INTERNET OF THINGS
Complacency biggest challenge against cyber attacks Having connected devices in the work place is a good thing, but security is an issue that needs addressing. Mike Wheeler talks to security experts about how companies can protect themselves.
I
t’s been a hard slog, but everything’s gone to plan. Your plant is up and running. Automated systems are humming along nicely. The hardware and software are configured, spewing out data left, right and centre. Orders are coming in. Client fulfilments are being met. They’re happy. You’re happy. Then bang. Everything grinds to a halt. Conveyor belts stop, goods are backed up on production lines and the loading bay lies empty. This is the real threat for companies who have embraced the Industrial Internet of Things (IIoT) in their automated processes. The IIoT brings many great things to the table. It gets devices talking – sharing information, sending and receiving
data, allows actuators and sensors to compare notes – a plethora of functions designed to make modern plants functional and streamlined. However, modernising manufacturing plant to include the IIoT also means it will become vulnerable to cyber-attacks. The two biggest ransomware attacks to date in 2017 – WannaCry and NotPetya – crippled businesses around the world including oil companies, financial institutions and Cadbury’s chocolate factory in Hobart. Peter Clissold, who is a senior cyber security consultant for Schneider Electric, brings some sobering figures to the table when it comes to the WannaCry incident – not so much how much the
With literally billions of devices being connected to the Internet, security is more important than ever in the process and control industry.
20 www.pacetoday.com.au OCTOBER/NOVEMBER 2017
criminals made, but what it costs in terms of damages. “One of the last set of figures I saw show the criminals made $144,000,” said Clissold. “However, there was between $200 million to $20 billion worth of damage, lost opportunity and remediation across the globe.” According to David Higgins, who is the regional director of data security specialist WatchGuard Technologies, people who are developing devices for the IIoT sometimes forget about the security aspect. “It used to be things like phones and laptops that needed security, now it’s IIoT devices in manufacturing, mining and various other sectors,” said Higgins. “We collate information from firewalls our customers have protecting their devices; this information shows there are network scams for vulnerable firewalls and IIoT devices. Anything that has got an open SSH (Secure Shell) or Telnet access is vulnerable.” Telnet and SSH give people the ability to access devices remotely. It never used to be this hard. Back in the days of paperwork, security was less of an issue as a criminal would have to physically go out of their way to get information from an organisation. “I’m a geologist by training and back before computers the data we recorded was handwritten,” said Higgins. “We kept the information secret because I worked for a public company and that information could be of value in terms of stock price. Today, that sort of information may have value for somebody who is looking to buy your company or resources from you.” Movement of data and who has access are also issues that need addressing, according to Clissold. “Where the IIoT starts to have some challenges is that, as we build security
up onto those industrial facilities, people can move data from one site to another, which could be from a secure zone to a less secure zone,” said Clissold. “You need to put controls around what people can and can’t do in those areas. This is not just from an information perspective but from an availability and integrity perspective. When we start to open up access to the data in these devices we are increasing the potential attacks that may happen within these facilities.” Lackadaisical attitudes are also a problem. Higgins believes people want convenience over security. And when you have literally billions of devices being connected to the Internet, security is more important than ever. Especially in environments such as the process and control industry. With automation and robotics starting to take on a bigger role, there are more opportunities than ever for people with bad intentions to gain access to connected HMIs, software-run processing lines and other plant. “If it’s a tradeoff between security and convenience I think convenience is going to win out every time with the consumer,” said Higgins. “Take the case of people thinking they are secure because they use a fingerprint to open their smartphone. But we have to remember that there is also a password sitting in the background that I can access as well.” Clissold backs this assertion up. However, in the past year he has noticed a change in attitude. “There’s still a complacency around ‘it’s not going to happen to me’,” said Clissold. “When you dig deeper about what they are focusing on with regard to cyber security, you look at what they are doing with operational facilities, it’s either ‘oh, that’s somebody else’s