By Steven Pflantz, PE
Who would want to hack a programmable logic controller? If you have watched any news as of late, you will notice a routine story line about the occurrences of cybersecurity attacks. It seems that the hackers are working over time trying to cause all manner of trouble.
If you had asked me years ago, I would have never dreamed that anyone would go to great length to hack into a programmable logic controller (PLC)—especially not for a pharmaceutical manufacturing facility. What would be the fun in that? Does your average hacker even know ladder logic? There are many government agencies that present a more notable target than some random PLC.
The unfortunate truth is that is no longer the case. Industrial control systems have become a target of interest to any number of cyber criminals. Consider the negative economic impact and consumer distrust that a hack of a major retailer causes. We can only imagine the chaos that would ensue if it appeared like prescription drugs had been tampered with. But how could this happen?
Back in the day, networking control systems was a royal pain. Everyone had their own proprietary control network physical infrastructure and network protocol. Sharing among systems required interface gateways that gave limited interface capabilities. It was hard to talk amongst systems even if you were trying. Now move forward a couple decades and industry has migrated towards use of a more common network protocol—Ethernet—and the prayers of many past automation engineers have been answered. It has become easier to connect and network systems together. Both a blessing and a curse!
We now have the relatively easy ability to connect automation networks together and provide a wonderful level of data availability. But that connectivity and accessibility on a worldwide network can also be a hazard.
There are some “philosophical” differences in the way business systems (information technology) are operated versus control systems (operation technology) that require a different approach to cybersecurity. OT is a way to differentiate the network systems used for industrial controls versus those used for businesses, banking, and such. They are both using the same basic network infrastructure, but the applications you are running on them are quite different.
IT systems place a priority on data security above all else. They are interested in having the latest software patches and upgrades installed, which is why your PC seems to constantly be prompting you to allow it to install upgrades. In an office environment, it is no big deal, just an annoyance. If a Cyber threat is severe enough and out of control, you just shut the system down or cut it off from the rest of the world to stop the threat from progressing.
Now think about those same concepts from an OT or a control system perspective. Control systems are intended to run 24/7, and constantly rebooting to install patches and upgrades is not possible. In the life sciences realm, validated systems provide more reason to avoid continual software patches and upgrades. A validated system that has been stopped and changed has to be validated again. And just shutting things off to stop access or progression of a threat is not desirable.
The threats can be quite different as well. If you think about a business network where someone is planning to steal credit card information, they not only need to gain access to the network, but they need to locate and gain access to encrypted files on the network that contain the credit card data files. If they gain access to your network and computers, but cannot access the data, it’s scary, but not so bad.
Now consider the scenario where someone gains access to a control system network. If you remember the need for near total up time, just gaining access to a network and flooding the network with garbage so it crashes can achieve a hacker’s objective (aka denial-of-service attack), and is much easier than gaining access to your network and then accessing encrypted files. Crash the network and the plant shuts down, causing loss of production, loss of product in process, or worse if a disorderly shutdown can cause instability or dangerous conditions in the process.
So responding to these threats is quite difficult, but there are things you can do to prevent a hack from ever happening. As OT systems are designed, keep in mind the points of connection and access. It is not just the network connection on the other side of the firewall that is of concern. The reason many companies restrict or prohibit the use of USB memory sticks is that using them is a potential point for a virus or malware. Think of how many are floating around in use, and passed around for others to use. Think about the use of laptops for control system configuration, and each time they connect to a network. And tablets, phones and instrument calibration equipment too. Any device that can connect to multiple networks can be a source of trouble. Their use is so routine, we often take for granted cybersecurity and good cyber hygiene.
A major retailer was accessed by a hacker and thousands of credit card numbers were compromised because of malware on an HVAC service techs laptop that got plugged in to a store’s building control network. It can be that easy. The solution is awareness and training on how to handle all of our technology and connections in a high tech, connected world. Keep your security software up to date and watch those connections!