For years, process control systems were secured with a combination of “security through obscurity” and willful ignorance. Increased threats from malicious hackers sponsored by nation-states and criminal organizations are demonstrating that neither of these approaches is sufficient. If you are to have a hope of keeping your manufacturing processes safe, you have to lock them down.
The first step is the most obvious: Change default passwords. The number of production, manufacturing and process control systems that still use the factory-assigned passwords is staggering. These passwords tend to be readily available via a Google search, so continuing to use them is the electronic equivalent of leaving the key in the lock of your front door.
2. Default Names
Step two is similar: Change the default names of devices and networks. This is another very, very basic step, but one that far too many manufacturers fail to take when deploying control systems. Now that the most basic steps have been taken, it’s time to work on more serious security strategies.
3. Process Control and Business Networks—Separate but Equal
Treat your process control network like you treat your business network—and keep the two separate. Each of these is important, but many manufacturers treat one as more important than the other. In actuality, the two are related in what they do for the business and why they can be critical for safe manufacturing.
Treating the process control network like the business network means building a perimeter around the manufacturing network similar to the one built around the financial and IP portions of the business.
That means a firewall and IPS (Intrusion Prevention System) or a UTM (Unified Threat Management) controlling traffic in and out of the network. Notice that traffic out of the network and within the network is important. Many times unusual traffic through and out of the network is the only way that a successful intrusion is detected.
Separating the process and business networks is important because it is too easy for a vulnerability in one of the networks to introduce malware for the other. Business-side users, for example, may be more likely to use USB thumb drives that could carry malware targeting industrial controllers. And a poorly defended manufacturing line might provide an easy attack vector for malware that could move into critical databases.
There are legitimate reasons to keep the networks separate, communicating through secure gateways, but each well defended from the outside world.
IT security professionals are well beyond the point of wondering why a hacker would be interested in a production line. Whether they’re interested in disrupting the manufacturing process, stealing intellectual property, or gaining access to data beyond the factory floor, process control makes an inviting target. Lock it down and avoid becoming the headline of your own manufacturing security horror story.