When the topic of physical security comes up for discussion, most CISOs instinctively think of access control systems on building doors or the latest advances in video monitoring systems. This default thinking must change. For CISOs charged with protecting manufacturing, utilities, or other industries utilizing operational technologies (OT) such as robots or logical controllers, the discussion of physical security must also include the “shop floor” where this OT resides.
For CISOs in these critical infrastructure sectors, the conversation about physical security needs to move from the back office to the front lines—that means the world of operations, where the CISO has historically been excluded. And that doesn’t mean securing the bay doors to the loading dock; it means protecting workers from the dangers of compromised robots and misconfigured Programmable Logic Controllers (PLCs).
According to the 2018 National Census of Fatal Occupational Injuries published by the United States Bureau of Labor Statistics, fatal work injuries increased 2 percent from 2017 to 2018, settling in at 5,250 for the reported year. This number was driven in part by a 39 percent increase in deaths caused by workers caught in running equipment or machinery.
Finding examples of these rare but catastrophic “worst-case scenarios” is not too difficult. In 2015, a robot in a Volkswagen plant in Germany accidentally killed a worker. And a robot in an automotive stamping plant in Michigan killed another worker. In both cases, the fatalities were accidental, but short of extreme advances in Artificial Intelligence, robots can only do what they are programmed to do (good or bad).
Couple the fact that robotics and PLCs are showing up on plant floors at an accelerating pace, augmenting and replacing the human workforce in rapid succession, with the troubling trend of nation-state advancements in the weaponization of malware targeted at Industrial Control Systems, and you have a growing physical threat that CISOs need to account for. This does not even touch on dangers related to waste-water treatment, food supply, or broader societal concerns. Even when focusing only on factory floor safety and security, the notion of physical security needs to change.
The discussion around physical security often focuses on preventing or monitoring unauthorized access to buildings or keeping a log of activities to assist in workplace investigations. It is rarely seen as a life-safety issue, except in the narrow case of avoiding workplace violence. Now with the proliferation of robotics and the development of malware such as Stuxnet in 2010 and its successor Industroyer in 2017, corporate Information Security teams can no longer avoid the plant floor and must work in haste to put controls in place to protect the people and machines that are building the products that drive the business.
In 2015 alone, the US ICS-CERT reported 295 incidents where ICS devices were attacked. As a result, it published the Seven Strategies to Defend ICSs. While all seven strategies are essential, the most impactful should be immediately addressed by businesses relying on this type of equipment. These businesses should:
1. Implement Application Whitelisting on the Human-Machine Interfaces (HMIs) to prevent malware from being introduced, which could cause erratic and unpredictable device behavior. These HMIs generally run on low-level devices that can’t be patched or run a full antivirus stack. Protecting them with software that prevents programs from writing to the hard disks of these devices is the best that can be done in many cases.
2. Ensure Proper Configuration and Patch Management to address vulnerabilities inherent in these devices. Most companies do not even have a clear inventory of their devices, let alone a process for managing vulnerabilities and patches. Treating shop floor device management like back-office device management would, in this case, be an improvement. Inventory the devices, monitor them, and put proper vulnerability management practices in place.
3. Reduce Your Attack Surface by isolating the shop floor area from the back office to avoid the spread of malware from office computers to shop floor management devices. Also, isolate plant floor equipment from the Internet. Nothing on a plant floor should be directly accessible from the Internet. Ensure firewalls are configured to prevent OT from accessing the Internet, and periodically review online resources that report on OT devices that have been enumerated.
4. Build a Defensible Environment by limiting device-to-device communications and building secure network segments to limit access and restrict lateral movement. Properly deploy firewalls, virtual network segments, and traffic tagging to isolate devices into more manageable subsets (e.g., by line or cell). Remember to log all of this data to help gain visibility into these long-neglected areas of the business. Work with your operations and infrastructure teams to ensure production isn’t adversely affected.
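One way to check strategies 3 and 4 against logged traffic, as an added example that is not part of the original article: map each flow record to a zone and flag any cross-zone flow that has no explicitly allowed conduit. The zone names, subnets, ports and flow records are constructed assumptions for illustration.

```python
import ipaddress
# Constructed address plan (assumption): one subnet per zone, one zone per cell.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "cell-a": ipaddress.ip_network("10.30.1.0/24"),
    "cell-b": ipaddress.ip_network("10.30.2.0/24"),
}
# Permitted conduits (src zone, dst zone, dst port); any other cross-zone flow is a finding.
ALLOWED = {
    ("office", "ot-dmz", 443),
    ("ot-dmz", "cell-a", 502), ("ot-dmz", "cell-b", 502),  # Modbus/TCP polling
    ("cell-a", "ot-dmz", 514), ("cell-b", "ot-dmz", 514),  # syslog to a collector
}
REASONS = {
    ("cell", "external"): "OT device reaching outside the plant network",
    ("external", "cell"): "OT device reachable from outside the plant network",
    ("cell", "cell"): "cell-to-cell lateral traffic",
    ("office", "cell"): "office host bypassing the OT DMZ",
}
# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),     # office -> DMZ, allowed
    ("10.20.0.5", "10.30.1.10", 502),     # DMZ -> cell-a, allowed
    ("10.30.1.10", "203.0.113.7", 443),   # cell-a -> outside the plan
    ("10.30.1.11", "10.30.2.15", 502),    # cell-a -> cell-b
    ("10.10.4.20", "10.30.2.15", 3389),   # office -> cell-b
    ("10.30.2.15", "10.20.0.9", 514),     # cell-b -> DMZ, allowed
]

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "external")

def audit(flows):
    """Return (src, dst, port, reason) for each flow that violates the policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, port) in ALLOWED:
            continue  # traffic inside a single zone is out of scope here
        kinds = tuple("cell" if z.startswith("cell-") else z for z in (sz, dz))
        reason = REASONS.get(kinds, "no allowed conduit for this zone pair and port")
        findings.append((src, dst, port, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against real firewall or flow logs, the same deny-by-default comparison shows where the deployed segmentation differs from the intended one before operations teams are asked to change anything.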
ICS-CERT has a few other suggestions, but these four will have the most significant impact. It is imperative that InfoSec teams and their CISOs work closely with business leaders to drive these improvements. Bridging the gap between the traditional world of the CISO and the often “off-limits” world of business operations is vital now that the world of logical threats is infringing on the world of physical production and human safety.