Keeping Machines, OT Networks and IT Safe From Cyberattacks PostedFriday, September 18,2020 at 12:21 PM Photo by Michael Geiger on Unsplash By Wayne Labs System integrators and machine builders are great sources when you want to learn how to protect control networks from viruses and ransomware. After all, they design and build machines that must operate continuously without incident, supplying operational data to those who need it—and keeping their equipment and the rest of the plant safe from cybersecurity intrusions—malware, viruses and ransomware. One such machine builder that has been making cyber-secure, safe machines and IT/OT networks communicate without incident for six years is elliTek, Inc., a Control System Integrators Association member. I spoke with elliTek’s president, Brandon Ellis, who has probably seen it all—from the vantage point of where the rubber meets the road. Located in Knoxville, Tennessee, elliTek builds custom machines for manufacturing systems and offers comprehensive turnkey and design/build services—in addition to tech training. The SI offers IIoT solutions and system integration services for vision inspection systems, robotic work cells and linear motion systems—to name a few. FE: Brandon, in your estimation, how critical is food and beverage compared to pharma operations in terms of cybersecurity? Brandon Ellis: Honestly, I believe food and beverage is as critical, if not more so than pharma when it comes to the potential harm that could result from a malware/ransomware infection. Many manufacturers in food and beverage have migrated to SCADA based systems as a means of transferring manufacturing data. Unfortunately, these systems, being primarily Windows-based, have demonstrated many industrial-based vulnerabilities as evidenced by Stuxnet when it derailed a uranium enrichment plant in 2010 by simply locating a known PLC and exploiting the OPC communications layer to establish an active, online connection directly to the PLC and wreaking havoc—that was 10 years ago! Yet these systems continue to be used. So, what is the nature of my concerns? Again, I think food and beverage is as critical as pharma. After all, how many of us have placed food and beverage products into our bodies while blindly trusting that the ingredients are as listed on the package? Moreover, how many of us have offered these same items to others—friends, parents, siblings, our children? Pharma is highly regulated in most cases, but often food and beverage regulations are not as stringent, which may allow for even scarier possibilities. FE: So how can ransomware deleteriously affect food? Ellis: Ransomware encrypts data and asks for money. What is the big deal? Consider this: What if instead of simply locking the data, the data is slightly changed maliciously at the source (the recipe handler for example). Now consider that these changes, perhaps random in nature, can result in changing the amounts of ingredients and potentially affecting the safety of those ingesting it? What then if the ransomware waits until the change is found, and, upon an attempted modification, the encryption occurs and the data locks? Even if the ransom is paid and the data released, the data is already invalidated. FE: What are points of a cybersecurity penetration? Ellis: To be cyber-secure, many consider the final means of protection to be avoidance. Having had conversations with IT folks in the aftermath of an infection, and hearing about vectors ranging from VPN and cloud-based entry points to common networks and something as simple as a USB thumb drive, the list of potential penetration vectors is quickly turning into a rather long one. FE: Today, everyone wants machines that are smart with remote monitoring functionality. Even my network printer lets me know when there’s a problem or it needs more supplies. So whose problem is cybersecurity in a mixed IT/OT and third-party machine builder environment? Ellis: Yes, third-party systems are the current rage, as many supposed OT based manufacturers work to solve their version of the problem, which, invariably, they describe as the IT department! Many of these largely marketed systems promise machine monitoring, remote support, online dashboards, etc.—all hosted on a remote cloud. They are wonderful! Machine builders and OEMs love them as they allow low cost, remote monitoring, and connectivity, and often as a paid service offered to the end-user. These services allow the machine builder to remotely support downtime occurrences, thus averting the time and expense of traveling to the site, while also enjoying a monthly subscription! It is a great idea! Unless you fear cyberattacks. Unfortunately, all of the pros of the above approach also offer many cons in terms of potential penetration points as these systems are designed to allow engineering and production to side-step the very folks, aka the IT department, who represent the primary defense against cyberattacks—further, production is actually paying for these vector points! Savvy IT professionals often deny these services for this reason. Incredibly these many suppliers still miss the point and are currently responding with a cellular 4G/5G uplink built into their products in a continued effort to again bypass IT and all their cyber-secure practices and systems. The cellular uplink is even scarier as a new, uncontrolled, and unmonitored vector is easily introduced—one that is subject only to the degree of IT security implemented by the third-party user, not the manufacturing plant. If the monitoring facility becomes compromised, and the cellular links are exposed, the path may be easily opened. Once the connection is made, any integrated, wired, or wireless network connection at the machine level will likely be vulnerable as well. Scary stuff indeed! FE: What about keeping the internet separate from the OT network or machine(s)? Ellis: A common question asked quite regularly is “What about production networks that are disconnected from the internet?” I cannot count how many times I have heard someone confidently state that their production network is safe because it is not physically connected to the internet. Considering today’s IIoT standards, not only is it largely unreasonable to be totally disconnected, doing so can also provide a false sense of security. I have witnessed the aftermath of disconnected networks, which were nearly annihilated due to the same false pretense. In one specific instance, this misconception led to the removal of troublesome anti-malware and antivirus software, as well as the disabling of PC based firewalls as none of these were necessary (after all, nothing was ‘connected’). The penetration point turned out to be a USB thumb drive which was used by an employee to innocently move work files from a home PC to a work PC (which is especially common during today’s COVID-19 staggered, work-from-home requirements). Once introduced, the virus spread across the isolated/‘disconnected’ plant floor network with reckless abandon as there was no means of defense. Windows production-level PCs were of course the victims. The recovery took days, and production suffered the most. This was not ransomware, but a simple virus. The fact is, even if USB ports are disabled, plant engineers must have access to the controller network in order to perform program updates, backup’s, etc. on plant PLC’s, HMI’s, etc., so, whether it’s a USB drive or an entire PC from the outside ‘connected’ world, no usable and productive IIoT based production network can be totally disconnected. Even manufacturers running non-Windows OS’s are at risk. FE: OK, What is a safe way of linking IT and OT/machine networks? Ellis: I have stated to many folks that if anyone claims their device/software/cloud/etc. is impenetrable, walk away. Even with our MES gateways, we work diligently to overcome potential penetration points; the task of overcoming all penetration points is one that requires layers of prevention. One of our most prevalent prevention steps consists of using a proprietary hardware-based firewall to isolate each IT and OT network versus relying strictly upon software. Yes, this is more expensive, but we feel it is warranted, and, thus far, it has proven to be. In short, when (not if) the attack occurs on one network or the other (IT or OT), we will do our best to negate the chance of propagation to the complimentary/isolated network. Doing all you can to allow data manipulation and movement, while also achieving a secure and hardened separation, is a constant battle—one we have been succeeding in for over six years. About Brandon Ellis Brandon Ellis founded elliTek, Inc. in 2009. As a systems integrator, Brandon knew there had to be a better solution to allow dissimilar control platforms to “talk” to each other through the sharing of data. This area of expertise placed Brandon among the first to realize the value of the M2M (machine to machine) movement in the world of Industrial IoT. Despite the turmoil associated with joining two dissimilar and complex worlds, the benefits of bridging the gap served as the driving force for elliTek as it began to focus on increasing its expertise levels within each. With the development of its MES Appliance products and Brandon’s leadership, elliTek continues to provide high-level products and machines that focus on the balance of functionality yet done with simplicity. This article was originally published by Food Engineering.