Factory security and safety is being compromised as manufacturers integrate plant automation and machine systems with business and engineering systems. Brian Tinham reports
That’s the warning from PA Consulting, British Columbia Institute of Technology (BCIT), the National Infrastructure Security Co-ordination Centre (NISCC) and security specialist Symantec.
They warn that, as companies connect systems that were designed for operation isolated from the outside IT world, they must understand that they are now opening up to all the forms of cyber attack.
They also say that recorded incident numbers are increasing and that the risks are not only to production uptime – and that’s substantial, with average costs now at £1m per event – but also to safety.
Traditionally, plant systems have been viewed as immune since they were developed on proprietary operating systems and hardware, and also used in isolation.
Both are increasingly invalid assumptions, and businesses and plant operators need to act now to protect their investments and their communities. And that’s not just for organisations that see commercial value in integrating their systems: incidents are also being reported that stem from infected laptops used by, for example, maintenance engineers.
What’s required, says PA Consulting’s Justin Lowe, is a root and branch review of plant risk factors and appropriate security policies, not just IT measures. Too few companies’ directors even know if they’re at risk, right now.
Speaking at a conference on industrial cyber security, Gary Servounts of Symantec said that standard commercial security offerings, for example, are not appropriate to plant management systems.
“These systems have to be high availability and high performance. There are very few security offerings today to protect manufacturers and utilities,” says Servounts. And he adds that with the difficulties of communication between business and operational IT departments, solving the problems is going to be challenging.
Symantec is working with Aveva and a number of the global control system vendors to provide validated cyber security systems for plant IT, some of which are now available.
The remaining problem is validation time, with monthly Microsoft vulnerability patches still taking too long to certify before implementing on live plant.
Best practical solutions involve taking a holistic approach to plant security management based on strictly enforced policies, blocks between the notional layers of plant networks and embedded security systems.