For years, process control systems were secured with a combination of “security through obscurity” and wilful ignorance. Increased threats from malicious hackers, often sponsored by nation-states and criminal organisations, are demonstrating that neither of these approaches is sufficient.
If you are to have a hope of keeping your manufacturing processes safe, you have to lock them down.
1. Stiffen up those passwords
The first step is the most obvious: change your default passwords. The number of production manufacturing and process control systems that still use the factory-assigned passwords is staggering – and these commonly assigned passwords are easily searched on Google
However, when you change it, don’t just go tapping out the six easiest characters on your keyboard
In fact, security firm SplashData’s annual Worst Passwords list has had the same top-two spots for five years: “123456” and “password” – with the company estimating three per cent of users had used the former
“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” said Morgan Slain, chief executive of SplashData, upon the release of the 2017 list.
2. A default by any other name
Step two is similar: Change the default names of devices and networks. This is another very, very basic step, but one that far too many manufacturers fail to take when deploying control systems
While keeping a default name does nothing to make your password easier (or harder) to hack, it serves as a proverbial red rag to a hacker – if you’re too lazy to change the name, you probably haven’t bothered to change the password.
Having a name that in no way references your router will make you a far less appealing target, and a default password – which, again, please remember to change – much more difficult to simply Google.
Now that the most basic steps have been taken, it's time to work on more serious security strategies.
3. Process control and business networks – separate but equal
Treat your process control network like you treat your business network – each is equally important, and the two are related in what they do for the business – but don’t confuse equal treatment with lumping them in the same basket.
Treating the process control network like your business network means building a perimeter around the manufacturing network similar to the one built around the financial and IP portions of your business.
That means a firewall and IPS (Intrusion Prevention System) or UTM (Unified Threat Management) controlling traffic in and out of the network. Don’t make the mistake of ignoring the latter either, as unusual traffic through and out of the network is often the only way to detect an intrusion.
As for separating the two networks, this is important because a vulnerability in one network can easily introduce malware into the other.
Business-side users, for example, may be more likely to use thumb drives that could carry malware targeting industrial controllers. Meanwhile, a poorly defended manufacturing line can provide an easy attack vector for malware that could move into critical databases.
Security professionals are beyond the point of wondering why a hacker would be interested in a production line. Whether they're interested in disrupting the manufacturing process, stealing intellectual property, gaining access to data beyond the factory floor, or extorting your company, process control makes an inviting target.
Lock yours down and avoid becoming the headline in your own horror story.