Coming as it did between two waves of the COVID-19 pandemic in mid-2020 and early 2021, the 12 October 2020 power outage in Mumbai is comparatively less remembered. The country's financial capital that prides itself as an 'always on' maximum city was without power for up to 12 hours in some parts. The city's lifeline and local train services were cancelled, offices shut down, and essential services had to rely on gensets to carry on. Following investigations by public and private agencies, the State's Power Minister appeared to confirm suspicions that this outage was the result of a cyber attack. This could have resulted from the Maharashtra State Electricity Transmission Company's servers being infected with malware, in particular trojan horses.
While not everyone agrees on the source or motivation behind this cyber attack, what is clear is that cyber crimes against critical infrastructure, and the manufacturing sector in particular, are on the rise. A manufacturing sector of the size of $1 trillion by 2025 will make an attractive target for cyber criminals and nation-state adversaries alike. Multiple industry reports note manufacturing as the second most targeted sector for ransomware-associated data extortion.1 Additionally, the number of cybersecurity incidents in this space has risen by an alarming rate of 50% from 2020 to 2021. Manufacturing dethroned finance and insurance to become the top attacked industry in 2021.2 Although increasing dependence on automation and adaption of technology in manufacturing has contributed positively to production, the above trends suggest that the tech tools bring with it susceptibility to cyber attacks.
Increased cyber attacks: reasons and consequences
While connectivity has the advantage of increasing productivity, faster identification, and remediation of quality defects, as well as better collaboration across functional areas, it can also multiply the potential vulnerabilities of a smart manufacturing facility. There are a few reasons why we are seeing increased cyber attacks on control systems in the manufacturing sector.
First, the intention behind cyber attacks has shifted to making a profit through ransomware, rather than an (erstwhile) harmless testing of cyber defences. In particular, ransomware has matured as a strategy and is an effective tool that promises cyber criminals big rewards for comparatively less risk. In fact, as per industry reports, ransomware accounted for 23% of cyber attacks on manufacturing companies.3 Of course, leaps in computer technology have led to cyber attacks being automated, and not dependent on human vectors for speed of attack and adaptation. Given the rapid pace at which new technologies are added to factories, organisations may be unprepared to respond to new threats that arise. With the growing sophistication of threats and expanding attack surfaces, it is often difficult to identify an attack until there is a negative effect on operations, making it important for manufacturers to stay ahead of danger.
Secondly, the manufacturing chain is more interconnected than ever. Factory automation systems now remotely control production in real time, plan resource allocation, and diagnose and minimise production errors. Manufacturing control systems cover:
- programmable logic controllers and distributed control systems;
- embedded systems;
- special-purpose systems;
- industrial Internet of Things ('IoT') devices;
- systems that manage quality;
- health and safety; and even
- facility management systems.
The growing complexity of control systems and the increase in offsite controls have led to manufacturing being as 'connected' as any other IT system. At the same time, the integration of new products and services into the manufacturing process as part of automation exposes it to vulnerabilities that make it easier for hackers to penetrate defences.
Lastly, there has been a comparative lack of focus and specialisation in protecting control systems for manufacturing operations. Rather than being managed by the IT function of an organisation, factory automation systems are typically even today managed by engineering or operations functions. Systems for manufacturing are not designed, protected, or updated to the same degree as in IT systems or other 'vulnerable' areas. The focus of security measures when it comes to manufacturing operations often lies on physical security, surveillance, intrusion detection, and business continuity, among others. Manufacturing system security is not typically covered in the service-level agreements and contracts with system integrators and equipment vendors.
Potential solutions in combatting cyber attacks
The rapid evolution in digital technologies must be met with corresponding modifications to the cybersecurity approach. However, making these modifications is a demanding task, especially given the pace of change, as well as the advanced skill sets required. Here are a few solutions that will become relevant for implementing change in the future.
Analysing risk and committing resources
The crucial first step is to understand the manufacturing environment, and the assets (digital or physical) that are at risk. Understanding the risk to critical assets will dictate how to address those risks through bespoke security measures.4 Risk analysis will also lead to a better categorisation of risks, help in prioritising resources, and also provide buy-in within an organisation on how to deal with these risks. This analysis should encompass the entire production line, whilst covering physical, as well as online infrastructure with special emphasis on IP protection, integrity of control systems, and connected third-party products.
Training AI for cybersecurity
Artificial intelligence ('AI') systems may have the capacity to keep pace with cybersecurity challenges of the future better than human actors. As the Indian Government's Report on Cyber Security, Safety, Legal and Ethical Issues5 notes, AI may allow computers to take over security tasks from humans, and do them faster and at scale. Discovering new vulnerabilities, reacting to attacks, and identifying latent trends are 'big data' tasks that AI systems are particularly suited for.
Of course, the quality of AI will depend on its training, and for that, availability of relevant and useful datasets is crucial. The Indian Government is poised to come out with a new data protection law, that will regulate access and use of personal data, and also non-personal data. It remains to be seen what impact this new law will have on the development of AI in the Indian context.
Gatekeeping in the metaverse
We are all familiar with the multiple levels of physical security, bag checks, device examinations, and physical access protocols that most manufacturing facilities already have in place. Ensuring security of online assets should follow the same stringent, layered checks and gates. Identity access management, email domain security, and special protections for trade secrets and other proprietary information are required to make the online domain as secure as the physical one. On a more granular employee level, this could translate to background checks for each new employee, limiting access on a 'need to know' basis, and user account controls embedded into IT systems.
'Cybersecurity by Design'
Much like the Privacy by Design concept in data protection, any new manufacturing environment should be designed keeping security in mind from the 'ground-up'. This requires organisations to re-evaluate their legacy systems, as they usually hamper an organisation's efforts to embed security into enterprise IT architecture. Security controls should be placed both at the front end of assets (control panels and online interfaces), as well as the back end (including vendor or third-party connected systems). Network segmentation, passive monitoring, secure remote access, controls on removable media, and timely backup of data would form the backbone of any such system. And finally, simple hygiene steps, such as regularly installing updates and patches, using encryption for sensitive information, securely disposing old media and systems, and giving employees training in cybersecurity, will help.
The path to securing manufacturing systems is challenging and demands significant changes, both systemic and cultural. It requires senior leadership support, educating employees, instituting a security first mindset, and changing processes. Manufacturers must safeguard themselves against any inadvertent damage caused by employees, as well as by those with malicious intent. All critical initiatives must have the backing and involvement of the board of directors and senior management. This conveys a strong message across the company and ensures business-wide responsibility. Organisations must be vigilant to effectively counter cyber threats. The appropriate defence should have touch points across technologies, processes, and people to address all concerns and imminent threats.
Adoption of industry best practices
Most companies deploy tokenistic measures in the name of cybersecurity and fewer review the efficacy of such systems periodically. With the increased dependence on operation technologies and as the tools to compromise cybersecurity become further nuanced, automated manufacturing units must be equipped with stealth levels of cybersecurity. While there may be no fool proof systems as of yet, a number of governmental and industry-body cybersecurity standards can be referenced for this.
The following frameworks, for example, can be implemented to detect threats and/or address any attacks timely:
- the National Institute of Standards and Technology's ('NIST') Cybersecurity Framework6 and Cybersecurity Maturity Model Certification ('CMMC') programme7;
- the Industrial Society of Automations' ('ISA') ISA/IEC 62443 series of standards recommended by the European Union Agency for Cybersecurity ('ENISA')8; and
- the International Organization for Standardization's ('ISO') ISO/IEC 27001 and ISO/IEC 18045 .
Organisations can also adopt other usual course measures, like documenting response plans and performing cyber compromise assessments, security evaluations of new technologies, threat modelling and simulation exercises, and employee training.
Originally published 01 June 2022
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.