Future factory: Protecting the plant from cyber-criminals

An increasing number of food and drink firms have been involved in incidents of cyber-crime. The attack against KP Snacks was the most notable in recent memory – the company was compromised by ransomware in January this year, disrupting its manufacturing and shipping processes.

In fact, one in five staff in the manufacturing industry admit to having been involved in a security breach or loss of sensitive company data, according to research by Impero Software. The weakness identified in many instances stemmed from a lack of training among members of staff and the way sensitive company data was accessed by them.

Impero found that three in ten members of staff wanted better cyber security training, while 28% said they lacked the confidence to recognise and report cyber security threats at work.

Despite the lack of confidence among these members of the industry, just over half said they accessed company data on personal devices on average three times a week and among this group almost a quarter reported that their organisation did not enforce a strict security policy for personal devices.

No-longer analogue driven​

“Although many think of manufacturing as more analogue-driven, this is simply not the case anymore,”​ said Impero chief executive Justin Reilly. “The modern manufacturing environment is underpinned by a complex and often diverse network of connected devices, from cloud-based data storage systems, to automated assembly solutions and, increasingly, AI and robotics.​

“While important for the sector’s evolution, this proliferation of devices has made it especially vulnerable to malicious attacks. Without adequate training to help staff spot and react to cyber threats, or clear device security policies and tools in place, many manufacturers will be left exposed to significant risk.”​

The availability of cybersecurity infrastructure also shows room for improvement. Only about half of respondents reported having access to secure remote access software or virtual private networks. And almost six in ten did not require multi-factor authentication when logging on to systems.

In the face of these vulnerabilities, how can manufacturers secure their systems against cyber-attack? With the divide between information technology (IT) and operational technology (OT) becoming increasingly blurred each day, manufacturers can’t afford to fall behind.

One way to help prevent cyber-attacks from happening in the first place is to have a set of standards that provide the tools and guidelines needed to secure an installation against cyber-attack.

International standards​

David Bean, solutions manager at Mitsubishi Electric, claims manufacturers need to recognise IEC 62443 – an international series of standards that address cyber security for operational technology in automation and control systems.

“It defines the differing security roles of the key stakeholders, specifying the unique requirements for each security level within the control ecosystem,”​ he explained.

“IEC 62443 reinforces the accepted ‘defence in depth’ strategy, defining methodologies for implementing OT cyber security measures and outlining procedures as well as policies that can form the methods for firstly hindering an attack and secondly recovering from an attack.​

“It is notable that IEC 62443 places some considerable onus on the automation equipment supplier to embed protective features within their products to contribute to system design considerations and lifecycle management, as well as respond to any vulnerabilities that may be discovered.”​

IEC 62443

International Electrotechnical Commission (IEC) 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems.

The standard is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity.

It divides the cybersecurity topics by stakeholder category / roles including: the operator, the service providers (service providers for integration and for maintenance) and the component/system manufacturers.

The different roles each follow a risk-based approach to prevent and manage security risks in their activities.

To this end, Mitsubishi has established a product security incident response team and offers a risk audit service that helps asset owners understand the risks and consequences of a potential cyber breach. The service provides a written report on the status of the networked industrial control systems and offers recommendations for any remediation that is required to meet the standards set out in IEC 62443

An insurance policy​

“In essence, an OT cyber security solution is an insurance policy and as with so many things in life, the more comprehensive the policy, the greater the level of protection,”​ Bean concluded.

“Implementing a robust solution is part of a successful digital transformation strategy and ensures that companies can boost productivity and enhance their competitiveness.”​

The road to a secure system isn’t an easy one though. The severity of cyber-security attacks has been steadily increasing and manufacturers are finding it hard to keep up. Making matters worse is the lack of skilled staff able to employ counter-measures to cyber-security attacks on operational technology.

This was an observation made by Siemens director of industrial security services Stefan Woronka. “Experts in OT security are even harder to find than IT experts,”​ he explained. The slight differences between the fields also prevents IT experts simply transferring across to OT – OT security requires OT experts who know their way around automation technologies.

While businesses such as Siemens have the luxury of having both OT and IT experts under their employ, many food factories do not. Making matters worse is the fact that even providers such as Siemens will not have the answer to every OT security problem. Its experts won’t be able to rectify an issue on another provider’s piece of kit, for example.

This once again puts the onus on developing a standardised system for cyber-security between equipment and software providers. Although developments in OT security lag behind their IT counterparts, the education piece is there and more eyes are being drawn to the importance of securing factories from digital threats.

Removing the niche label​

Woronka added: “We have to finally remove the ‘niche’ label from OT cyber security by more clearly communicating the risks along with the wide array of possibilities of better protection.”​

As the digital age marches on with almost intimidating speed, food and drink manufacturers need to be wary of the new challenges that digitalising their businesses will bring.

Understanding how these changes will affect your business is key. It’s not just about putting new systems in place in the future factory. There will also always be a need to address the human factor – and the potential errors that brings with it.

However, it seems that all the pieces are there for food firms to get it right first time no matter how far along in the digitalisation journey they are. The question is how to put them in the right place.

KP Snacks ransomware attack

The Conti malware gang claimed to have access to KP Snacks’ systems for some time and had infiltrated confidential data.

Nick Turner, vice president and general manager for Europe, the Middle East and Africa at Druva. Said: “Modern data protection systems provide enhanced resilience against this sort of attack by ensuring that even system administrators are highly restricted when it comes to deletion of backups – such permissions can help prevent attackers from encrypting or deleting backup files, and protects from internal threats.​

“These systems also have the ability to use Artificial Intelligence to automatically analyse the tens of thousands of files that need to be recovered and identify the last known clean copy of each – massively speeding the restoration of services and enabling the organisation to get back up and running quicker.”​