Are you cyber secure?

Digitalisation is a fantastic opportunity for manufacturing, it is also one of the biggest challenges. Will Darby, managing director of Carlo Gavazzi considers the importance of protecting your manufacturing plant from exposure to cybersecurity breaches whilst staying safe and secure as well as reducing your energy usage

The 4th Industrial Revolution is an unprecedented opportunity for manufacturers. Increased digitalisation and information sharing enables processes to be optimised, production to be streamlined and efficiency maximised.

With increased automation, connectivity and data-sharing comes vulnerability to cyberattack. Whatever it is that gives a manufacturer an edge, be that a more innovative or advanced product or an ultra-efficient production process, all that information will be written into the data held on the company IT system and, possibly that of their suppliers. If that information is compromised, the very future of the business could be in jeopardy. As such, cybersecurity is not something manufacturers can afford to ignore.

More worryingly, cyber vulnerability is not confined to manufacturing processes. A production plant's Energy Management System (EMS), for example, is installed to maximise energy efficiency while ensuring occupant comfort in manufacturing plants and offices. Once separate, these systems are now integrated with a company’s IT infrastructure, where they are used to optimise the control of heating, air conditioning and lighting systems. Its interconnectivity further exposes manufacturers to greater cybersecurity risks.

Unfortunately, cyberattacks are becoming increasingly common. The UK government’s Cyber Security Breaches Survey 2021, reports that four in ten businesses (39%) reported having cyber security breaches or attacks in the last 12 months. Like previous years, this figure is significantly higher among medium businesses (65%) and large businesses (64%).

Any connected device has the potential to be hacked. With production and EMS systems being connected directly to the internet, company IT networks and to wireless networks there is the possibility that criminals can use these systems as a back door to other connected systems that are critical to the functioning of the business. Advanced malware is a type of attack that is increasingly common in industrial systems connected to the internet, this malicious software infiltrates weak systems and hardware (often legacy manufacturing systems) and then spreads itself to other systems.

Similarly, the purpose of collecting and centralising data is to garner insights into processes, production, equipment throughput, quality and even maintenance to optimise process and performance. If cyber criminals corrupt this information, then informed decisions will not be possible.

So how can manufacturers ensure production plants continue to operate while still enabling processes to be optimised and energy consumption to be minimised?

A cyberattack can come from various sources: it could come from an aggrieved former employee out for revenge for example, a rival company looking to sabotage a competitor’s operations; it could be activists looking to disrupt an organisation they take issue with; it could even come from a bored teenager looking to hone their hacking skills. Also, as production spreads across the globe, regional and national politics are becoming an increasingly important in corporate and manufacturing policies.

While the types of attack can vary, once in, cyber criminals could potentially do a huge amount of damage and even bring production operations to an abrupt halt.

It is important to remember that any manufacturing operation is only as secure as its weakest link. Many existing manufacturing systems were developed when security was much less of an issue, which can lead to security gaps in production systems.

Another issue is that many production facilities are operated and managed by manufacturing specialists, rather than IT/security specialists. Similarly, EMS installers, for example, tend not to have extensive security expertise. This can lead to new systems being plugged straight into networks, or connected to wireless networks, without adequate security controls in place.

If a building’s EMS is the weakest link, then cyber criminals could, for example, make conditions uncomfortable for the building's occupants; they could set off the fire alarm or override the lift controls or corrupt connected business or production systems, which would also bring operations to halt.

There are reports of production controls and EMS systems having a weaker level of protection than that of the IT systems used for business purposes. Remember, secure software installed on an un-secure PC, results in an un-secure system. Similarly, IT departments are often diligent in applying best practice to networked devices for which they have a responsibility, only for a system to be compromised by someone connecting their smartphone. Likewise, one of the simplest ways malicious software can be introduced is by plugging a USB into a port on a machine controller, which was originally intended for maintenance engineers to connect their laptop.

IEC 62443 is an international series of standards on security for industrial communication networks and systems. The standards define five levels of security ranging from Level 0, ‘no protection required’, through to Level 4, ‘prevent the unauthorised disclosure of information to an entity actively searching for it using sophisticated means with extended resources, application specific skills and high motivation’.

The standard divides the industrial communication industry into operators, integrators and controls manufacturers. Each has a role to play in ensuring an installation is secure: a controls manufacturer, for example, must develop products that are secure; the system designer/integrator must make design choices based on developing the most secure system; the installer must work to maximise cyber security throughout system deployment; while the end-user must operate the system according to best practice, such as the avoidance of default passwords. 

In order to keep ahead of cyber criminals, production control systems and EMS must be engineered in line with best practice. That means:

Limiting the size of the attacker's target by minimising the number of system components;

• Ensuring these components have been developed and manufactured in line with best practice by a manufacturer keeping pace with evolving cybersecurity threats;
• Ensuring the manufacturer adopts development practices that put cybersecurity top of the agenda when developing new products; and
• Ensuring that products are tested and assessed as being cyber secure by a respected, third party cybersecurity testing laboratory.

To help minimise the vulnerability of an EMS system, Carlo Gavazzi has also introduced a security enhanced IoT gateway and controller. Its Universal Web Platform 3.0 SE has been developed to sit at the heart of an ecosystem of over two hundred Carlo Gavazzi meters, sensors and actuators, which it links at both field and cloud levels to other systems in the EMS architecture. For peace of mind, the UWP 3.0 Security Enhanced gateway’s capabilities have been verified by UL, one of the top cybersecurity assessment organisations.

There is no such thing as absolute security. However, organisations that use production controls and an EMS designed and installed with security enhanced products, which is then operated and maintained in a secure manner using best practice, will have done all they can to help protect the manufacturing process from attack.

To download a copy of the White Paper on Cybersecurity in Energy Management Systems go to www.carlogavazzi.co.uk