Cybersecurity in

Smart Factories
W IN TER ED I TI ON
Contents

3 — OT and IoT cybersecurity: A marriage of digital factories

and cybersecurity

11 — Complete Visibility with Tenable.ot

12 — Smart manufacturing’s impact: Is it moving fast enough?

20 — A Practical Way To Reduce Risk on the Shop Floor

30 — Throwback Attack: Smart buildings, smarter hackers

34 — Smart Factories and Cybersecurity: Expert interview Series,

Moty Kanias, NanoLock

38 — Accelerating the adoption of smart manufacturing in

the U.S.

2
OT and IoT cybersecurity: A
marriage of digital factories and  Back to TOC

cybersecurity
C ybersecurity for operational technology (OT) and the Internet of Things (IoT) is a
field of study and practice to prevent the unauthorized access, manipulation, and
disruption of OT and industrial and consumer IoT devices and platforms. New empha-
sis is now being placed on reducing incident severity across sectors that deploy these
technologies, tapping into the strong safety culture throughout industrial environ-
ments.

The ISA/IEC 62443 series of standards — which focuses exclusively on industrial auto-
mation and control systems — succinctly defines the term security as the “condition of
system resources being free from unauthorized access and from unauthorized or acci-
dental change, destruction or loss.”

There has been an increase in cybersecurity incidents, both those that are financially
motivated and those primed to cause physical disruption, using both OT- and IoT-spe-
cific vectors and malware. Strategies for securing OT and IoT have traditionally de-
ployed defense-in-depth approaches. Defense in depth is a strategy with various meth-
ods for introducing stopgaps for security across an organization, layering controls in a
way that crosscuts people, technology and processes, and relies on tools and policies
that ensure robust and redundant protection. Tools and policies may include endpoint
security, access controls, segmentation, network monitoring, anomaly detection, patch
management and allow listing, and additional cybersecurity solutions depending on
the type and complexity of an organization, its assets and its networks.
3
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

Admittedly, cybersecurity is a large, complicated — and intimidating — subject that is  Back to TOC
further complicated by its many interactions with adjacent subjects. Visualizations of
what the subject includes take many forms. One particularly popular mind map was de-
veloped by Henry Jiang and improved over four years. Another popular graphic from
Momentum Cyber categorizes the hundreds of tools that target various security needs
and specialties, such as data, endpoint or application security, risk and compliance,
and incident response. Interestingly, only a fraction of those tools — probably less than
10 percent — focus on OT and industrial control systems today.

At its roots, OT and IoT cybersecurity is an accidental by-product of Industry 4.0. The
fourth industrial revolution, characterized by the real-time optimization benefits that
connected systems provide to a business, has driven information technology (IT)/OT
convergence and exposed vulnerable OT and IoT systems. As technologies that help
businesses realize the benefits of connectivity mature, so does the increase in risk. Put
another way, the more important digital factories become, the more important OT and
IoT cybersecurity becomes; the two are married.

Increasing risks to OT and IoT security

In fact, cyber risk has been increasing so quickly that the federal government, insurers,
cybersecurity professionals and asset owners alike are struggling to keep up. On May
7, 2021, the U.S. suffered the largest attack to date on its critical infrastructure: the
Colonial Pipeline ransomware attack, which shut down its pipeline system for five days
— the first time it had done so in its 57-year history. The very day operations resumed,
President Joe Biden issued an executive order specifically referencing OT security, ele-
vating the topic’s attention internationally.

4
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

From a legal perspective, courts are evaluating responsibility for cybersecurity incident  Back to TOC
liabilities. When Merck was affected by the 2017 malware attack known as NotPetya
— which was deployed by Russia with Ukrainian companies as its primary target —
Merck’s insurers famously declined the insurance claim by citing a policy exclusion for
acts of war. However, in January 2022, a New Jersey Superior Court judge ruled that
the exclusion cannot be used. This ruling will certainly cause actuarial calculations to
change, further accelerating the already increasing premiums for cybersecurity insur-
ance policies.

The Colonial Pipeline attack and major shifts in legal and liability rulings are just
two examples showing that there has never been a moment of more rapid change
within the OT and IoT cybersecurity space than today. And from an asset owner’s
perspective, the business risks associated with OT and IoT cybersecurity have never
been higher.

In OT and IoT, different systems are responsible for performing functions, controlling
functions, monitoring functions and analyzing functions, traditionally designed with
mission state and continuity in mind. The evolution of the technologies we care about
in OT began with on-premise connectivity between systems, often using Ethernet, to
connecting multiple sites and often remote locations, to the expansion of supervisory
control and data acquisition architectures. They are increasingly adopting cloud tech-
nologies. These systems are deployed and configured without visibility into the com-
munications and data patterns that power their operating status, resulting in limited
information to investigate and understand the root cause of a cybersecurity incident or
data management accident.

5
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

The Industry 4.0 push for intelligence and the crunching of more data has led to the  Back to TOC
development of IoT solutions that require massive amounts of asset intelligence and
data that few spend the resources to understand and maintain from a security perspec-
tive. With this landscape, the continued overlap of IT and OT, and the rapid expansion
of smart devices for industrial and consumer use, asset owners are often left in the dark
about how to address security concerns and mitigate risks.

It is clear that the technology available and the activities required to secure comput-
er systems are enormous, but what may not be clear is how OT and IoT cybersecurity
relates to cybersecurity generally. Is OT and IoT cybersecurity a subset of a broader
cybersecurity space as some suggest, or is it entirely different?

The answer: OT and IoT cybersecurity is the practice of cybersecurity applied to OT

and IoT systems. In some areas, securing OT and IoT systems is the same as tradi-
tional IT systems. Identical tools and processes can be leveraged. In other areas, they
are entirely different, requiring specialized tools, protocol expertise, and tailored
methodologies.

Trends in OT and IoT cybersecurity

On Feb, 24, 2022, Russia began its invasion of Ukraine, which have affected interna-
tional markets, foreign policy and cybersecurity. The Cybersecurity and Infrastructure
Security Agency (CISA) issued a “Shields Up” advisory as a direct response to the
increased cyber risk. New strains of destructive malware — which leave devices perma-
nently destroyed with no means to recover — have been detected in Ukraine, including
WhisperGate, HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper. Worse,
it has been reported that the malware has been detected on U.S. building automation
6
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

system networks, a clear example of the risks to third-party OT/IoT asset owners when  Back to TOC
distant warring nations engage in cyberattacks.

There has been a full realization that operations that tolerate little to no physical down-
time are lucrative targets. Threat actors are doing their homework and learning more
about the purpose-built nature of OT and industrial IoT operations, meaning that un-
authorized access is more dangerous than ever. Recent attacks have focused on three
relevant trends:

• Targeting centralized control and management capabilities as a single point of

failure

• Achieving longer dwell times (i.e., doing extra work to go undetected for longer
periods)

• Increased understanding of OT and IoT operations to disguise manipulations as

legitimate activity.

Within the technology space, OT-specific security tools continue to grow and gain
popularity. OT cybersecurity pundit Dale Peterson recently posted a blog article stat-
ing that “the first OT security product segment to have a company, actually multiple
companies, valued over $1 billion is OT detection.”

History demonstrates that the cybersecurity vendor market is extremely dynamic; over
the past year, FireEye (products) and Mandiant (services) split, followed by an acquisi-
tion of Mandiant by Google for $5.4 billion. Such major mergers and acquisitions activ-
7
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

ity is part of a larger trend in surging mergers and acquisitions volume. We can expect  Back to TOC
this to continue, with OT and IoT cybersecurity software tools changing corporate
ownership and growing in complexity and company valuation.

From a technical perspective, providers and asset owners are increasingly adopting
cloud hosting as a part of their strategies. Nozomi Networks, for example, released
Vantage, a cloud-based software as a service platform for OT and IoT security moni-
toring in 2020. Other tools, including Armis, MediGate and many IT-oriented cyberse-
curity tools also use a cloud-centric platform for security monitoring. As asset owners
demand greater scalability and advanced analytics of enterprise-wide security data
for insights, cloud platforms will continue to gain in popularity across all OT and IoT
verticals.

Securing smart factories

Factories are historically data-rich but information-poor ecosystems. As the benefits of
a smart factory drive more and more connectivity and intelligence drives innovation,
the reality is that cybersecurity risks will grow. All smart factory initiatives must include
a strategy for appropriately managing the risk to the business to a tolerable level, plain
and simple.

To do this, organizations are increasingly investing in a security operations center

(SOC) that monitors logs and events within their IT environments and OT environments
in one location. Security information and event management (SIEM) and security or-
chestration, automation and response (SOAR) tools are typically used to do this.

In effect, logs and events are aggregated from OT, IoT and IT security tools into a
8
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

single location, where analysts can continually monitor for suspicious activity. Or after  Back to TOC
an incident has occurred, logs can be correlated, and a narrative can be built to under-
stand how the incident occurred.

In the case of a SOAR, the tool may be enabled to automatically take preventive ac-
tion when certain logs and events are seen. In some cases, additional software plat-
forms are included in the mix, such as threat intelligence platforms to keep the team
informed of the latest threat signatures and malicious activity occurring throughout
the world.

Unfortunately, the investment required to deploy an SOC is massive. It is further com-

plicated by the shortage of cybersecurity talent globally as well as by the realization
that a security operation center alone is not sufficient. Instead, asset owners small and
large are turning to managed security service providers (MSSPs) that integrate tools
deployed within the asset owner’s environment into the MSSP’s SOC. In fact, Forbes
published that the MSSP market is expected to reach $40.97 billion this year, based on
Allied Market Research’s 10-year report. The trend toward SOCs and outsourcing to
MSSPs is here to stay.

Beyond traditional security monitoring, the OT and IoT environment is unique in that
the underlying control systems are controlling a physical process. OT monitoring tools
take advantage of this by not only alerting on known malicious signatures, but also by
monitoring the process variables themselves and alerting on anomalies.

For example, if a process variable goes significantly outside its typical range or if a
process variable stops updating, OT security monitoring tools can alert on that change
9
OT and IoT cybersecurity: A marriage of digital factories and cybersecurity

without any manual configuration. Process variable anomaly detection is a hotly dis-  Back to TOC
cussed topic, with pundits theorizing on how process variable anomaly detection may
mature going forward.

Stay tuned for how this marriage between smart factories and cybersecurity responses
continues to evolve.

Jacob Chapman and Danielle Jablanski

Jacob Chapman has a background in automation engineering, project management,
account management, industrial networking, and ICS cybersecurity. He is solutions ar-
chitect, BD and Alliances, for Nozomi Networks. Chapman also maintains involvement
and leadership positions in international societies and standard bodies, including as
the Cybersecurity Committee chair of the ISA’s Smart Manufacturing & IIoT Division, a
registered U.S. expert to TC65 of the IEC, and a member of the ISA99 standards de-
velopment committee. Danielle Jablanski is president of the North Texas Section of
ISA, OT cybersecurity strategist for Nozomi Networks, and a nonresident fellow at the
Cyber Statecraft Initiative of the Atlantic Council’s Scowcroft Center for Strategy and
Security. Jablanski is staff and advisory board member of the nonprofit organization
Building Cyber Security. She holds a master’s degree in international security from the
Josef Korbel School of International Studies at the University of Denver and a bache-
lor’s degree in political science from the University of Missouri – Columbia.

10
Complete Visibility with Tenable.ot

 Back to TOC


Complete Visibility with Tenable.ot
Tenable.ot is an industrial security solution for the modern
industrial enterprise. Find out how you can give your
organization the ability to identify your assets, communicate risk
and prioritize action.

11
Smart manufacturing’s impact:
Is it moving fast enough?  Back to TOC

Smart manufacturing can have many positive impacts for companies, but the
problem is many aren’t buying in because they don’t know what kind of short-
and long-term benefits it can provide.

S mart manufacturing technologies such as artificial intelligence (AI), the industrial

Internet of Things (IIoT), augmented reality (AR), virtual reality (VR), digital twins,
digital threads, manufacturing execution systems (MES), advanced analytics, cobots
and more all very powerful technologies. The synergies among these technologies
make them so much greater than the sum of their parts. All of them [technologies
related to Industry 4.0] are helping transform the manufacturing industries back into an
economic powerhouse.

This transformation, however, isn’t happening for many companies. The reason is be-
cause some companies simply aren’t using smart manufacturing and all those powerful
technologies, or they’re not using them very much. Many companies aren’t really sold
on smart manufacturing and the technologies that go with it. They might have one or
two pilot projects going to prove smart technology and its benefits before it’s adopted
beyond the pilot. How long is long enough before the results of the pilot project say
it’s time to move forward?

Manufacturers that embrace smart manufacturing can use those technologies to cre-
ate a competitive edge. Companies that aren’t moving fast enough won’t make a real
impact on the business and will find themselves falling behind their competition. There
are many reasons why manufacturing industries need to move much, much faster to
implement smart manufacturing.
12
Smart manufacturing’s impact: Is it moving fast enough?

Smart manufacturing’s bottom-line benefits  Back to TOC

As manufacturers embrace smart manufacturing, they’re transforming operations
from traditional, old-school manufacturing operations to high-tech digital manu-
facturing operations and realizing tremendous bottom-line benefits. The results are
seen in increased productivity, reduced costs, reduced inventory, improved quality,
reduced scrap and rework, improved yield, improved asset utilization, reduced ener-
gy costs and more.

These tangible benefits have a direct impact on manufacturing operations’ bottom line,
but they impact much more than that. Smart technology also generates intangible bene-
fits, which are just as valuable, but more difficult to quantify. It helps manufacturing opera-
tions do things better, faster and cheaper – all of which directly impact the bottom line.

With these modern technologies, manufacturing operations also can become more
agile, meaning they can change direction quickly and easily – moving from different
products, different materials, different assets or even different approaches to manu-
facturing. While agility is very difficult to quantify, it is very valuable as a normal part of
everyday operations.

Smart manufacturing not only provides increased agility, flexibility and responsiveness,
it also can increase quality, speed, productivity, consistency and predictability. All these
capabilities have a positive impact on a manufacturer’s customers, suppliers, workforce
and community.

Customer technology expectations are increasing

Today’s customers use smart technology and are more tech-savvy than ever. They have
13
Smart manufacturing’s impact: Is it moving fast enough?

come to expect new products, new product solutions and customized product vari-  Back to TOC
ations. They want on-demand access to new and better, high-quality products. They
want more customizable bells and whistles at lower costs along with quick response
times and superior service.

With smart manufacturing, manufacturers can use real-time data to meet customer
specifications and help solve problems. Customers require data on product details,
specifications and usage.

Smart manufacturing makes it easy to collect, organize and summarize the data cus-
tomers require and provide it along with the products and solutions.

Manufacturers also can make quality products with tighter specifications. This helps
them deliver better products and services to customers while helping resolve their
problems with fit-for-purpose solutions at the same time.

Supplier manufacturing partnerships and collaboration is key

Strong collaboration with suppliers is key to establishing a successful partnership.
Suppliers want to understand how they can help support manufacturing business
needs. They want to be more than just commodity suppliers responding to requests
and sending what’s listed. Suppliers want insight into how they can help solve manu-
facturing problems and provide the best products and services to the consumer.

With smart manufacturing technologies, manufacturers and suppliers can collaborate

and work together as true partners and deliver the quality products and solutions
customers have come to expect. Using intelligent real-time data, manufacturers and
14
Smart manufacturing’s impact: Is it moving fast enough?

 Back to TOC

suppliers can gain insight into customer requirements. There are many reasons why
manufacturing industries need
They can then change the products, materials, or pro-
to move much, much faster to
cess to meet customer specifications, as well as deliver implement smart manufacturing.
new services, new products and new variations. Courtesy: Rockwell Automation

Smart manufacturing can lay the foundation for manufacturers and suppliers to collab-
orate and build a stronger partnership that delivers better, faster and lower cost prod-
ucts and solutions.

How smart manufacturing empowers the workforce

Manufacturing jobs aren’t what they once were. The next generation is showing little
interest in manufacturing jobs. Hiring and retaining people to work in manufacturing
15
Smart manufacturing’s impact: Is it moving fast enough?

industries is extremely difficult. Smart manufacturing helps companies build a safe work  Back to TOC
environment that appeals to people and gets them interested in manufacturing careers.
Transforming with smart technologies also has a significant impact on the overall cul-
ture and quality of life in an industrial work environment. Companies can improve their
employment value proposition and make it easier to recruit and retain an industrial
workforce. They can use smart manufacturing to create a high-tech digital environ-
ment, a place where people want to work and can use modern tools and technologies
to do their jobs safely, effectively and efficiently.

Nobody wants to work in an environment where they are undervalued or underappre-

ciated, or be seen as cogs in the manufacturing machine. Modern workers want to be
empowered to make decisions and proactively improve operations in a safe environ-
ment where they can significantly impact the job.

In other words, let the machines do what they do best while the people do what they
do best.

Smart tools and technologies also help collect and transform real-time data into infor-
mation and provide it to the right people at the right time. Based on this data, workers
can then make informed decisions to keep productivity up and costs down, which all
leads to greater long-term economic sustainability.

Smart manufacturing tools and technologies enable workers in a manufacturing oper-

ation to become highly skilled knowledge workers, where they are very effective and
productive in their jobs and highly valued within the company.

16
Smart manufacturing’s impact: Is it moving fast enough?

Smart manufacturing and sustainability: More than  Back to TOC

technologies
Smart manufacturing technology helps manufacturers achieve sustainability. Many
technologies can help achieve results for environmental sustainability (reduced waste,
emissions, energy and carbon footprint) and economic sustainability (profitability) ef-
forts. But smart manufacturing is about more than just technology – it’s about people
and processes, as well. It’s about the social responsibility to employees and the com-
munity. Smart technology helps reduce the impact in all these areas and helps compa-
nies keep their competitive edge.

From an environmental sustainability perspective, smart tools and technologies pro-

vide the data necessary to know what’s going on and to figure out why it’s happening.
This provides the ability to analyze data in context over the short and long term to see
trends, to perform real root cause analysis (RCA) and judge the efficacy of programs
designed to reduce waste and reduce emissions.

Real-time data and analytics also help companies achieve economic sustainability by
increasing productivity and reducing costs. It’s about increasing throughput, uptime
and manufacturing performance while reducing overhead costs, operating costs and
capital costs. Leveraging the data, companies can analyze productivity and the obsta-
cles holding it back. They can analyze costs and the best way to reduce costs.

Smart manufacturing also helps corporations become more socially responsible and
make a positive contribution to their communities and globally. Social responsibility
can take many forms, and each company must decide how it wants to make a positive
impact. It’s about improving the quality of life for employees and everyone, locally and
17
Smart manufacturing’s impact: Is it moving fast enough?

globally. The company’s actions with employees and their surrounding communities  Back to TOC
reflects company values worldwide.

Smart manufacturing may be one of the only ways companies can truly achieve envi-
ronmental and economic sustainability, as well as corporate social responsibility.

Smart manufacturing delivers a competitive advantage

Many manufacturers simply aren’t moving fast enough with smart manufacturing to
make any kind of significant impact on their business. For those who stay status quo
and keep doing the same business over and over again in the same traditional ways
with no innovation, no growth, no changes and no improvements, the competition is
looking to pull ahead and become the industry leader.

It’s time to embrace smart manufacturing and not pay lip service to it or by only exe-
cuting a pilot project. Companies that embrace smart manufacturing will realize bot-
tom-line benefits, meet customer expectations, build stronger supplier partnerships,
attract, hire and retain a more empowered, productive workforce, meet sustainability
goals and much more.

Manufacturers need smart manufacturing tools and technologies to help transform

their operations so they can have a positive impact on the company, its people and the
surrounding community. That’s the power of smart manufacturing.

John Clemons
John Clemons is a solutions consultant, LifecycleIQ Services at Rockwell Automation.
He has been working in the field of manufacturing IT for more than 30 years.
18
MANUFACTURING SECURITY:
MANAGE IT/OT WITH
CONFIDENCE
A Practical Way To There is a lot of noise on cybersecurity for the
manufacturing shop floor, but where do you start?

Reduce Risk on the

Let’s keep it simple and touch on why attackers
do what they do, and what you can do to stop
them. It’s all about reducing risk, and maximizing
Shop Floor your efforts to get the best results. Read on to
learn more about the threat landscape and some
tactics to manage the threats.

W hatever name we want to put on it, the trend

widely called digitization or convergence in IT/OT
in manufacturing has its good and bad points. Increased
data about quality, efficiency and sustainability makes
for faster and more informed decisions. The increased
connections and new systems mean traditionally isolat-
ed systems are connected. In the rush to connect, we
expand the attack surface, resulting in deficient security
and safety controls. In this blog post, we look at the true
nature of vulnerabilities and their fixes on the shop floor.

Let’s take a deep and meaningful look into the threats fac-
ing us today:

1. Bad guys trying to make money off of you

2. Bad guys trying to make money off of someone else

by damaging you
A Practical Way To Reduce Risk on the Shop Floor

Yeah, that’s kinda it. We can slice and dice it many ways but the things we need to do  Back to TOC
to prevent and/or fix it are the same. It all comes down to a set of impactful defenses
we summarize below.

So let us take a deep and meaningful look into the defenses you can put in place:

1. You can fix vulnerabilities

2. You can chase threats

Yeah, that’s kind of it, but we are going to look at fixing vulnerabilities because that is
where money is best spent. Chasing down intrusions and threats sounds glamorous –
very James Bond with cool terms we appropriate from the military. The truth of the mat-
ter is it is pretty expensive and requires full-time employees (FTEs) dedicated to hunting.
What we can also do is look for the effects of attacks and quickly respond. This is resil-
iency which is much more important in ICS, and much more straightforward in ICS.

So, vulnerability management it is, then. It is a pretty charged topic in the OT world,
but bear with me. Fixing vulnerabilities is not just patching. Otherwise, I wouldn’t
waste my time or yours.

So, what is a vulnerability?

The National Institute of Standards and Technology (NIST) defines it as: “Weakness
in an information system, system security procedures, internal controls, or implementa-
tion that could be exploited or triggered by a threat source.”
21
A Practical Way To Reduce Risk on the Shop Floor

I bet most of you thought about Windows system patching, maybe CVE or CVSS scores  Back to TOC
of one flavor or another. I would modify the NIST definition from “information system” to
“system.” It would be more inclusive of OT, and really of anything that introduces cyber
risk. Doesn’t that make you think of a vulnerability differently? With that context, here are
some common vulnerabilities (you could also call them weaknesses if that helps):

• Flaws in software coding (yup, blame the other guy)

• Hardware and software designed without security in mind, such as legacy equip-
ment, which is very common in manufacturing environments.

• Configuration or implementation decisions that ignore security

• Poor process, poor standards

• Inadequate knowledge of system capabilities

My favorite vulnerability falls under the third bullet above; shop floor computers that
use a shared username and password. Another example of a configuration weakness is
the many devices that have no authentication at all when a method is available.

Notice that only the first one of the categories can be fixed by a “patch”. I’m going to
go wide here and clump everything that requires an upgrade “patch.” Disclaimer, de-
pending on the nature of the system requiring a patch, the process can be disruptive to
the production process. With that said, Windows hotfixes, upgrades, anything on Patch
Tuesday, firmware upgrades on a controller, new versions of software, etc … are in scope.
22
A Practical Way To Reduce Risk on the Shop Floor

Admittedly a wide net, but we want to take a holistic view. We fear and loathe patching,  Back to TOC
yell at IT for suggesting them, start bar fights, hold grudges, and argue endlessly at con-
ferences. I digress. Let’s cover the steps in the vulnerability management process:

• Vulnerability identification: Vulnerabilities in a system are detected through vulner-

ability scanning, penetration testing or code review (or other stuff).

• Vulnerability assessment: Gauging the probability of a vulnerability being exploited

by an attacker and determining the impact should the vulnerability be exploited.

1. A formally designed program would call this risk quantification.

• Vulnerability resolution: Mitigation or remediation. But what is the difference?

1. Remediation – Correct or remove the vulnerability – typically a patch.This is

often not possible in all parts of an ICS environment. In controllers, it rarely
meaningfully raises your security posture, resulting in the next step.

2. Mitigation – Reduce, lessen or decrease the likelihood of a successful attack

or lessen the impact of a successful attack. These are often called compen-
sating controls.

How Tenable OT Security helps cybersecurity professionals in

the manufacturing industry
Let’s look at the vulnerability management process outlined above, through the lens of
a security practitioner using Tenable OT Security.
23
A Practical Way To Reduce Risk on the Shop Floor

Example 1:  Back to TOC

Step 1: Here, we are continuously monitoring and scanning a manufacturing environ-

ment with Tenable OT Security. You can see we were able to identify CVE-2020-6998
present on a Rockwell controller. Not only do we identify the vulnerability, but we also
get options for remediation. We can follow the links on the screen for instructions and
resources. In the image below, we can see the option to upgrade the firmware to ver-
sion 33.011 or later.

Step 2: Based on what process the controller runs, we may not be able to do any-
thing, or even improve anything. Why did I say remediating the device may not make
anything better? Well, even when a provider like Siemens or Rockwell provides an
authentication method in a controller, it is rarely used. So, all anyone needs is the
coding tool from the manufacturer like Studio 5000 or TIA Portal, to access the device.
Even better, a bad guy might just get access to the Windows workstation normally
used to program that controller. My point is, exploits for controllers can be a waste of
time if there is no authentication.
24
A Practical Way To Reduce Risk on the Shop Floor

Tenable OT Security leverages Vulnerability Priority Ratings (VPR), helping users under-  Back to TOC
stand the exploitability of a vulnerability. The image below shows a summary of our re-
search for this specific vulnerability, saying there aren’t any known exploits in the wild. The
VPR score is low, indicating low risk if this vulnerability is present in your environment.

Step 3: Based on the above assessment, the best option might be mitigation. For this
one, and many other Rockwell devices, that means blocking traffic on port 44818 from
“outside the manufacturing zone.”

Tenable OT Security can build you a visual network map that shows you all of the con-
nections in the ICS network and their IP addresses. In the figure below, we get a clear
view of the devices that need connectivity and those that do not, making the most
challenging part of writing firewall rules significantly easier.

Using this information, we can take it a step further than blocking traffic on port
44818 by implementing firewalls or other network controls to segment the ICS net-
work. We can limit traffic so only those devices that need to communicate with the
controller can. 25
A Practical Way To Reduce Risk on the Shop Floor

 Back to TOC

The conclusion here is that there are many vulnerabilities more important than this one
and that many are covered by the application of firewall rules. So there is no reason to
go through the arduous task of deciding if you can upgrade the firmware on this con-
troller, which eliminates the need to schedule downtime to patch systems. Less down-
time means saving the company money.

Example 2: On to a less contentious set of vulnerabilities and the mitigations that cov-
er a wide range of them. I see these a fair number of times when working with manu-
facturing clients.
26
A Practical Way To Reduce Risk on the Shop Floor

Step 1: Let’s take a look at CVE-2020-16233, a vulnerability running on a Windows  Back to TOC
machine. Nessus is embedded in Tenable OT Security, which makes light work of iden-
tifying vulnerable IT systems. This Windows workstation is running the CodeMeter
software license management program.

Step 2: Many manufacturing environments have a sizable inventory of IT devices on

the OT network. How we treat controller vulnerabilities and their mitigations is sepa-
rate and distinct from how we treat workstation vulnerabilities and their remediations.

Step 3: In the image below, you can see the remediation option and additional re-
sources. Because this vulnerability is on a Windows workstation, a software upgrade
isn’t likely to cause disruption, though we recommend confirming this assumption be-
fore starting the patching process. It’s safe to say IT system patching is typically easier
than OT system patching.

Key takeaways for manufacturing industry cybersecurity

professionals
1. Threats facing the manufacturing industry are based on two motivations:

• Bad guys trying to make money off of you

• Bad guys trying to make money off of someone else by damaging you

What we do to reduce the likelihood of a successful attack is the same.

2. The defense strategy is simple and consists of two main tactics:

27
A Practical Way To Reduce Risk on the Shop Floor

 Back to TOC

• You can fix vulnerabilities

• You can chase threats

3. Both of the tactics above are important. However, I recommend a proactive ap-
proach by fixing vulnerabilities because that is where money is best spent. Resil-
iency is much more important in ICS. The steps in the vulnerability management
process are:
28
A Practical Way To Reduce Risk on the Shop Floor

• Vulnerability identification  Back to TOC

• Vulnerability assessment

• Vulnerability resolution

• Remediation

• Mitigation

Dwayne Edwards
In his role as a Senior Security Engineer at Tenable, Dwayne works
at the intersection of business and technology where operational
and information security meet. With a deep background in manu-
facturing, data acquisition, security and networking, Dwayne has
architected, written and built applications and global internetworks
in the polymer industry and consumer goods manufacturing are-
na. Dwayne previously was employed at Rockwell Automation and
spent more than 20 years at Cisco Systems in a variety of technical
leadership positions. Prior to Cisco, Dwayne performed in-house
and consulting work in manufacturing.

29
Throwback Attack: Smart
buildings, smarter hackers  Back to TOC

A s society has delved deeper into the fourth — and soon to be fifth — industrial
revolution, technology has become more woven into our everyday lives. Once
upon a time, smart technology was found only in computers and phones, but now it’s
in refrigerators and toasters, as well. This evolution of smart tech has led to a more
recent development: smart buildings.

In 2021, a German smart building was attacked by threat actors, who took control of its
security system and locked out the building engineer managers. This caught the firm
off guard, but they reacted swiftly in an attempt to clean up the mess the attacker had
created. Smart building hacks have always been a fear, but this was a manifestation of
what could happen, though far from the worst-case scenario.

Smart buildings: A brief history

The concept of smart buildings was first developed in the 1970s, when an oil spill off the
coast of California sparked a need for more efficient building environments. This need
for efficiency also stemmed from increasing energy costs. Thus, the U.S. government
passed a bill called the Green Building Movement, which triggered a push for innovation
in building efficiency. The first hint at what the future of smart buildings would hold came
in the ’80s when United Technology Building Systems created “intelligent buildings” that
allowed heating, air conditioning and ventilation to be controlled remotely.

The term “smart buildings” began to appear in the early 2000s. People were becoming
more environmentally conscious, and a shift to smart buildings catered to that new ethos.
These improvements were mainly an attempt to reduce buildings’ carbon footprint.
30
Throwback Attack: Smart buildings, smarter hackers

Now, as we reach the end  Back to TOC

of the first quarter of the
21st century, we are seeing
smart buildings that are
more adaptable than ever
before. Chip-enabled cards
let employees enter build-
ings, doors can be locked
and unlocked with an app,
and sensors can tell you
how many people are in a
room. Furthermore, smart
buildings can integrate with
the cloud and greatly re-
duce a building’s carbon footprint.

Smart buildings have the potential — and have proven — to be a leap forward in tech-
nology and innovation. However, that creates problems of its own, especially when it
comes to cybersecurity.

The downside of smart buildings

The problem with smart buildings is very simple to diagnose but complicated to reme-
diate. Because smart buildings are so connected to the internet and must be accessible
from remote locations, they are inherently more vulnerable to cyberattacks from threat
actors. Everything is networked, from elevators to thermostats to clocks. Threat actors
can take advantage of this network in many ways with different attacks (ransomware,
DDoS, etc.). For example, it would be possible for a seasoned adversary to access a
31
Throwback Attack: Smart buildings, smarter hackers

building remotely and lock the doors, turn the boilers up, and cause mass building fires  Back to TOC
or explosions. Although this is an extreme example, the further we push into a digitized
world, the greater of a risk threat actors pose. Any building that is networked — from
nuclear facilities to hospitals — is vulnerable.

Attack on a German building automation system (BAS)

In the case of the German smart building, the threat actor was able to breach their system
through an unprotected gate in the internet. From there, they began to cause problems.

According to DarkReading, “The firm … discovered that three-quarters of the BAS

devices in the office building system network had been mysteriously purged of their
‘smarts’ and locked down with the system’s own digital security key, which was now
under the attackers’ control.”

The hackers were able to use the firm’s own security measures to block out building
engineers from directly accessing the BAS. The attackers not only blocked access, but
they also wiped the systems, rendering them useless.

Because of this, the engineers needed to go into the system manually to turn the BAS
back on. Luckily, the hacker used the same password to get into all of the different sys-
tems, making the recovery a relatively simple process.

According to DarkReading, “BAS systems aren’t configured with any logging functions,
so the attackers don’t leave behind any digital footprints per se. Their attacks left no
ransom notes nor signs of ransomware, so it’s unclear even what the endgame of the
attacks was.”
32
Throwback Attack: Smart buildings, smarter hackers

Preventing future attacks  Back to TOC

DarkReading warns, “Ransomware and extortion attacks on a BAS could be used to
target facility management companies, or more ominously, hospitals.”

There is no 100% infallible way to prevent all attacks on smart buildings — or any tech-
nology for that matter. However, there are ways to mitigate risk and enable a swift
response. A few examples are:

Employee training – Perhaps one of the simplest implementations is to train employ-

ees in good security habits — i.e., not clicking phishing emails or improving password
hygiene — and to say something when a piece of technology seems to be acting out
of the ordinary.

Software updates – Perform regular software and firmware updates so that any known
vulnerabilities are patched.

Regular auditing – Routine audits are a great way to ensure that everything is acting
normally, and they allow for a swift response if something isn’t functioning as it should.

Smart buildings are a fantastic way to reduce a building’s carbon footprint. The cut-
ting-edge technology provides new insights and opportunities, making many things
easier. However, being on the cutting edge also invites challenges from cyber adver-
saries and gives them access to more than ever before.

Tyler Wall
Tyler Wall is an Associate Editor at CFE Media and Technology.
33
Smart Factories and
Cybersecurity: Expert interview  Back to TOC

Series, Moty Kanias, NanoLock

A s the fourth industrial revolution — or Industry 4.0 — continues apace, factories
and supply chains are becoming more connected than ever. This can be great for
companies, delivering increased value and efficiency, but more connections also mean
more cyber risks. Every device, sensor, piece of equipment and connected product can
be both an asset and a vulnerability. Despite their benefits, smart factory environments
can expose people, technology, physical processes and intellectual property. This rais-
es questions of if the manufacturing industry has adequate cybersecurity programs in
place to prepare for the expanded risks of smart factories.


34
Smart Factories and Cybersecurity: Expert interview Series, Moty Kanias

The risks of smart factories  Back to TOC

The increased connectivity of smart factories can be great for business continuity, but
there are some downsides, said Moty Kanias, VP of cyber strategy and alliances with
NanoLock. Kanias recounted a story about a conference he recently attended with
“huge, monster machinery” that had stickers on it advertising that it was ready for In-
dustry 4.0. When he asked what that meant, he got an unsurprising answer.

“They said that everything inside their system communicates to every different part
and that they’re ready for the new era,” Kanias said. “Then, I started asking them
questions about cybersecurity, and I got exactly what I think everyone knows. No-
body knows what cybersecurity in the future will look like, and 4.0 is kind of a slogan
of saying, ‘Well, we want the world to be connected because we understand how
good it will do to the world.’ But the question of cybersecurity in 4.0 is unsolved, and
we have a long way into finding the specific technology that is needed to find a good
solution.”

Industries don’t just start up from zero and buy brand new machinery every day for
their whole production line. There is a mix of old and new products, and they should
all connect and work together. The problem is that there is always a weakest link in a
network, and that will be the factor that tells you how strong you are.

In the past, the way the Cybersecurity and Infrastructure Security Agency (CISA) ad-
vised organizations to deal with cyberattacks in the industrial zone was to just discon-
nect from the internet or make sure that only authorized personnel can touch your
computers.

35
Smart Factories and Cybersecurity: Expert interview Series, Moty Kanias

“[Industry] 4.0 is kind of the nightmare of where we were,” Kanias said. “It means that  Back to TOC
everything is connected. It means that everyone could directly get into any piece of
data that he wants and could probably see all the configuration and how to change
them according to what he or she would want to do.”

The era of big data creates many cybersecurity challenges. Big data makes programs
more complicated, and more complicated programs mean more vulnerabilities. Ac-
cording to Kanias, that’s a big reason we’re seeing more and more vulnerabilities being
posted every day.

Who is at risk?
Kanias said that no one would argue that smart factories are bad for business. There
are just too many benefits. But cybersecurity must be moved to the forefront. The
worst risk is outdated legacy machinery that doesn’t have any cybersecurity protections
in place. There are also some industries that are more vulnerable to cyberattacks, such
as critical infrastructure. This includes areas like oil and gas, water/wastewater, food
manufacturers, transportation, banking systems and nuclear facilities.

“4.0, in some ways, will connect all of them together,” Kanias said. “Therefore, it’s hard
to know exactly which will be the weakest link. Connectivity means that everything is
connected, and it will be much harder to build systems that are not interfering with the
connectivity and the upsides of it.”

What are hackers generally after? That one is simple, according to Kanias: money.

“When factories main goal is to make money for themselves and to continue produce
36
Smart Factories and Cybersecurity: Expert interview Series, Moty Kanias

what it is that they’re producing, it means that it’s money toward money,” Kanias said.  Back to TOC
“If an adversary manages to attack a bakery and stop their process from working, [it
would] be a good way of getting money from the company.”

How smart factories can protect themselves

According to Kanias, the best thing companies can do is to first educate their workers
to get them more aware of what cybersecurity is and what cyber actors are trying to
exploit. Once that awareness increases, it’s much easier to protect corporate resources.
It’s also important to invest in cybersecurity and bring in smarter, zero-trust solutions.

“It means finding the right products that will make sure that only authorized people
can make critical changes to sensitive computers,” Kanias said. “It’s the only way of
preventing bad things from happening.”

Only air-gapping, or having no connectivity to the internet, is no longer a viable plan.

Organizations also can’t just leap into Industry 4.0 and connect everything without
considering cybersecurity. There needs to be a plan in place and dedicated resources
toward securing systems.

“We need more hands in the cybersecurity area,” Kanias said. “We need more pro-
grammers. We need more specialists in order to build a strong protection plan for
industries with connectivity that is just expanding every day.”

Gary Cohen

37
Accelerating the adoption of smart
manufacturing in the U.S.  Back to TOC

Smart manufacturing technology can integrate supply chains, improve

quality, customization, safety and sustainability, but widespread adoption
remains a challenge.

S mart manufacturing offers tremendous potential for manufacturers and can en-
hance their operations, but adoption remains a challenge for many companies.

“The notion of Industry 4.0 and digital transformation is kind of difficult to rationalize
and dovetail into our way of thinking,” said John Dyck, CEO of CESMII in his keynote
speech “The Urgent Need To Accelerate The Adoption Of Smart Manufacturing In The
US,” at the Automotive Smart Manufacturing 4.0 USA Summit 2023 in Detroit. “We’ve
been using data forever to solve our problems, but now it’s about doing it in a more
cost-effective way.”

CESMII, created in 2017 by the Federal government, is about accelerating the democ-
ratization of smart manufacturing, reducing costs and the complexity around smart
manufacturing.

There’s an urgent need to improve manufacturing, Dyck said. Manufacturing productiv-

ity had been experiencing steady growth from the 1980s to the early 2010s. Since then,
it has either plateaued and, in some cases, declined. The lack of younger workers,
combined with the older workforce retiring, has put a serious crunch on productivity.

We absolutely need to take care of and address this,” Dyck said.

38
Accelerating the adoption of smart manufacturing in the U.S.

The rise of Industry 4.0, or  Back to TOC

the fourth industrial revolu-
tion, is designed to address
these problems by improving
information flow throughout
an enterprise and give users
the information they need.
More devices than ever are
connected to the internet and
is giving manufacturers more
data to work with.

Smart manufacturing can

help, Dyck said, but accessibility remains a problem. John Dyck, CEO of CESMII in his
keynote speech “The Urgent Need
Many large-scale manufacturers have the capabilities To Accelerate The Adoption Of Smart
and bandwidth to take advantage of smart manufac- Manufacturing In The US. Courtesy:
Chris Vavra, CFE Media and Technology
turers. The smaller manufacturers, which make up a
vast majority of the companies that exist out there,
don’t have the capabilities. “There’s a huge digital divide,” Dyck said. “This techni-
cal debt makes the capabilities deploying today not accessible for small-and medi-
um-sized manufacturers.”

This is an especially acute problem in the United States, Dyck said, compared to other
parts of the world. “We’ve absolutely fallen behind the rest of the world in Industry 4.0
and smart manufacturing. Europe and Asia are outstripping their initial investment.”

39
Accelerating the adoption of smart manufacturing in the U.S.

Smart manufacturing  Back to TOC

challenges remain
The world does recognize
smart manufacturing and
adoption is increasing, said
Ben Stewart, VP strategy and
business development for
PLEX in his presentation “The
State Of Smart Manufacturing:
Practical Steps To A Real-World
Digital Transformation.”

While they recognize the

Ben Stewart, VP strategy and business
need, business challenges remain as companies
development for PLEX in his presentation
continue adjusting to the new reality after the “The State Of Smart Manufacturing:
COVID-19 pandemic. A lack of skilled workers re- Practical Steps To A Real-World Digital
Transformation.” Courtesy: Chris Vavra,
mains an issue and the supply chain continues to
CFE Media and Technology
have issues.

Another challenge companies face, Stewart said, is they are overwhelmed with choice.
They don’t know where to start.

“The range of available systems is leading to a technology paralysis,” Stewart said.

Other internal challenges include balancing quality and growth, deploying and inte-
grating new technology and getting workers to understand and embrace these chang-
40
Accelerating the adoption of smart manufacturing in the U.S.

 Back to TOC

es. The resistance in the latter case also applies to Developing a strong smart
manufacturing plan requires involvement
younger workers who aren’t interested in working
from many stakeholders and a thorough,
with old technology and don’t realize what they well-researched plan. Courtesy: Chris
could be working with if they accept a plant floor job. Vavra, CFE Media and Technology

“You have to make it more interesting to them because they want to interact and so
you have to make it more automated and less manual,” he said.

Five steps to developing a smart manufacturing plan

Choosing the right technology is hard enough, but knowing what to do or where to
start is just as daunting. Many facilities have challenges and issues they can improve
on. That’s not unique or uncommon to the industries. Getting started with a smart
manufacturing plan, Stewart said, consists of five steps:
41
Accelerating the adoption of smart manufacturing in the U.S.

1. Identify key stakeholders and agree on the company’s greatest need. The  Back to TOC
stakeholders involved should include decision-makers and system users who can
find a place where they’re weak or where they can improve the most in a short
period of time in a way that’s easily quantifiable.

2. Build the business case for investment. This can be done by highlighting how
smart manufacturing will increase control, efficiency and savings. It’s also import-
ant to highlight how the plan will reduce risk and improve security.

3. Research and select the solution(s). Thorough research will help narrow down
the potential solutions and make everyone better prepared to address questions
to the stakeholders.

4. Design and deploy the solution(s). Pick an implementation partner and create
the roadmap for a successful process all stakeholders can agree on.

5. Manage change, measure results and drive adoptions. Companies need to

determine what will define success and who will be the main advocate.

Improving interoperability and communication

For a long time, the Purdue Model has been the model for collecting and sending in-
formation up the ladder in a linear fashion. While valuable and successful, Dyck said, it
only goes so far when it comes to information.

A more interoperable method, he said, using a smart manufacturing infrastructure,

allows all of the data to be sent up the ladder, but also together.
42
Accelerating the adoption of smart manufacturing in the U.S.

 Back to TOC

A more interoperable way of sending

“Interoperability promotes growth across the stack information is key to making smart
and improve growth across the model,” Dyck said. manufacturing successful. Courtesy: Chris
“We need to put together a systematic and holistic Vavra, CFE Media and Technology

approach.”

There is an enormous opportunity to collectively engage the knowledge, the capabilities

and raise the tide for all boats,” Dyck said. “We need to be more educated on the tech-
nical debt we’ve accumulated and move forward in a more agile and intelligent manner.”

Chris Vavra
Chris Vavra is web content manager for CFE Media and Technology. 43
Cybersecurity in
Smart Factories
Thank you for visiting the Cybersecurity in Smart
Factories eBook!

If you have any questions or feedback about the contents

in this eBook, please contact CFE Media at
customerservice@cfemedia.com

We would love to hear from you!