Shutdown of three bases results in a loss of 1.14 billion USD. Minor security issues may cause major production incidents!

10/08/2018 16:59:01

Security construction cannot be ignored by the manufacturing industry!

On August 3, three core bases of a well-known chip foundry in Taiwan were hit by ransomware, bringing their production lines to a complete halt and causing an estimated loss of 1.14 billion USD. The incident shocked the entire manufacturing industry!

Moreover, according to a recent report by the New York Times, a severe data breach has hit the manufacturing industry hard: more than 47,000 sensitive files from over 100 manufacturers were exposed, 157 GB in total, covering assembly lines, factory schematics, staff personal information, confidentiality agreements, robot configurations, specifications, presentations, etc.

Why have security incidents been occurring so frequently recently?

On the one hand, the manufacturing industry has become a new favorite target of attackers.

Profit is what they are after. The business systems of the manufacturing industry carry sky-high valuations. Attackers can disrupt the normal operation of control systems: for example, commands can be sent to industrial control equipment to shut it down or modify its parameters, directly causing major production accidents. Furthermore, with the development of intelligent manufacturing and the industrial internet, more and more enterprises rely on systems such as ERP and MES to improve production efficiency, so the manufacturing industry has long been inseparable from data. From a hacker's perspective, data is money. Thus, security issues like ransomware and data breaches have become new challenges for the security of the manufacturing industry.

In addition, as intelligent manufacturing and the industrial internet develop, informatization and automation are becoming ever more interconnected. Consequently, the attack surface widens and the cost of an attack keeps falling.

On the other hand, the information security construction of the manufacturing industry is riddled with problems.

1. Automation systems run with “loopholes”
Security awareness among automation system designers is relatively weak. Industrial control protocols, equipment and systems were designed with great attention to usability but neglected security from the very beginning. Once a system is put into operation, its update and upgrade cycle is very long; many PCs still run Windows XP with 512 MB of memory. These vulnerabilities are constantly exposed in the era of intelligent manufacturing, now that IT and OT have become integrated, and attackers can exploit such loopholes to gain access and launch attacks.

2. Industrial control lags behind in terms of security
Automation systems are themselves relatively “fragile”. They cannot tolerate the scanning and antivirus measures used in IT systems, because such “strong” security measures may cause production failures. Thus, even where a firewall is deployed, operators dare not enable blocking mode. As a result, industrial control security mostly consists of “weak” security built around whitelists and blacklists. Such measures are feeble against new types of malware like WannaCry; it is like fighting the guns and cannons of the gunpowder era with shields from the cold-weapon era.

3. APT attacks start from the informatization system
For example, in the BlackEnergy attack on the Ukrainian power grid, the hackers first broke into the office network and then moved into the control layer. ICS-CERT recently reported 290 industrial security incidents; among them, 77 came from spear phishing, 43 from weak authentication and 35 from sniffing attacks. In many cases, industrial control security incidents started from the IT system. The OT security defense system is hard to improve noticeably in the short term because of its inherent attributes; however, by building up security comprehensively across the IT system, attacks can be stopped before they reach the OT layer. This is one of the effective ways to improve the security of the manufacturing industry as a whole.

How can manufacturing enterprises cope with the new security landscape?
Nearly all manufacturing enterprises suffer from two kinds of attacks: the first breaks into the production network via the internet and the office network; the second infects the internal production network via USB drives, rogue devices, etc. Therefore, the following security remediation measures are suggested:

Recognize assets and risks beforehand in order to eliminate security weaknesses.
Using technologies such as asset identification, vulnerability analysis and policy self-check, all protected assets and their risk status can be identified proactively. Ensure that security defense policies are effective, and resolve security risks such as open ports, high-risk vulnerabilities and weak passwords in advance.

In addition, segmentation and USB control should be done well. By building a micro-segmentation system, a compromised host can be isolated when a virus breaks out, preventing other hosts from being infected and narrowing the affected scope. For example, isolate different workshops from each other, and at the same time manage and control USB access on the production line through both software and physical means to avoid infection via USB.
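The two measures above (recognizing assets and risks in advance, then segmenting and controlling USB) can be turned into a repeatable pre-production check. The script below is an added example, not code from the original article or from any vendor product it describes: it audits a constructed plant inventory for the risks the article names (an unsupported operating system, ports open outside the zone's allowlist, weak passwords, uncontrolled USB) and checks firewall rules against a zone segmentation policy. All host names, zones, ports, policy tables and the severity scheme are assumptions made for the example.

```python
"""Asset and risk pre-check over a constructed plant inventory.

Added example, not code from the original article. It models the
"recognize assets and risks beforehand" and "segmentation and USB
control" steps as a small inventory audit. Every host, zone, port and
policy rule below is constructed for illustration.
"""
from dataclasses import dataclass

# Operating systems the audit treats as end-of-life (assumption for the
# example; in practice this comes from the site's asset policy).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Per-zone allowlist of listening ports the policy accepts (constructed).
ALLOWED_PORTS = {
    "production": {102, 502},          # S7comm and Modbus/TCP on the line
    "mes": {443, 1433},                # MES web front-end and database
    "office": {443},
}

# Zone-to-zone flows the segmentation policy permits (constructed):
# office may reach the MES tier, and only the MES tier may reach production.
ALLOWED_ZONE_FLOWS = {("office", "mes"), ("mes", "production")}


@dataclass
class Host:
    name: str
    zone: str
    os: str
    open_ports: set
    weak_password: bool          # result of a prior credential audit
    usb_blocked: bool            # software/physical USB control in place


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str                  # "allow" or "deny"


def audit_host(host):
    """Return a list of (severity, finding) tuples for one host."""
    findings = []
    if host.os in UNSUPPORTED_OS:
        findings.append(("high", f"{host.name}: unsupported OS {host.os}"))
    # Ports listening that the zone policy does not allow; remote-access
    # and file-sharing ports are rated higher because worms spread over them.
    for port in sorted(host.open_ports - ALLOWED_PORTS.get(host.zone, set())):
        sev = "high" if port in (445, 3389) else "medium"
        findings.append((sev, f"{host.name}: port {port} open but not allowed in zone {host.zone}"))
    if host.weak_password:
        findings.append(("high", f"{host.name}: weak or default password"))
    if host.zone == "production" and not host.usb_blocked:
        findings.append(("medium", f"{host.name}: USB access not controlled"))
    return findings


def audit_segmentation(rules):
    """Flag allow rules that cross zones the segmentation policy forbids."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue
        if (r.src_zone, r.dst_zone) not in ALLOWED_ZONE_FLOWS:
            findings.append(("high", f"firewall: {r.src_zone}->{r.dst_zone}:{r.dst_port} allowed, violates segmentation"))
    return findings


def audit(hosts, rules):
    """Run both audits and return all findings."""
    findings = []
    for h in hosts:
        findings.extend(audit_host(h))
    findings.extend(audit_segmentation(rules))
    return findings


# Constructed sample inventory: one legacy HMI carries most of the risk.
SAMPLE_HOSTS = [
    Host("hmi-line1", "production", "Windows XP", {102, 445, 3389}, True, False),
    Host("plc-gw-line2", "production", "Linux", {502}, False, True),
    Host("mes-app", "mes", "Windows Server 2016", {443, 1433}, False, True),
    Host("eng-laptop", "office", "Windows 10", {443}, False, True),
]

SAMPLE_RULES = [
    FirewallRule("office", "mes", 443, "allow"),
    FirewallRule("office", "production", 445, "allow"),   # the risky rule
    FirewallRule("internet", "production", 3389, "deny"),
    FirewallRule("mes", "production", 102, "allow"),
]

if __name__ == "__main__":
    for sev, text in sorted(audit(SAMPLE_HOSTS, SAMPLE_RULES), key=lambda f: f[0] != "high"):
        print(f"[{sev.upper():6}] {text}")
```

Run as-is, the audit lists six findings: five high (the XP host's operating system, its SMB and RDP ports, its weak password, and the office-to-production SMB firewall rule) and one medium (uncontrolled USB on the same HMI). The value of the exercise is that the same tables drive both the host audit and the segmentation audit, so a policy change is made in one place and re-checked everywhere.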

Besides investing in OT security, attention should be paid to strengthening the security construction of the IT layer.
Many manufacturing enterprises need to connect OT and IT when deploying MES, which exposes industrial control vulnerabilities. Therefore, while OT security construction is ongoing, the same should be done for the IT layer, isolating the production line from dangers and risks.

On the one hand, situational awareness capability should be cultivated. After an infection, reinstalling the PC's operating system alleviates the threat to some extent, but it is still hard to pinpoint the source of the virus. Consequently, once the new system is connected to the network it is susceptible to being infected again, so the danger is not rooted out at its source. With security situational awareness, traffic across the whole network can be collected and continuously analyzed with technologies like AI and big data to trace and pinpoint threats; once the source is found, measures can be taken to root it out.
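The point of collecting traffic network-wide, as the paragraph argues, is to find the host that is spreading the infection rather than just reimaging whichever machine showed symptoms. The script below is an added example, not code from the original article: it runs a simple lateral-movement detector over constructed flow records, counting how many distinct peers each source contacts over SMB (port 445, the port WannaCry propagated on) within a sliding time window, and names the earliest fanning-out host as the likely source. The flow format, addresses, timestamps, window and threshold are all constructed assumptions.

```python
"""Tracing a spreading infection from network flow records.

Added example, not code from the original article. It scores each
source host by the number of distinct destinations it contacts on a
lateral-movement port within a time window; a host fanning out to many
peers is a worm-propagation indicator, and the earliest such host is the
best lead on the source. All records, hosts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: timestamp, source, destination, dst port, action.
# 10.10.1.15 fans out first; 10.10.1.21 starts fanning out after it is hit.
SAMPLE_FLOWS = """\
2018-08-03T14:00:01 10.10.1.15 10.10.1.21 445 allow
2018-08-03T14:00:02 10.10.1.15 10.10.1.22 445 allow
2018-08-03T14:00:02 10.10.1.15 10.10.1.23 445 allow
2018-08-03T14:00:03 10.10.1.15 10.10.1.24 445 allow
2018-08-03T14:00:03 10.10.1.15 10.10.1.25 445 allow
2018-08-03T14:00:04 10.10.1.15 10.10.1.26 445 allow
2018-08-03T14:00:10 10.10.1.21 10.10.1.22 445 allow
2018-08-03T14:00:11 10.10.1.21 10.10.1.23 445 allow
2018-08-03T14:00:12 10.10.1.21 10.10.1.27 445 allow
2018-08-03T14:00:12 10.10.1.21 10.10.1.28 445 allow
2018-08-03T14:00:12 10.10.1.21 10.10.1.29 445 allow
2018-08-03T14:01:00 10.10.2.5 10.10.2.9 1433 allow
2018-08-03T14:01:30 10.10.2.5 10.10.1.21 445 allow
2018-08-03T14:05:00 10.10.1.21 10.10.1.30 445 allow
"""

LATERAL_PORTS = {445}        # SMB; WannaCry spread over this port
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 5         # distinct peers within WINDOW (constructed)


def parse_flows(text):
    """Parse the whitespace-separated flow format above into time-sorted dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "action": action})
    return sorted(flows, key=lambda f: f["ts"])


def fanout_alerts(flows, ports=LATERAL_PORTS, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: (window_start, peer_count)} for sources that reached at
    least `threshold` distinct destinations on a lateral port within `window`."""
    by_src = defaultdict(list)
    for f in flows:
        if f["port"] in ports:
            by_src[f["src"]].append(f)
    alerts = {}
    for src, evs in by_src.items():
        # Sliding window over this source's events (already time-sorted).
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peers = {e["dst"] for e in evs[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = (evs[start]["ts"], len(peers))
                break
    return alerts


def likely_patient_zero(alerts):
    """The earliest host to start fanning out is the best lead on the source."""
    if not alerts:
        return None
    return min(alerts, key=lambda s: alerts[s][0])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    alerts = fanout_alerts(flows)
    for src, (ts, n) in sorted(alerts.items(), key=lambda kv: kv[1][0]):
        print(f"{ts} {src} contacted {n} peers on SMB within {WINDOW.seconds}s")
    print("likely source:", likely_patient_zero(alerts))
```

On the sample data two hosts trip the threshold, 10.10.1.15 at 14:00:01 and 10.10.1.21 nine seconds later, and the earliest is reported as the likely source; the database server 10.10.2.5, which made a single SMB connection, is not flagged. Reimaging 10.10.1.21 alone would leave 10.10.1.15 free to reinfect it, which is exactly the cycle the paragraph describes.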

On the other hand, a dynamic, closed-loop security system should be built rather than static, layered and comprehensive defense. By forming a dynamic security system featuring prevention, detection, defense and response, the overall security capability of manufacturing enterprises can be improved to provide continuous, closed-loop security protection.
