Why cyber security should be top of mind for machine builders
As more and more equipment gets connected to the internet and machine software becomes more complex, the risk of cyber attacks grows for companies worldwide. Machine builders must protect their customers and themselves to prevent dire consequences.
As we continue to venture further into the connected world of Industry 4.0, the chance of security breaches and cyber attacks and the caused damages increase exponentially. If you aren’t aware of the security risks, the chance of a cyber attack is even higher.
Cyber attacks, originating in OT equipment, can be disastrous for the factory and cause great image damage for you as a machine builder. The number of cyber attacks causing operational disruption in the industrial sector is increasing dramatically. Machines or even whole factories go down, data is stolen and in the worst case humans are injured. All because of a simple click on a link in a spam email.
You don’t want to be the weak link, so it’s time to delve into your cyber security and sort it out. What should you know about cyber security? How can you take your own responsibility and what should you expect or ask from your partners?
Increased demand for cyber security from customers
End customers, in particular factory owners, are becoming increasingly aware of the risks they run when connecting their equipment to the internet. This leads to them expecting more from you in the complex area of cyber security. You need to know how your connectivity solution works and be aware of the risks that connected machines bring. Also, you have to know how you can protect and support your customer and answer any questions they may have.
However, relatively few service level agreements (SLAs) are provided by machine builders, and usually maintenance and monitoring of machines after warranty have little focus. The biggest focus is on keeping your machines running optimally and making sure that they are physically safe. That’s no longer enough, because a lack of expertise about security measures increases the risks.
That’s a lot of added responsibility in what, for many machine builders, is a completely new field.
Share information about your security management
It’s clear that machine builders have a big responsibility towards customers regarding the cyber security of their connected systems. You probably get questions about the added value of your connectivity solution and how it could affect their factory network. You will gain more confidence if you communicate and be transparent about how security, user access and, for example, open network ports are arranged.
To answer those questions, it’s important to know who is responsible for what in the cyber security landscape.
Shared responsibility on cyber security
Cyber security is a broad topic, and the responsibility of ensuring a secure connected machine is shared between different stakeholders. Unanswered questions of who is responsible for what leads to leaks or attacks. You need to know who should be involved in keeping equipment secure, and what can be expected of whom. The cyber security responsibility is shared between:
- Machine builder
- End customer (machine user)
- Connectivity solution provider
Responsibilities of a machine builder
The machine builder is the one who decides that he needs to connect his machine to a certain connectivity solution. He needs to make sure the chosen connectivity solution is secure and can’t harm the connected systems and OT network. To minimise the risks you should also:
- Share knowledge gained from monitoring your machine’s security;
- Share information about your security and privacy policies;
- Secure machine components from outside exposure with a robust firewall and the latest firmware;
- Manage user access and rights within the connectivity solution.
Responsibilities of the end customer
The end customer needs to secure his own network and devices, for example:
- Protect their own IT infrastructure and data;
- Secure their devices, such as PCs, tablets and mobile phones with strong passwords;
- Keep track of the identity of the connectivity solution’s infrastructure;
- Manage user access and rights within the connectivity solution.
Responsibilities of the connectivity solution provider
Your chosen connectivity solution has to be robust and must include features that keep connected systems secure, such as:
- An advanced user management system to manage user access and rights;
- Two factor authentication;
- Strong encryption;
- Back ups;
- Robust firewalls.
In the next paragraph we will go more into detail about what you as a machine builder can do in practice.
Key security measures every machine builder should take
To maximise the security of your connected machines, you need to take into account various security aspects at different levels. When you think about cyber security, you want to address the following 3 topics:
- Internal organisation
- Internal plant network
- Incoming connections
Securing the internal organisation
When we talk about the internal organisation, we mean all employees at both the machine builder's and the end customer's side. Since most cyber hacks are caused by human errors, every employee should use hacker-proof passwords. Employees have to be aware and trained about the consequences and measures they can take. Additionally, analysing risks, incident management and user management can help mitigate the risks.
Securing the internal plant network
Your machine is going to be installed in the internal plant network of the end customer. First of all, it’s important to ensure a secure installation in the plant through network separation. Make sure your machines are protected by unwanted incoming connections by a strict firewall, so they are shielded even without regular firmware updates.
Securing the machine from incoming connections
When you connect your machine to the internet you should make sure that any connections between your machine and the outside world are secured. You have to use strong encryption (HTTPS) and it’s good to perform regular pentests or have continuous monitoring in place to see if your incoming connections are secured. Robust user authentication, such as 2FA, during remote logins can help reduce the risk of unauthorised access.
Secure both IT and OT
Information technology (IT) focuses on anything related to computer technology while operational technology (OT) refers to hardware and software used to monitor and control physical devices and processes. OT devices control the physical world and IT systems manage data.
Nowadays OT environments are becoming increasingly dependent on IT, which makes an integrated approach to cyber security important because attackers can now also reach OT through the internet. The end customers already focus on IT, but on the OT-side there is still much to gain. Both machine builder and end customer need to know how OT security is arranged in a connectivity solution, as many incidents occur there.
Think of Shodan, known as a popular search engine for hackers, used to discover exposed vulnerable IoT devices such as routers, SCADA and smart home installations. By leveraging multitudes of these unprotected devices, attackers can perform large scale attacks such as spamming, phishing and DDoS, which can have a huge impact on you and your customer.
Isolation of both IT and OT is a must. On the OT-side, you need to isolate machines individually from each other, so that one machine does not affect others in case of contamination, but also to prevent hiccups in the process due to foreign network activity. The machine builder can impact this by blocking access to the OT side of the factory to the outside world with a firewall.
Balancing the benefits and risks of connectivity
All of this might leave you thinking, “is it even worth it to get a connectivity solution installed?”. And that is a good question to ask every time you connect a machine to the internet. Do the risks outweigh the benefits, and have you taken all the necessary precautions to minimise the risk as much as possible?
Each additional connected system increases the risk of security breaches. To determine if this is the case, you can make risk trade-offs by weighing the opportunities against the impact. By explaining why the benefits outweigh the risks, you can convince the customer why connectivity adds value for them.
Because if the COVID pandemic has shown us anything, it is the immense value of remote access to and control of your equipment. You are the one with knowledge about the machine and capabilities to troubleshoot issues. By connecting your machines to the internet you add value by using remote access to your machines and its data to meet your customer’s service needs.
You just need to know what the weaknesses are in your solution and work to minimise risks as much as possible. Reduce the risks with the highest chance or impact and keep improving, because new risks appear regularly.
Mitigate risks by complying with security standards
Security standards are powerful tools to ensure your security or any used tools are well organised. IEC 62443 and ISO 27001 are comprehensive industry standards, made to help companies design secure solutions. The IEC 62443 standard describes requirements on how to make secure machine components and how you as a machine builder must ensure secure connections. If you work with a cloud service, the ISO 27001 is a strongly recommended certificate to pursue as it ensures a strong security focus on data confidentiality.
You can choose to work on complying with these standards yourself. However, at the very least you should work with equipment and companies that already meet these standards.
Ensure your customers of a secure solution
It’s become clear that a strong collaboration between machine builder and end customer is of great importance in the field of cyber security. Protect both your customers and yourself by investing in security know-how, but also focus strongly on making sure that you have the right (connectivity) partners that help you along the way.
A well-organised IIoT platform can take away a lot of security worries. At IXON, we built security into our foundation and developed a framework to assist machine builders. Cyber security is top of mind throughout the entire organisation. Everything is in place:
- Advanced user management system;
- Two factor authentication;
- Strong encryption, backups and robust firewalls;
- Dedicated security officer;
- Extensive Information Security Management System;
- ISO 27001 and IEC 62443 certified;
- Internal security training.
Take advantage of everything a connectivity solution offers, such as optimised machines, higher uptime, better service and valuable insights, without the need to worry about its security. Since it’s your responsibility to ensure a secure connectivity solution to prevent connected systems and the OT network from being harmed, that’s already a burden off your shoulders. All you have left to do is to provide a machine with secure components, manage user access and rights, and share knowledge and information about your machine’s security with customers.