From building a cybersecurity strategy to using technology that blocks bad actors from sneaking in through a remote access connection, OEMs have new ways to protect themselves and their customers.
While cybersecurity has always been a concern for business, cyberattacks have been on the rise since the pandemic, according to the Ransomware Task Force (RTF), an international coalition of experts formed to combat ransomware criminals. We can see the effects of cyber sabotage in the hack on a water treatment plant in Florida back in February, and in the more recent shutdown of the Colonial Pipeline due to a ransomware threat.
But cybercriminals are not just targeting critical infrastructure—every single business can fall victim to these malicious acts.
As more manufacturers are letting technology partners and machine builders connect to systems through a remote access point, there are more ways for cybercriminals to sneak in and wreak havoc on a company, be it deleting important data or shutting down production unless a ransom is paid. This is causing concern for manufacturers that are using machines from many different OEMs.
For example, Cargill is a global manufacturer with facilities in 70 countries. “We have so many OEMs that we mostly deal with at the local level,” says Dominic de Kerf, Cargill’s smart manufacturing expert focused on automation, instrumentation, and process control. “They know a lot about their machines, but cybersecurity is not something they do well.”
And every supplier has a different remote access method, which makes it an IT nightmare to manage and secure who is coming into the plant through each of those openings. “We can open a secure connection, but it’s complicated,” de Kerf says. “We need some control and accountability.”
The concern was so great for de Kerf that when he was asked to join a remote access workgroup within the Organization for Machine Automation and Control (OMAC), he gladly accepted. Over five months, the group, comprising representatives from major manufacturing companies, OEMs, system integrators, and automation vendors, outlined a seven-step process for creating a comprehensive remote access plan that includes a careful assessment of security, corporate policy, usage, and monitoring requirements.
New resources to build a cybersecurity strategy
The result is the Practical Guide for Remote Access to Plant Equipment, which was released in January 2021 and details best practices used in manufacturing to define, analyze, control, improve, and secure remote access.
The OMAC workgroup was facilitated by ei3, a provider of technology used to increase machine performance and secure remote connections. The company brought in Mark Fondl, founder of consulting firm ICT Global, to lead the project.
“I wanted to get the perspective of an entire ecosystem and develop topics and areas of discussion that are not so technical, but the goal was to develop common sense practical points of view that anyone can use,” Fondl says. “The target was not major corporations, but middle and smaller-sized manufacturing plants that may not have the experience but are looking for guidance in regard to remote access.”
Fondl recruited big CPGs, including Cargill, Frito-Lay, and P&G, as well as OEMs like ITW Hartness, Durr USA, Milacron, Mettler Toledo, Nordson, and ProMach. He also brought in technology suppliers Beckhoff Automation, Mitsubishi Electric Europe, SICK, Siemens, and of course, ei3, as well as many system integrators and associations like PMMI.
The 90-page guide, which is vendor agnostic, goes through specific steps to consider taking to safeguard a facility, focusing a lot on processes and terminology—especially between IT and OT departments—because although they may use the same words, they often have different meanings.
“I created a fish tank analogy when talking about IT and OT,” Fondl says. “They’re like two fish tanks, one fresh water and one salt water. To the outside observer they look to be the same, but if you live in one and are moved to the other, the subtle differences can kill you.”
In fact, data from a 2020 survey of CPGs conducted by PMMI and published as a Business Intelligence report called Trends in Adoption of Remote Access noted cybersecurity as the top concern about remote access, followed closely by organizational IT/OT barriers. According to the report, respondents were also concerned that there was no practical guide to help start the process of adding new remote services. Well, now there is.
In addition, PMMI followed up with its own guide to developing a cybersecurity strategy. The 2021 Cybersecurity: Assess Your Risk document published in March complements the OMAC document by addressing modern cyber threats—including ransomware—as well as Industrial Internet of Things (IIoT) vulnerabilities related to digital transformation and connectivity. It looks at assessing inside threats as well as cloud service providers, cybersecurity insurance, ways to mitigate risk, and more.
The PMMI cybersecurity report also zeroed in on what OEMs need to pay specific attention to, noting that machine builders are highly vulnerable to cyberattacks, and are often seen by cybercriminals as a bridge to reach other targets. Therefore, machine builders will need to take extra precautions to safeguard their data as well as their customers’ data. To that end, the report recommends that OEMs partner with a third-party expert to craft a comprehensive plan as well as implement damage-mitigation measures should a data breach occur.
And that raises the question: Who is ultimately responsible when there is a security breach?
“At the end of the day, the manufacturer is ultimately responsible, but whoever is developing the platform is responsible for making sure it is deployed in a secure way,” says Jacob Chapman, director of industrial IT and cybersecurity at Grantek, a systems integrator focused on the food and beverage, CPG, and pharmaceutical industries.
Pandemic sparks new ideas for securing the plant
Chapman worked on the OMAC guide, which he says is meant to walk IT and OT stakeholders through what they should know when navigating remote access. But, because it is vendor agnostic, it does not dive into the technologies available that are specifically designed to protect remote access connections.
And yet, there are many technology innovations in the area of remote access cybersecurity. Here are just a few:
Grantek’s Engineer-in-a-Box. When COVID-19 limited OEM and vendor access to equipment and controls at their customers’ facilities, Grantek rolled out its Engineer-in-a-Box, a remote access mobile device powered by Dispel’s Moving Target Defense technology. It’s a plug-and-play appliance that provides secure remote access to industrial control systems (ICS). To use it, just connect it to an Ethernet port anywhere on an OT network. To disconnect, just turn it off.
It is the Dispel Moving Target Defense technology that creates a very different setup, one that flips the model of the traditional static defense system. “Rather than having a static target, like a castle that adversaries are trying to hit, we build submarines that move and keep assets safe because they can’t see where they went,” says Ben Burke, COO of Dispel. “It’s a cycling virtual infrastructure.”
According to Burke, a traditional on-premises system may have several steps to connect through the firewall, but it is basically a beacon beckoning all to connect. “What’s different about the moving target defense is we push the connection entry point to the cloud and shift it over time, so you are not directly connecting to the OT environment. When you first connect, you have to go through our cloud infrastructure before getting there.”
The on-premises gateway establishes an encrypted tunnel to the cloud network. Once that half of the bridge is built, the virtual desktop gets the user profile and connects to the other side of the network. The two come together to create a temporary bridge through which the user can access the encrypted tunnel through the gateway and firewall and then reach the specific OT endpoint. This infrastructure cycles over time so that OT has a new virtual desktop with each log-in. “For an adversary, every day the entire user profile has completely changed. There is no methodology for performing reconnaissance on it,” Burke says.
ei3’s Amphion Edge Devices. Using industry-standard security protocols, the edge device creates a managed secure network from the machine to ei3’s application in the cloud. “We are looking after the network, constantly patching and monitoring all aspects of our managed VPN,” says ei3 founder Spencer Cramer, noting, “If you just put a VPN appliance on a machine and you are not updating it, that VPN appliance will quickly become a vulnerability to the organization.”
In addition to managing the security of the access point, ei3 controls the access of individuals. If an organization owns equipment from many different OEMs and uses services from different integrators, consultants, and even employees working from home, it’s not reasonable to open that equipment to everyone. “With the ei3 cloud security center, we give the owner of the equipment the ability to control the access to the equipment. They can create a temporary one-time link to open a door for a single person to access a single piece of equipment, and it’s all done through web pages, so no software or firewall configuration is needed. It’s done in a way that a plant manager or line supervisor can ask for support and once it’s done, that door closes and locks.”
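The one-time-link model described above, in which the equipment owner opens a door for a single person to a single machine for a limited time and the door closes by itself afterwards, is easy to illustrate. The example below is added here and is not ei3’s code; the broker class, the hypothetical asset names (“filler-3”, “labeler-1”) and the user names are all constructed for illustration. It stores only a hash of each issued token, enforces single use, expiry and scope, and keeps an audit trail of every decision so the owner can see who opened which door and when.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """One just-in-time grant: exactly one user, one machine, one use, one deadline."""
    user: str
    equipment: str
    expires_at: float
    used: bool = False


class AccessBroker:
    """Hypothetical broker for single-use, time-limited, equipment-scoped access links.

    This is an illustrative stand-in for the 'temporary one-time link' concept,
    not a vendor implementation. The raw token is handed to the requester once;
    the broker keeps only its SHA-256 digest, so a leaked grant table cannot be
    replayed by itself.
    """

    def __init__(self):
        self._grants = {}   # token digest -> Grant
        self.audit = []     # (decision, user, equipment) tuples, in order

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, equipment, ttl_seconds, now=None):
        """Create a grant and return the unguessable one-time token for it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(user, equipment, now + ttl_seconds)
        self.audit.append(("issued", user, equipment))
        return token

    def redeem(self, token, user, equipment, now=None):
        """Open the door if the token is valid, unused, unexpired and in scope.

        Returns (allowed, reason). The grant is consumed on success, so a second
        redemption of the same token is refused: the door closes and locks.
        """
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None:
            reason = "unknown token"
        elif grant.used:
            reason = "already used"
        elif now > grant.expires_at:
            reason = "expired"
        elif (grant.user, grant.equipment) != (user, equipment):
            reason = "scope mismatch"
        else:
            grant.used = True
            self.audit.append(("opened", user, equipment))
            return True, "ok"
        self.audit.append(("denied: " + reason, user, equipment))
        return False, reason

    def revoke(self, token):
        """Let the owner close a door early; returns True if a grant was removed."""
        return self._grants.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    broker = AccessBroker()
    link = broker.issue("oem-tech", "filler-3", ttl_seconds=900, now=1000.0)
    print(broker.redeem(link, "oem-tech", "filler-3", now=1100.0))   # (True, 'ok')
    print(broker.redeem(link, "oem-tech", "filler-3", now=1200.0))   # (False, 'already used')
    for entry in broker.audit:
        print(entry)
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production you would omit it and let the broker read the clock. The scope check is deliberately exact: a grant for one machine says nothing about the machine next to it, which is the whole point of the model the article describes.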
The ei3 technology works with any type of industrial automation controls and networks, including legacy protocols. “This is an important point because you can find hundreds of companies that will help you connect to brand new equipment, but ei3 can help you with 15-year-old equipment,” Cramer says.
Claroty’s Secure Remote Access and Continuous Threat Detection. The Claroty platform offers an OT security system with remote incident management that spans the entire incident lifecycle, allowing cybersecurity teams to detect, investigate, and respond to incidents on OT networks across the broadest attack surface area securely and seamlessly from any location.
The tool itself sits on the network and profiles all assets, communications, and processes to establish a behavioral baseline that characterizes legitimate traffic, while providing continuous integrity monitoring. When a user receives an alert from the continuous threat detection, the platform uses information from similar events to provide context, enabling a more effective response. “It detects every risk to the network and every threat that might come up,” says Guilad Regev, Claroty’s senior vice president of global customer success. It also has the ability to disconnect potentially harmful remote sessions.
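To make the baseline-and-alert idea concrete, here is an added example (not Claroty’s code, and much simpler than a real product) that learns which asset pairs and services talk to each other during a learning window, then evaluates new flows against that baseline and attaches context to each alert. The asset names, ports and flow records below are constructed sample data, and the `remote_hosts` set is an assumed configuration that marks which sources are remote-access entry points, so that a deviating flow from one of them can be answered by cutting the session rather than just raising an alert.

```python
from collections import defaultdict

# Constructed sample flow records (not real capture data): (src, dst, port, protocol).
# These represent what the sensor saw during the learning window.
BASELINE_FLOWS = [
    ("hmi-01", "plc-filler", 44818, "enip"),
    ("hmi-01", "plc-labeler", 44818, "enip"),
    ("historian", "plc-filler", 502, "modbus"),
    ("historian", "plc-labeler", 502, "modbus"),
    ("jump-host", "plc-filler", 44818, "enip"),   # routine remote maintenance path
]

# Constructed live traffic to evaluate after learning.
LIVE_FLOWS = [
    ("hmi-01", "plc-filler", 44818, "enip"),       # normal
    ("jump-host", "plc-filler", 44818, "enip"),    # normal remote maintenance
    ("jump-host", "plc-labeler", 22, "ssh"),       # remote session reaching a new asset and service
    ("laptop-77", "plc-filler", 502, "modbus"),    # source never seen during baseline
    ("historian", "plc-filler", 502, "modbus"),    # normal
]


class OTBaseline:
    """Learns legitimate (src, dst, port, protocol) tuples and flags deviations.

    Illustrative only: a production tool would also profile protocol-level
    commands, timing and process values, not just who talks to whom.
    """

    def __init__(self, remote_hosts=()):
        self.pairs = set()                  # full flow tuples seen in the learning window
        self.assets = set()                 # every asset name seen as src or dst
        self.talks_to = defaultdict(set)    # src -> set of dsts it has ever reached
        self.remote_hosts = set(remote_hosts)

    def learn(self, flows):
        for src, dst, port, proto in flows:
            self.pairs.add((src, dst, port, proto))
            self.assets.update((src, dst))
            self.talks_to[src].add(dst)

    def evaluate(self, flow):
        """Return None for baselined traffic, or an alert dict with context and action."""
        if flow in self.pairs:
            return None
        src, dst, port, proto = flow
        context = []
        if src not in self.assets:
            context.append("source never seen during baseline")
        if dst not in self.talks_to[src]:
            context.append(f"{src} has never communicated with {dst}")
        else:
            context.append(f"{src} reached {dst} on a new service {proto}/{port}")
        # New source or new peer is treated as high; a new service on a known peer as medium.
        severity = "high" if (src not in self.assets or dst not in self.talks_to[src]) else "medium"
        # Deviations originating from a remote-access entry point can be cut off directly.
        action = "terminate remote session" if src in self.remote_hosts else "investigate and isolate"
        return {"flow": flow, "severity": severity, "context": context, "action": action}

    def run(self, flows):
        """Evaluate a batch of flows and return only the alerts, in order."""
        return [a for a in (self.evaluate(f) for f in flows) if a is not None]


if __name__ == "__main__":
    detector = OTBaseline(remote_hosts={"jump-host"})
    detector.learn(BASELINE_FLOWS)
    for alert in detector.run(LIVE_FLOWS):
        print(alert["severity"].upper(), alert["flow"], alert["action"])
        for line in alert["context"]:
            print("   ", line)
```

Two of the five live flows produce alerts: the SSH session from the jump host to a PLC it has never touched (answered by terminating the remote session), and the Modbus traffic from a laptop that was absent during learning. The context lines are what turn a bare anomaly into something a responder can act on; the baseline itself has to be learned during a period you trust to be clean, which is the caveat every behavioral approach shares.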
FDT 3.0. The FDT Group is a not-for-profit industry association supporting field device tool technology, which defines the data exchange interface between field devices and each control system, engineering tool, or asset management tool. Last June it rolled out FDT 3.0, which includes the FDT IIoT Server (FITS) and the FDT 3.0 Developer Toolkits. Part of the server upgrade enables remote access, allowing someone to check on a facility from wherever they are, as long as the security protocols in place allow it.
“We had a separate security team guiding the security aspects of the standard,” says Glenn Schulz, managing director of FDT Group, noting that security protocols are built into the standard. “But what it is allowed to do is up to the end users’ IT or OT departments in terms of how they choose to configure it.”
People play a role
While technology may be the front line—or maybe the backdoor defense—nothing will be completely successful unless everyone is working from the same playbook. According to the PMMI report, “The best cybersecurity plan is only as good as the individuals tasked with carrying it out.” This may mean creating a dedicated cybersecurity team that crosses IT and OT departments, in addition to partnering with an expert, as previously stated.
The PMMI and OMAC reports, however, are the best places to start the conversation.