Transcription of Workshop
Brandon Witte | Sightline
So today we’ve got a workshop focused on the vulnerabilities of Industry 4.0. More and more today we’re seeing cyber attacks against ICS systems and manufacturing and utility sites around the globe, and this is only going to get worse as the technology continues to modernize in the factories of today. So today, David and I are going to go through and talk with you a little bit about how this came to be, and more importantly, how you can protect yourself against these new threats that are appearing in the market.
Hi, I’m Brandon Witte with Sightline Systems. And with me today, I’ve got David Gibson from Unisys Corporation. And we’d like to spend a few minutes talking with you about smart factories and securing the vulnerabilities of Industry 4.0. As you’ve heard in the news recently, there have been more and more attacks against manufacturing sites, and Unisys and Sightline have joined forces to come up with solutions to help protect the systems against these types of attacks. So we’re all probably familiar with the smart factory concept and Industry 4.0. But just summarizing, you’ve got the convergence of the IT and OT worlds coming together, introducing new technologies to the manufacturing floor, all in the hope of improving productivity and operational competitiveness.
There are all kinds of statistics out there showing the benefits of the smart factory. Here are just a few examples from Deloitte & Touche, a study that was done back in 2019. But as you can see, there’s over a 10% increase in productivity. When applying the smart factory or Industry 4.0 techniques to your operation, folks are seeing an increase in labor productivity and capacity utilization, as well as improving production output. So there are a lot of good reasons for seriously considering, if you haven’t already, introducing these smart factory concepts into your operations.
All of these new capabilities help improve operations, but they also create new complexities that weren’t there before. With the smart factory, gone are the days of an isolated network, for instance, and all of this new technology is introducing all kinds of new interfaces: serial to serial, fiber to serial, fiber to internet, the list goes on, as well as introducing all kinds of new protocols to the way systems are communicating with one another. Before, we had Modbus and Profinet as the prominent players on the shop floor, but today we’re seeing things like OPC UA, MQTT, and a variety of other ones to help connect all of these new systems together. With all of these new protocols, we’re seeing all kinds of new networks. Wireless is entering the manufacturing environment. We’re seeing the wide area network (WAN) being introduced, and the cloud, and all of these things are introducing new complexities as well as enabling the plant to do even more.
Unfortunately, this introduces new vulnerabilities that weren’t previously exposed at the manufacturing site. And unfortunately, cyber attackers are exploiting these, causing havoc around the globe, hitting everything from commercial entities to utility companies, disrupting operations and causing all kinds of problems. So David, can you highlight just a few of the types of risks that companies are seeing now in the manufacturing environment? The smart factory, with all those great new capabilities that it adds to operations, is introducing a variety of new threats and risks to one’s operations, which, if not properly cared for, can cause devastating results.
David Gibson | Unisys
So that’s correct, Brandon. The slide we’re looking at right now is a list of new risks and threats. And on the left-hand side we see some of the potential threats: Privilege Abuse & Escalation, Malware & Ransomware, Spearphishing, Bot & Brute Force Attacks, Distributed Denial of Service (DDoS), Advanced Threats, Industrial Espionage. These threats bring a lot of risk to companies, as we have seen recently, and we continue to see in the press almost every day. There’s business disruption, there’s loss of production, reputational damage, and the list goes on, ultimately hitting the company’s stock price.
In recent times, we’ve seen some examples of where attacks have happened to very large organizations, which are almost surprising to see. So recently, there’s been a very large US technology company, and a global Japanese automobile manufacturer, with hits on multiple sites in several countries. This specific attack was a targeted attack on ICS infrastructure. So once the attacker gained access, it was designed specifically to attack the ICS technology, with the aim of disrupting the manufacturing process. There’s not as much information about this attack yet, but we know that some of the sites in different countries were taken offline.
One specific attack that I really want to call out was a really good example of how successful these attacks can be. This was an attack on a Norwegian aluminum manufacturer. The attackers spent some weeks doing some reconnaissance before they struck, understanding how to gain access, etc. We’ll talk about that a bit later on. Once they managed to attack, it was quite devastating; 20,000 computers were taken offline, 170 sites were hit, 40 countries were hit. So unfortunately for the attacker, the company really had a do-or-die mentality and they were really determined to survive regardless of what it took, and from the data we can see, no response was given to the attackers’ ransomware note. Despite considerable disruption to the organization, lessons were learned. In their fight for survival, they were successful, and today they are now seen as the gold standard by law enforcement organizations on how to deal with such attacks. Not only did they not pay the attackers, they were also open and transparent to the outside world about what was going on: that this attack was happening, the extent of the attack, the impact on the company, etc. So, this is a really good example of a company which was hit, which did not pay out, and which took actions to repair its systems and its business, but in an ideal world, you don’t want to be here.
You need to protect yourself so as not to be in this position. This is where Sightline and Unisys come in with their offering.
Brandon Witte | Sightline
Now, that’s great, David, because we’re seeing more and more of these types of attacks. The automobile manufacturer had operations shut down in multiple countries by the same type of attack, and it leaves an organization really exposed. There are operational losses, obviously, for not being able to run for multiple days, not to mention the negative press the brand gets, which can be extremely difficult to recover from. In some cases, companies are unsuccessful in recovering from such disruptions, and unfortunately, these can happen to just about anyone.
In the manufacturing space, we’re seeing more and more that the environments are, to put it politely, legacy systems. It’s not the newest technology all the time running on the floor. Some of the computer systems are quite old and are prime targets because they haven’t been updated with the latest patches or the latest operating systems. And all it takes is that one phishing email to expose a company to just devastating issues. For me, the scariest ones are when you don’t know what’s happening, frankly: those secret attacks that are collecting information and secretly sending it back somewhere for espionage or other purposes, which can go on for years, where, unknowingly, your information is being transmitted to the attackers.
David Gibson | Unisys
There are a number of steps that the attacker will take for these attacks, and with the company I called out earlier on, they can be very costly. From what we read, it would cost them 45 million British pounds to fix the infrastructure that was attacked, so it can be very disruptive and very expensive. You can call out the steps that the attack goes through: identifying, looking at systems in use, looking for weaknesses; there are a number of steps that they will take. It’s really important to know that in some cases, the attack might have already happened, but the companies aren’t aware they’re in there doing this stuff.
The steps are typically as follows:
Stage One - Reconnaissance:
The Reconnaissance phase goes on; they’re looking for information within the public domain. This is information which we all put out there about a company in the public domain. We think it’s harmless, but to some of these individuals or state-sponsored terrorism, if that’s in fact what it is, this information can be called up. They’re looking for information about the types of systems in use, devices, processes, usage of equipment, email addresses and their format, employee names, anything which they can use to gain access to launch an attack. So although this information might be harmless to some, it could be very useful.
Stage Two - Weaponize:
Once they’ve done the Reconnaissance phase, they begin to Weaponize. This is them sitting in their little dark rooms or wherever they are, coming up with a plan to gain access into the systems of the intended target. They spend some time exploring and studying all the information they gained through the Reconnaissance phase to prepare themselves to attack.
Stage Three - Initial Breach:
The next step is really the Initial Breach. This is the attackers beginning by penetrating the network; the target is usually unaware that this has happened.
Stage Four - Exploitation:
So, they sit in there, they’ve gained access into the network, and for the next step, they will do some Exploitation. So, from within, they begin to encrypt the files and they’re looking for additional weaknesses within the IT systems in the infrastructure. They’re looking for unsecured ports, or anything else which is unsecured, which can help them basically launch the attack.
Stage Five - Control:
The next step is Control. Once Control has been established, the software has called home. So, they’ve laid the foundation within the Exploitation phase, and they’ve got some control. Now, the software is calling home to ask for further instructions.
Stage Six - Spread the Infection:
Then, finally, the Spread of the Infection, or the main attack. This is to exploit the initial access and weaknesses, and to spread the software, the ransomware, whatever it is, across all the networks: IT, OT, and backup networks; whatever is connected is potentially a target. Their mission is to cause maximum damage and disruption, to take control so they get what they are after, whether that’s a ransom or whatever.
So those are the steps they would typically go through. It’s interesting to note that a lot of times people don’t know the attack is within their IT infrastructure, so the attackers are sitting there idle, and this can go on for quite some time before they’ve actually launched the attack. So, these people are very capable, very sophisticated, and very dangerous.
Brandon Witte | Sightline
Yeah, absolutely, and the mindset that this couldn’t happen to us is just ill placed in today’s society. There was an interesting statistic I came across which said that 30% of cyber attacks are from within. These are attacks that have started somewhere within the organization. Now that could be a malicious user, it could be a phishing scam where someone’s opened an email inadvertently, but 1 in 3 attacks is coming from inside the walls of the organization. That’s pretty frightening, just how easy this can be for these attackers.
David Gibson | Unisys
Then with how easily it spreads, you really need to adopt a Zero Trust strategy, because once there’s a phishing email, it’ll just spread. We’ve seen that happen; somebody opens up an email and it specifically attacks the OT infrastructure. I believe that was the case for the automobile company in Japan, where the attack actually was on OT, but it came through the IT organization. So really, nowhere is safe.
Brandon Witte | Sightline
Now, that’s a good point, David. So how can you help yourself or help your organization protect against these types of things that are happening, but also take advantage of these advancements in technology to make your operations more competitive?
That’s where Unisys and Sightline have come together. Sightline has been helping customers collect and analyze information for over 30 years, but more and more recently, we’re getting the challenges associated with how to protect the data that we’re collecting. Organizations want to leverage what they’ve learned in one factory with that of another. How do you trade this information back and forth, but also protect your environment as well as all these new sensors and other bits that are being added and creating all kinds of new exposure points? That’s where our solution, what we call SIAS, comes into play: Secure Industrial Analytics Solution. So, using Sightline to collect information about what’s going on, we can help with real-time decision making, alerting to situations, and automatically responding to scenarios within the environment. Those could be operational or they could be security related, but it’s having central collection and analysis of this information to help avoid downtime, improve operations, or protect the environment from issues that are occurring.
In making these analytics more accessible: all too often we hear about the great things that Machine Learning and Artificial Intelligence can offer, but it also means that you need a data scientist or a group of data scientists to work through and create and train models, test them, and do all of this work in order to try and gain some insight or predictability based on data. What we’ve tried to do is make these capabilities accessible to everyone so that you don’t have to have a master’s degree in data science in order to use the software.
This software will help you in your everyday job, taking advantage of advanced forecasting techniques, looking for the root cause of an issue, and making it much, much easier to make decisions faster with more awareness about what’s going on. However, with the addition of the Unisys security capabilities, we can do this in a much, much more secure environment and introduce some fundamentally important aspects to help protect the environment.
It’s almost making the network of today look like the network of yesterday, at least from the manufacturing space. David mentioned earlier the concept of a Zero Trust network, and I’ll let him go into a little bit more detail about some of the capabilities and features that the security side of our solution brings to help protect organizations and set them up to be better equipped to defend against these attacks that are happening.
David Gibson | Unisys
So what we do on the security side, it’s very complicated, but it’s really simple to explain. We have a few objectives. There are three things we’re going to do. The first is to hide endpoints and sensitive data. So it’s almost like a term from Star Trek, cloaking the devices and the data so they can’t be seen. Number one is hiding through Cloaking (Step 1).
Then Zoning (Step 2) is reducing the attack surface by giving employees within the organization access to the systems and processes for their function, specific to what they do. So within the organization, there are a number of “zones,” so if a system or an employee in a specific zone is breached, only that zone could potentially be compromised. Effectively, you’re reducing the attack surface. The data, however, is then encrypted for an additional security layer. If data is encrypted, it can’t be used by any attacker. So, we’re Cloaking by hiding endpoints and sensitive data; we’re going to Zone to reduce the attack surface so not everyone has access to everything, which is what happens when a virus is spreading.
The last thing we’ll do is Isolation (Step 3). Time is of the essence in an attack. So as soon as an attack or abnormal behavior is identified, we will dynamically isolate using the capability of Sightline. With our security software, it’s immediate. That’s what you need when time is of the essence. We’re going to act and alert, even if the abnormal behavior is a system malfunction and it might be safe, and isolate until the issue has been checked and validated. Even a malfunctioning system or process can potentially have a costly impact on the rest of the production line. On the other hand, it could be a real threat, so we will take immediate action using the dynamic isolation capability. So those are the three things we will do with security, from a high level.
Brandon Witte | Sightline
Thanks, David. So if we go into a little bit more detail about our solution, this real-time, seamless Monitoring gives you the ability to respond to issues, whether they’re operational or security related, much, much faster, with an audit of what’s happened. You have all the historical data associated with various processes available; those could be the computer systems running your lines, as well as the machinery that’s creating your product or enhancing your product. The analytics provide an easy-to-use facility, so that the data can be analyzed for anomalies. It can be used to improve quality and reduce downtime. Many customers are using the solution for doing just-in-time maintenance, as opposed to following a schedule, which helps minimize downtime of the production line. So, that’s just an example of some of the capabilities you’re getting with the Smart Factory, but also with that security that the Unisys solution brings to the table.
With Root Cause Analysis, having that data accessible helps to understand the answer to the question of why something’s happening. Why does line three constantly go down or get disrupted? Is there an event or something else happening that could be causing it? Or worse, is it a malicious employee who’s causing a disruption just for fun, or is upset about something that’s going on? All of these types of events can be watched in real time and addressed immediately. And with the security features, we can isolate the event until it can be investigated. As David said, the security features allow this to happen in a completely secure environment.
I like the phrase “reducing the attack footprint”: by minimizing the things that people can get to, it minimizes the things that someone could disrupt, plain and simple, which is so different from the firewall focused on keeping people out. But there’s so much that can happen within the organization that we need to protect ourselves against data being transmitted in plain text. For instance, if they can’t understand the data, it’s a lot harder to figure out some way to use it against you, or to take advantage of it. All of these new security features, which, as David said, can sound complicated, provide an extremely powerful framework for protecting an organization in a simple way.
There are all kinds of cool things that you get that we’ve talked about: Alerting, Advanced Analytics to help solve problems faster, and the list goes on. From the security side, it’s all about figuring out if something is wrong and looking for things that are going on within the environment that are unusual or aren’t supposed to be happening. It’s constantly watching whether someone is trying to access a computer that they don’t have access to, whether someone is repeatedly entering their password incorrectly, or whether there is an unusual amount of network activity, and the list goes on. There are all kinds of different scenarios that can be analyzed, and that analysis is used to tell the security infrastructure that it needs to protect. That’s really what it comes down to: having the capability to protect the network, and then the intelligence to know when something’s going wrong.
David Gibson | Unisys
Also, Brandon, we’ve talked about this quite a bit, but in today’s manufacturing environment, especially with a Smart Factory, you absolutely have to monitor everything that goes on, not only for security purposes, but for your operational efficiency. However, the risk IS there, and we see these risks time and time again, almost on a daily basis. The size of the attacks and the sophistication is really of concern; you almost get the impression that there is a little war going on. We know who, in some cases, is doing State-Sponsored Terrorism; we know the four or five countries that are doing it. So, whatever you do within your factory environment using the monitoring capability, you’ve got to do it securely. Otherwise, your entire organization is put at risk in the connected world.
Brandon Witte | Sightline
David, you’re absolutely right. Because, unfortunately, having the fanciest technology to run and optimize your operations can be brought to a screeching halt when a cyber attack occurs and operations are taken offline. As we said before, the cost of such an event can be just devastating for an organization, and in some cases, impossible to recover from.
David Gibson | Unisys
Exactly, if they do, in fact, recover. So the ultimate cost is destruction of the business. So there’s real risk here: some companies may not recover from this.
Brandon Witte | Sightline
At the worst end of things, there are the dangerous or physically destructive attacks, where power plants and pipelines have been impacted. In some cases, these have actually caused horrendous environmental issues, with the explosions that have resulted from the attacks, and taken power grids offline for weeks at a time.
David Gibson | Unisys
It’s almost as if there is, as I said earlier, a little war going on. A lot of this is State-Sponsored Terrorism. And, although we talk a lot about manufacturing here, what we’re talking about is OT. So, those sorts of environments in the power companies and the water companies and such; we’re very interested in protecting their OT environments as well, because potentially there’s a use here, so we’re looking at protection of any OT infrastructure with this solution.
Brandon Witte | Sightline
David, if we go back: so far, we’ve talked a little bit about how great this new technology can be at improving operations. We’ve talked a little bit about the risks. We’ve talked about how these attacks happen. We’ve talked a little bit about what our solution is to address these problems. If we go back and talk a little bit about the anatomy of a cyber attack, I think it would be helpful if we layered in how to address these particular vulnerabilities or steps of the process, and how our solution tries to take advantage of that. So for instance, on the Reconnaissance side, you mentioned Cloaking. So by hiding those pieces, it makes it a lot harder to gather intel about them.
David Gibson | Unisys
Correct. So we are hiding the endpoints and the data so it’s invisible. So when they’re doing the Reconnaissance, that’s a limiting factor in terms of what they can see. We have CS Aware, which is the ability to scan your own networks or company’s networks to understand existing information flows. So with Reconnaissance, there are a couple of things we can do there.
In the Weaponize phase, obviously, they’re planning their attack. Whatever form that might take in terms of the Initial Breach, there is CS Identity, which is security based on the user, and CS Cloaking. Access is only given to endpoints within zones, so there are a number of things where you’re reducing the attack surface, limiting what people can do, limiting what people can see.
In terms of the Exploitation phase, the zoning is compliant with IEC 62443; CS Filtering blocks unused ports; CS Encryption secures data in transit, compliant with NIAP and Common Criteria. CS Endpoint Monitoring identifies unusual behaviors, so this is where we’re looking for the unusual behavior in order to do Isolation. If we do, in fact, identify unusual behavior, immediately we’re going to enact a dynamic isolation of the endpoints under attack. It’s immediate; as soon as we see unusual behavior, we’re going to isolate.
In terms of the Control phase, CS Coding blocks internet access by default.
For the Infection Spread, which we talked about as Step 6, zoning secures IT and OT with cryptographic zones, and with CS Cloaking, endpoints outside of the other secure zone are not visible. So there are a number of things we’re doing with the solution to reduce the ability of the attacker to attack at all the various steps they’re going through in the process, Steps 1 through 6.
Brandon Witte | Sightline
Right, so with Zoning, for instance, David, we’re making it much harder for an attacker to find other things within the environment, or with the Cloaking that you mentioned, if you can’t see something or you don’t know it’s there, it’s a lot harder to attack it, I would guess.
David Gibson | Unisys
Absolutely. So this is why we don’t trust anything, or anyone, through our Zero Trust. At every stage, we’re trying to limit the attack surface, to hide endpoints and hide data, and to block with a number of things; it’s everything to stop the attacker at every stage of the attack process.
Brandon Witte | Sightline
That’s great. I think we’re just about out of time; I wanted to thank everyone again for spending a little bit of time with us today. Hopefully, you found the session informative. And, if you’d like to learn more about SIAS or cybersecurity and its impacts on the manufacturing space, please visit us online at sightline.com/security.
David Gibson | Unisys
Thank you, everyone. It’s been a pleasure presenting today.
Brandon Witte | Sightline
Stay safe. Take care.
David Gibson | Unisys
Thank you.