Hvordan Producenterne kan beskytte mod Cyber-angreb

By Jonathan Wilkins of Stafford based European Automation

In 2014, the total number of cyber security incidents detected rose to 42.8 million according to PWC”s Global State of Information Security Survey 2015, which you can find at http://goo.gl/MZR3zg. For those of you that have not done the maths, that is 117,339 attacks per day, every day. And these are just the strikes that were detected and reported.

European Automation Johnatan WilkinsTo comprehend the sheer extent of current threats, antivirus business Kaspersky has created an interactive map. It depicts the number and type of cyber threats in real time. If you are reading this white paper online, I am sure you will agree that it is almost hypnotic. If you are reading offline, I recommend you visit http://cybermap.kaspersky.com.

Men kortet er også utroligt bekymrende. Det samlede antal -af sikkerhedsangreb detekteret steget med 48 procent fra 2013 til 2014 og der er lidt, der tyder denne procentdel vil falde i 2015. På trods af disse tal fremgår det, at oplysninger sikkerhedsprogrammer faktisk har svækket, hvilket især skyldes naivitet og utilstrækkelige investeringer.

I den industrielle sektor alene, virksomheder rapporterede en 17 procent stigning i påviste sikkerhedshændelser i 2014. De resulterende finansielle omkostninger er steget med 34%, mens forskning fra Barclays tyder på, at næsten 50% af virksomhederne, der lider en cybersikkerhed angreb ophører handel.

Denne særlige rapport analyserer den stigende globale cyber trussel og skitserer værdien af ​​at gennemføre en forretning fokuseret sikkerhedsstrategi for at sikre trivsel både medarbejdere og industrielle automatiserede systemer.

Hvem har gjort det?

Året 2014 featured nogle af de største hacking og cyber sikkerhedsbrud i dette årti. Det synes ingen var sikker, ikke engang de største erhvervskunder spillere. eBay, Sony Pictures Entertainment, Apple og Sony Playstation, var alle ofre for cyber-angreb i en eller anden form.

Interestingly, there is one thing most security threats have in common and that is the source. The results of PWC”s survey illustrate that 34.55 per cent of companies asked, reported that the attacks on them last year were estimated to originate from current employees of the company and 30.42 per cent from former employees. These were the two biggest culprits.

Statistically, you are far more likely to come under cyber attack because of someone plugging in a corrupted USB stick to your network, than you are to be specifically targeted by a hacker trying to exploit a weakness in an automated system. However, that”s not to say that you shouldn”t prepare for both eventualities.

Hackers still ranked highly in the survey – third with 23.89 per cent of companies surveyed pinning their security attacks on them. However, there is another, less prevalent threat that companies should be aware of too.

Every business encounters third parties on a daily basis – such as consultants, contractors, suppliers and providers. It is imperative that the information shared with these parties, on and off site, is restricted to an appropriate level. 18.16 per cent of businesses surveyed responded that they believed their current third party providers were responsible, actively or passively, for their cyber attacks.

For example, the US retail giant Target had a considerable breach in 2013 when the personal identifiable information (PII) and credit card details of customers were stolen. The multi-staged hack began with Target”s heating, ventilating and air conditioning supplier, who, it would seem, had access to Target’s network. Credentials were stolen from the US vendor using common malware implemented through an e-mail phishing campaign. This was the hackers’ way in.

Moralen af ​​historien er, at for at udvikle sikre systemer, skal virksomhederne gennemføre tekniske, konceptuelle og organisatoriske foranstaltninger til at forhindre forskellige typer af sikkerhedstrusler.

Hvor skal man begynde

In a manufacturing context, typical security incidents include infection by malware, unauthorised use, manipulation of data, espionage and denial of service – the latter being an attempt to make a machine or network resource unavailable for its intended users.

Forsvar mod disse former for trusler kræver mere end blot at investere i ny software eller leje en Chief Information Security Officer (CISO), selv om disse foranstaltninger er en god start. Ændringer skal gennemføres fra jorden op. Før vi komme foran os selv er der visse skridt, der bør tages, før noget andet.

To evaluate properly the likely threats, system owners must first assess the weak points of that system – including the human element. In an automated environment, this may reveal a scenario in which a property of the whole is considered beneficial from an automation perspective, but detrimental from security one.

For eksempel kan en fjernenhed, der er fri adgang til en programmerbar logisk styreenhed (PLC) uden godkendelse sparer tid i en automatiseret proces. Men ud fra et sikkerhedsmæssigt perspektiv er dette en konkret svagt punkt. Det er nødvendigt at identificere disse svagheder for at få adgang risici og træffe passende foranstaltninger.

Producenter og industrivirksomheder bør være særlig opmærksom på tre kerneområder. Den første er de svage punkter, der opstår på grund af forkert udstyr eller software implementering. Dette kunne være en defekt enhed eller et stykke programmering.

Fremkomsten af ​​sammenkobling og tingenes internet giver mulighed for alt i en fabrik til at kommunikere ved hjælp af en fælles protokol, generere en stor mængde data. Dette bringer os til det andet område virksomhederne skal fokusere på: sikring masse datastrøm, så hackere ikke kan udnytte det.

Finally, weak points often arise due to organisational measures, or lack thereof. For example, it is important to ensure that the CISO”s team update operating systems, web browsers and applications whenever necessary. This negates the worry of using a product that has known flaws, which a developer has corrected in a later version. You should implement a corporate policy dedicated to updating software to solve this problem.

Overall, it is essential that, during an initial security assessment, the team identify, group and isolate the critical information belonging to the business so that the CISO”s team can properly protect it. This should be the main priority for any company concerned with its cyber security.

Beskyttelse netværk

En af de mest effektive midler til at sikre automatiserede produktionssystemer er cellebeskyttelse. Denne form for forsvar er især effektiv mod en række forskellige trusler, herunder mennesket-i-the-middle angreb, hvorved angriberen har evnen til at overvåge, ændre og injicere meddelelser i et kommunikationssystem.

Cell protection employs a security integrated component that supervises access to an automated cell. This is often referred to as a doorman, because it plays the same role as its human namesake by deciding who can and who can”t come in. The most common device used for this purpose is an industrial Ethernet communications processor that integrates a firewall and virtual private network (VPN), filtering out attacks and keeping the network connection secure.

Celle beskyttelse forhindrer også uautoriseret adgang til og kontrol, denial of service-angreb og online trusler via kontornetværk.

However, it is important that risk assessments and security measures don”t focus solely on automated systems. Staff, suppliers and third party providers should also come under scrutiny.

Sikkerhed via uddannelse

Part of the current problem is that the topic of cyber security isn”t being elevated to a board level discussion in most companies despite the damaging consequences of security breaches including loss of production, reduced product quality and safety threats to both humans and machines.

De fleste regeringer har oprettet eller er i færd med at skabe, cyber sikkerhedsforskrifter, der pålægger vilkår om varetagelse og brug af personlige oplysninger. Virksomheder, der ikke i tilstrækkelig grad beskytter følsomme oplysninger risiko økonomiske sanktioner. På trods af dette, nogle virksomheder forbliver uvidende.

Forordninger er særligt udbredt i Europa og bør tjene som et eksempel på, hvad lande, der endnu ikke har lovgivning bør forvente i den nærmeste fremtid. USA har også obligatoriske overensstemmelses politikker, når det kommer til virksomheder, der beskytter PIO.

I begyndelsen af ​​2104, implementeret USA en ramme for forbedring internetsikkerhed infrastruktur: et sæt af branchestandarder og bedste praksis med henblik på at hjælpe organisationer styre cyber sikkerhedsrisici. Imidlertid har disse foranstaltninger blevet stærkt kritiseret for ikke at gå langt nok, især i lyset af den seneste tids høje profil Sony Pictures Entertainment hacking skandale angiveligt involverer Nordkorea.

To help educate businesses in the ways of information security, the UK Government has allocated £860 million until 2016 to establish a National Cyber Security Programme. Part of this agenda is to ensure the UK is one of the most secure places to do business online. This comes after it was revealed that 81 per cent of large corporations and 60 per cent of small businesses in the UK reported a cyber breach in 2014.

Under the programme, the Government has developed a cyber essentials scheme to give companies a clear goal to aim for. This will allow businesses to protect themselves against the most common cyber security threats but also advertise that they meet this standard. For more information about the scheme, go til www.gov.uk/government/publications/cyber-essentials-scheme-overview.

In addition, a ‘Ten steps to cyber security booklet’ is available for anyone seeking advice on current risks and methods of prevention. The literature outlines important elements when creating a business-focussed security strategy, such as risk management regimes, secure configuration, network security, user privileges, education and awareness, incident management, malware prevention, monitoring and home or mobile access. The security booklet can be downloaded by going to www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility.

Virksomheder, der gerne vil vide mere om, hvordan de kan øge deres sikkerhedsniveauer, kan også få adgang til et brugbart retningslinjedokument fra industristandardbureauet PROFIUBUS & PROFINET International (PI).

The Security Guideline for PROFINET was originally developed in 2006 and later revised at the end of 2013. It specifies ideas and concepts regarding how and which security measures should be implemented. It also contains a list of commonly used security acronyms and offers a series of proven best practices, such as the cell protection concept mentioned earlier. PROFINET”s guide can be downloaded by going to http://goo.gl/yT7rKW.

The information is out there for companies seeking advice regarding cyber security. However, from the statistics provided by PWC”s survey, it would appear that industrial product companies are already leading the way.

Industri

I det hele taget er cyber trusler stigende og alligevel informationssikkerhed budgetter syntes at falde i 2014. Det industrielle produkter marked er undtagelsen, fordi det har skabt budgetter til at beskytte sig selv.

According to the PWC security survey, this sector, more than all other surveyed – power and utilities, healthcare, retail and consumer, technology and financial services – appears to understand rising security risks. Moreover, it”s investing accordingly.

Information security budgets for industrial products companies have soared more than 150 per cent in the past two years. In 2014, information security spending represented 6.9 per cent of PWC survey respondents” total IT budget, the highest of any sector surveyed. However, in 2014, security incidents in the sector also increased six fold. So perhaps even a 150% increase is not enough.

Resultatet af denne investering har været bemærkelsesværdige forbedringer i sikkerheds processer og teknologier samt uddannelsesinitiativer. Der er imidlertid stadig generøs plads til forbedringer.

Ophold sikker

Megatrends såsom Industri 4.0, tingenes internet og store data har drevet industriel automation til et helt nyt niveau, skabe mere effektive og sofistikerede produktionslinjer. Industrien integrere dens produktionslinier med IT-lag og den traditionelle industriel automatisering pyramide er ved at kollapse på grund af behovet for hurtigere, billigere og mere effektiv produktion. Men der er en pris for disse gevinster: med større åbenhed, sammenkobling og afhængighed kommer større sårbarhed.

There is a definite need for more training when it comes to cyber security, both at the top and bottom of the manufacturing ladder. Too often businesses slip into common pitfalls – believing they are either untouchable or not a target.

Hvis flertallet af cyberangreb i 2014 blev begået af nuværende medarbejdere i det berørte selskab, hvor mange af disse tror du blev foretaget bevidst? Eller var de resultatet af en individuel ikke fuldt ud at forstå, at hans eller hendes handlinger kan føre til brud på sikkerheden?

Understanding that you don”t have to be a desirable target for hackers and that cyber threats can be the result of non-malicious, poor judgement from one employee is key to understanding the risks.

Selvom ledelsen helhjertet implementerer en dedikeret cyber-sikkerhed nedad, alt det tager er en malware-inficerede enhed sluttet til netværket for at forårsage forstyrrelser. Vi kan ikke forhindre ulykker, men det er muligt at styre dem ved at indgyde viden på medarbejdere og indføre pålidelige overvågningsudstyr og procedurer for, hvornår et angreb finder sted.

Security training shouldn’t be limited to a one off seminar for the staff and an initial systems upgrade. Patch maintenance and updates need to be carried out as and when vulnerabilities are revealed or new software is released. Senior management need to implement vigorous maintenance and monitoring policies. Security is a constant and evolving concern, not something that can be solved with one quick fix.

Risk assessments need to be undertaken for suppliers, providers and contractors and restrictions on information should be put in place. Again, this can”t simply be an initial appraisal. Unified procedures should be written up and followed when dealing with any third party that requires a certain level of information from a business.

Med økonomisk investering og passende opmærksomhed på it-sikkerhed infrastruktur og procedurer, vil en virksomhed være klar, bør en ondsindet eksterne angreb finde sted.

Ellers skal en virksomhed ikke bare står over tab af produktion og økonomiske sanktioner; der er også tab af omdømme og potentiel fare for både maskiner og mennesker til at overveje.

Process Industry Informer

Giv en kommentar

Din e-mail adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Dette websted bruger Akismet til at reducere spam. Lær, hvordan dine kommentardata behandles.