of secure communication protocols: compromise of long-term keys does not expose past session keys, so sessions already completed stay protected against future compromises of secret keys or passwords. Secured key distribution — with shared-secret derivation that provides perfect forward secrecy — is therefore the recommended approach when keying each element of the network.
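The derived-shared-secret keying and forward secrecy described above, as an added example that is not part of the original article: each exchange uses a fresh X25519 key pair, both sides derive the same key-encryption key with HMAC-SHA256, and the network traffic key is wrapped with AES-256-GCM before transmission. Authentication of the two endpoints' public keys (for instance by certificate) is assumed to happen elsewhere; the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewSessionKey: a fresh X25519 pair per exchange, discarded afterwards, is what gives forward secrecy.
func NewSessionKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// DeriveWrapper turns our private key and the peer's public key (the only
// value sent over the air) into an AES-256-GCM AEAD keyed with the KEK.
func DeriveWrapper(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub) // same value on both sides, never transmitted
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret) // label binds the KEK to one purpose
	mac.Write([]byte("network-key-wrap-kek"))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte KEK selects AES-256
	return cipher.NewGCM(block)
}

// Wrap encrypts the network traffic key under the KEK for transmission.
func Wrap(kek cipher.AEAD, netKey []byte) []byte {
	nonce := make([]byte, kek.NonceSize())
	rand.Read(nonce)
	return kek.Seal(nonce, nonce, netKey, nil)
}

// Unwrap recovers the key; it fails if the blob was altered or wrapped under another session's KEK.
func Unwrap(kek cipher.AEAD, wrapped []byte) ([]byte, error) {
	n := kek.NonceSize()
	if len(wrapped) < n+kek.Overhead() {
		return nil, errors.New("wrapped key too short")
	}
	return kek.Open(nil, wrapped[:n], wrapped[n:], nil)
}
```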
Digitally Signed Software Distributions
As manufacturers tie smart devices into a process control system, they have to be wary of one of the biggest challenges of IoT: the inherent vulnerability of these devices.
One of their weaknesses is that many devices lack any mechanism to detect unauthorized software updates. If a device’s simple password protection is compromised, adversaries can push unauthorized software updates to it. The device will accept and process the update and may appear to be running normally, but that “update” is in fact functioning as a back door into the network, or even turns the device into a bot that can scan the internal network for information or be used to carry out denial-of-service attacks.
IT can protect against these attacks by ensuring that a device only accepts software updates that come from trusted sources. This can be accomplished by requiring devices to accept only digitally signed software distributions: a certificate-based scheme in which the device verifies the digital signature on the update against the trusted signer’s public key and so determines whether the software is trusted. If the signature doesn’t verify, the device rejects the update, which prevents unauthorized software from getting into the system.
One important feature that tends to be overlooked is logging. Every element and component in the network needs to be able to log any kind of security-related access or modification. If an adversary does cause some kind of disruption, those logs will help IT work out which elements have been compromised and how far the attack went.
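Signed software distribution as an added example (not code from the original article or from any particular device vendor): the vendor signs the version and image together with Ed25519, and a device holding only the public key verifies the signature before installing. It goes one step beyond the text by also refusing downgrades to an older, validly signed image; the Update and Device types are assumed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Update is what a device receives; version and image are signed together, so neither can be altered alone.
type Update struct {
	Version uint16
	Sig     []byte
	Image   []byte
}

// NewVendorKeys creates the vendor's signing pair; the private half stays on the build system.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedBytes is the exact byte string both signer and verifier operate on.
func signedBytes(version uint16, image []byte) []byte {
	return append(binary.BigEndian.AppendUint16(nil, version), image...)
}

// SignUpdate runs on the vendor's build system, which alone holds priv.
func SignUpdate(priv ed25519.PrivateKey, version uint16, image []byte) Update {
	return Update{Version: version, Sig: ed25519.Sign(priv, signedBytes(version, image)), Image: image}
}

// Device holds only the vendor's public key plus its installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint16
}

// Apply installs u only if the signature verifies under the trusted vendor key and
// the version does not go backwards (a validly signed old image could otherwise be replayed).
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedBytes(u.Version, u.Image), u.Sig) {
		return errors.New("rejected: signature does not verify under vendor key")
	}
	if u.Version <= d.Version {
		return errors.New("rejected: not newer than the installed version")
	}
	d.Version = u.Version
	return nil
}
```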
It seems simple, but if an attack occurs and there is no logging, there is no way to trace when something happened and where on the network it happened — and that necessitates shutting everything down and starting from scratch.
Mitigating the Risks
When President Lyndon B. Johnson signed a bill in 1964 that created the National Commission on Technology, Automation and Economic Progress, he remarked, “If we understand it, if we plan for it, if we apply it well, automation will not be a job destroyer or a family displacer. Instead, it can remove dullness from the work of man and provide him with more than man has ever had before.”
We’ve only begun to scratch the surface of all the benefits automation can provide — but it’s also important to be conscious of the risks involved as well, and take steps to mitigate them. These five security must-haves will help protect manufacturers’ wireless networks, keeping operations productive and ensuring a quality product.
Chad Mercer is senior systems engineer at Rajant.