Critical Manufacturing Legacy Systems









One common issue that Information Security Professionals working
in Critical Manufacturing environments have to deal with is that of
legacy systems. In Critical Manufacturing environments it is
very common for the systems that run and control factory lines to
remain in place for a very long time. Some of these systems can be
running Operating Systems (OS) that are 10 to 15 years out of date. In
many cases these OSs are no longer vendor supported and cannot be
patched to remediate known exploitable vulnerabilities. These older
systems are often used to run production lines, and they still do a
great job at doing what they were purchased to do. It is difficult,
rightly so, to convince the leadership team at a factory to spend
money to replace something that is old but still doing the
job it was purchased to do. It costs money and reduces potential
profits to replace these old and outdated systems with new systems.
Because they continue to do the job they were purchased to do,
justifying the new spend can be difficult.

From an Information Security point of view, these systems pose a
large risk to the overall manufacturing environment and, if hacked,
could cause a large-scale production outage. In smaller companies
this type of major cyber attack can result in no longer being able to
conduct business and permanently closing the doors. Legacy systems
that are commonly found on the shop floor are often 3, 4 or even 10
years out of date when it comes to standard Information Technology
patching. Information Security Professionals look at these systems
as attack vectors, while the people working in the Critical
Manufacturing environment view them as cost-effective workhorses
that are getting the job done. While cyber attacks on networks at
Sony, Target, Home Depot and the US Government are getting all the
press, the greatest cyber vulnerability is in manufacturing. “By raw
numbers, and by the numerous manners of attacks, manufacturing is the
most targeted area now, even compared to financial services,” Chet
Namboodri, senior director of Global Private Sector Industries at
Cisco, told Design News. “Financial services gets more press, but
industrial networks get more attacks.” Attacks and warnings ranging
from Stuxnet, Aramco, SolarWorld and U.S. Steel to U.S. regulators and
security experts sending out an official warning that hackers could
now access critical medical equipment, including pacemakers and
insulin pumps, with potentially deadly results make the threat to
Critical Manufacturing a real one. Determining what to do in order
to lock down and protect the legacy systems, while at the same time
allowing them to continue doing the work they have been doing, is a
major part of an Information Security Professional's job.

“You can’t scan that system (or you can’t put AV on that system)
because it is old and fragile and if you bring it down we will not be
able to produce our product” is far too common a phrase in the
Critical Manufacturing environment. In many cases Information
Security Professionals are asked or told to just leave the
systems alone: do not run vulnerability scans, do not put antivirus
on them, do not put a light firewall on them, do not patch them, do
not put updates on them, etc. This type of thinking by Information
Technology and factory leadership teams is shortsighted and is
putting their entire production capability at huge risk of
catastrophic failure. Because these legacy systems are outdated and no
longer supported by the vendor, they are highly exploitable by
any blackhat or hacker who wants to take advantage of them.
The reality is that the risk is real, the risk is
great, and from past events we know that these systems provide
easy-to-use attack vectors for blackhats, fraudsters and competitors
seeking to cause negative business impact to the company.

Information Security Professionals working in Critical
Manufacturing should take the approach shown in Table 1 for dealing
with the computer systems that reside in the factory environment and
on the plant floor. By following this methodology, the
legacy systems will be protected while still being able to
continue doing the job they are good at and that they were purchased
to do. In most cases this approach will also reduce the overall risk
that these systems pose to an acceptable level.

      Table 1

This approach, when combined with the network segmentation and smart
firewall approach discussed in my previous blog on Critical
Manufacturing, is the start of a successful recipe for securing a
Critical Manufacturing environment.

Learn more about security critical manufacturing in Protecting Our Future (Vol. 2).


Spiegel, R. (2016, January 12). Manufacturing Becoming Top Cyber Target. Retrieved from