As we've been seeing in many headlines and articles, there is a clear awareness that the manufacturing floor is under attack. There is a great debate on the tools and methods that should be used to protect the manufacturing processes in the plant. We do know that it is a difficult task, because we must make sure that the security that is applied does not impact the actual manufacturing process itself: things like latency and assorted other constraints.
By searching "industrial control systems cyber security news" on Google, you'll see results for hundreds of articles, all from a period of roughly one month. Based on this, it is very clear that security in the industrial space is moving to the forefront of the conversation in a big way across numerous environments. Manufacturing is one of the largest segments under attack on a regular basis. Investment in security techniques, practices and products to protect the manufacturing line is neither a new idea nor one that is being ignored any longer. Now, the question is how we share possible solutions rather than only reporting the issue.
There is no magic bullet; however, by taking several technologies and techniques into account, a solution for manufacturing, as well as other industries, can be applied. The Sikich 2019 Manufacturing and Distribution Report points out that cybersecurity is about real attacks and is no longer hypothetical. It also notes that there is a divide in investment between companies whose revenue is above and below $500 million. Yet we see that industrial network purchases are based on the same products no matter the company's size.
This presents an opportunity to take advantage of the inherent security capabilities of these products. Enabling the security features built into the hardware and software used to build the manufacturing cell network provides a layer of protection throughout the network as a system and reduces the burden on dedicated security devices and software placed at individual points in the network.
Cisco Work Cell Security is based on the use of tags that are attached to each of the packets that transit the various interfaces in the network, such as switch and router interfaces, firewall interfaces, and the like. The ability to define and use these tags is built into the industrial network devices (switches and routers) themselves. Together, the tags make up the equivalent of a whitelist. A whitelist permits only what is explicitly allowed and blocks anything that is not specified.
A blacklist, on the other hand, blocks specific things and then allows everything else, which is the opposite way to secure the network or the environment. The whitelist approach requires the customer and the user to understand their network and, more importantly, their applications in the context of who needs to talk to whom. For example, there is no need for an HMI to have a connection to, say, an accounting system or a building management system. It is simply an abnormality that should not be allowed to happen.
So, how do you go about doing this? First, you must document the obviously good connections and separate them from the obviously bad. Then, document the less clear reasons for the communications between devices that you find occurring. Following that, you must classify the devices into groups using a logical construct that fits your process (things like "all paint line devices", "all packaging robots", or "all PLCs and I/O").
The next step is defining the tags based on your classifications, stating what is allowed for each class. The tags are created and managed on a tool like Cisco Identity Services Engine (ISE), which communicates with the network devices and deploys the tags to their interfaces. At least one or two operations then happen on an interface that has received a tag from the identity server. One is to place a tag on the packet that is being sent out the interface. The other is to act on the tag as the packet is about to exit the interface: one action is to allow it, the other is to block it.
At this point, some of you will think that an access control list (ACL) would do the trick, and to a point it could. The thing is, each ACL is unique, can get very complex as you define what it will permit or deny, and is often specific to its position in the network. The tags, by contrast, are based on a classification that defines what is permitted across the whole network, not at a particular interface or device.
Using NetFlow to track conversations, both with and without tags, gives you a view of what is happening normally and abnormally, so you can tune the tags and adjust. That is done by sending the NetFlow data into Stealthwatch so that you are alerted to any anomaly or attempted anomaly.
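To make the classification, tagging and flow-review steps above concrete, here is an added Python example (not Cisco's code, and not how ISE or Stealthwatch are implemented internally). It models the whitelist as permitted (source tag, destination tag) pairs, makes the permit/deny decision exactly as the article describes (untagged traffic is not on the list, so it is denied), and then runs that same policy over a handful of constructed NetFlow-style conversation records to surface the flows that need attention: devices that were never classified, and pairs that are either missing from the whitelist or genuinely abnormal. All device addresses, group names and flow records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Step 3 of the article: classify devices into groups. The addresses and
# group names below are constructed for this example.
DEVICE_GROUPS: Dict[str, str] = {
    "10.1.10.11": "PAINT_LINE_PLC",
    "10.1.10.12": "PAINT_LINE_PLC",
    "10.1.10.50": "PAINT_LINE_HMI",
    "10.1.20.21": "PACKAGING_ROBOT",
    "10.1.20.60": "PACKAGING_HMI",
    "10.2.0.5": "ACCOUNTING",
    "10.2.0.9": "BUILDING_MGMT",
}

# Step 4: the whitelist, expressed as permitted (source tag, destination tag)
# pairs. It describes the whole network, not one interface; any pair that is
# not listed is denied wherever it shows up.
ALLOWED_PAIRS: FrozenSet[Tuple[str, str]] = frozenset({
    ("PAINT_LINE_HMI", "PAINT_LINE_PLC"),
    ("PAINT_LINE_PLC", "PAINT_LINE_HMI"),
    ("PACKAGING_HMI", "PACKAGING_ROBOT"),
    ("PACKAGING_ROBOT", "PACKAGING_HMI"),
})


def tag_for(ip: str) -> Optional[str]:
    """Tag assigned to a device, or None if the device was never classified."""
    return DEVICE_GROUPS.get(ip)


def decide(src_ip: str, dst_ip: str) -> str:
    """Egress decision for one packet: 'permit' or 'deny'.

    Untagged traffic is denied because a whitelist only allows what is
    explicitly specified.
    """
    src_tag, dst_tag = tag_for(src_ip), tag_for(dst_ip)
    if src_tag is None or dst_tag is None:
        return "deny"
    return "permit" if (src_tag, dst_tag) in ALLOWED_PAIRS else "deny"


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style conversation record."""
    src: str
    dst: str
    dst_port: int
    packets: int


# Constructed flow records standing in for a NetFlow export.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.10.50", "10.1.10.11", 502, 1200),   # HMI -> PLC, expected
    Flow("10.1.20.60", "10.1.20.21", 44818, 300),  # HMI -> robot, expected
    Flow("10.1.10.50", "10.2.0.5", 445, 7),        # HMI -> accounting, not expected
    Flow("10.1.10.12", "10.2.0.9", 47808, 3),      # PLC -> building mgmt, not expected
    Flow("10.1.99.7", "10.1.10.11", 502, 40),      # untagged source -> PLC
]


def review_flows(flows: List[Flow]) -> List[Dict[str, object]]:
    """Return one finding per flow the whitelist would not permit.

    Each finding names the flow and why it fails, so the tags can be tuned:
    an 'unclassified_device' reason means a device still needs a group; a
    'pair_not_permitted' reason is either a missing whitelist entry or a
    genuine anomaly to investigate.
    """
    findings: List[Dict[str, object]] = []
    for f in flows:
        src_tag, dst_tag = tag_for(f.src), tag_for(f.dst)
        if src_tag is None or dst_tag is None:
            reason = "unclassified_device"
        elif decide(f.src, f.dst) == "deny":
            reason = "pair_not_permitted"
        else:
            continue
        findings.append({
            "src": f.src, "dst": f.dst, "dst_port": f.dst_port,
            "src_tag": src_tag, "dst_tag": dst_tag, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

The point of keeping `decide` and `review_flows` on the same `ALLOWED_PAIRS` table is the article's contrast with ACLs: the policy is written once, in terms of classes, and the flow review simply asks which observed conversations that single policy would not have allowed.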
Preventing an inappropriate connection is important, but it is only a portion of the solution. The other thing we need to be able to do is inspect the data in the packet for its appropriateness and then act or react based on what we find. To do that, we incorporate one more tool, Cisco Cyber Vision, which is used to evaluate the content of the traffic. The issue here is that we could find that the communication participants are normal, yet the message content is not. It's a little like two coworkers whispering obscenities at each other; nothing good comes of it.
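As an added illustration of the "normal participants, abnormal content" case (example code written for this article, not Cyber Vision's own logic), the following Python parses the MBAP header and function code of a Modbus/TCP request and checks the function code against what the sending device's class is allowed to do. The two constructed frames come from the same HMI to the same PLC, so at the conversation level they are indistinguishable; only the content differs, with one reading registers and the other writing to one. The group names and the per-group function-code policy are constructed assumptions; the Modbus/TCP framing and function-code values are the standard ones.

```python
import struct
from typing import Dict, FrozenSet

# Standard Modbus function codes used below.
READ_COILS = 1
READ_DISCRETE_INPUTS = 2
READ_HOLDING_REGISTERS = 3
READ_INPUT_REGISTERS = 4
WRITE_SINGLE_COIL = 5
WRITE_SINGLE_REGISTER = 6
WRITE_MULTIPLE_COILS = 15
WRITE_MULTIPLE_REGISTERS = 16

READ_FUNCTIONS = frozenset({READ_COILS, READ_DISCRETE_INPUTS,
                            READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS})
WRITE_FUNCTIONS = frozenset({WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                             WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS})

# Which function codes each device group may issue. Group names and the
# policy itself are constructed for this example: the monitoring HMI is
# read-only, the engineering workstation may also write.
ALLOWED_FUNCTIONS: Dict[str, FrozenSet[int]] = {
    "PAINT_LINE_HMI": READ_FUNCTIONS,
    "ENGINEERING_WS": READ_FUNCTIONS | WRITE_FUNCTIONS,
}

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_modbus_tcp(frame: bytes) -> Dict[str, int]:
    """Parse the MBAP header and function code of one Modbus/TCP request.

    Raises ValueError for frames that are not well-formed Modbus/TCP; a
    content inspector should flag those rather than pass them through.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[MBAP_LEN],
        "pdu_length": length - 1,
    }


def inspect_request(src_group: str, frame: bytes) -> str:
    """Decide whether an otherwise permitted participant is sending permitted content.

    Returns 'permit', 'deny' (function code not allowed for this group, or
    group unknown) or 'malformed' (not a valid Modbus/TCP frame).
    """
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "malformed"
    allowed = ALLOWED_FUNCTIONS.get(src_group, frozenset())
    return "permit" if req["function_code"] in allowed else "deny"


# Constructed sample frames: read 10 holding registers starting at address 0,
# write 0x00FF to register 0x0010, and a truncated frame whose length field
# no longer matches its size.
READ_REQUEST = bytes.fromhex("000100000006" "01" "03" "0000" "000A")
WRITE_REQUEST = bytes.fromhex("000200000006" "01" "06" "0010" "00FF")
TRUNCATED = bytes.fromhex("000300000006" "01" "03" "00")

if __name__ == "__main__":
    for name, frame in [("read", READ_REQUEST), ("write", WRITE_REQUEST), ("truncated", TRUNCATED)]:
        print(name, "HMI:", inspect_request("PAINT_LINE_HMI", frame),
              "WS:", inspect_request("ENGINEERING_WS", frame))
```

A tag-based whitelist would permit both the read and the write, since the HMI-to-PLC pair is on the list; it is the function-code check that separates the expected read from the write the HMI has no business issuing, which is the extra layer the article attributes to content inspection.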
What we know from the search results is that industrial network security is top of mind. And in reviewing those search results, we know that PHISHING and SPEAR PHISHING are key ways in. A great deal of consulting is done on:
These are external to the manufacturing cell network and are focused on estimating the ability to keep the criminals out. Yet the criminals do still get in. What is needed, and what Cisco Work Cell Security contains, is built-in protection for when the criminals actually make it in.
As one of my professors liked to say, it's not a question of if, but when, you will be attacked. But the real question is, is your facility ready?
If you'd like to learn more about securing the manufacturing cell, our Work Cell Security solution, or our other manufacturing solutions, check out the resources below: