The manufacturing industry has become increasingly digitized, automated and connected. Governments across the world also supports the shift to smart factory through policies under the concept of “Industry 4.0” (Germany) and “Connected Industries” (Japan). The IIoT is bringing artificial intelligence (AI), cloud computing and robotics into factories. Smart factories that take advantage of these new technologies will be more productive and competitive as digital technology offers greater efficiency, better quality products with fewer mistakes, and more flexibility for working processes. Despite the benefits they offer, however, the connected nature of smart factories means the manufacturing industry is vulnerable to a variety of potential cyber threats

Manufacturing sector under attack

Traditionally, factories are not connected with the outside and thus there is little need to consider the risk of cybersecurity. The connected nature of smart factories leaves the sector open to potential cyber attacks. As more and more devices and sensors are connected, the attack surface rapidly expands. The security measures against cyber threats often do not keep up with the increasing risks. The manufacturing industry is the third most targeted industry for cybercrime, just behind the finance and government sectors, according to MakeUK, the UK’s industry organization. The report found that nearly half of UK manufacturers have been victims of a cyber attack, and almost a quarter of them suffer financial loss or disruption to business as a result. And this is happening not just in the UK. In 2010, the Stuxnet malware had sabotaged centrifuges used in Iran’s nuclear-enrichment program. The WannaCry ransomware caused the disruption and stoppage of many factories in 2017, including car factories of Honda and Renault-Nissan.

The entry points of cyber attack vary. When the U.S. retailer Target became the victim of a data breach in 2013, the attackers initially gained access through Target’s heating and air conditioning supplier. The manufacturer’s operational systems were hacked and due to their connection to Target’s IT infrastructure, it provided a gateway for the hackers to infiltrate, causing the theft of the personal details from between 70 and 110 million people. Because of security risks, more than a third of respondents are reluctant to fully implement digitization, according to the MakeUK report.

Risks and attack scenarios

In this backdrop, the European Union Agency for Cybersecurity (ENISA) published “Good Practices for Security of Internet of Things in the context of Smart Manufacturing (IIoT Good Practice)” in 2018. The main objectives were to collect good practices to ensure security of IoT in the context of Industry 4.0/Smart Manufacturing, while mapping the relevant security and privacy challenges, threats, risks and attack scenarios.

IIoT Good Practice identified 29 security threats including manipulation of hardware & software, failure or malfunction of a control system (PLC, RTU, DCS), software vulnerabilities exploitation, and power supply outage. Compared with Good practices for Security of Internet of Things, another ENISA publication in 2017, which assessed the risk of IoT in general, IIoT Good Practice focused on risks that affect the operation of factories.

IIoT Good Practice also identified 12 critical attack scenarios for smart factories:

1) Against the connection between the controller (e.g. DCS, PLC) and the actuators
2) Against sensors (modification of measured values / states, their reconfiguration, etc.)
3) Against actuators (suppressing their state, modifying the configuration)
4) Against the information transmitted via the network
5) Against IIoT gateways
6) Manipulation of remote controller devices (e.g. operating panels, smartphones)
7) Against the Safety Instrumented Systems (SIS)
8) Malware
9) DDoS attack using (IoT) botnets
10) Stepping stones attacks (e.g. against the Cloud)
11) Human error-based and social engineering attacks
12) Highly personalized attacks using Artificial Intelligence Technologies

Out of these, 3), 4), 5) and 7) are considered “crucial” threats to IIoT. Hacking of control system and manipulation of systems can result in physical damage of facilities, which potentially causes not only financial losses but also environmental pollution or human casualties. Hacking of transmission network may cause blackout and damage to the waste treatment plant may cause pollution. A digital attack by malware Triton on the control systems of an industrial plant in Saudi Arabia in 2017 exposes just how vulnerable industrial plants and their failsafe mechanisms are to manipulation.

Security measures

IIoT Good Practice identified a total of 110 security measures that can help prevent or properly respond to potential cyberattacks and ensure overall security and safety of the industrial IoT environment. They are classified into three groups – Policies (24), Organizational Practices (27) and Technical Practice (59). In Policies category, for example, security measures include privacy by design (e.g. separate data that can be used to identify an individual from other information and ensure its security) and Asset Management (e.g. introduce a new device into the system only according to an established, accepted and communicated change management process). Meanwhile, security measures in Technical Practices category touches on the issues of business continuity and recovery, Machine-to-Machine security, and software/firmware updates among others. This section also emphasizes the importance of cloud security. For example, IIoT Good Practice recommend that base your decisions regarding the choice of the type of cloud be based on impact assessment taking into consideration laws and regulations applicable to the cloud security provider’s country and points of presence, and locate critical systems and applications within the private or at least hybrid deployment models and precede implementation with a risk analysis if public cloud is used.

Importance of security practice

Merck & Co. estimated the financial impact of the cyber attack in the summer 2017 at around US$135 million (through loss of sales) and $174 million in additional costs in the aftermath of the attack. The scale of the risk means that cyber security is now imperative in the manufacturing sector. Introducing the security measures, however, is not enough – they have to be kept updated so that they remain effective against ever changing patterns of attacks and new malwares. As the digitization of manufacturing accelerates, cyber security measures will become ever more important in the future. ENISA’s Good Practices for Security of Internet of Things in the context of Smart Manufacturing can be downloaded from the link below.