It may not always be a targeted attack. Since the pharmaceutical giant Merck fell victim to the NotPetya ransomware in 2017, chemical and pharmaceutical companies have understood how vulnerable the security and availability of their industrial control systems (ICS) and automation systems are. Merck had to contend with several weeks of production downtime and even had to borrow drugs from U.S. authorities. The incident cost the group $375 million. Unlike Bayer or the Tasnee oil refinery operating in Saudi Arabia, Merck was not even actively attacked. Its losses were purely collateral damage. The production shutdowns were caused by spillover effects: the malware had leapt from the office IT to the production line via the ICS connections that the business requires.
The ICS is a blind spot
With this incident, the open flanks of digitisation became apparent: higher system complexity, the opening of the ICS to the internet, and the marriage, so far working poorly at best, of a security-oriented office IT with an unsecured, availability-oriented production IT. In the end, Merck was lucky. Customers were not endangered by altered recipes, and no employees were injured. In the chemical industry especially, there is a thin line between cyber security and occupational safety. To the best of our knowledge, not even sensitive data was stolen. The vulnerability of the process industry has various causes, which apply equally to other branches of industry and to critical infrastructure. In his book “Industrial IT Security” (Vogel, 2019), ICS security expert Sebastian Rohr describes the three core problems of production IT:
- lack of awareness by employees
- insufficient documentation of assets and applications
- no monitoring of infrastructure and assets (components, systems, applications, data)
While the first point can be addressed through training, points 2 and 3 concern organisational and technical challenges. On documentation (or asset inventory), Rohr soberly states: “In contrast to the detailed documentation of the mechanical and safety-critical components of a plant, which is constantly improved by quality management, the information regarding the IT systems, operating systems, applications, tools and databases or directories used or installed is often inadequate, at best poor, or sometimes simply not available at all.”
This also complicates the management, diagnosis and troubleshooting of assets. The minimum requirement would be the identification and visualisation of assets and their connections to each other or to communication partners outside the System under Consideration (SuC), supplemented by information on firmware version, configuration, protocols, IP addresses, ports and communication patterns. After Rhebo Industry 4.0 Stability and Security Audits at industrial and critical infrastructure companies, those responsible are usually surprised by which devices and applications turn out to be hidden in the ICS and with whom they communicate.
The audits use industrial network monitoring with integrated anomaly detection to record and subsequently analyse all communication within the ICS. This documents not only the communication that passes through the routers and firewalls at the ICS perimeter but also the communication between components inside the ICS. Those responsible for the ICS thus gain, for the first time, detailed visibility of all assets, their properties and their behaviour. Insecure ports, protocols and internet connections are found frequently, and almost all evaluated communication data contains unknown devices as well as vulnerable firmware versions.
Ostrichism doesn't solve the challenge
Monitoring as such is not new to production lines in the chemical industry; at the very least it covers the performance, utilisation and wear parameters of the plants, and it is essential both for process control and for the emerging practice of predictive maintenance. Monitoring of the ICS itself, on the other hand, is lacking. Sebastian Rohr emphasises: “This monitoring and evaluation offers considerable added value, since the analysis of network traffic or load parameters of the ICS components enables conclusions to be drawn about previously undiscovered attacks or manipulation attempts.”
The German Federal Office for Information Security (BSI) recently recommended integrating network monitoring with anomaly detection as a standard component of production IT. Such a system continuously monitors every communication in the ICS and reports any deviation from the communication pattern expected during normal operation.
Our experience from monitoring projects has taught us that security is the key, but never the whole picture. In addition to new network nodes, changes in communication patterns (e.g. changes in protocols and command structure due to malware, attacks or manipulation) and unprotected password transmission, technical error states must also be taken into account. In production lines with real-time processes, transmission errors, extended round trip times and capacity overloads of individual components can lead to process interruptions or quality issues. The evaluation of data from our network monitoring with anomaly detection proves that technical error states are very common. The same applies to insecure protocols, vulnerable ports and communication that does not belong to the production process. To guarantee cyber security, product quality and occupational safety, consistent visibility and continuous monitoring of the ICS should therefore be among the core tasks of those responsible for security as well as for plant availability. A network monitoring system with real-time reporting of threats and real-time visualisation of the active assets provides all the functionality needed for this purpose.
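The baseline-and-deviation logic described above, as an added illustration written for this article and not code from Rhebo's product or from Rohr's book: a baseline of hosts and communication tuples is learned from flows recorded during normal operation, and live flows are then checked for the deviation classes named in the text (new nodes, new communication patterns, cleartext credential protocols, degraded round trip times, transmission errors). All IP addresses, protocols, timings and the five-times-RTT threshold are constructed sample values.

```python
from statistics import mean

# Constructed flow records: (src, dst, protocol, dst_port, round_trip_ms, retransmissions).
# The baseline list stands in for traffic captured during undisturbed normal operation.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "modbus", 502, 4.0, 0),
    ("10.0.1.10", "10.0.1.21", "modbus", 502, 5.0, 0),
    ("10.0.1.30", "10.0.1.10", "opcua", 4840, 6.0, 0),
] * 5

LIVE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "modbus", 502, 4.5, 0),   # within baseline
    ("10.0.1.99", "10.0.1.20", "modbus", 502, 4.0, 0),   # device never seen before
    ("10.0.1.30", "10.0.1.20", "telnet", 23, 5.0, 0),    # cleartext protocol, new pair
    ("10.0.1.10", "10.0.1.21", "modbus", 502, 95.0, 3),  # degraded link with retransmits
    ("10.0.1.10", "10.0.1.21", "s7comm", 102, 5.0, 0),   # new protocol between known hosts
]

CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http"}  # credentials would cross the wire unprotected

def learn_baseline(flows):
    """Learn known hosts and the typical RTT of every (src, dst, protocol, port) tuple."""
    hosts, rtts = set(), {}
    for src, dst, proto, port, rtt, _ in flows:
        hosts.update((src, dst))
        rtts.setdefault((src, dst, proto, port), []).append(rtt)
    return {"hosts": hosts, "patterns": {k: mean(v) for k, v in rtts.items()}}

def detect(flow, baseline, rtt_factor=5.0):
    """Return the list of deviations a single live flow shows against the baseline."""
    src, dst, proto, port, rtt, retransmits = flow
    key = (src, dst, proto, port)
    findings = []
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        findings.append("unknown_node")
    if key not in baseline["patterns"]:
        findings.append("new_communication_pattern")
    if proto in CLEARTEXT_PROTOCOLS:
        findings.append("cleartext_protocol")
    typical = baseline["patterns"].get(key)
    if typical is not None and rtt > rtt_factor * typical:
        findings.append("round_trip_time_degraded")
    if retransmits > 0:
        findings.append("transmission_errors")
    return findings

def analyse(live, baseline):
    """Map the index of every deviating live flow to its findings; clean flows are omitted."""
    return {i: f for i, flow in enumerate(live) if (f := detect(flow, baseline))}
```

Running `analyse(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))` flags four of the five live flows while leaving the first, in-baseline flow unreported, which mirrors the "report irregularities only" behaviour of a monitoring system in production.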