Manufacturing – operational – Novotek Ideas Hub
https://ideashub.novotek.com

Are your PLCs an easy target? A mindset shift can significantly reduce PLC firmware vulnerabilities
https://ideashub.novotek.com/are-your-plcs-an-easy-target-reduce-plc-firmware-vulnerabilities/
Thu, 25 Nov 2021 14:06:48 +0000

Since the beginning of the COVID-19 pandemic, businesses across the UK have faced a surge in cybercrime. In fact, research indicates that UK businesses experienced one attempted cyberattack every 46 seconds on average in 2020. Industrial businesses are a prime target for hackers and the ramifications of a data breach or denial-of-service attack are far-reaching, making system security imperative. Here, David Evanson, corporate vendor relationship manager at Novotek UK and Ireland, explains how industrial businesses can keep their vital systems secure.

For many business leaders and engineers, it is still tempting to consider large multinational companies or data-rich digital service providers to be the prime target for hackers. However, the growing volume of cyberattacks on businesses globally shows that any company can be a target of malicious attacks on systems and services.

According to research by internet service provider Beaming, there were 686,961 attempted system breaches among UK businesses in 2020, marking a 20 per cent increase on 2019. Of these attacks, Beaming noted that one in ten intended to gain control of an Internet of Things (IoT) device — something that indicates a tendency to target system continuity rather than conventional data.

Both factors together are cause for alarm among industrial businesses of all sizes. Hackers are targeting all manner of companies, from start-ups to global organisations, and focussing more on the growing number of internet-connected devices and systems that were previously isolated.

The consequences of a device being compromised range from data extraction to service shutdown, and in any case the financial and production impacts to an industrial business are significant. There is no single quick fix to bolster cybersecurity due to the varying types of hacks that can take place. Some cyberattacks are complex and sophisticated; others less so. Many attacks on devices tend to fall into the latter category, which means there are some steps industrial businesses can take to minimise risk.

Novotek has been working closely with industrial businesses in the UK and Ireland for decades. One common thing that we have observed with automation hardware and software is that many engineers do not regularly upgrade software or firmware. Instead, there is a tendency to view automation as a one-off, fit-and-forget purchase. The hardware may be physically maintained on a regular schedule, but the invisible software aspect is often neglected.

GE Fanuc Series 90-30

Older firmware is more susceptible to hacks because it often contains unpatched known security vulnerabilities, such as weak authentication algorithms, obsolete encryption technologies or backdoors for unauthorised access. For a programmable logic controller (PLC), older firmware versions make it possible for cyber attackers to change the module state to halt-mode, resulting in a denial-of-service that stops production or prevents critical processes from running.

PLC manufacturers routinely update firmware to ensure it is robust and secure in the face of the changing cyber landscape, but there is not always a set interval between these updates.

In some cases, updates are released in the days or weeks following the discovery of a vulnerability (either by the manufacturer, white-hat hackers or genuine attackers) to minimise end-user risk. The firmware version’s upgrade information should outline any exploits that have been fixed.

However, it’s important to note that legacy PLCs may no longer receive firmware updates from the manufacturer if the system has reached obsolescence. Many engineers opt to air-gap older PLCs to minimise the cybersecurity risk, but the lack of firmware support can also create interoperability issues with connected devices. Another part of the network, such as a switch, receiving an update can cause communications and compatibility issues with PLCs running on older versions — yet another reason why systems should run on the most recent software patches.

At this stage, engineers should invest in a more modern PLC to minimise risk — and, due to the rate of advancement of PLCs in recent years, likely benefit from greater functionality at the same time.

Firmware vulnerabilities are unavoidable, regardless of the quality of the PLC. At Novotek, we give extensive support for the Emerson PACSystems products that we provide to businesses in the UK and Ireland. This involves not only support with firmware updates as they become available, but also guidance on wider system resilience to ensure that businesses are as safe as possible from hardware vulnerabilities. The growth in cyberattacks will continue long beyond the end of the COVID-19 pandemic, and infrastructure and automation are increasingly becoming targets. It may seem a simple step, but taking the same upgrade approach to firmware that we do with conventional computers can help engineers to secure their operations and keep running systems safely.

Free whitepaper: Introduction to industrial data
https://ideashub.novotek.com/free-whitepaper-introduction-to-industrial-data/
Wed, 18 Aug 2021 17:59:00 +0000

Data is the backbone of the modern industrial revolution happening around us. However, many business leaders do not know how to effectively manage their data or establish an industrial data strategy that will set them up for success.

In this whitepaper, Novotek UK and Ireland offers a guide to improving your data practices. The whitepaper covers how to develop field-level plans that align with business goals, why the context of data is imperative, how to manage large data quantities and what an effective data strategy looks like.

Complete the form below to receive a copy of the whitepaper.

A secure knowledge base
https://ideashub.novotek.com/a-secure-knowledge-base/
Tue, 06 Apr 2021 15:27:00 +0000

The notion that ideas become reality especially applies to cybersecurity in critical national infrastructure. Security breaches can result in very real losses of water or energy; but ideas around cyber threats are obscured by misconceptions around the nature of such attacks and how to deal with them. Sean Robinson, service leader of automation specialist Novotek UK and Ireland, explains how a compact controller could negate these threats, and improve companies’ internal understanding of cyberattacks.

An annual report by Kaspersky Lab, The State of Industrial Cybersecurity 2018, revealed several interesting facts about how industrial cybersecurity is perceived by businesses and applied to Industrial Control Systems (ICS). The survey of 230 worldwide professionals reveals disconnections between what is feared by businesses, and what’s happening in reality.

For instance, 66 per cent of the surveyed businesses were most concerned about advanced persistent threats (APTs), like data leaks and spying (59 per cent), because of their perceived potential impact. In reality, APTs make up 16 per cent of cybersecurity incidents. Actually, conventional malware and virus outbreaks are becoming the greater problem. These attacks are not overly sophisticated and made up 64 per cent of cybersecurity incidents last year.

Aside from misconceptions about the external threat landscape, disparities also exist within organisations. In relation to Kaspersky Lab’s survey, technology website tripwire.com cited a report by the SANS Institute. SANS found that, among nearly three-quarters of firms that were confident in their ability to secure their industrial internet of things (IIoT), there were more likely to be different internal perceptions about the effectiveness of their security measures. While leaders and department managers were more likely to have a “rosy outlook” of their security, operational technology departments had a more pessimistic view.

Such misconceptions would be even more of a concern within critical national infrastructures. Cyberattacks against water, energy or chemical supplies can have very real consequences for countries and their populations.

Upgrading control systems

From a hardware and systems perspective, more than half — 54 per cent — of the surveyed businesses identified integrating ICS with IT systems and Internet of Things (IoT) ecosystems as among the most pronounced challenges. This last statistic places a wider challenge faced by plant managers into a whole new context: specifically, how best to achieve space and cost savings by reducing the size and complexity of plant equipment.

Plant managers are turning to new systems to achieve greater levels of flexibility and profitability in their production. This coincides with older programmable automation controller (PAC) systems, like trusted Series 90-30 controllers, reaching the end of their operational lifespans. In many cases, these 90-30 systems have been relied upon as integral to plant operations for upwards of 25 years.

How can plant managers effectively upgrade their systems, while ensuring that cybersecurity measures keep up with the rate of technology adoption — and the external threat landscape? Fortunately, answers lie in smart hardware and its role in helping manufacturers enhance process flexibility and performance.

Centralised security

One solution lies in better control. The RSTi-EP CPE100 is a compact controller for PAC systems — specifically, to control the RX3i CPU from Emerson which has emerged as a popular and effective upgrade for 90-30 systems. In a nutshell, the RSTi-EP CPE100 leverages the power and flexibility of PAC systems in smaller applications.

With the RSTi-EP CPE100, entire PAC systems can be programmed in stand-alone applications, or the system can be used as an auxiliary controller in larger process applications that use the RX3i. Not only does the system leverage the power and flexibility of PAC systems in smaller applications, there are also benefits in terms of cybersecurity; indeed, the RSTi-EP CPE100 is secure by design.

With the system, companies can apply optimised security right from the very start. The RSTi-EP CPE100 incorporates technologies like Trusted Platform Modules and secure, trusted, and measured boot. It allows centralised configurations, so that encrypted firmware updates can be executed from a secure central location. Specifically, a suite of cybersecurity technologies can help prevent unauthorized updates. Meanwhile, built-in security protocols can protect against man-in-the-middle (MITM) attacks, where the attacker secretly interferes with communications between two parties, and denial-of-service (DoS) attacks.

Speaking of the “man-in-the-middle”, another key takeaway from Kaspersky Lab’s report is that, going forward, industrial companies must also pay more attention to employees’ understanding and awareness of cyber threats. Because the RSTi-EP CPE100 can streamline application development and integration, a further benefit of the system is that it simplifies training for operators and maintenance workers.

While cyberattacks on ICS computers are misunderstood by many within industry, it’s necessary to overcome these misconceptions while keeping up with the best cybersecurity measures. Novotek recommends that managers should pay attention to system security from the very beginning of their integration. The more critical the application, the more important it is that ideas surrounding cyberattacks accurately pre-empt the realities.

Did COVID-19 help reveal the path forward for industry?
https://ideashub.novotek.com/did-covid-19-help-reveal-the-path-forward-for-industry/
Sat, 06 Feb 2021 10:06:00 +0000

While initially concerned at the impact of remote work mandated as part of COVID-19 safe working practices, many industrial leaders were encouraged to find the use of manufacturing execution systems (MESs) and plant data repositories (Historians) reduced the challenge of maintaining effective control of production from afar. So what’s going to happen at firms that weren’t so well prepared at the outset? Here, Sean Robinson, service leader at industrial automation provider Novotek UK and Ireland, explains why modern plant systems should be part of a competitive toolkit even when there is no pandemic.

50 years ago, the thought that a plant manager could stay home and be able to have meaningful oversight of operations, while collaborating with other remote colleagues on the details, was unbelievable. If COVID-19 had struck at that time, most factories would have simply closed entirely.

Today, instead, with the right industrial IT solutions, plant management, along with team supervisors, quality leaders, engineers and continuous improvement managers, can work as a team as if they were together, regardless of where they are. A combination of developments in IT and OT has come together to make this possible.

There are now ways to securely deliver existing automation software applications such as SCADA via the web. Likewise, plant data repositories, or Historian software, have had the speed and power of their collection and storage capabilities supplemented with modern, web-based tools for exploring data. This includes ways to quickly add context and description to otherwise technical data points, so there can now be one source of raw truth that is accessible from anywhere, comprehensible by anyone.

Full-fledged production tracking systems or MESs have similarly had rich web-based front ends built, so that the detailed flow of events and activities can be tapped into from anywhere, regardless of how those systems may have had to be tied to on-site automation and sensors.

The driving force behind the evolution of plant tech, though, was to enable greater productivity. With information from core operations readily at hand, alongside information from the broader enterprise, leading firms began to accelerate their continuous improvement efforts, undertake deeper collaboration with suppliers and other industrial partners and develop better insights into how to refine products and processes. The fact that their modern systems lent themselves to remote work and collaboration would come to be seen as a bonus aspect to these capabilities.

Despite the ready availability of modern plant IT and automation, and the numerous documented cases of manufacturers realising the benefits of modern systems, many factories remain wedded to paper, spreadsheets and ad-hoc/as-able machine data analysis efforts (often based on manual extraction and collation of data from individual assets). The implications of this go beyond it being comparatively inconvenient to deal with remote working.

Firms that have incorporated more modern plant solutions already enjoy significant advantages in their cost of production, their operational flexibility and their predictability in relation to meeting demand. The question is whether such current advantages will be further entrenched, or whether we will see a surge of investment from others to take on these capabilities. There is also a question of whether the firms catching up will look to go beyond simply sustaining their operations and towards fine-tuning or even re-shaping them.

Lessons from leading organisations

The next wave of technology adopters can benefit from observing how organisational structures and behaviours have been changed as modernisation has unfolded. New tech has certainly changed the way line-side operators stage, execute and manage production. However, the freer flow of data to different stakeholders has also seen improvement in surrounding business processes such as supply chain coordination and product design.

One of the cultural changes common in leading firms is broad recognition that detailed operational data supports the work of many stakeholders traditionally seen as removed from the production process. This has prompted the formation of cross-functional teams responsible for ongoing learning about the continuing evolution of automation and software.

Tasked with spotting developments that could yield outsize impact, not just sustain incremental gains in capability, cross-functional teams embody the recognition that technology is not only a critical tool to enable existing strategies, but potentially the key to new ones. That behavioural change also means that tech adoption is no longer intimidating or mysterious. With IT, operations, product design, engineering and quality leaders learning together, each group’s perspective and knowledge becomes part of a common understanding of how to understand the next technology wave in the context of the firm’s challenges and opportunities.

If the COVID outbreak showed how rapidly our steady work routines and supply networks can be disrupted, this is the time to see how technology can provide UK plc with increased resilience and a renewed operational vigour. It’s vital that manufacturers adopt the tools that support better insight and collaboration for the impact they can have on productivity, flexibility and even innovation. Modern plant systems should be seen as critical to success all the time, not just as a convenience during a pandemic.
