post written by Tim Ingalls, Project Engineer, Superior Controls, CompTIA Security+ certified professional
Last year, you wrote about OT system exposure to cybersecurity attacks. Has the risk increased or decreased since then?
As we monitor the news around the country, the assault on automation systems seems to have increased significantly. The most recent publicized attack was on a Florida water plant, where an attacker was able to modify the system to add over 100x the amount of lye to the water, attempting to poison the population. The US Cybersecurity & Infrastructure Security Agency recently released a security advisory for Rockwell PLCs that is rated 10/10 in severity. These, along with the multitude of security vulnerabilities in the Windows OS, make it imperative to keep the automation system as a separate, secured entity, even from the main network.
What types of attacks are occurring? Is there one type that is more prevalent?
The current attack vector appears to be through open connections to the internet, and the insecurity of those connections. The Florida hack was accomplished through TeamViewer, which is relatively common software in the industry, and a leaked password that had not been changed since 2017. The released Rockwell vulnerability allows PLC code to be changed without requiring access to engineering workstations.
How would you grade the industrial response to the risks so far? Why?
The automation industry's response appears to be slow but increasing. There is significantly more discussion lately about automation networks in cybersecurity forums and about cybersecurity in automation forums. Generally speaking, automation systems are very lax when it comes to security, because they have only recently been connected to the wider network. When the only devices connected to the automation system were those systems themselves, things like simple shared passwords that never change were not as big a problem as they are now. At this point, the automation network needs to have the same care and protection applied to it as the general office network itself.
Remote work continues in 2021 and may become standard in the future. Given that reality and the fact that remote work significantly increases risk, what can companies do?
Securing the automation network is a multilevel approach, due to the limited downtime and patch compatibility. There should be significant discussion between the IT group and the automation group on connectivity for remote engineers. Usually it will consist of IT managing the connection to the internet through remote VPN or desktop services; once on the corporate network, automation can then provide a secure connection into the automation network systems.
What measures should a company take before a cybersecurity attack?
Automation systems should be completely removed from any internet access possible, both incoming and outgoing. Any internet connectivity required should happen through a secure proxy and firewall, which can then strictly limit the devices' access to a handful of websites. The PLCs should always be placed in the RUN switch position, where changes to the code are much more difficult. Finally, system backups should be taken regularly and stored offline in case of any compromise.
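The boundary the answer above describes (default deny at the automation edge, engineering access only from an IT-managed jump host, outbound only through a proxy that forwards to a handful of named sites) can be checked mechanically against flow records from the boundary firewall. The following is an added example, not code from the interview or from Superior Controls; the addresses, the port numbers used for the allow rules, the proxy hostnames and the flow log lines are all constructed for illustration.

```python
"""Allowlist check for flows crossing an automation network boundary.

Added example: the addresses, rules and log records below are constructed
for illustration and do not describe any real site.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


# Assumed addressing: an IT-managed jump host (reached over the corporate VPN),
# the OT proxy, and the PLC subnet. Nothing on the PLC subnet may reach, or be
# reached from, the internet directly.
JUMP_HOST = ipaddress.ip_network("10.10.0.5/32")
OT_PROXY = ipaddress.ip_network("10.10.0.10/32")
PLC_NET = ipaddress.ip_network("10.20.0.0/24")

# Default deny: only these flows may cross the boundary.
ALLOW_RULES = (
    Rule(JUMP_HOST, PLC_NET, "tcp", 44818),  # EtherNet/IP, from the jump host only
    Rule(PLC_NET, OT_PROXY, "tcp", 3128),    # outbound only via the proxy
)

# The proxy in turn forwards only to a handful of sites (assumed names).
PROXY_ALLOWED_HOSTS = ("vendor-updates.example", "ntp.example")


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the flow matches an allow rule; anything else is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in r.src and d in r.dst and proto == r.proto and dport == r.dport
        for r in ALLOW_RULES
    )


def proxy_permits(host: str) -> bool:
    """Exact or subdomain match against the proxy's site allowlist."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in PROXY_ALLOWED_HOSTS)


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields


def find_violations(log_text: str) -> list:
    """Return the records that the boundary policy would deny."""
    denied = []
    for line in log_text.strip().splitlines():
        f = parse_flow(line)
        if not is_allowed(f["src"], f["dst"], f["proto"], f["dport"]):
            denied.append(line)
    return denied


# Constructed flow records. Lines 1-2 are legitimate; 3 is a PLC doing DNS
# straight to the internet, 4 is an inbound remote-access session from the
# internet (5938 is TeamViewer's default port), 5 is an office workstation
# that is not the jump host trying to reach a PLC.
SAMPLE_FLOWS = """
2021-02-08T14:02:11Z src=10.10.0.5 dst=10.20.0.17 proto=tcp dport=44818
2021-02-08T14:02:40Z src=10.20.0.17 dst=10.10.0.10 proto=tcp dport=3128
2021-02-08T14:03:05Z src=10.20.0.17 dst=8.8.8.8 proto=udp dport=53
2021-02-08T14:05:19Z src=203.0.113.7 dst=10.20.0.30 proto=tcp dport=5938
2021-02-08T14:07:52Z src=10.10.0.77 dst=10.20.0.17 proto=tcp dport=44818
"""

if __name__ == "__main__":
    for rec in find_violations(SAMPLE_FLOWS):
        print("DENY", rec)
```

Run against real exports from the boundary firewall, every record that `find_violations` returns is either a rule the firewall should already be enforcing or a path into the automation network that nobody wrote down; both are worth a ticket. The proxy allowlist is matched on exact host or subdomain, so a look-alike name that merely contains an allowed name is rejected.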
What measures should a company take after an attack has occurred?
One design factor in an automation network is the ability to run as an island. If any compromise is found to be happening or to have happened, the network should have all external links severed immediately and the system reverted. The need to get these systems back online will usually supersede any downtime for investigation of the cause.
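Reverting the system quickly, as described above, depends on the offline backups mentioned earlier being trustworthy at the moment you restore them. One practical way to know that is to write a hash manifest at backup time and keep it with the offline copy, then verify the copy against the manifest before it goes back onto the island. The following is an added example and not code from the interview or from Superior Controls; the directory layout, file names and contents are constructed, and the simulated tampering is only there to show what the check reports.

```python
"""Offline backup manifest for automation project files.

Added example, not from the original interview: file names and contents are
constructed. The SHA-256 manifest is produced when the backup is taken and is
meant to be stored offline alongside the backup media, so a copy can be
verified before it is restored after an incident.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (backups may be large)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare a backup set against its offline manifest."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def run_demo() -> dict:
    """Constructed scenario: take a backup, record the manifest, detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "line1_backup"
        (backup / "HMI").mkdir(parents=True)
        (backup / "Line1_PLC.ACD").write_bytes(b"<constructed PLC project>")
        (backup / "HMI" / "Line1_HMI.xml").write_text("<constructed hmi config/>")

        # Written at backup time; in practice this JSON travels with the
        # offline media (or is printed), never stored on the same network.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)

        # Simulate what a compromise could leave behind before anyone restores.
        (backup / "Line1_PLC.ACD").write_bytes(b"<modified PLC project>")
        (backup / "autorun.inf").write_text("[autorun]\n")

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Anything in `modified` or `added` means the copy is not the one that was taken, and the restore should stop until a clean copy is found; `missing` usually means incomplete media rather than tampering, but it still blocks a full revert. Plain hashes are enough here only because the manifest itself is kept offline; if it has to live on a networked share, sign it with a key that stays off that network.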