Food Safety

How food and beverage processors can fight cyberattacks

CEOs tend to look at cybersecurity as a one-time investment, but imagine the results if your virus definitions were last updated Jan. 1, 2015.

By Wayne Labs
Cybersecurity
Many plant managers find it difficult to convince their CEOs to fund ongoing cybersecurity investments, but plant managers need to link their cybersecurity proposal to business benefits. For example, it’s not unreasonable to think that a cyberattack could put your business on hold for a few days or a week while you rebuild the system from backups.
November 29, 2017

Verizon has released new cybersecurity figures, and the statistics, which are based on actual events — not polls — are scary.

According to the company’s 2017 Data Breach Investigations Report (10th Edition):

  • 75 percent of actual breaches were caused by outsiders
  • 25 percent involved internal actors
  • 18 percent were conducted by state-affiliated parties
  • More than half (51 percent) involved organized criminal groups

The report also showed that:

  • As many as 62 percent of breaches were caused by hacking
  • 51 percent included malware
  • 81 percent leveraged stolen and/or weak passwords
  • 43 percent were social attacks

And industrial control systems are not exempt from attacks.

However, knowledge of how attacks occur, new tools coming on the scene, and long-term investments in cybersecurity can all give processors a better chance of keeping their plants safely up and running.

ICS-CERT (Industrial Control Systems-Cyber Emergency Response Team) recently released its third “Annual Assessment Report for Fiscal 2016” (ending in June 2017).

The report highlighted continued and significant risks to industrial control systems. ICS-CERT also released Version 8.0 of its Cybersecurity Evaluation Tool (CSET). The team identified 700 discoveries for the year through design architecture reviews and network validation and verification assessments.

For the third year running, “boundary protection” was the most commonly identified area of weakness, and weaknesses related to boundary protection accounted for 13.4 percent of all discovered weaknesses.

The next three weakness categories in order of prevalence were listed as “least functionality,” “identification and authentication,” and “physical access control.”

In boundary protection, the two major risks reported were undetected unauthorized activity in critical systems and weak boundaries between ICS and enterprise networks.

Least functionality risks include increased vectors for malicious third-party access to critical systems and rogue internal access.

Identification and authentication risks include a lack of accountability for user actions on compromised accounts and increased difficulty in securing accounts when personnel leave a company.

Physical access control risks include unauthorized physical access to field equipment and locations where someone could access the ICS network, steal or vandalize cyber assets, add rogue devices — or make changes to programs or device firmware.

The latter issue (changes to programs or firmware), however, is not limited to physical tampering. A new vector was discovered with the 2014 Dragonfly/Havex attack, in which a remote access Trojan (RAT) was embedded into firmware updates on various automation vendors’ websites. The malware payload would cause multiple common OPC platforms to crash, which could cause a denial-of-service effect on applications reliant on OPC communications.

New tools in development

“We all know that ICS and IIoT asset owners depend on their vendors to supply valid software and firmware for system implementation and upgrades,” says Eric Byres, PE, ISA Fellow, noted industrial security expert and inventor whose firm, aDolus, is now working on a US Department of Homeland Security funded research project to investigate the viability of using trust anchor technologies for real-time verification of ICS software/firmware packages. “However, if this chain of trust is compromised, then malicious software can be introduced that alters core system functionality, potentially impacting critical operations and human safety.”

Unfortunately, there are currently few safeguards in place to protect IIoT and ICS devices against introduction of counterfeit firmware/software.

This is not a hypothetical risk, adds Byres.

In 2014, the Dragonfly attack targeted critical infrastructure in North America and Europe by inserting malware into legitimate software bundles available for download on three ICS vendors’ websites. Any asset owner that downloaded and installed these modified software bundles had their critical control systems infected.

These attacks highlighted the fact that industry needs a robust and universal solution for safeguarding against the counterfeiting of firmware/software upgrades.

“Our project is investigating methods of generating digital fingerprints of both legitimate and suspect firmware via automated agents, and then assigning reputational scores to the software package,” says Byres. “An API and web tool we’re developing allows end users to incorporate a validation process into their daily operations, ensuring the legitimacy of updated firmware/software without impeding critical operations.”

In other words, a technician at a site uses the tool to scan any firmware upgrade package just before loading it into a controller, says Byres. The tool then gives the software/firmware a score between 1 and 10, where 10 means the software bundle is highly validated and thus safe, while 1 means it is pure evil malware.
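
The pre-load check described above can be approximated locally by fingerprinting every file inside an update bundle and comparing the result with a manifest obtained from the vendor out of band. This is an added example, not the aDolus tool or code from the article; the zip packaging, file names and manifest format are assumptions, and it returns a pass/fail diff rather than the 1-to-10 score.

```python
import hashlib
import io
import zipfile


def fingerprint_bundle(bundle_bytes):
    """Return {member name: SHA-256 hex digest} for each file in a zip bundle."""
    prints = {}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                prints[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return prints


def compare_to_manifest(prints, manifest):
    """Diff bundle fingerprints against a trusted manifest of expected digests."""
    result = {
        "modified": sorted(n for n in prints if n in manifest and prints[n] != manifest[n]),
        "added": sorted(n for n in prints if n not in manifest),
        "missing": sorted(n for n in manifest if n not in prints),
    }
    # Any difference at all means the package must not be loaded.
    result["ok"] = not any(result.values())
    return result


def make_bundle(files):
    """Build an in-memory zip from {name: bytes}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (hypothetical file names, not from any real vendor).
VENDOR_FILES = {"firmware.bin": b"constructed firmware image v2.1",
                "setup.ini": b"[install]\nmode=update\n"}
# Assumption: in practice this manifest arrives out of band, not from the
# same download site as the bundle, since that site may be the compromised part.
TRUSTED_MANIFEST = fingerprint_bundle(make_bundle(VENDOR_FILES))
# A repackaged bundle: one original file altered and one extra file added.
TAMPERED_FILES = dict(VENDOR_FILES)
TAMPERED_FILES["setup.ini"] = b"[install]\nmode=update\nextra=helper.dat\n"
TAMPERED_FILES["helper.dat"] = b"constructed extra file"


def check(files):
    """Fingerprint a bundle built from `files` and compare it to the manifest."""
    return compare_to_manifest(fingerprint_bundle(make_bundle(files)), TRUSTED_MANIFEST)


if __name__ == "__main__":
    print("vendor bundle:  ", check(VENDOR_FILES))
    print("tampered bundle:", check(TAMPERED_FILES))
```

Hashing each member rather than the archive as a whole keeps the comparison stable when a bundle is rebuilt with new timestamps, and it names the exact file that was added or changed.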

“Asset owners in the food and beverage industry can’t buy the ‘Secure Trust Anchor’ tool, but they can partner with us and use it for free as we go through the research process,” says Byres.

Cybersecurity demands ongoing management participation

Cyberattacks already are costing companies worldwide an estimated $300 billion to $400 billion each year, and that number is projected to increase sharply, according to an article in the series “Insights on the connected enterprise,” which can be found on the Schneider Electric website. Entitled “Justifying Industrial Site Cybersecurity Investments to your CEO,” the article suggests strategies for funding cybersecurity initiatives.

The problem is that many CEOs tend to look at a cybersecurity investment as a one-time expenditure that will fix all ongoing issues. But cybersecurity is an ongoing investment, much in the same way an antivirus program updates itself on an almost daily basis. Imagine the results if your virus definitions were last updated Jan. 1, 2015.

One of the hurdles is that plant managers find it difficult to convince their CEOs to fund ongoing cybersecurity investments.

These investments are often defined as short-term projects and are not positioned as long-term investments for conducting business. But plant managers need to link their cybersecurity proposal to business benefits. For example, it’s not unreasonable to think that a cyberattack could put your business on hold for a few days or a week while you rebuild the system from backups. 

You do have backups, right?

For more information: Eric Byres, CEO of aDolus Inc., eric.byres@aDouls.com or (866) 897-9980.

This article was originally posted on www.foodengineeringmag.com.

KEYWORDS: facility security IIOT Hacking Manufacturing cybersecurity Processor cybersecurity

Wayne Labs has more than 20 years of editorial experience in industrial automation. He served as senior technical editor for I&CS/Control Solutions magazine for 18 years where he covered software, control system hardware and sensors/transmitters. Labs ran his own consulting business and contributed feature articles to Electronic Design, Control, Control Design, Industrial Networking and Food Engineering magazines. Before joining Food Engineering, he served as a senior technical editor for Omega Engineering Inc. Labs also worked in wireless systems and served as a field engineer for GE’s Mobile Communications Division and as a systems engineer for Bucks County Emergency Services. In addition to writing technical feature articles, Wayne covers FE’s Engineering R&D section.
