Cisco UK & Ireland Blog

6 Ways to Defend Your Factory from Industry 4.0 Security Threats

March 3, 2017

The digitisation of manufacturing, or Industry 4.0 as it is commonly known, is driving industrial operators to achieve new levels of productivity, quality, and visibility. It doesn’t take the genius of early industrial innovators like Robert Louis Stephenson to see that manufacturers who connect their factory systems with their enterprise networks will create a more agile, efficient, flexible and profitable business. These are exciting times in manufacturing; however, there is a dark side to the rapid progress that’s underway.

Unfortunately, more connections also open the door to new security risks, and previous generations of industrial control systems were not conceived with security or IP connectivity in mind. Industrial Automation and Control Systems (IACS) traditionally utilise proprietary hardware and protocols that are hard to integrate with network security. Although segregated from industrial IP networks, they’re still at risk because they’re often set up as simple, open-network machine islands, with limited or no security.

The net effect is that digital transformation is proliferating vulnerabilities at the same time as cyberattackers are getting more sophisticated. This raises the stakes for UK manufacturers. The industrial sector has some of the least mature security practices and policies and lowest-quality security infrastructure, so there’s a very real risk of being left behind…

In the age of the industrial internet of things (IIoT), here are the top 6 actions you should consider taking to secure your factory from cyberattacks:

#1 Ensure the basics are covered: Many industrial businesses don’t have even a simple security policy written down. Start by drafting and implementing a set of written security policies and procedures for your plant. These should, for example, outline who should be able to access the network in the first place and how (covering permanent employees, contractors and BYOD), state what assets they can access, define acceptable asset use, and define reporting mechanisms for events. Your written policies should also contain an incident response plan, including any procedures to restore critical production systems after a security event.

#2 Physical security is the first line of defence: Some of the most severe damage comes from the inside, when entry is gained from the factory floor. Whether it’s preventing inventory lift, data loss or intellectual property theft, companies can benefit from a comprehensive physical security solution integrated with a secure wired and wireless industrial network. Protect assets with physical access restrictions like locks, key cards, and video surveillance. Where practical, you can also add device authentication and authorisation, plus encryption.

#3 Take a holistic approach: The more connections you have in your manufacturing environment, the more chances for a breach. No single technology, product, or methodology can fully secure your network. Protecting critical manufacturing assets requires a holistic approach that uses multiple layers of defence (physical, procedural, and digital, the last covering network, device and application) to address different types of threats. A basic mapping exercise will help you get started, providing an inventory of all the devices and software on your network. Remember, ‘air gap’ strategies are fallible: just because a robot or device isn’t connected to the network doesn’t mean it’s completely safe. One corrupt or malicious thumb drive will put an isolated machine at risk of unplanned downtime or, worse, safety incidents.

#4 Get in the zone: Use industry best practices, such as the ISA/IEC 62443 standard, to set up zones and design schemas to segment and isolate your sub-systems. Create a demilitarized zone (DMZ) between your enterprise and manufacturing networks. On the network perimeter, firewalls and intrusion detection will help you keep threats at bay. And within the network, employing out-of-band deep packet inspection (DPI) in your routers, switches, and other network devices can help you spot viruses, spam, and other intrusions.
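One way to check that traffic really follows the zones and DMZ described in #4 is to audit observed flows against the list of permitted conduits. The sketch below is an added example, not Cisco code; the zone names, subnets, conduits and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone model (assumption): names and subnets are illustrative only.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "cell_a": ipaddress.ip_network("10.30.1.0/24"),
    "cell_b": ipaddress.ip_network("10.30.2.0/24"),
}
# Permitted conduits (assumption): (source zone, destination zone, dest port).
CONDUITS = {
    ("enterprise", "dmz", 443),  # enterprise users reach a DMZ service
    ("cell_a", "dmz", 443),      # cells push data up to the DMZ
    ("cell_b", "dmz", 443),
    ("dmz", "cell_a", 4840),     # DMZ broker polls cell A over OPC UA
}

def zone_of(address):
    """Return the zone whose subnet contains the address, else 'unknown'."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return flows that cross a zone boundary without a permitted conduit."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # traffic that stays inside one zone is out of scope
        if (sz, dz, port) in CONDUITS:
            continue
        if "unknown" in (sz, dz):
            reason = "endpoint outside any defined zone"
        elif "dmz" not in (sz, dz):
            reason = "crosses zones without passing through the DMZ"
        else:
            reason = "no conduit defined for this port"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),     # enterprise -> DMZ, permitted
    ("10.10.4.7", "10.30.1.20", 502),    # enterprise -> cell A directly
    ("10.30.1.20", "10.30.1.21", 502),   # inside cell A
    ("10.30.2.9", "10.30.1.20", 44818),  # cell B -> cell A, no DMZ
    ("10.20.0.5", "10.30.1.20", 4840),   # DMZ -> cell A, permitted
    ("10.20.0.5", "10.30.2.9", 3389),    # DMZ -> cell B, port not permitted
    ("192.168.50.3", "10.30.1.20", 502), # source not in the inventory
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

In practice the flow tuples would come from firewall or NetFlow exports, and the zone table from the device inventory built in the mapping exercise in #3.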

#5 Distance isn’t a barrier: If your company is made up of distributed sites in multiple locations, you need a way to apply security remotely.

Example: A leading oil and gas company operating in more than 70 sites globally was able to reduce costs by £500,000 per site deployed over five years (per their ROI study). To protect its critical infrastructure, including refineries, wells, and other sites, the company deployed Cisco Secure Operations, utilising field-deployed software and networking gear to remotely monitor more than 50 upstream and downstream sites. The solution provided a secure “tunnel” from the field infrastructure to a centralised management console. Its centralised control centre enables engineers and IT experts at a global service desk to quickly respond to any security threats.

#6 Thwart attackers at the edge: A critical segment of any company’s network architecture straddles the Internet edge, where the corporate network meets the public Internet. This is the gateway to cyberspace, and serves many roles for the typical enterprise network. As network users access websites and use email for B2B communication, you need to keep your corporate resources both accessible and secure. Something as simple as moving from unmanaged switches in your network to lightly managed switches gives you the ability to better secure ports and improves network visibility, control and security.

Manufacturers who rise to the challenge of Industry 4.0 by implementing the next generation of security protections built for the age of the IIoT will gain a competitive edge in the process. By thinking holistically and combining multiple layers of defence, you can protect intellectual property and physical assets from unintentional breaches and cyber theft, while speeding threat resolution, reducing downtime, and driving efficiency gains across your facilities.
